I can't create a certificate

Hello guys!
I am trying to create a certificate for my domain www.pracadacarne.com.br

I cloned certbot through git and am using the command

./certbot-auto certonly --nginx -d pracadacarne.com.br -d www.pracadacarne.com.br

The output is:

Requesting to rerun ./certbot-auto with root privileges ...
./certbot-auto has insecure permissions!
To learn how to fix them, visit Certbot-auto deployment best practices
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Selected plugins: Authenticator nginx, Installer nginx
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for pracadacarne.com.br
http-01 challenge for www.pracadacarne.com.br
Waiting for verification ...
Challenge failed for domain pracadacarne.com.br
Challenge failed for domain www.pracadacarne.com.br
http-01 challenge for pracadacarne.com.br
http-01 challenge for www.pracadacarne.com.br
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:

  • The following errors were reported by the server:
    Domain: pracadacarne.com.br
    Type: unauthorized
    Detail: Invalid response from http://pracadacarne.com.br/login
    [18.231.157.7]: "<! DOCTYPE html> \ n \ n \ t \ n \ t \ t <meta
    charset = \ "utf-8 " /> \ n \ t \ t <meta name = \ "viewport "
    content = \ "width = device-width, initial-scale = 1, m"
    Domain: www.pracadacarne.com.br
    Type: unauthorized
    Detail: Invalid response from http://www.pracadacarne.com.br/login
    [18.231.157.7]: "<! DOCTYPE html> \ n \ n \ t \ n \ t \ t <meta
    charset = \ "utf-8 " /> \ n \ t \ t <meta name = \ "viewport "
    content = \ "width = device-width, initial-scale = 1, m"

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A / AAAA record (s) for that domain
contain (s) the right IP address.


Welcome to the Let’s Encrypt Community :slightly_smiling_face:

Let’s see what we can do for you. :thinking:


So it looks like pracadacarne.com.br and www.pracadacarne.com.br both redirect (302) to a login page regardless of the requested resource. This will make access to the http-01 challenge files impossible for the Let's Encrypt server.

You may want to look into this:


Thank you very much for your reply and welcome.
This is my first contact with Let’s Encrypt.

Yes, this is a system that I developed for a customer and it in fact always redirects to the login page.

In that case, what should I do to make Let’s Encrypt work for me? This is a behavior that I cannot change, as it is one of the main requirements that my client demanded.


You can exclude the Let's Encrypt requests from the redirection to the login page.
[they will be unable to login to the site - and don't need anything from the actual site]


The idea is to allow the challenge requests access to the files without redirection nor requiring a login.
Here is an example of a test challenge file request:
http://pracadacarne.com.br/.well-known/acme-challenge/test-file-1234
If you can place a file in the expected folder and have it accessible from the Internet (without a login), then you can get a cert for this site.
The test is very simple.
The method to provide the access may be a bit less simple but nonetheless straightforward and logical.
There are several ways to allow access to the challenge folder.
One that is simple and common is to include a location section within the HTTP vhost config that tells Apache exactly what to do when such a matching request is seen.
You can add something like this to make that happen:

  <LocationMatch "^/(?!\.well-known)">
    #send all other requests to HTTPS
    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1
  </LocationMatch>

That code can be used to wrap around the redirection section and says when NOT like .well-known then redirect.
So that .well-known will go directly to that file/folder instead.
Note: You will need to have a document root section for this vhost and depending on the client and method used for installation/validation, a working path to the expected challenge folder.
[which, again, can be tested with http://your.domain/.well-known/acme-challenge/a-test-file - before trying to actually get a cert]


Or you can use DNS challenges (TXT records) instead of HTTP challenges (files). These can be more difficult to automate though for renewal purposes.


I didn’t get it right …
Where do I have to include this file?
Another doubt is that if I point to a file, why is it useless if I point to www.pracadacarne.com.br/login?

My system is a Spring Boot Java application with nginx redirecting the ports. In that case, where do I have to put the file?

The expected challenge folder.
http://pracadacarne.com.br/.well-known/acme-challenge/test-file-1234
That breaks down to:
http://pracadacarne.com.br/ = the DocumentRoot for that FQDN:
[use this to find that quickly]
nginx -T | grep -Ei 'server_name|Root'

then the path appends those subfolders to that root:
{root}/.well-known/acme-challenge/
[then to put a test file there, you may have to create those folders first]
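Since the site in this thread is Spring Boot behind nginx rather than Apache, here is an added nginx example (not posted by anyone in the thread) that does the same thing the LocationMatch snippet above does for Apache: serve the challenge folder straight from disk, and hand every other request to the application, which is then free to redirect to /login. It assumes the application listens on 127.0.0.1:8080 and that /var/www/letsencrypt is the directory chosen as the challenge root; both are placeholders to adjust.

```nginx
# Added example, not from the thread. Assumptions: Spring Boot on 127.0.0.1:8080,
# challenge files kept under /var/www/letsencrypt (any readable directory works).
server {
    listen 80;
    server_name pracadacarne.com.br www.pracadacarne.com.br;

    # "^~" makes this prefix match win over any regex locations, so the
    # challenge path can never fall through to the application's redirect.
    # Files are looked up at {root}/.well-known/acme-challenge/<token>.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
        default_type text/plain;
        try_files $uri =404;
    }

    # Everything else goes to the application (which may answer 302 -> /login).
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

To check it the way the earlier post suggests, create the folder and a test file (`mkdir -p /var/www/letsencrypt/.well-known/acme-challenge`, then write any text into `test-file-1234` there), reload nginx, and confirm that `curl -i http://pracadacarne.com.br/.well-known/acme-challenge/test-file-1234` returns 200 with the file contents rather than a 302 to /login. With that in place, certbot's webroot authenticator (`certonly --webroot -w /var/www/letsencrypt -d ...`) can drop its own challenge files into the same directory.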
