Invalid response from (domain name): 404

My domain is: audio.crpchalifax.ca

I ran this command: sudo certbot renew --dry-run

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/audio.crpchalifax.ca.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Simulating renewal of an existing certificate for audio.crpchalifax.ca

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: audio.crpchalifax.ca
  Type:   unauthorized
  Detail: 168.138.79.231: Invalid response from http://audio.crpchalifax.ca/.well-known/acme-challenge/n2HQJt1sPPdXe13suq2oUctjYeX9yk8lcmUZfG7kWgc: 404

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Failed to renew certificate audio.crpchalifax.ca with error: Some challenges have failed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All simulated renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/audio.crpchalifax.ca/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): nginx version: nginx/1.18.0 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 20.04.5 LTS

My hosting provider, if applicable, is: Oracle Cloud

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.32.2

I received an email warning me of renewal (which I normally don't receive because auto-renewal is set up and used to work), so I checked things out and ran the dry run command and it failed. I looked at the log file while shows:

2023-01-12 16:32:35,023:INFO:certbot.compat.misc:Running post-hook command: cat /etc/letsencrypt/live/audio.crpchalifax.ca/fullchain.pem /etc/letsencrypt/live/audio.crpchalifax.ca/privkey.pem > /etc/icecast2/bundle.pem && service icecast2 restart
2023-01-12 16:32:35,856:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/snap/certbot/2618/bin/certbot", line 8, in <module>
    sys.exit(main())
  File "/snap/certbot/2618/lib/python3.8/site-packages/certbot/main.py", line 19, in main
    return internal_main.main(cli_args)
  File "/snap/certbot/2618/lib/python3.8/site-packages/certbot/_internal/main.py", line 1744, in main
    return config.func(config, plugins)
  File "/snap/certbot/2618/lib/python3.8/site-packages/certbot/_internal/main.py", line 1630, in renew
    renewal.handle_renewal_request(config)
  File "/snap/certbot/2618/lib/python3.8/site-packages/certbot/_internal/renewal.py", line 510, in handle_renewal_request
    raise errors.Error(
certbot.errors.Error: 1 renew failure(s), 0 parse failure(s)
2023-01-12 16:32:35,857:ERROR:certbot._internal.log:1 renew failure(s), 0 parse failure(s)

Port 80 is open on my IP tables (as I know Letsencrypt still requires port 80 for renewals), but I did make changes a couple of months ago to force redirection from http to https. That included running icecast on port 8000. Here is what is in /etc/nginx/sites-enabled/default:

server
{
  listen 80;
  server_name audio.crpchalifax.ca;

  location ~ /.well-known
  {
    allow all;
  }

  location /
  {
    if ($ssl_protocol = "")
    {
      rewrite ^ https://$server_name$request_uri? permanent;
    }
  }
}

#### SSL ######################################################

server
{
  #ssl on;
  ssl_certificate_key /etc/letsencrypt/live/audio.crpchalifax.ca/privkey.pem;
  ssl_certificate /etc/letsencrypt/live/audio.crpchalifax.ca/fullchain.pem;
  ssl_dhparam /etc/ssl/certs/dhparam.pem;
  # Recommended security settings from https://wiki.mozilla.org/Security  /Server_Side_TLS
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
  ssl_prefer_server_ciphers on;
  ssl_ecdh_curve secp384r1;
  ssl_session_timeout 5m;
  ssl_session_cache shared:SSL:5m;
  ssl_session_tickets off;
  ssl_stapling on;
  ssl_stapling_verify on;
  resolver 8.8.8.8 8.8.4.4 valid=300s;
  resolver_timeout 5s;
# Enable this if you want HSTS (recommended)
# With or without preload (without very secure but not recommended)
  add_header Strict-Transport-Security "max-age=15768000; includeSubdomains;";
#add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; preload;";
  add_header X-Frame-Options DENY;
  add_header X-Content-Type-Options nosniff;
  listen 443 ssl;
  root /var/www/html;

  server_name audio.crpchalifax.ca;

  location ~ /.well-known
  {
    allow all;
  }

  location /
  {
#    access_log /var/log/icecast/access_https.log icecast_combined;
    proxy_pass http://127.0.0.1:8000/;
    proxy_redirect off;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  }
}
#user www;
worker_processes 4;
#pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*;

events {
        worker_connections 768;
        # multi_accept on;
}

http {
        ##
        # Basic Settings
        ##

        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        keepalive_timeout 65;
        types_hash_max_size 2048;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        ##
        # SSL Settings
        ##

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
        ssl_prefer_server_ciphers on;

        ##
        # Logging Settings
        ##

        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log debug;

        ##
        # Gzip Settings
        ##

        gzip on;
        gzip_disable "msie6";

        ##
        # Virtual Host Configs
        ##

        #include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;

}

rtmp {
        server {
                listen 1935;
                chunk_size 4096;

                application 83654211 {
                    live on;
                    record off;
                    exec /usr/bin/ffmpeg -i rtmp://audio.crpchalifax.ca/redacted/redacted -vn -c:a libmp3lame -f mp3 icecast://source:redacted@localhost:8000/live.mp3;
                }
        }
}

I suspect it has to do with my configuration changes maybe, but I can't figure out what went wrong.

If you re-add:

root /var/www/html;

to your port 80 server, and then try:

certbot renew --cert-name audio.crpchalifax.ca -w /var/www/html --dry-run

does it work?

4 Likes

It does! Thanks you so much for your speedy reply!

I edited /etc/nginx/sites-available/default and added root /var/www/html just below server name so it looked like:

server
{
  listen 80;
  server_name audio.crpchalifax.ca;
  root /var/www/html;

Saved, restarted the nginx server, ran the certbot command you recommended, and it worked perfectly. Thanks!

However, I ran sudo certbot renew --dry-run again to see what happens afterward, and I still get an error. Any idea why?

3 Likes

Did you run it without --dry-run? You'll have to do that to make sure it actually saves the new certificate and configuration.

For good measure, you can add to the end:

--deploy-hook "service nginx reload"

to avoid having to do that by hand.

After you've done that (without --dry-run) you should be able to do a successful dry-run.

5 Likes

Yep. That's exactly it. I ran the command you recommended, without the dry run, and then ran the regular certbot dry run and it worked. Problem resolved. Thank you!!!

5 Likes