Invalid response from http://domain-on-ipv4-only.com; I suspect it is not creating temp files on acme-challenge directory [SOLVED]


#1

Hello. I am reviewing all similar posts but none of them matches with my problem.

My OS info:
Ubuntu server 16

# apt-cache policy certbot | grep -i Installed
  Installed: 0.25.0-1+ubuntu16.04.1+certbot+1

My server is neither configured for IPv6 nor has any AAAA record:

server {
    listen 80 default_server;

    location ^~ /.well-known/ {
        default_type "text/plain";
        root /var/www/letsencrypt;
    }
}

# dig +short A subdom.mydomain.com
172.104.140.XXX

# dig +short AAAA subdom.mydomain.com
(nothing)

# curl -i4 'http://subdom.mydomain.com/.well-known/existing-folder/existing-test.txt'
HTTP/1.1 200 OK

# curl -i6 'http://subdom.mydomain.com/.well-known/existing-folder/existing-test.txt'
curl: (6) Could not resolve host: subdom.mydomain.com

I suspect it is not creating temporary files in the acme-challenge directory, because I keep refreshing (F5) the directory while renewing the certs and no file is ever created, not even for a moment.

So… why do I get an invalid response when using certbot renew --dry-run?


#2

Well, it’s hard to say without seeing your existing renewal parameters or Certbot logs, but that location block doesn’t look like it would work, since Certbot’s webroot plugin expects to place files in the /.well-known/acme-challenge directory, not the /.well-known/ directory.

The simplest thing to do is just to allow Certbot to figure out the nginx directives by using the nginx plugin:

certbot renew --cert-name subdom.mydomain.com --nginx --dry-run

#3

I have another working server with version 0.19, and when I try to renew certificates there, the temp files are created and deleted in the acme-challenge directory, as is the normal behaviour. On my non-working server the temp files are not created in the acme-challenge directory. Why?


#4

Post your unredacted renewal parameters from /etc/letsencrypt/renewal/*.conf and it’ll probably become clear. My suspicion is on your location block not mapping properly onto the webroot anticipated by Certbot, but there’s insufficient evidence to be sure.


#5

# renew_before_expiry = 30 days
version = 0.22.2
archive_dir = /etc/letsencrypt/archive/subdom.mydomain.com
cert = /etc/letsencrypt/live/subdom.mydomain.com/cert.pem
privkey = /etc/letsencrypt/live/subdom.mydomain.com/privkey.pem
chain = /etc/letsencrypt/live/subdom.mydomain.com/chain.pem
fullchain = /etc/letsencrypt/live/subdom.mydomain.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
installer = None
webroot_path = /var/www/html,
authenticator = webroot
account = c5a2b678387db7b06e8050bfe2dffbdd
[[webroot_map]]
subdom.mydomain.com = /var/www/html

#6

There we go - Certbot has a completely different idea about the location of the webroot.

Maybe replace your location with a simple:

location /.well-known/acme-challenge/ {
   root /var/www/html;
}
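The thread's diagnosis (post #2) and fix (post #6) come down to one question: does the directory Certbot writes challenge files into match the directory nginx serves for /.well-known/acme-challenge/? The script below is an added example, not code from the thread or from Certbot, that checks this before a renewal: it reads the webroot from the [[webroot_map]] section of a renewal conf, reads the root of the nginx location covering the challenge path, and compares them. It also includes a live round-trip (write a token into the webroot, fetch it over IPv4, clean up) modelled on what HTTP-01 validation does; the demo at the bottom only runs the offline comparison on constructed copies of the thread's before/after configs. Function names and the sample files are my own; only prefix-style nginx locations using "root" (not "alias") are handled.

```shell
#!/bin/sh
# Added example: check that Certbot's webroot and nginx's challenge root agree.

# Print the webroot Certbot uses for DOMAIN, read from a renewal conf
# ([[webroot_map]] lines look like: subdom.mydomain.com = /var/www/html).
certbot_webroot() {
    awk -v d="$2" '
        /^\[\[webroot_map\]\]/ { inmap = 1; next }
        /^\[/                  { inmap = 0 }
        inmap && $1 == d && $2 == "=" { print $3; exit }
    ' "$1"
}

# Print the "root" of the nginx location whose prefix covers
# /.well-known/acme-challenge/ (so "location ^~ /.well-known/" also counts).
nginx_challenge_root() {
    awk '
        /^[[:space:]]*location[[:space:]]/ {
            prefix = ""
            for (i = 2; i <= NF; i++) if ($i != "{") prefix = $i
            inloc = (index("/.well-known/acme-challenge/", prefix) == 1)
            next
        }
        inloc && /^[[:space:]]*root[[:space:]]/ { sub(/;.*$/, "", $2); print $2; exit }
        /}/ { inloc = 0 }
    ' "$1"
}

# Compare the two. Returns 0 on match, 1 on mismatch, 2 if either is missing.
# Usage: webroots_agree RENEWAL_CONF DOMAIN NGINX_CONF
webroots_agree() {
    cb=$(certbot_webroot "$1" "$2"); ng=$(nginx_challenge_root "$3")
    if [ -z "$cb" ] || [ -z "$ng" ]; then
        echo "missing: certbot webroot='$cb' nginx root='$ng'"; return 2
    fi
    if [ "$cb" = "$ng" ]; then
        echo "OK: Certbot writes to $cb/.well-known/acme-challenge/ and nginx serves it"
    else
        echo "MISMATCH: Certbot writes under $cb but nginx serves the challenge path from $ng"
        return 1
    fi
}

# Live round-trip over IPv4, the way the dry run exercises the webroot:
# drop a token file, fetch it through nginx, remove it. Not run by the demo.
live_challenge_check() {
    dir="$2/.well-known/acme-challenge"
    token="selftest-$$-$(date +%s)"
    mkdir -p "$dir" && printf '%s' "$token" > "$dir/$token" || return 2
    got=$(curl -4 -s -m 10 "http://$1/.well-known/acme-challenge/$token")
    rm -f "$dir/$token"
    [ "$got" = "$token" ]
}

# Constructed sample files mirroring the thread's configs (not the poster's real files).
make_samples() {
    cat > "$1/renewal.conf" <<'EOF'
[renewalparams]
authenticator = webroot
webroot_path = /var/www/html,
[[webroot_map]]
subdom.mydomain.com = /var/www/html
EOF
    cat > "$1/nginx-before.conf" <<'EOF'
server {
    listen 80 default_server;
    location ^~ /.well-known/ {
        default_type "text/plain";
        root /var/www/letsencrypt;
    }
}
EOF
    cat > "$1/nginx-after.conf" <<'EOF'
server {
    listen 80 default_server;
    location /.well-known/acme-challenge/ {
        root /var/www/html;
    }
}
EOF
}

demo=$(mktemp -d)
make_samples "$demo"
webroots_agree "$demo/renewal.conf" subdom.mydomain.com "$demo/nginx-before.conf" || true
webroots_agree "$demo/renewal.conf" subdom.mydomain.com "$demo/nginx-after.conf"
rm -rf "$demo"
```

On a real host, run webroots_agree against /etc/letsencrypt/renewal/NAME.conf and the nginx server block for port 80, then live_challenge_check DOMAIN WEBROOT; a MISMATCH is exactly the state in post #5, and either side can be changed (the nginx root, as in post #6, or the renewal conf, as the poster ended up doing) as long as both point at the same directory.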

#7

@_az I am SO VERY THANKFUL. Your response was the correct one.

MANY THANKS.

However, I changed the parameters in /etc/letsencrypt/renewal/subdom.mydomain.com.conf so that it works with /var/www/letsencrypt, and it worked fine.

I hope this is helpful for other letsencrypt users

:wink:

