Invalid response from http://sitebuilt.net/.well-known/acme-challenge/

I moved this domain to racknerd recently and have not been able to get a cert. What have I missed?

domain

sitebuilt.net

root@mom:/mnt/c/fs/www# ping sitebuilt.net
PING sitebuilt.net (107.175.134.21) 56(84) bytes of data.

no ip6

root@racknerd-sitebuilt:/# ping -6 sitebuilt.net
ping: sitebuilt.net: Address family for hostname not supported

root@racknerd-sitebuilt:/# certbot --version

certbot 1.21.0

Ubuntu 22.04.1 LTS on

host

Racknerd

root login

I can log in as root

using control panel

no

I ran this command

certbot --nginx -d sitebuilt.net

root@racknerd-sitebuilt:~# certbot --nginx -d sitebuilt.net
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for sitebuilt.net

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: sitebuilt.net
Type:   unauthorized
Detail: 107.175.134.21: Invalid response from http://sitebuilt.net/.well-known/acme-challenge/UxM5_kKL1PjjmSQ68VefA_RNcesTyVg0w9sgze6QXGY: 404

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
root@racknerd-sitebuilt:~# certbot --nginx -v -d sitebuilt.net
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Requesting a certificate for sitebuilt.net
Performing the following challenges:
http-01 challenge for sitebuilt.net
Waiting for verification...
Challenge failed for domain sitebuilt.net
http-01 challenge for sitebuilt.net

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: sitebuilt.net
Type:   unauthorized
Detail: 107.175.134.21: Invalid response from http://sitebuilt.net/.well-known/acme-challenge/975WezV_KjQyr1C5NobZQu75qxDICE4VIvz7NTbmmyM: 404

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Cleaning up challenges
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

default site-enabled

server {
    listen 80 default_server;
    listen [::]:80 default_server;

    root /var/www/html;

    index index.html index.php index.htm index.nginx-debian.html;

    server_name sitebuilt.net www.sitebuilt.net;

    location / {
        try_files $uri $uri/ =404;
        autoindex on;
    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php8.1-fpm.sock;
    }
    location ~ /.well-known/acme-challenge {
        default_type text/plain;
        allow all;
    }
    location ~ /\.ht {
        deny all;
    }
}

log

root@racknerd-sitebuilt:/# tail -f /var/log/letsencrypt/letsencrypt.log
File "/usr/lib/python3/dist-packages/certbot/_internal/client.py", line 389, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File "/usr/lib/python3/dist-packages/certbot/_internal/client.py", line 439, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
File "/usr/lib/python3/dist-packages/certbot/_internal/auth_handler.py", line 90, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, best_effort)
File "/usr/lib/python3/dist-packages/certbot/_internal/auth_handler.py", line 178, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
2022-11-10 21:21:49,861:ERROR:certbot._internal.log:Some challenges have failed.

ls -al /var/www/html

root@racknerd-sitebuilt:/var/www/html# ls -al
total 240
drwxr-xr-x  4 root root   4096 Oct 27 04:20  .
drwxr-xr-x  3 root root   4096 Sep  8 19:18  ..
-rw-r--r--  1 root root    187 Sep 27 16:00  index.html
drwxr-xr-x  3 root root   4096 Sep 22 22:14  .well-known
root@racknerd-sitebuilt:/var/www/html# cd .well-known
root@racknerd-sitebuilt:/var/www/html/.well-known# ls -al
total 12
drwxr-xr-x 3 root root 4096 Sep 22 22:14 .
drwxr-xr-x 4 root root 4096 Oct 27 04:20 ..
drwxr-xr-x 2 root root 4096 Sep 22 22:14 acme-challenge
root@racknerd-sitebuilt:/var/www/html/.well-known# cd acme-challenge/
root@racknerd-sitebuilt:/var/www/html/.well-known/acme-challenge# ls -al
total 8
drwxr-xr-x 2 root root 4096 Sep 22 22:14 .
drwxr-xr-x 3 root root 4096 Sep 22 22:14 ..
1 Like

Thanks for the nice trouble report.

I tested various things already but don't see anything obviously wrong.

As background, the --nginx plug-in makes temp changes to your nginx config to satisfy the ACME challenge. The location statement for /.well-known/acme-challenge and the related folders are not used in this case.

I have a feeling there is something else in your nginx config that is confusing the --nginx plug-in. Can you upload either the whole letsencrypt.log file (you need to copy it to a .txt file first) or upload the result of this command:

nginx -T >config.txt

It must be a capital T, which outputs the entire active nginx config. The entire nginx config is also in the log file, so either one is good for now.

4 Likes

I'd try placing a test txt file in that (expected) challenge location.
Then see if it can be reached via the Internet.

2 Likes
That didn't work, I get a 404 at http://sitebuilt.net/.well-known/acme-challenge/config.txt

# configuration file /etc/nginx/nginx.conf:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
	worker_connections 768;
	# multi_accept on;
}

http {

	##
	# Basic Settings
	##

	sendfile on;
	tcp_nopush on;
	types_hash_max_size 2048;
	# server_tokens off;

	# server_names_hash_bucket_size 64;
	# server_name_in_redirect off;

	include /etc/nginx/mime.types;
	default_type application/octet-stream;

	##
	# SSL Settings
	##

	ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
	ssl_prefer_server_ciphers on;

	##
	# Logging Settings
	##

	access_log /var/log/nginx/access.log;
	error_log /var/log/nginx/error.log;

	##
	# Gzip Settings
	##

	gzip on;

	# gzip_vary on;
	# gzip_proxied any;
	# gzip_comp_level 6;
	# gzip_buffers 16 8k;
	# gzip_http_version 1.1;
	# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

	##
	# Virtual Host Configs
	##

	include /etc/nginx/conf.d/*.conf;
	include /etc/nginx/sites-enabled/*;
}


#mail {
#	# See sample authentication script at:
#	# http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
#	# auth_http localhost/auth.php;
#	# pop3_capabilities "TOP" "USER";
#	# imap_capabilities "IMAP4rev1" "UIDPLUS";
#
#	server {
#		listen     localhost:110;
#		protocol   pop3;
#		proxy      on;
#	}
#
#	server {
#		listen     localhost:143;
#		protocol   imap;
#		proxy      on;
#	}
#}

# configuration file /etc/nginx/modules-enabled/50-mod-http-geoip2.conf:
load_module modules/ngx_http_geoip2_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-http-image-filter.conf:
load_module modules/ngx_http_image_filter_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-http-xslt-filter.conf:
load_module modules/ngx_http_xslt_filter_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-mail.conf:
load_module modules/ngx_mail_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-stream.conf:
load_module modules/ngx_stream_module.so;

# configuration file /etc/nginx/modules-enabled/70-mod-stream-geoip2.conf:
load_module modules/ngx_stream_geoip2_module.so;

# configuration file /etc/nginx/mime.types:

types {
    text/html                             html htm shtml;
    text/css                              css;
    text/xml                              xml;
    image/gif                             gif;
    image/jpeg                            jpeg jpg;
    application/javascript                js;
    application/atom+xml                  atom;
    application/rss+xml                   rss;

    text/mathml                           mml;
    text/plain                            txt;
    text/vnd.sun.j2me.app-descriptor      jad;
    text/vnd.wap.wml                      wml;
    text/x-component                      htc;

    image/png                             png;
    image/tiff                            tif tiff;
    image/vnd.wap.wbmp                    wbmp;
    image/x-icon                          ico;
    image/x-jng                           jng;
    image/x-ms-bmp                        bmp;
    image/svg+xml                         svg svgz;
    image/webp                            webp;

    application/font-woff                 woff;
    application/java-archive              jar war ear;
    application/json                      json;
    application/mac-binhex40              hqx;
    application/msword                    doc;
    application/pdf                       pdf;
    application/postscript                ps eps ai;
    application/rtf                       rtf;
    application/vnd.apple.mpegurl         m3u8;
    application/vnd.ms-excel              xls;
    application/vnd.ms-fontobject         eot;
    application/vnd.ms-powerpoint         ppt;
    application/vnd.wap.wmlc              wmlc;
    application/vnd.google-earth.kml+xml  kml;
    application/vnd.google-earth.kmz      kmz;
    application/x-7z-compressed           7z;
    application/x-cocoa                   cco;
    application/x-java-archive-diff       jardiff;
    application/x-java-jnlp-file          jnlp;
    application/x-makeself                run;
    application/x-perl                    pl pm;
    application/x-pilot                   prc pdb;
    application/x-rar-compressed          rar;
    application/x-redhat-package-manager  rpm;
    application/x-sea                     sea;
    application/x-shockwave-flash         swf;
    application/x-stuffit                 sit;
    application/x-tcl                     tcl tk;
    application/x-x509-ca-cert            der pem crt;
    application/x-xpinstall               xpi;
    application/xhtml+xml                 xhtml;
    application/xspf+xml                  xspf;
    application/zip                       zip;

    application/octet-stream              bin exe dll;
    application/octet-stream              deb;
    application/octet-stream              dmg;
    application/octet-stream              iso img;
    application/octet-stream              msi msp msm;

    application/vnd.openxmlformats-officedocument.wordprocessingml.document    docx;
    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet          xlsx;
    application/vnd.openxmlformats-officedocument.presentationml.presentation  pptx;

    audio/midi                            mid midi kar;
    audio/mpeg                            mp3;
    audio/ogg                             ogg;
    audio/x-m4a                           m4a;
    audio/x-realaudio                     ra;

    video/3gpp                            3gpp 3gp;
    video/mp2t                            ts;
    video/mp4                             mp4;
    video/mpeg                            mpeg mpg;
    video/quicktime                       mov;
    video/webm                            webm;
    video/x-flv                           flv;
    video/x-m4v                           m4v;
    video/x-mng                           mng;
    video/x-ms-asf                        asx asf;
    video/x-ms-wmv                        wmv;
    video/x-msvideo                       avi;
}

# configuration file /etc/nginx/sites-enabled/default:

server {
	listen 80 default_server;
	listen [::]:80 default_server;

	root /var/www/html;

	index index.html index.php index.htm index.nginx-debian.html;

	server_name sitebuilt.net www.sitebuilt.net;

	location / {
		try_files $uri $uri/ =404;
		autoindex on;
	}

	location ~ \.php$ {
		include snippets/fastcgi-php.conf;
		fastcgi_pass unix:/run/php/php8.1-fpm.sock;
	}
	location /.well-known/acme-challenge {
		default_type text/plain;
		root /etc/letsencrypt/webroot;
	}
	location ~ /\.ht {
		deny all;
	}
}

# configuration file /etc/nginx/snippets/fastcgi-php.conf:
# regex to split $uri to $fastcgi_script_name and $fastcgi_path
fastcgi_split_path_info ^(.+?\.php)(/.*)$;

# Check that the PHP script exists before passing it
try_files $fastcgi_script_name =404;

# Bypass the fact that try_files resets $fastcgi_path_info
# see: http://trac.nginx.org/nginx/ticket/321
set $path_info $fastcgi_path_info;
fastcgi_param PATH_INFO $path_info;

fastcgi_index index.php;
include fastcgi.conf;

# configuration file /etc/nginx/fastcgi.conf:

fastcgi_param  SCRIPT_FILENAME    $document_root$fastcgi_script_name;
fastcgi_param  QUERY_STRING       $query_string;
fastcgi_param  REQUEST_METHOD     $request_method;
fastcgi_param  CONTENT_TYPE       $content_type;
fastcgi_param  CONTENT_LENGTH     $content_length;

fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
fastcgi_param  REQUEST_URI        $request_uri;
fastcgi_param  DOCUMENT_URI       $document_uri;
fastcgi_param  DOCUMENT_ROOT      $document_root;
fastcgi_param  SERVER_PROTOCOL    $server_protocol;
fastcgi_param  REQUEST_SCHEME     $scheme;
fastcgi_param  HTTPS              $https if_not_empty;

fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;

fastcgi_param  REMOTE_ADDR        $remote_addr;
fastcgi_param  REMOTE_PORT        $remote_port;
fastcgi_param  REMOTE_USER        $remote_user;
fastcgi_param  SERVER_ADDR        $server_addr;
fastcgi_param  SERVER_PORT        $server_port;
fastcgi_param  SERVER_NAME        $server_name;

# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param  REDIRECT_STATUS    200;

# configuration file /etc/nginx/sites-enabled/services:
server {
    listen 80;
    listen [::]:80;
    listen 443;
    server_name services.sitebuilt.net;

    ssl on;
    ssl_certificate /etc/letsencrypt/live/services.sitebuilt.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/services.sitebuilt.net/privkey.pem;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';    
    # ssl_dhparam /etc/ssl/certs/dhparam.pem;

    location /hello/ {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://localhost:1642/;
        proxy_ssl_session_reuse off;
        proxy_set_header Host $http_host;
        proxy_cache_bypass $http_upgrade;
        proxy_redirect off; 
    }
    location /geniot/ws:3333 {
        proxy_pass http://localhost:3333;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_read_timeout 86400; 
    }
    location /iotb/wss:4333 {
        proxy_pass http://localhost:4333;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_read_timeout 86400; 
    }
    location /geniot/mqqt/ {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://localhost:1883/;
        proxy_ssl_session_reuse off;
        proxy_set_header Host $http_host;
        proxy_cache_bypass $http_upgrade;
        proxy_redirect off; 
    }
    location /geniot/app/ {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://localhost:3332/;
        proxy_ssl_session_reuse off;
        proxy_set_header Host $http_host;
        proxy_cache_bypass $http_upgrade;
        proxy_redirect off; 
    }
    location /bogged/ {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://localhost:3009/;
        proxy_ssl_session_reuse off;
        proxy_set_header Host $http_host;
        proxy_cache_bypass $http_upgrade;
        proxy_redirect off; 
    }
    location /auth/ {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://localhost:3002/;
        proxy_ssl_session_reuse off;
        proxy_set_header Host $http_host;
        proxy_cache_bypass $http_upgrade;
        proxy_redirect off; 
    }
    location /soauth/ {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://localhost:7080/;
        proxy_ssl_session_reuse off;
        proxy_set_header Host $http_host;
        proxy_cache_bypass $http_upgrade;
        proxy_redirect off; 
    }
    location /iotex/ {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://localhost:4332/;
        proxy_ssl_session_reuse off;
        proxy_set_header Host $http_host;
        proxy_cache_bypass $http_upgrade;
        proxy_redirect off; 
    }
    location /reroox/ {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://localhost:4352/;
        proxy_ssl_session_reuse off;
        proxy_set_header Host $http_host;
        proxy_cache_bypass $http_upgrade;
        proxy_redirect off; 
    }
    location /timecards/ {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://localhost:4362/;
        proxy_ssl_session_reuse off;
        proxy_set_header Host $http_host;
        proxy_cache_bypass $http_upgrade;
        proxy_redirect off; 
    }
}
# configuration file /etc/nginx/sites-enabled/stuff2get:
server {
	listen 80;
	listen [::]:80;
	root /home/stuff2get/public_html;
	server_name stuff2get.sitebuilt.net;
	index index.php index.html index.htm;

	location / {
	    try_files $uri $uri/ =404;
	    autoindex on;
	}
	location ~ \.php$ {
		include snippets/fastcgi-php.conf;
		fastcgi_pass unix:/run/php/php7.0-fpm.sock;
	}
	location ~ /\.ht {
		deny all;
	}
}
# configuration file /etc/nginx/sites-enabled/timecards:
server {
	listen 80;
	listen [::]:80;
	listen 443 ssl http2;
	listen [::]:443 ssl http2;
	server_name timecards.sitebuilt.net;
	#include snippets/ssl-sitebuilt.net-0001.conf;
	#include snippets/ssl-params.conf;

	root /home/timecards/public_html;
	index index.php index.html index.htm;

	location / {
	    try_files $uri $uri/ =404;
	}

	location ~ \.php$ {
		include snippets/fastcgi-php.conf;
		fastcgi_pass unix:/run/php/php8.1-fpm.sock;
	}
	location ~ /\.ht {
		deny all;
	}
	location ~ /.well-known {
		allow all;
	}
	ssl_certificate /etc/letsencrypt/live/sitebuilt.net-0003/fullchain.pem; # managed by Certbot
	ssl_certificate_key /etc/letsencrypt/live/sitebuilt.net-0003/privkey.pem; # managed by Certbot
}
	location /.well-known/acme-challenge {
		default_type text/plain;
		root /etc/letsencrypt/webroot;
	}

Try creating text file:
/etc/letsencrypt/webroot/test1
And see if that can be reached via:
http://sitebuilt.net/.well-known/acme-challenge/test1

If that fails, create text file:
/etc/letsencrypt/webroot/.well-known/acme-challenge/test2
And see if that can be reached via:
http://sitebuilt.net/.well-known/acme-challenge/test2

3 Likes
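The two-file test described above, modelled in Python as an added example (this is not code from the thread, from certbot or from the CA): it builds the http-01 key authorization the CA expects (RFC 8555 token plus RFC 7638 account-key thumbprint), resolves the challenge URI the way nginx's root directive does (and alias, for contrast), and reproduces why test1 at the top of the webroot answers 404 while test2 under .well-known/acme-challenge/ is found. The JWK is a constructed toy key and a temporary directory stands in for /etc/letsencrypt/webroot; both are assumptions.

```python
"""Model of the http-01 check behind the thread's 404, with nginx root/alias
path resolution. Added example; toy JWK and temp webroot are constructed."""
import base64
import hashlib
import json
import os
import tempfile
from typing import Tuple

ACME_PREFIX = "/.well-known/acme-challenge/"


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as RFC 8555 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: required members only, lexicographic order, no whitespace,
    SHA-256, base64url. Extra members such as 'alg' must not change it."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = required[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members}, sort_keys=True,
                           separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """Body the CA expects at http://<domain>/.well-known/acme-challenge/<token>."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def nginx_root_path(root: str, uri: str) -> str:
    """`root` appends the whole URI, so the matched prefix
    /.well-known/acme-challenge/ is part of the on-disk path."""
    return os.path.join(root, uri.lstrip("/"))


def nginx_alias_path(alias: str, location: str, uri: str) -> str:
    """`alias` replaces the matched location prefix instead of appending."""
    return os.path.join(alias, uri[len(location):].lstrip("/"))


def stage_challenge(webroot: str, token: str, keyauth: str) -> str:
    """Write the challenge file where --webroot puts it (under .well-known/acme-challenge/)."""
    path = nginx_root_path(webroot, ACME_PREFIX + token)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(keyauth)
    return path


def simulate_validation(webroot: str, token: str, expected: str) -> Tuple[int, bool]:
    """Mimic the CA against a `root`-style location: return (http_status,
    body_matches). A missing file is the 404 seen in the thread."""
    path = nginx_root_path(webroot, ACME_PREFIX + token)
    if not os.path.isfile(path):
        return 404, False
    with open(path, encoding="ascii") as fh:
        return 200, fh.read().strip() == expected


def demo() -> dict:
    """Reproduce both tests in a temp dir: test1 placed at the top of the
    webroot is not where `root` looks (404); test2 staged under
    .well-known/acme-challenge/ is found and matches."""
    jwk = {"kty": "RSA", "n": "constructed-modulus", "e": "AQAB"}  # toy key, not real
    with tempfile.TemporaryDirectory() as webroot:
        with open(os.path.join(webroot, "test1"), "w", encoding="ascii") as fh:
            fh.write("test1")
        status1, _ = simulate_validation(webroot, "test1", "test1")
        keyauth = key_authorization("test2", jwk)
        stage_challenge(webroot, "test2", keyauth)
        status2, ok2 = simulate_validation(webroot, "test2", keyauth)
    return {"test1_status": status1, "test2_status": status2, "test2_ok": ok2}


if __name__ == "__main__":
    print(demo())
```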

Sorry for the messy file. BTW, services.sitebuilt.net runs a lot of servers. That, thank God, did get a certificate via sudo letsencrypt certonly --standalone -d services.sitebuilt.net

config.txt (14.3 KB)

1 Like

That will require your nginx server to be stopped to free port 80. The standalone method needs to bind to port 80.

I didn't see any nginx config issues that would cause the --nginx plug-in trouble. Note it doesn't rely on the nginx root folder like --webroot authentication does.

But, if you are using a mix of standalone and --nginx plug-in something odd can happen.

The --nginx plug-in has a bug when nginx is not running when certbot is started. In this case, the plug-in will start nginx directly instead of with systemd. This results in two instances of nginx which are difficult to control and which fight over the ports.

This might explain the 404 when using the plug-in.

We can check this by showing the results of these:

ps -eF | grep nginx
systemctl status nginx
3 Likes

root@racknerd-sitebuilt:/# ps -eF | grep nginx

root      872452       1  0 15370  9792   1 Nov10 ?        00:00:00 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
www-data  872536  872452  0 15447 10352   0 Nov10 ?        00:00:00 nginx: worker process
www-data  872537  872452  0 15447 10388   1 Nov10 ?        00:00:22 nginx: worker process
root      879106  878925  0  2302  2200   1 14:07 pts/7    00:00:00 grep --color=auto nginx
root@racknerd-sitebuilt:/# 

root@racknerd-sitebuilt:/# systemctl status nginx

nginx.service - A high performance web server and a reverse proxy server
    Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
    Active: active (running) since Thu 2022-11-10 22:25:37 GMT; 15h ago
    Docs: man:nginx(8)
    Process: 872449 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
    Process: 872451 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
Main PID: 872452 (nginx)
    Tasks: 3 (limit: 2288)
    Memory: 8.2M
        CPU: 22.497s
    CGroup: /system.slice/nginx.service
            ├─872452 "nginx: master process /usr/sbin/nginx -g daemon on; master_process on;"
            ├─872536 "nginx: worker process" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" ""
            └─872537 "nginx: worker process" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" ""

Nov 10 22:25:37 racknerd-sitebuilt systemd[1]: Starting A high performance web server and a reverse proxy server...
Nov 10 22:25:37 racknerd-sitebuilt nginx[872449]: nginx: [warn] the "ssl" directive is deprecated, use the "listen ... ssl" direc>
Nov 10 22:25:37 racknerd-sitebuilt nginx[872451]: nginx: [warn] the "ssl" directive is deprecated, use the "listen ... ssl" direc>
Nov 10 22:25:37 racknerd-sitebuilt systemd[1]: Started A high performance web server and a reverse proxy server.
lines 1-19/19 (END)

This one worked:

/etc/letsencrypt/webroot/.well-known/acme-challenge/test2
And see if that can be reached via:
http://sitebuilt.net/.well-known/acme-challenge/test2

You should modify your listen to be like your other server blocks so it includes the ssl option. Then, remove ssl on; to avoid that deprecation warning in systemctl status nginx.

But, that isn't what is causing the problem with the --nginx plug-in.

You might try pursuing rg305's tests and use --webroot instead. You can use it with certonly just to get a cert, but then you must update the nginx config for the https server block yourself. Or, you can use webroot with the nginx plug-in as installer only, but since it is not behaving well as authenticator I hesitate to recommend that.

So, what does this test show?

certbot certonly --dry-run  --webroot -w /etc/letsencrypt/webroot -d sitebuilt.net  -d www.sitebuilt.net

Note: I added the www subdomain, as you have it defined but did not show it in your first certbot command.

3 Likes

The test was successful.

root@racknerd-sitebuilt:/etc/letsencrypt/webroot/.well-known# certbot certonly --dry-run  --webroot -w /etc/letsencrypt/webroot -d sitebuilt.net  -d www.sitebuilt.net
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Account registered.
Simulating a certificate request for sitebuilt.net and www.sitebuilt.net
The dry run was successful.

log (last 200 lines)

root@racknerd-sitebuilt:/etc/letsencrypt/webroot/.well-known# tail -n 200 /var/log/letsencrypt/letsencrypt.log
2022-11-11 17:20:30,508:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Fri, 11 Nov 2022 17:20:30 GMT
Content-Type: application/json
Content-Length: 605
Connection: keep-alive
Boulder-Requester: 75779394
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Location: https://acme-staging-v02.api.letsencrypt.org/acme/order/75779394/5135270604
Replay-Nonce: B37CuJi-Vt_82BKhesOuz8V3nifKBcwc1_3xYV0jObRfa00
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"status": "valid",
"expires": "2022-11-18T17:20:28Z",
"identifiers": [
    {
    "type": "dns",
    "value": "sitebuilt.net"
    },
    {
    "type": "dns",
    "value": "www.sitebuilt.net"
    }
],
"authorizations": [
    "https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/4286042944",
    "https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/4286042954"
],
"finalize": "https://acme-staging-v02.api.letsencrypt.org/acme/finalize/75779394/5135270604",
"certificate": "https://acme-staging-v02.api.letsencrypt.org/acme/cert/fa1f14e8b347263d8cba18ca173d52808fea"
}
2022-11-11 17:20:30,515:DEBUG:acme.client:Storing nonce: B37CuJi-Vt_82BKhesOuz8V3nifKBcwc1_3xYV0jObRfa00
2022-11-11 17:20:31,518:DEBUG:acme.client:JWS payload:
b''
2022-11-11 17:20:31,526:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/order/75779394/5135270604:
{
"protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC83NTc3OTM5NCIsICJub25jZSI6ICJCMzdDdUppLVZ0XzgyQktoZXNPdXo4VjNuaWZLQmN3YzFfM3hZVjBqT2JSZmEwMCIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9vcmRlci83NTc3OTM5NC81MTM1MjcwNjA0In0",
"signature": "d2jgWmhT5LtvjKROf3y7MCKJXN8exm2Jvotu8wl6eBC-FyrhAqRwuMMHBqpdlDnntO0__gZX_dSVi71f6Fse07gYS0pafw3RkORs27UGQ3e2OF_ErBYJClZKkASG0FTKaM8hYA-lqXZ0Q6iSJFoUIHg6Ll9mwyFpAr4frs_zqSzPxAePqZzDn3QKYMsLZYPQsxSLENzb6Jxb8h-d1UDWfa07-nw7tbr0lZxYMVHPULpqxRHXx1oTe1gD9QK-29cX0eWVlCK1H7t1hvd8gvcnR3_mgCOHjI0VdTQm75u8rJm-zsE4nFAbBhoNEfZuXlK7eLuO8VV-MTurF2OAB-BT0g",
"payload": ""
}
2022-11-11 17:20:31,594:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/order/75779394/5135270604 HTTP/1.1" 200 605
2022-11-11 17:20:31,598:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Fri, 11 Nov 2022 17:20:31 GMT
Content-Type: application/json
Content-Length: 605
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 8F05mOtWZPe9L6LR1fdp-qXS5wJbunOF_ZeDz9R-otxUuIY
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"status": "valid",
"expires": "2022-11-18T17:20:28Z",
"identifiers": [
    {
    "type": "dns",
    "value": "sitebuilt.net"
    },
    {
    "type": "dns",
    "value": "www.sitebuilt.net"
    }
],
"authorizations": [
    "https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/4286042944",
    "https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/4286042954"
],
"finalize": "https://acme-staging-v02.api.letsencrypt.org/acme/finalize/75779394/5135270604",
"certificate": "https://acme-staging-v02.api.letsencrypt.org/acme/cert/fa1f14e8b347263d8cba18ca173d52808fea"
}
2022-11-11 17:20:31,599:DEBUG:acme.client:Storing nonce: 8F05mOtWZPe9L6LR1fdp-qXS5wJbunOF_ZeDz9R-otxUuIY
2022-11-11 17:20:31,599:DEBUG:acme.client:JWS payload:
b''
2022-11-11 17:20:31,603:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/cert/fa1f14e8b347263d8cba18ca173d52808fea:
{
"protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC83NTc3OTM5NCIsICJub25jZSI6ICI4RjA1bU90V1pQZTlMNkxSMWZkcC1xWFM1d0pidW5PRl9aZUR6OVItb3R4VXVJWSIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9jZXJ0L2ZhMWYxNGU4YjM0NzI2M2Q4Y2JhMThjYTE3M2Q1MjgwOGZlYSJ9",
"signature": "b6b-0XBT3kpAY8KPkJvpe88pBh1ju3IkSlsspMbLCLN9gT9wsqIa8K-G4nlVGh1NIkBkkD0iZrz3IOzUnRkPIniogbyUDsRJAoii3hqySqF-EhXrD6GjyjHgMasKFF2rzMNGvUXJCMdVKDhGk6kEj51oQ4sWU6zM_dPERNM8b6qswLXYDaLNaVrXU2ueVZUb_dfBLMhEUKgulXM6Fz-qWljeGf8IoVENxNNdjmX7Lsi6S5SWKL901QBW6Hh6z-Z5qr5pYWvQAJiS5iFMxzQkTa2aHu-hymd_E9wIr0Cbg1uaEDSogMql3pEXl6Kv3BTYeeDp2YYPRGG_0KosvNM11A",
"payload": ""
}
2022-11-11 17:20:31,668:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/cert/fa1f14e8b347263d8cba18ca173d52808fea HTTP/1.1" 200 5755
2022-11-11 17:20:31,670:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Fri, 11 Nov 2022 17:20:31 GMT
Content-Type: application/pem-certificate-chain
Content-Length: 5755
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index", <https://acme-staging-v02.api.letsencrypt.org/acme/cert/fa1f14e8b347263d8cba18ca173d52808fea/1>;rel="alternate"
Replay-Nonce: A272OTuwHgSJNS-OOwCaXZhnoQcJ4YPOwfcRU_m0Wjv8zjQ
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

2022-11-11 17:20:31,674:DEBUG:acme.client:Storing nonce: A272OTuwHgSJNS-OOwCaXZhnoQcJ4YPOwfcRU_m0Wjv8zjQ
2022-11-11 17:20:31,716:DEBUG:certbot._internal.client:Dry run: Skipping creating new lineage for sitebuilt.net
2022-11-11 17:20:31,718:DEBUG:certbot._internal.display.obj:Notifying user: The dry run was successful.
root@racknerd-sitebuilt:/etc/letsencrypt/webroot/.well-known#

Good. If you remove --dry-run it will get a production cert. You will then have to manually configure a server block for https using those certs. You already have other https domains working so I presume you can figure that out.

3 Likes

Do you mean ...

Add a block with lines like these

listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/apps.sitebuilt.net/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/apps.sitebuilt.net/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

replacing the live directory name with whatever certbot creates?

Right now there are these certs there:

root@racknerd-sitebuilt:/etc/letsencrypt/live# ls -al
total 20
drwx------  4 root root 4096 Sep 27 16:27 .
drwxr-xr-x 10 root root 4096 Nov 11 17:20 ..
-rw-r--r--  1 root root  740 Sep 22 17:29 README
drwxr-xr-x  2 root root 4096 Sep 22 17:29 services.sitebuilt.net
drwxr-xr-x  2 root root 4096 Sep 27 16:27 sitebuilt.net-003

And finally...

When I create that cert, if I don't use the -d option, will I get a list of domains/subdomains enabled that I can also put on the same certificate? Or is it better in the command line?

certbot certonly --webroot -w /etc/letsencrypt/webroot -d sitebuilt.net -d www.sitebuilt.net -d arimckenna.com -d restoringroots.net -d iot.sitebuilt.net

Then does each of those sites-enabled get

listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/apps.sitebuilt.net/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/apps.sitebuilt.net/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

(do they all need the last two lines)?

The server block must also contain most, if not all, of the matching HTTP server block.
Things like:

  • server_name
  • root ...

That can get a bit complicated.
The certbot wizard is only so smart.
It can only list names that are explicitly defined within server blocks; but without even defining which web server is being used, it won't even know where to look.

I prefer being explicit on the command line.
You only need to get it right once; then it can auto-renew from then on.

2 Likes

So I just tried to get sitebuilt.net and www.sitebuilt.net to work

certbot certonly --webroot -w /etc/letsencrypt/webroot -d sitebuilt.net -d www.sitebuilt.net 

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for sitebuilt.net and www.sitebuilt.net

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/sitebuilt.net/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/sitebuilt.net/privkey.pem
This certificate expires on 2023-02-09.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

It added a sitebuilt.net dir and files to ../live/

total 24
drwx------  5 root root 4096 Nov 11 18:40 .
drwxr-xr-x 10 root root 4096 Nov 11 18:40 ..
-rw-r--r--  1 root root  740 Sep 22 17:29 README
drwxr-xr-x  2 root root 4096 Sep 22 17:29 services.sitebuilt.net
drwxr-xr-x  2 root root 4096 Nov 11 18:40 sitebuilt.net
drwxr-xr-x  2 root root 4096 Sep 27 16:27 sitebuilt.net-0003

I changed the sitebuilt.net server block like so

server {
    listen 80 default_server;
    listen [::]:80 default_server;

    root /var/www/html;

    index index.html index.php index.htm index.nginx-debian.html;

    server_name sitebuilt.net www.sitebuilt.net;

    location / {
        try_files $uri $uri/ =404;
        autoindex on;
    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php8.1-fpm.sock;
    }
    location /.well-known/acme-challenge {
        default_type text/plain;
        root /etc/letsencrypt/webroot/;
    }
    location ~ /\.ht {
        deny all;
    }
    ssl_certificate /etc/letsencrypt/live/sitebuilt.net/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/sitebuilt.net/privkey.pem; # managed by Certbot
}

nginx -t
systemctl restart nginx

navigating my browser to https://sitebuilt.net

This server could not prove that it is sitebuilt.net; its security certificate is from services.sitebuilt.net. This may be caused by a misconfiguration or an attacker intercepting your connection.

You forgot to add listen clauses after the listen for port 80. These are the ones you use for timecards

  listen 443 ssl http2;
  listen [::]:443 ssl http2;

As an aside, it is usually better to have separate server blocks for http (port 80) and for https (port 443). But, you already had them together for your other domains so in that case might be best to be consistent.

The reason for the "server could not prove" error is because you fell into the default server since there was no listen for port 443 for this domain

2 Likes
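The "fell into the default server" explanation above, worked through as an added example (not code from the thread or from nginx): a simplified model of nginx's server selection, which picks by listen port first, then by server_name against the SNI name, then the default_server for that port, then the first block defined for that port. The two config lists are constructed approximations of this server's blocks before and after `listen 443 ssl http2;` was added; the model assumes each block's certificate covers exactly its own server_name entries.

```python
from dataclasses import dataclass, field


@dataclass
class ServerBlock:
    names: list                                   # server_name entries
    ports: list                                   # ports from `listen` lines
    cert: str                                     # ssl_certificate path
    default_ports: list = field(default_factory=list)  # ports with default_server


def select_server(blocks, port, name):
    """Block nginx would pick for a connection on `port` whose SNI/Host
    name is `name`; None when nothing listens on that port."""
    on_port = [b for b in blocks if port in b.ports]
    if not on_port:
        return None
    for b in on_port:                 # 1. exact server_name match
        if name in b.names:
            return b
    for b in on_port:                 # 2. explicit default_server for the port
        if port in b.default_ports:
            return b
    return on_port[0]                 # 3. first block defined for the port


def cert_for(blocks, name, port=443):
    """Certificate presented in the TLS handshake for `name` on `port`."""
    b = select_server(blocks, port, name)
    return b.cert if b else None


def name_matches_cert(blocks, name, port=443):
    """True when the presented cert covers `name` (assumption: each block's
    cert covers exactly its own server_names); False is the browser's
    'could not prove that it is sitebuilt.net' situation."""
    b = select_server(blocks, port, name)
    return b is not None and name in b.names


SERVICES = ServerBlock(["services.sitebuilt.net"], [443],
                       "/etc/letsencrypt/live/services.sitebuilt.net/fullchain.pem")
# Constructed approximation of the thread's config: before the fix the main
# site listened on port 80 only, so port 443 fell through to SERVICES.
BEFORE = [SERVICES,
          ServerBlock(["sitebuilt.net", "www.sitebuilt.net"], [80],
                      "/etc/letsencrypt/live/sitebuilt.net/fullchain.pem", [80])]
# After adding `listen 443 ssl http2;` to the sitebuilt.net block.
AFTER = [SERVICES,
         ServerBlock(["sitebuilt.net", "www.sitebuilt.net"], [80, 443],
                     "/etc/letsencrypt/live/sitebuilt.net/fullchain.pem", [80])]
```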

Summarize the problem and SOLUTION

PROBLEM: Invalid response from http://sitebuilt.net/.well-known/acme-challenge/

After moving site(s) to different server, when using

certbot --nginx -d sitebuilt.net -d www.sitebuilt.net

Discussion

I have always needed to turn off nginx and use the following to get my node servers protected with certificates

sudo letsencrypt certonly --standalone -d services.sitebuilt.net   

Problem was

But, if you are using a mix of standalone and --nginx plug-in something odd can happen.

The --nginx plug-in has a bug when nginx is not running when certbot is started. In this case, the plug-in will start nginx directly instead of with systemd. This results in two instances of nginx which are difficult to control and which fight over the ports.

This might explain the 404 when using the plug-in

Next we tried this instead of certbot --nginx

certbot certonly --dry-run  --webroot -w /etc/letsencrypt/webroot -d sitebuilt.net  -d www.sitebuilt.net

When that succeeded we ran it again for real

certbot certonly --webroot -w /etc/letsencrypt/webroot -d sitebuilt.net  -d www.sitebuilt.net

and saw that it created a directory and files in /etc/letsencrypt/live

Finally modified by hand the default sites-enabled and ADDED..

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    listen 443 ssl http2; # ADDED THIS
    listen [::]:443 ssl http2; # ADDED THIS

    root /var/www/html;

    index index.html index.php index.htm index.nginx-debian.html;

    server_name sitebuilt.net www.sitebuilt.net;

    location / {
        try_files $uri $uri/ =404;
        autoindex on;
    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php8.1-fpm.sock;
    }
    location /.well-known/acme-challenge {
        default_type text/plain;
        root /etc/letsencrypt/webroot/;
    }
    location ~ /\.ht {
        deny all;
    }
    ssl_certificate /etc/letsencrypt/live/sitebuilt.net/fullchain.pem; # ADDED THIS
    ssl_certificate_key /etc/letsencrypt/live/sitebuilt.net/privkey.pem; # ADDED THIS
}

Great thanks to @MikeMcQ for sticking with me and guiding me through this.

1 Like

I'm glad that you were able to get a new cert.
And the modified post is better, but still not good.
The cert belongs in a separate HTTPS server block; and it must have:
listen 443 ssl http2;

That server block shown has both:
listen 80;
listen 443 ssl http2;

In short: You need two server blocks for the exact same server names.

  • One for HTTP.
  • One for HTTPS.

2 Likes
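The two-block layout recommended above, written out as an added example (not a config from the thread or from certbot): one HTTP block that serves http-01 challenges from the webroot used earlier in this thread and redirects everything else, and one HTTPS block for the same server_name carrying the certificate paths certbot printed. The document root, PHP socket and include paths are taken from the config posted in the thread.

```nginx
# HTTP: answers http-01 challenges from the webroot passed to `certbot -w`,
# sends everything else to HTTPS.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name sitebuilt.net www.sitebuilt.net;

    # /etc/letsencrypt/webroot + /.well-known/acme-challenge/<token>
    location /.well-known/acme-challenge/ {
        default_type text/plain;
        root /etc/letsencrypt/webroot;
    }
    location / {
        return 301 https://$host$request_uri;
    }
}

# HTTPS: same server_name, separate block, so a request for sitebuilt.net
# on port 443 is matched here instead of falling into the default server.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name sitebuilt.net www.sitebuilt.net;

    root /var/www/html;
    index index.html index.php index.htm index.nginx-debian.html;

    ssl_certificate     /etc/letsencrypt/live/sitebuilt.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/sitebuilt.net/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    location / {
        try_files $uri $uri/ =404;
    }
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php8.1-fpm.sock;
    }
    location ~ /\.ht {
        deny all;
    }
}
```

Run `nginx -t` before `systemctl reload nginx`; the renewal certbot scheduled only needs the port 80 block's acme-challenge location to keep working.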