Invalid response from https://www.ggc.world/.well-known/acme-challenge/

My domain is: ggc.world

I ran this command:

(base) marco@pc01:~/webMatters/acme.sh$ sudo su
[sudo] password for marco: 
root@pc01:/home/marco/webMatters/acme.sh# 
root@pc01:/home/marco/webMatters/acme.sh# D=/var/www/ggc.world/html
root@pc01:/home/marco/webMatters/acme.sh# mkdir -vp ${D}/.well-known/acme-challenge/
mkdir: created directory '/var/www/ggc.world/html/.well-known'
mkdir: created directory '/var/www/ggc.world/html/.well-known/acme-challenge/'
root@pc01:/home/marco/webMatters/acme.sh# chown -R www-data:www-data ${D}/.well-known/acme-challenge/
root@pc01:/home/marco/webMatters/acme.sh# chmod -R 0555 ${D}/.well-known/acme-challenge/
root@pc01:/home/marco/webMatters/acme.sh# mkdir -p /etc/nginx/ssl/ggc.world/
root@pc01:/home/marco/webMatters/acme.sh# cd /etc/nginx/ssl/ggc.world/
root@pc01:/etc/nginx/ssl/ggc.world# openssl dhparam -out dhparams.pem -dsaparam 4096
Generating DSA parameters, 4096 bit long prime

root@pc01:/etc/nginx/ssl/ggc.world# acme.sh --issue -d ggc.world -w /var/www/ggc.world/html -d www.ggc.world --nginx -k 2048 --force --debug

It produced this output:

