Invalid response for 1 domain

#1

My domain is: logs.dlucadou.com

I ran this command: sudo certbot --nginx

It produced this output:

$ sudo certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: logs.dl.codes
2: logs.dlucadou.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1 2

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/logs.dl.codes.conf)

It contains these names: logs.dl.codes

You requested these names for the new certificate: logs.dl.codes,
logs.dlucadou.com.

Do you want to expand and replace this existing certificate with the new
certificate?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(E)xpand/(C)ancel: E
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for logs.dlucadou.com
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. logs.dlucadou.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://logs.dlucadou.com/.well-known/acme-challenge/Ji8T2dx3h8ekGstwOGEN9kDxv3sZGD833sV0PLgugoA [2600:1f18:2a1:cd0d:51d5:a5d1:dc78:3a2b]: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: logs.dlucadou.com
   Type:   unauthorized
   Detail: Invalid response from
   http://logs.dlucadou.com/.well-known/acme-challenge/Ji8T2dx3h8ekGstwOGEN9kDxv3sZGD833sV0PLgugoA
   [2600:1f18:2a1:cd0d:51d5:a5d1:dc78:3a2b]:
   "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body
   bgcolor=\"white\">\r\n<center><h1>404 Not
   Found</h1></center>\r\n<hr><center>"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

My web server is (include version): nginx version: nginx/1.14.0 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 18.04.2 LTS

My hosting provider, if applicable, is: AWS EC2

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0

I want logs.dlucadou.com to redirect to logs.dl.codes, which has a Puma app. My sites-available file for the domains:

$ cat /etc/nginx/sites-available/logs.dlucadou.com
server {
  server_name logs.dlucadou.com;
  listen 80;
  listen [::]:80;
  location ~ /.well-known {
    allow all;
    root /usr/share/nginx/html;
  }
  return 307 $scheme://logs.dl.codes$request_uri;
}
$ cat /etc/nginx/sites-available/logs.dl.codes
upstream app {
  # Path to Puma SOCK file
  server unix:///home/ubuntu/git/irc-log-explorer-prod/shared/sockets/puma.sock;
}

server {
  server_name logs.dl.codes;
  root /home/ubuntu/git/irc-log-explorer-prod/public;

  location / {
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $http_host;
    proxy_redirect off;
    proxy_set_header X-Forwarded-Proto https; # Needed to avoid 'WARNING: Can't verify CSRF token authenticity'
    proxy_pass http://app;
  }

  error_page 500 502 503 504 /500.html;
  client_max_body_size 4G;
  keepalive_timeout 10;

    listen [::]:443 ssl; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/logs.dl.codes/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/logs.dl.codes/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}


server {
    if ($host = logs.dl.codes) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


  listen 80;
  listen [::]:80;
  server_name logs.dl.codes;
    return 404; # managed by Certbot


}

I was able to run sudo certbot --nginx just fine for logs.dl.codes, but it fails on expanding the cert to include logs.dlucadou.com. I’ve even tried copying the sites-available files for some other domains I have and changing the server name, still no dice.

#2

Hi @BoxOfPizza

checking your domain - looks like a wrong redirect ( https://check-your-website.server-daten.de/?q=logs.dlucadou.com ):

Domainname Http-Status redirect Sec. G
http://logs.dl.codes/ 301 https://logs.dl.codes/ 0.260 A
http://logs.dlucadou.com/
34.200.49.50 307 http://logs.dl.codes/ 0.213 D
http://logs.dlucadou.com/
2600:1f18:2a1:cd0d:51d5:a5d1:dc78:3a2b 307 http://logs.dl.codes/ 0.203 D
https://logs.dl.codes/ 200 1.036 B
https://logs.dlucadou.com/
34.200.49.50 200 1.304 N
Certificate error: RemoteCertificateNameMismatch
https://logs.dlucadou.com/
2600:1f18:2a1:cd0d:51d5:a5d1:dc78:3a2b 200 0.913 N
Certificate error: RemoteCertificateNameMismatch
http://logs.dl.codes/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 301 https://logs.dl.codes/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 0.223 A
Visible Content: 301 Moved Permanently nginx/1.14.0 (Ubuntu)
http://logs.dlucadou.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
34.200.49.50 307 http://logs.dl.codes/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 0.214 D
Visible Content: 307 Temporary Redirect nginx/1.14.0 (Ubuntu)
http://logs.dlucadou.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
2600:1f18:2a1:cd0d:51d5:a5d1:dc78:3a2b 307 http://logs.dl.codes/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 0.207 D
Visible Content: 307 Temporary Redirect nginx/1.14.0 (Ubuntu)
https://logs.dl.codes/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 404 0.896 A

Your logs.dlucadou.com/.well-known/acme-challenge redirect to your logs.dl.codes/.well-known/acme-challenge

But Letsencrypt doesn’t see that redirect, instead the (preferred) ipv6 doesn’t work:

http://logs.dlucadou.com/.well-known/acme-challenge/Ji8T2dx3h8ekGstwOGEN9kDxv3sZGD833sV0PLgugoA
   [2600:1f18:2a1:cd0d:51d5:a5d1:dc78:3a2b]

and doesn’t have a redirect.

If you use --nginx, Certbot creates a temporary rule. Perhaps run the command again with the -vvv option to see, what Certbot adds.

It’s possible that you use the webroot - with the logs.dl.codes - root, both domains use that webroot.

certbot run -a webroot -i nginx -w rootOflogsdlcodes -d logs.dl.codes -d logs.dlucadou.com
#3

I just ran sudo certbot --nginx -vvv and it worked. I haven’t modified the sites-available file, and I didn’t run it without -vvv since this morning so it’s possible -vvv fixed it, or letting it sit for several hours fixed it. ¯\_(ツ)_/¯

closed #4

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.