Invalid response from... 404

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

tube.vat.ru.net

I ran this command:

sudo certbot --nginx -v

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): www.tube.vat.ru.net
Requesting a certificate for www.tube.vat.ru.net
Performing the following challenges:
http-01 challenge for www.tube.vat.ru.net
Waiting for verification...
Challenge failed for domain www.tube.vat.ru.net
http-01 challenge for www.tube.vat.ru.net

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Domain: www.tube.vat.ru.net
  Type:   unauthorized
  Detail: Invalid response from http://www.tube.vat.ru.net/.well-known/acme-challenge/1JZQLcnYhrLoJl46gayH9MmgwppJKvriXfwCHgQVsEg [178.72.89.118]: 404

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Cleaning up challenges
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):

nginx 1.18.0

The operating system my web server runs on is (include version):

Raspberry Pi OS (clean installation)
sudo apt update && sudo apt upgrade -y
sudo apt install -y nginx-full certbot python3-certbot-nginx

I can see the server from the internet: the NGINX welcome page works.

netstat -peanut

Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 0 16192 -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 0 13688 -
tcp 0 0 192.168.10.13:22 192.168.10.6:53735 ESTABLISHED 0 13830 -
tcp6 0 0 :::80 :::* LISTEN 0 16193 -
tcp6 0 0 :::22 :::* LISTEN 0 13690 -
udp 0 0 0.0.0.0:68 0.0.0.0:* 0 13733 -
udp 0 0 0.0.0.0:51310 0.0.0.0:* 108 9744 -
udp 0 0 0.0.0.0:5353 0.0.0.0:* 108 9742 -
udp6 0 0 :::546 :::* 0 13771 -
udp6 0 0 :::53860 :::* 108 9745 -
udp6 0 0 :::5353 :::* 108 9743 -

Also, my net config looks like:
Internet
->Router (80 forwarded)
->Reverse Proxy (Synology NAS)
->Router (back call)
->Raspberry Pi 3

My hosting provider, if applicable, is:

Axelname

I can login to a root shell on my machine (yes or no, or I don't know):

yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

no. I don't have any site yet; I am just trying out the server, via SSH.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

1.25.0

Because nginx looks like it's working, if you know what your webroot is, I'd use

certbot -i nginx -a webroot -w /path/to/webroot [other options as needed]

You should also check if the nginx config is doing something funny to the requests for .well-known/acme-challenge

2 Likes

Could you say how? I can post any logs here, but I am not sure that I understand them right. I am somewhere in the middle of understanding what is going on in my system.

I think the Synology is intercepting the /.well-known/acme-challenge/ requests.

Compare:

$ curl -i www.tube.vat.ru.net/.well-known/acme-challenge/xyz
HTTP/1.1 404 Not Found
Server: nginx
Date: Sat, 02 Apr 2022 04:52:07 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
Keep-Alive: timeout=20

<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>nginx</center>
</body>
</html>

against:

$ curl -i www.tube.vat.ru.net/.well-knownx/acme-challenge/xyz
HTTP/1.1 404 Not Found
Server: nginx
Date: Sat, 02 Apr 2022 04:52:11 GMT
Content-Type: text/html
Content-Length: 153
Connection: keep-alive
Keep-Alive: timeout=20

<html>
<head><title>404 Not Found</title></head>
<body>
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.18.0</center>
</body>
</html>

Notice that the server version shows up in the HTML body only for the .well-knownx request, which would be from the Raspberry Pi.

As such, I don't think changing to --webroot would achieve anything.

If you can, reconfiguring Synology's reverse proxy server to use try_files so that it doesn't unconditionally intercept the acme-challenge requests could do the trick. But it's a bit of an advanced endeavor.

3 Likes
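The comparison _az makes above (two 404s for sibling paths, with the nginx version footer and the body style differing between them) can be automated. The script below is an added example, not code from the thread or from Certbot: it parses two raw HTTP responses, extracts the fields that identify which server generated the 404 page (the Server header, the footer inside the <hr><center>...</center> element, and the presence of the bgcolor attribute), and reports which of them differ. The two embedded responses are constructed from the curl output quoted above; `probe()` and `fetch_raw()` are hypothetical helpers for running the same check against a live host and are not called when the module is imported.

```python
"""Fingerprint two 404 responses to see whether the ACME challenge path is
answered by a different hop than the rest of the site.

Added example; not part of the original thread. Sample responses below are
constructed from the curl -i output quoted in the thread.
"""
import re
import sys
import urllib.error
import urllib.request

# Constructed sample 1: the 404 for /.well-known/acme-challenge/xyz.
RESP_ACME = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: nginx\r\n"
    "Date: Sat, 02 Apr 2022 04:52:07 GMT\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 162\r\n"
    "Connection: keep-alive\r\n"
    "Keep-Alive: timeout=20\r\n"
    "\r\n"
    "<html>\r\n<head><title>404 Not Found</title></head>\r\n"
    "<body bgcolor=\"white\">\r\n<center><h1>404 Not Found</h1></center>\r\n"
    "<hr><center>nginx</center>\r\n</body>\r\n</html>\r\n"
)

# Constructed sample 2: the 404 for the deliberately misspelled /.well-knownx/ path.
RESP_CONTROL = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: nginx\r\n"
    "Date: Sat, 02 Apr 2022 04:52:11 GMT\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 153\r\n"
    "Connection: keep-alive\r\n"
    "Keep-Alive: timeout=20\r\n"
    "\r\n"
    "<html>\r\n<head><title>404 Not Found</title></head>\r\n"
    "<body>\r\n<center><h1>404 Not Found</h1></center>\r\n"
    "<hr><center>nginx/1.18.0</center>\r\n</body>\r\n</html>\r\n"
)


def parse_response(raw):
    """Split a raw HTTP response into (status line, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def fingerprint(raw):
    """Extract the fields that identify which server rendered an nginx-style 404 page."""
    status_line, headers, body = parse_response(raw)
    match = re.search(r"<hr><center>([^<]*)</center>", body)
    return {
        "status": status_line.split(" ", 1)[1] if " " in status_line else status_line,
        "server": headers.get("server", ""),
        # Content-Length is kept for display only: it naturally differs once the
        # footer differs, so it is not used as evidence on its own.
        "content_length": headers.get("content-length", ""),
        "footer": match.group(1).strip() if match else "",
        "body_bgcolor": 'bgcolor="white"' in body,
    }


def intercept_evidence(acme_raw, control_raw):
    """Return the fingerprint fields that differ between the two responses.

    An empty list means both paths were answered by the same server; any
    difference suggests a hop in front (here: the reverse proxy) is answering
    the ACME path itself instead of forwarding it to the backend.
    """
    a, c = fingerprint(acme_raw), fingerprint(control_raw)
    return [k for k in ("footer", "body_bgcolor", "server") if a[k] != c[k]]


def fetch_raw(url, timeout=10):
    """Hypothetical live helper: fetch a URL and rebuild it as raw response text.

    A 404 raises HTTPError, which still carries the code, headers and body.
    """
    try:
        resp = urllib.request.urlopen(url, timeout=timeout)
    except urllib.error.HTTPError as err:
        resp = err
    body = resp.read().decode("utf-8", "replace")
    head = "HTTP/1.1 %d %s\r\n" % (resp.code, resp.reason)
    head += "".join("%s: %s\r\n" % (k, v) for k, v in resp.headers.items())
    return head + "\r\n" + body


def probe(host, token="xyz"):
    """Hypothetical live helper: run the comparison against a real host over HTTP."""
    acme = fetch_raw("http://%s/.well-known/acme-challenge/%s" % (host, token))
    control = fetch_raw("http://%s/.well-knownx/acme-challenge/%s" % (host, token))
    return intercept_evidence(acme, control)


if __name__ == "__main__":
    # With a hostname argument, probe it live; otherwise analyse the constructed samples.
    evidence = probe(sys.argv[1]) if len(sys.argv) > 1 else intercept_evidence(RESP_ACME, RESP_CONTROL)
    print("differing fields:", evidence or "none (same server answered both paths)")
```

On the constructed samples the script reports that the footer (`nginx` versus `nginx/1.18.0`) and the bgcolor attribute differ, which is exactly the evidence used above to conclude that the Synology proxy, not the Raspberry Pi, is answering the challenge path. If the live probe reports no differences, the 404 is coming from the backend itself and the nginx configuration on the Pi (or the webroot path handed to Certbot) is the place to look instead.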

root@raspberrypi:/etc/nginx# certbot certonly --webroot
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): tube.vat.ru.net
Requesting a certificate for tube.vat.ru.net
Input the webroot for tube.vat.ru.net: (Enter 'c' to cancel): /

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: tube.vat.ru.net
  Type:   unauthorized
  Detail: Invalid response from http://tube.vat.ru.net/.well-known/acme-challenge/GF5SMaKp-vFEpWp02t0EP-DS7zOZJmOqdRerU6lrSxw [178.72.89.118]: 404

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

I think @_az is right. You need to check the nginx config on your synology.

If you don't understand it, show us. It should be a server { line and some listen 80 or server_name something lines after.

http://nginx.org/en/docs/http/ngx_http_core_module.html#try_files

2 Likes