[lun 10 feb 2020, 15.27.51, CET] Lets find script dir.
[lun 10 feb 2020, 15.27.51, CET] _SCRIPT_='/root/.acme.sh/acme.sh'
[lun 10 feb 2020, 15.27.51, CET] _script='/root/.acme.sh/acme.sh'
[lun 10 feb 2020, 15.27.51, CET] _script_home='/root/.acme.sh'
[lun 10 feb 2020, 15.27.51, CET] Using config home:/home/marco/webMatters/acme.sh/data/
https://github.com/acmesh-official/acme.sh
v2.8.6
[lun 10 feb 2020, 15.27.51, CET] Running cmd: issue
[lun 10 feb 2020, 15.27.51, CET] _main_domain='ggc.world'
[lun 10 feb 2020, 15.27.51, CET] _alt_domains='www.ggc.world'
[lun 10 feb 2020, 15.27.51, CET] Using config home:/home/marco/webMatters/acme.sh/data/
[lun 10 feb 2020, 15.27.51, CET] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[lun 10 feb 2020, 15.27.51, CET] DOMAIN_PATH='/home/marco/webMatters/acme.sh/data//ggc.world'
[lun 10 feb 2020, 15.27.51, CET] Using ACME_DIRECTORY: https://acme-v02.api.letsencrypt.org/directory
[lun 10 feb 2020, 15.27.51, CET] _init api for server: https://acme-v02.api.letsencrypt.org/directory
[lun 10 feb 2020, 15.27.51, CET] GET
[lun 10 feb 2020, 15.27.51, CET] url='https://acme-v02.api.letsencrypt.org/directory'
[lun 10 feb 2020, 15.27.51, CET] timeout=
[lun 10 feb 2020, 15.27.51, CET] _CURL='curl -L --silent --dump-header /home/marco/webMatters/acme.sh/data//http.header  -g '
[lun 10 feb 2020, 15.27.52, CET] ret='0'
[lun 10 feb 2020, 15.27.52, CET] ACME_KEY_CHANGE='https://acme-v02.api.letsencrypt.org/acme/key-change'
[lun 10 feb 2020, 15.27.52, CET] ACME_NEW_AUTHZ
[lun 10 feb 2020, 15.27.52, CET] ACME_NEW_ORDER='https://acme-v02.api.letsencrypt.org/acme/new-order'
[lun 10 feb 2020, 15.27.52, CET] ACME_NEW_ACCOUNT='https://acme-v02.api.letsencrypt.org/acme/new-acct'
[lun 10 feb 2020, 15.27.52, CET] ACME_REVOKE_CERT='https://acme-v02.api.letsencrypt.org/acme/revoke-cert'
[lun 10 feb 2020, 15.27.52, CET] ACME_AGREEMENT='https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf'
[lun 10 feb 2020, 15.27.52, CET] ACME_NEW_NONCE='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
[lun 10 feb 2020, 15.27.52, CET] ACME_VERSION='2'
[lun 10 feb 2020, 15.27.52, CET] Le_NextRenewTime='1586369908'
[lun 10 feb 2020, 15.27.52, CET] _on_before_issue
[lun 10 feb 2020, 15.27.52, CET] _chk_main_domain='ggc.world'
[lun 10 feb 2020, 15.27.52, CET] _chk_alt_domains='www.ggc.world'
[lun 10 feb 2020, 15.27.52, CET] Le_LocalAddress
[lun 10 feb 2020, 15.27.52, CET] d='ggc.world'
[lun 10 feb 2020, 15.27.52, CET] Check for domain='ggc.world'
[lun 10 feb 2020, 15.27.52, CET] _currentRoot='/var/www/ggc.world/html'
[lun 10 feb 2020, 15.27.52, CET] d='www.ggc.world'
