Invalid response acme-challenge on nginx server


#1

My domain is: medik.app

I ran this command: sudo certbot certonly --agree-tos --email my_mail@gmail.com --webroot -w /var/lib/letsencrypt/ -d mydomain.app -d www.mydomain.app

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for medik.app
Using the webroot path /var/lib/letsencrypt for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. medik.app (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://medik.app/.well-known/acme-challenge/rImBpQfvuAl_VUIXPXQQvKj4s9t-b3Dab3xk81q6V5Q: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>"

**IMPORTANT NOTES:**
- The following errors were reported by the server:

Domain: medik.app
Type:   unauthorized
Detail: Invalid response from
http://medik.app/.well-known/acme-challenge/rImBpQfvuAl_VUIXPXQQvKj4s9t-b3Dab3xk81q6V5Q:
"<html>\r\n<head><title>404 Not Found</title></head>\r\n<body
bgcolor=\"white\">\r\n<center><h1>404 Not
Found</h1></center>\r\n<hr><center>"

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.

My web server is (include version): nginx/1.14.0 (Ubuntu)

The operating system my web server runs on is (include version): Linux ubuntu-s-1vcpu-1gb-sfo2-01 4.15.0-39-generic #42-Ubuntu SMP Tue Oct 23 15:48:01 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

My hosting provider, if applicable, is: DigitalOcean

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

Hello, I need some help to figure out what is going on; let me explain.

I am trying to set up SSL on my dockerized Rails app, which listens on http://0.0.0.0:3000, with an NGINX reverse proxy on the host, without success.

I bought a .app domain on 1and1 (hint: when I bought my domain, 1and1 said that the domain can only be accessed over HTTPS), so I pointed my domain to my VPS droplet on DigitalOcean like this:

A = mydomain.app, directs to my public IP XXX.XXX.XXX.XXX
CNAME = www.mydomain.app, is an alias of mydomain.app
NS = mydomain.app directs to ns1.digitalocean.com, ns2.digitalocean.com, ns3.digitalocean.com

On the 1and1 site, under DNS servers, I changed the default DNS servers to the DigitalOcean DNS servers (ns1.digitalocean.com, ns2.digitalocean.com, ns3.digitalocean.com).

I have an NGINX reverse proxy server on ubuntu 18.04 configured like this:

# /etc/nginx/nginx.conf

user www-data;
worker_processes auto;
worker_rlimit_nofile 1024;

events {
  multi_accept on;
  worker_connections 1024;
}

http {
  charset utf-8;
  sendfile on;
  tcp_nopush on;
  tcp_nodelay on;
  server_tokens off;
  log_not_found off;
  types_hash_max_size 2048;
  client_max_body_size 16M;
  
  # MIME
  include mime.types;
  default_type application/octet-stream;
  
  # logging
  access_log /var/log/nginx/access.log;
  error_log /var/log/nginx/error.log warn;

  include /etc/nginx/conf.d/*.conf;
  include /etc/nginx/sites-enabled/*.conf;
}

# /etc/nginx/sites-available/mydomain.app.conf

# test lets encrypt challenge block
server {
  listen 80;
  root /var/www/mydomainapp/public;
  index index.html;
  server_name mydomain.app www.mydomain.app;
  include snippets/letsencrypt.conf;
}

# /etc/nginx/snippets/letsencrypt.conf

location ~ /.well-known/acme-challenge/ {
  allow all;
  #  root /var/lib/letsencrypt/;
  #  default_type "text/plain";
  #  try_files $uri =404;
}

location ~ /.well-known {
  allow all;
}

With certbot I am using this command:

sudo certbot certonly --agree-tos --email my_mail@gmail.com --webroot -w /var/lib/letsencrypt/ -d mydomain.app -d www.mydomain.app

But it throws this error:

FailedChallenges: Failed authorization procedure. www.mydomain.app (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.mydomain.app/.well-known/acme-challenge/

Domain: mydomain.app
Type: unauthorized
Detail: Invalid response from

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.

NOTE: the error occurs for both domains, mydomain.app and www.mydomain.app (I ran the certbot command for each domain separately, with the same error).

I am following this tutorial: https://linuxize.com/post/secure-nginx-with-let-s-encrypt-on-ubuntu-18-04/#disqus_thread

This is my first SSL and domain registration/configuration; any help?


#2

Hi,

It seems that the webroot folder might not be accessible by nginx.

You need to uncomment all lines inside the location block in letsencrypt.conf.

After that’s done, reload nginx and try again please.

Thank you
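The failure in this thread is a root mismatch: certbot writes the challenge file under the `-w` path (/var/lib/letsencrypt), but with the `root` line in the location block commented out, nginx answers requests for /.well-known/acme-challenge/ from the server block's `root` (/var/www/mydomainapp/public) and returns its 404 page, which is exactly the body quoted in the error. The script below is an added example, not code from the original post or from certbot: a pre-flight check that does what the http-01 validator does (write a token under the webroot, fetch it over plain HTTP at the public URL, compare the bytes). It uses Python's `http.server` as a stand-in for nginx and constructed temporary directories; the file body is a constructed placeholder for the real key authorization, and the function and path names are the example's own.

```python
import os
import secrets
import tempfile
import threading
import urllib.error
import urllib.request
from functools import partial
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer

ACME_PATH = "/.well-known/acme-challenge/"


def place_token(webroot, token=None):
    """Write a challenge file exactly where certbot's webroot plugin puts it:
    <webroot>/.well-known/acme-challenge/<token>.  The body stands in for the
    key authorization the CA compares against; here it is a constructed value."""
    token = token or secrets.token_urlsafe(32)
    challenge_dir = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(challenge_dir, exist_ok=True)
    expected = token + ".preflight-thumbprint"  # constructed, not a real thumbprint
    path = os.path.join(challenge_dir, token)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(expected)
    return token, expected, path


def fetch_challenge(base_url, token, timeout=5):
    """GET <base_url>/.well-known/acme-challenge/<token> the way the http-01
    validator does (plain HTTP, no proxy) and return (status, body)."""
    url = base_url.rstrip("/") + ACME_PATH + token
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    req = urllib.request.Request(url, headers={"User-Agent": "acme-preflight"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        # A 404 body here is what the thread's error message quotes
        return err.code, err.read().decode("utf-8", "replace")


def preflight(webroot, base_url):
    """True only if a token written under `webroot` comes back byte-for-byte
    at the public URL, which is the condition http-01 checks."""
    token, expected, path = place_token(webroot)
    try:
        status, body = fetch_challenge(base_url, token)
    finally:
        os.remove(path)  # mirror certbot's "Cleaning up challenges"
    return status == 200 and body == expected


class _QuietHandler(SimpleHTTPRequestHandler):
    def log_message(self, *args):  # keep the demo output clean
        pass


def serve_directory(docroot):
    """Stand-in for nginx: serve `docroot` on an ephemeral loopback port."""
    handler = partial(_QuietHandler, directory=docroot)
    server = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]


def demo():
    """Reproduce the thread's failure and its fix with constructed directories.
    Returns (result_with_mismatched_root, result_with_matching_root)."""
    with tempfile.TemporaryDirectory() as tmp:
        nginx_root = os.path.join(tmp, "var", "www", "mydomainapp", "public")
        certbot_root = os.path.join(tmp, "var", "lib", "letsencrypt")
        os.makedirs(nginx_root)
        os.makedirs(certbot_root)
        server, base_url = serve_directory(nginx_root)  # server root != -w path
        try:
            mismatched = preflight(certbot_root, base_url)  # 404, like the post
            matching = preflight(nginx_root, base_url)      # token is served
        finally:
            server.shutdown()
            server.server_close()
    return mismatched, matching


if __name__ == "__main__":
    broken, fixed = demo()
    print("certbot webroot != served root:", "OK" if broken else "404 / mismatch")
    print("certbot webroot == served root:", "OK" if fixed else "404 / mismatch")
```

Against a real host, run `preflight("/var/lib/letsencrypt", "http://medik.app")` as a user that can write to that directory before invoking certbot; it returns False for the same reason the CA rejects the challenge, and the 404 body from `fetch_challenge` tells you whether nginx answered at all. With the `root /var/lib/letsencrypt/;` and `try_files $uri =404;` lines in the location block uncommented, the directory nginx serves for that path matches the `-w` argument and the check passes.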


#3

Also: medik.app and mydomain.app resolve to different IP addresses.


#4

I think mydomain.app is just like “example.com”…


#5

One would think so… But I’m not 100% sure in this case.


#6

As @stevenzhu says, mydomain.app is an "example.com" domain; my real domain is medik.app.


#7

Thank you it works!

I really appreciate your help guys