Invalid response from acme-challenge 404 but from browser its OK

Hi, encountered a strange error:

In certbot log I see 404 error, but if I open the link at the same moment in my browser I will see the correct answer:

In Nginx log I see that:
    23.178.112.102 - - [30/May/2023:14:43:06 +0300] "GET /.well-known/acme-challenge/iy4_DTlxl4uiCFVoCiFoa4tt9uX9IchRSH7JvpQyDQU HTTP/1.1" 404 15831 ".well-known/acme-challenge/iy4_DTlxl4uiCFVoCiFoa4tt9uX9IchRSH7JvpQyDQU" admin.portal.wavea.cc "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "0.000" "-" "-" "US"

but from browser code 200:

    [30/May/2023:14:43:21 +0300] "GET /.well-known/acme-challenge/iy4_DTlxl4uiCFVoCiFoa4tt9uX9IchRSH7JvpQyDQU HTTP/2.0" 200 87 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/113.0" "0.000" "-" "-" "-"

My domain is:

I ran this command:
certbot certonly --nginx -d
It produced this output:
Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Invalid response from well-known/acme-challenge/iy4_DTlxl4uiCFVoCiFoa4tt9uX9IchRSH7JvpQyDQU: 404

My web server is (include version):
nginx/1.24.0
The operating system my web server runs on is (include version):
Ubuntu 22.04.2 LTS

My hosting provider, if applicable, is:
self-hosted

I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 2.6.0

I tried reinstalling certbot and disabling the SSL redirect, but nothing has changed.
certbot log:

It is very strange that you get a 200 from your own browser, because the --nginx plug-in does not place a file in your webserver root folder. Instead, that plug-in makes temp changes to your nginx config to return the needed result using rewrite and a return statement in the server block for that domain.

Can you upload the /var/log/letsencrypt/letsencrypt.log file from the failed request? You will need to copy it to a .txt file to use the upload button on the forum post menu.

4 Likes

Hi, thanks for the reply! I attached the letsencrypt.log to the post)

1 Like

Try with

    certbot certonly --nginx -d admin.portal.wavea.cc \
    --nginx-sleep-seconds 10 --dry-run

5 Likes
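The two replies above describe the mechanism behind this failure: the nginx plug-in answers the challenge from a temporary block in the nginx config rather than from a file, and `--nginx-sleep-seconds` gives the reload time to take effect before the CA's validator connects. That gives a simple check you can run over an access log when a 404 shows up in the certbot output. The script below is an added example, not code from this thread or from Certbot: it parses lines in nginx's default combined format (a custom log format such as the poster's needs its own regex), keeps only acme-challenge requests, and reports tokens where the Let's Encrypt validation server received a 404 but the same token was served with 200 shortly afterwards, which is the signature of a reload race rather than a plain misconfiguration. The sample lines are constructed here, modelled on the timestamps and token in this thread, with documentation-range client addresses.

```python
import re
from datetime import datetime

# Constructed sample access-log lines in nginx's default "combined" format.
# Timestamps, token and user agents are modelled on the thread above; the
# client addresses are documentation-range placeholders, not the poster's log.
SAMPLE_LOG = """\
203.0.113.10 - - [30/May/2023:14:43:06 +0300] "GET /.well-known/acme-challenge/iy4_DTlxl4uiCFVoCiFoa4tt9uX9IchRSH7JvpQyDQU HTTP/1.1" 404 15831 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
198.51.100.7 - - [30/May/2023:14:43:21 +0300] "GET /.well-known/acme-challenge/iy4_DTlxl4uiCFVoCiFoa4tt9uX9IchRSH7JvpQyDQU HTTP/2.0" 200 87 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/113.0"
203.0.113.10 - - [30/May/2023:14:43:40 +0300] "GET /.well-known/acme-challenge/second-token-example HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
"""

# nginx "combined" format: ip ident user [time] "request" status size "referer" "ua"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# HTTP-01 challenge path; tokens are base64url characters only
CHALLENGE_RE = re.compile(r"^/\.well-known/acme-challenge/(?P<token>[A-Za-z0-9_-]+)$")
# Substring the CA's validator puts in its User-Agent (seen in the log above)
VALIDATOR_UA = "Let's Encrypt validation server"


def parse_log(text):
    """Yield one dict per acme-challenge request with parsed time and status."""
    for line in text.splitlines():
        m = COMBINED_RE.match(line)
        if not m:
            continue  # not combined format: skip rather than guess at fields
        c = CHALLENGE_RE.match(m.group("path"))
        if not c:
            continue  # unrelated request
        yield {
            "token": c.group("token"),
            "time": datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z"),
            "status": int(m.group("status")),
            "validator": VALIDATOR_UA in m.group("ua"),
        }


def find_reload_races(text):
    """Return one record per token where the CA validator got a 404 and the
    same token was served with 200 later on: nginx was hit before the reload
    that installed certbot's temporary location block had taken effect."""
    by_token = {}
    for entry in parse_log(text):
        by_token.setdefault(entry["token"], []).append(entry)

    races = []
    for token, entries in by_token.items():
        entries.sort(key=lambda e: e["time"])
        failed = [e for e in entries if e["validator"] and e["status"] == 404]
        if not failed:
            continue  # validator never saw a 404 for this token
        first_fail = failed[0]
        later_ok = [e for e in entries
                    if e["status"] == 200 and e["time"] > first_fail["time"]]
        if not later_ok:
            continue  # nobody ever got a 200: a misconfiguration, not a race
        gap = later_ok[0]["time"] - first_fail["time"]
        races.append({
            "token": token,
            "validator_time": first_fail["time"].isoformat(),
            "first_200_time": later_ok[0]["time"].isoformat(),
            "gap_seconds": int(gap.total_seconds()),
        })
    return races


if __name__ == "__main__":
    for r in find_reload_races(SAMPLE_LOG):
        print(f"token {r['token'][:12]}...: validator got 404 at {r['validator_time']}, "
              f"200 served {r['gap_seconds']}s later (likely nginx reload race)")
```

Run it against a real log by replacing `SAMPLE_LOG` with the file contents; if a token is reported with a gap of a few seconds, raising `--nginx-sleep-seconds` is the right fix, whereas a token that never gets a 200 from anyone points at a server block or redirect problem instead.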

Hi, thanks for the reply!
I ran this command and this is the result:

1 Like

Excellent. Now remove the --dry-run but keep the sleep-seconds and you should get a fresh production cert.

4 Likes

I did it without --dry-run and it worked just fine, thanks for the help!

1 Like

Great. In your first log I saw a cert request for a different domain name that failed oddly. If you want to review that would you show result of this

    certbot certificates

4 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.