[lun 10 feb 2020, 15.27.52, CET] Check for domain='www.ggc.world'
[lun 10 feb 2020, 15.27.52, CET] _currentRoot='nginx:'
[lun 10 feb 2020, 15.27.52, CET] d
[lun 10 feb 2020, 15.27.52, CET] _saved_account_key_hash is not changed, skip register account.
[lun 10 feb 2020, 15.27.52, CET] Read key length:
[lun 10 feb 2020, 15.27.52, CET] Creating domain key
[lun 10 feb 2020, 15.27.52, CET] Using config home:/home/marco/webMatters/acme.sh/data/
[lun 10 feb 2020, 15.27.52, CET] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[lun 10 feb 2020, 15.27.52, CET] Use length 2048
[lun 10 feb 2020, 15.27.52, CET] Using RSA: 2048
[lun 10 feb 2020, 15.27.52, CET] The domain key is here: /home/marco/webMatters/acme.sh/data//ggc.world/ggc.world.key
[lun 10 feb 2020, 15.27.52, CET] _createcsr
[lun 10 feb 2020, 15.27.52, CET] Multi domain='DNS:ggc.world,DNS:www.ggc.world'
[lun 10 feb 2020, 15.27.52, CET] Getting domain auth token for each domain
[lun 10 feb 2020, 15.27.52, CET] d='www.ggc.world'
[lun 10 feb 2020, 15.27.52, CET] d
[lun 10 feb 2020, 15.27.52, CET] url='https://acme-v02.api.letsencrypt.org/acme/new-order'
[lun 10 feb 2020, 15.27.52, CET] payload='{"identifiers": [{"type":"dns","value":"ggc.world"},{"type":"dns","value":"www.ggc.world"}]}'
[lun 10 feb 2020, 15.27.52, CET] RSA key
[lun 10 feb 2020, 15.27.52, CET] HEAD
[lun 10 feb 2020, 15.27.52, CET] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
[lun 10 feb 2020, 15.27.52, CET] _CURL='curl -L --silent --dump-header /home/marco/webMatters/acme.sh/data//http.header  -g  -I  '
[lun 10 feb 2020, 15.27.53, CET] _ret='0'
[lun 10 feb 2020, 15.27.53, CET] POST
[lun 10 feb 2020, 15.27.53, CET] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-order'
[lun 10 feb 2020, 15.27.53, CET] _CURL='curl -L --silent --dump-header /home/marco/webMatters/acme.sh/data//http.header  -g '
[lun 10 feb 2020, 15.27.53, CET] _ret='0'
[lun 10 feb 2020, 15.27.53, CET] code='201'
[lun 10 feb 2020, 15.27.53, CET] Le_LinkOrder='https://acme-v02.api.letsencrypt.org/acme/order/77760425/2290495455'
[lun 10 feb 2020, 15.27.54, CET] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/77760425/2290495455'
[lun 10 feb 2020, 15.27.54, CET] url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/2728308541'
[lun 10 feb 2020, 15.27.54, CET] payload
[lun 10 feb 2020, 15.27.54, CET] POST
[lun 10 feb 2020, 15.27.54, CET] _post_url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/2728308541'
[lun 10 feb 2020, 15.27.54, CET] _CURL='curl -L --silent --dump-header /home/marco/webMatters/acme.sh/data//http.header  -g '
[lun 10 feb 2020, 15.27.54, CET] _ret='0'
[lun 10 feb 2020, 15.27.54, CET] code='200'

[lun 10 feb 2020, 15.27.54, CET] url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/2743212421'
[lun 10 feb 2020, 15.27.54, CET] payload
[lun 10 feb 2020, 15.27.54, CET] POST
[lun 10 feb 2020, 15.27.54, CET] _post_url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/2743212421'
[lun 10 feb 2020, 15.27.54, CET] _CURL='curl -L --silent --dump-header /home/marco/webMatters/acme.sh/data//http.header  -g '
[lun 10 feb 2020, 15.27.55, CET] _ret='0'
[lun 10 feb 2020, 15.27.55, CET] code='200'
[lun 10 feb 2020, 15.27.55, CET] d='ggc.world'
[lun 10 feb 2020, 15.27.55, CET] Getting webroot for domain='ggc.world'
[lun 10 feb 2020, 15.27.55, CET] _w='/var/www/ggc.world/html'
[lun 10 feb 2020, 15.27.55, CET] _currentRoot='/var/www/ggc.world/html'
[lun 10 feb 2020, 15.27.55, CET] entry='"type":"http-01","status":"valid","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/2728308541/UmtAkQ","token":"qtYTtmaMHh4RPaqWLAjC98eSVHSfc8ZmdvOdWcYDr1E","validationRecord":[{"url":"http://ggc.world/.well-known/acme-challenge/qtYTtmaMHh4RPaqWLAjC98eSVHSfc8ZmdvOdWcYDr1E","hostname":"ggc.world","port":"80","addressesResolved":["2.36.58.214"],"addressUsed":"2.36.58.214"'
[lun 10 feb 2020, 15.27.55, CET] token='qtYTtmaMHh4RPaqWLAjC98eSVHSfc8ZmdvOdWcYDr1E'
[lun 10 feb 2020, 15.27.55, CET] uri='https://acme-v02.api.letsencrypt.org/acme/chall-v3/2728308541/UmtAkQ'
[lun 10 feb 2020, 15.27.55, CET] keyauthorization='qtYTtmaMHh4RPaqWLAjC98eSVHSfc8ZmdvOdWcYDr1E.3saRMlkAj4d_m20XxunO7Z9O1TWIIqp2MbT-pbsKl3c'
[lun 10 feb 2020, 15.27.55, CET] ggc.world is already verified.
[lun 10 feb 2020, 15.27.55, CET] keyauthorization='verified_ok'
[lun 10 feb 2020, 15.27.55, CET] dvlist='ggc.world#verified_ok#https://acme-v02.api.letsencrypt.org/acme/chall-v3/2728308541/UmtAkQ#http-01#/var/www/ggc.world/html'
[lun 10 feb 2020, 15.27.55, CET] d='www.ggc.world'
[lun 10 feb 2020, 15.27.55, CET] Getting webroot for domain='www.ggc.world'
[lun 10 feb 2020, 15.27.55, CET] _w='nginx:'
[lun 10 feb 2020, 15.27.55, CET] _currentRoot='nginx:'
[lun 10 feb 2020, 15.27.55, CET] entry='"type":"http-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/2743212421/qwhJ0w","token":"oZTTCdqXiiRJZsWUSArnLaJalM7x8jIV-me7yXIT-Zg"'
[lun 10 feb 2020, 15.27.55, CET] token='oZTTCdqXiiRJZsWUSArnLaJalM7x8jIV-me7yXIT-Zg'
[lun 10 feb 2020, 15.27.55, CET] uri='https://acme-v02.api.letsencrypt.org/acme/chall-v3/2743212421/qwhJ0w'
[lun 10 feb 2020, 15.27.55, CET] keyauthorization='oZTTCdqXiiRJZsWUSArnLaJalM7x8jIV-me7yXIT-Zg.3saRMlkAj4d_m20XxunO7Z9O1TWIIqp2MbT-pbsKl3c'
[lun 10 feb 2020, 15.27.55, CET] dvlist='www.ggc.world#oZTTCdqXiiRJZsWUSArnLaJalM7x8jIV-me7yXIT-Zg.3saRMlkAj4d_m20XxunO7Z9O1TWIIqp2MbT-pbsKl3c#https://acme-v02.api.letsencrypt.org/acme/chall-v3/2743212421/qwhJ0w#http-01#nginx:'
[lun 10 feb 2020, 15.27.55, CET] d
[lun 10 feb 2020, 15.27.55, CET] vlist='ggc.world#verified_ok#https://acme-v02.api.letsencrypt.org/acme/chall-v3/2728308541/UmtAkQ#http-01#/var/www/ggc.world/html,www.ggc.world#oZTTCdqXiiRJZsWUSArnLaJalM7x8jIV-me7yXIT-Zg.3saRMlkAj4d_m20XxunO7Z9O1TWIIqp2MbT-pbsKl3c#https://acme-v02.api.letsencrypt.org/acme/chall-v3/2743212421/qwhJ0w#http-01#nginx:,'
[lun 10 feb 2020, 15.27.55, CET] d='ggc.world'
[lun 10 feb 2020, 15.27.55, CET] ggc.world is already verified, skip http-01.
[lun 10 feb 2020, 15.27.55, CET] d='www.ggc.world'
[lun 10 feb 2020, 15.27.55, CET] ok, let's start to verify
[lun 10 feb 2020, 15.27.55, CET] ggc.world is already verified, skip http-01.
[lun 10 feb 2020, 15.27.55, CET] Verifying: www.ggc.world
[lun 10 feb 2020, 15.27.55, CET] d='www.ggc.world'
[lun 10 feb 2020, 15.27.55, CET] keyauthorization='oZTTCdqXiiRJZsWUSArnLaJalM7x8jIV-me7yXIT-Zg.3saRMlkAj4d_m20XxunO7Z9O1TWIIqp2MbT-pbsKl3c'
[lun 10 feb 2020, 15.27.55, CET] uri='https://acme-v02.api.letsencrypt.org/acme/chall-v3/2743212421/qwhJ0w'
[lun 10 feb 2020, 15.27.55, CET] _currentRoot='nginx:'
[lun 10 feb 2020, 15.27.55, CET] Nginx mode for domain:www.ggc.world
[lun 10 feb 2020, 15.27.55, CET] _croot='nginx:'
[lun 10 feb 2020, 15.27.55, CET] _start_f
[lun 10 feb 2020, 15.27.55, CET] find start conf from nginx command
[lun 10 feb 2020, 15.27.55, CET] NGINX_CONF='--conf-path=/etc/nginx/nginx.conf'
[lun 10 feb 2020, 15.27.55, CET] NGINX_CONF='/etc/nginx/nginx.conf'
[lun 10 feb 2020, 15.27.55, CET] Found nginx conf file:/etc/nginx/nginx.conf
[lun 10 feb 2020, 15.27.55, CET] Start detect nginx conf for www.ggc.world from:/etc/nginx/nginx.conf
[lun 10 feb 2020, 15.27.55, CET] Start _checkConf from:/etc/nginx/nginx.conf
[lun 10 feb 2020, 15.27.55, CET] single
[lun 10 feb 2020, 15.27.55, CET] _isRealNginxConf www.ggc.world /etc/nginx/nginx.conf
[lun 10 feb 2020, 15.27.55, CET] Try include files
[lun 10 feb 2020, 15.27.55, CET] check included /etc/nginx/modules-enabled/50-mod-http-geoip.conf
[lun 10 feb 2020, 15.27.55, CET] Start _checkConf from:/etc/nginx/modules-enabled/50-mod-http-geoip.conf
[lun 10 feb 2020, 15.27.55, CET] single
[lun 10 feb 2020, 15.27.55, CET] _isRealNginxConf www.ggc.world /etc/nginx/modules-enabled/50-mod-http-geoip.conf
[lun 10 feb 2020, 15.27.55, CET] check included /etc/nginx/modules-enabled/50-mod-http-image-filter.conf
[lun 10 feb 2020, 15.27.55, CET] Start _checkConf from:/etc/nginx/modules-enabled/50-mod-http-image-filter.conf
[lun 10 feb 2020, 15.27.55, CET] single
[lun 10 feb 2020, 15.27.55, CET] _isRealNginxConf www.ggc.world /etc/nginx/modules-enabled/50-mod-http-image-filter.conf
[lun 10 feb 2020, 15.27.55, CET] check included /etc/nginx/modules-enabled/50-mod-http-xslt-filter.conf
[lun 10 feb 2020, 15.27.55, CET] Start _checkConf from:/etc/nginx/modules-enabled/50-mod-http-xslt-filter.conf
[lun 10 feb 2020, 15.27.55, CET] single
[lun 10 feb 2020, 15.27.55, CET] _isRealNginxConf www.ggc.world /etc/nginx/modules-enabled/50-mod-http-xslt-filter.conf
[lun 10 feb 2020, 15.27.55, CET] check included /etc/nginx/modules-enabled/50-mod-mail.conf
[lun 10 feb 2020, 15.27.55, CET] Start _checkConf from:/etc/nginx/modules-enabled/50-mod-mail.conf
[lun 10 feb 2020, 15.27.55, CET] single
[lun 10 feb 2020, 15.27.55, CET] _isRealNginxConf www.ggc.world /etc/nginx/modules-enabled/50-mod-mail.conf
[lun 10 feb 2020, 15.27.55, CET] check included /etc/nginx/modules-enabled/50-mod-stream.conf
[lun 10 feb 2020, 15.27.55, CET] Start _checkConf from:/etc/nginx/modules-enabled/50-mod-stream.conf
[lun 10 feb 2020, 15.27.55, CET] single
[lun 10 feb 2020, 15.27.55, CET] _isRealNginxConf www.ggc.world /etc/nginx/modules-enabled/50-mod-stream.conf
[lun 10 feb 2020, 15.27.55, CET] check included /etc/nginx/mime.types
[lun 10 feb 2020, 15.27.55, CET] Start _checkConf from:/etc/nginx/mime.types
[lun 10 feb 2020, 15.27.55, CET] single
[lun 10 feb 2020, 15.27.55, CET] _isRealNginxConf www.ggc.world /etc/nginx/mime.types
[lun 10 feb 2020, 15.27.55, CET] check included /etc/nginx/conf.d/default.conf
[lun 10 feb 2020, 15.27.55, CET] Start _checkConf from:/etc/nginx/conf.d/default.conf
[lun 10 feb 2020, 15.27.55, CET] single
[lun 10 feb 2020, 15.27.55, CET] _isRealNginxConf www.ggc.world /etc/nginx/conf.d/default.conf
[lun 10 feb 2020, 15.27.55, CET] _fln='3'
[lun 10 feb 2020, 15.27.55, CET] _start='1:server {'
[lun 10 feb 2020, 15.27.55, CET] _start_n='1'
[lun 10 feb 2020, 15.27.55, CET] _start_nn='2'
[lun 10 feb 2020, 15.27.55, CET] _end='27:server {'
[lun 10 feb 2020, 15.27.55, CET] _end_n='27'
[lun 10 feb 2020, 15.27.55, CET] _seg_n='    listen 443 ssl http2 default_server;
    server_name ggc.world www.ggc.world;

    ssl_certificate_key /etc/nginx/ssl/ggc.world/ggc.world.key;
    ssl_certificate /etc/nginx/ssl/ggc.world/ggc.world.cer;

    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:50m;
    #ssl_stapling on;
    #ssl_stapling_verify on;

    access_log /var/log/nginx/ggcworld-access.log combined;

    add_header Strict-Transport-Security "max-age=31536000";
    location = /favicon.ico { access_log off; log_not_found off; }
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

server {'
[lun 10 feb 2020, 15.27.55, CET] ssl on, skip
[lun 10 feb 2020, 15.27.55, CET] _fln='32'
[lun 10 feb 2020, 15.27.55, CET] _start='28:server {'
[lun 10 feb 2020, 15.27.55, CET] _start_n='28'
[lun 10 feb 2020, 15.27.55, CET] _start_nn='29'
[lun 10 feb 2020, 15.27.55, CET] _end
[lun 10 feb 2020, 15.27.55, CET] _seg_n='    listen 80 default_server;
    listen [::]:80 default_server;
    error_page 497 https://$host:$server_port$request_uri;
     server_name www.ggc.world;
    return 301 https://$server_name$request_uri;

    access_log /var/log/nginx/ggcworld-access.log combined;

    add_header Strict-Transport-Security "max-age=31536000";
    location = /favicon.ico { access_log off; log_not_found off; }
location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

# https://www.nginx.com/blog/nginx-nodejs-websockets-socketio/
# https://gist.github.com/uorat/10b15a32f3ffa3f240662b9b0fefe706 
# http://nginx.org/en/docs/stream/ngx_stream_core_module.html

#upstream websocket {
 #    ip_hash;
#    server localhost:3000;
#}

#server {
#    listen       81;
#    server_name  ggc.world www.ggc.world;

    #location / {
#    location ~ ^/(websocket|websocket\/socket-io) {
#        proxy_pass http://127.0.0.1:4201;
#        proxy_http_version 1.1;
#        proxy_set_header Upgrade $http_upgrade;
#        proxy_set_header Connection "upgrade";
#        proxy_set_header X-Forwared-For $remote_addr;
#        proxy_set_header Host $host;

#        proxy_redirect off;
#        proxy_set_header X-Real-IP $remote_addr;
#    }

#}
# https://stackoverflow.com/questions/40516288/webpack-dev-server-with-nginx-proxy-pass'
[lun 10 feb 2020, 15.27.55, CET] /etc/nginx/conf.d/default.conf is found.
[lun 10 feb 2020, 15.27.55, CET] Found conf file: /etc/nginx/conf.d/default.conf
[lun 10 feb 2020, 15.27.55, CET] _ln='32'
[lun 10 feb 2020, 15.27.55, CET] _lnn='33'
[lun 10 feb 2020, 15.27.55, CET] _start_tag='    return 301 https://$server_name$request_uri;'
[lun 10 feb 2020, 15.27.55, CET] _backup_conf='/home/marco/webMatters/acme.sh/data//ggc.world/backup/www.ggc.world.nginx.conf'
[lun 10 feb 2020, 15.27.55, CET] Backup /etc/nginx/conf.d/default.conf to /home/marco/webMatters/acme.sh/data//ggc.world/backup/www.ggc.world.nginx.conf
[lun 10 feb 2020, 15.27.55, CET] Check the nginx conf before setting up.
[lun 10 feb 2020, 15.27.55, CET] OK, Set up nginx config file
[lun 10 feb 2020, 15.27.55, CET] nginx conf is done, let's check it again.
[lun 10 feb 2020, 15.27.55, CET] Reload nginx
[lun 10 feb 2020, 15.27.55, CET] _realConf='/etc/nginx/conf.d/default.conf'
[lun 10 feb 2020, 15.27.57, CET] url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/2743212421/qwhJ0w'
[lun 10 feb 2020, 15.27.57, CET] payload='{}'
[lun 10 feb 2020, 15.27.57, CET] POST
[lun 10 feb 2020, 15.27.57, CET] _post_url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/2743212421/qwhJ0w'
[lun 10 feb 2020, 15.27.57, CET] _CURL='curl -L --silent --dump-header /home/marco/webMatters/acme.sh/data//http.header  -g '
[lun 10 feb 2020, 15.27.58, CET] _ret='0'
[lun 10 feb 2020, 15.27.58, CET] code='200'
[lun 10 feb 2020, 15.27.58, CET] trigger validation code: 200
[lun 10 feb 2020, 15.27.58, CET] sleep 2 secs to verify
[lun 10 feb 2020, 15.28.00, CET] checking
[lun 10 feb 2020, 15.28.00, CET] url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/2743212421/qwhJ0w'
[lun 10 feb 2020, 15.28.00, CET] payload
[lun 10 feb 2020, 15.28.00, CET] POST
[lun 10 feb 2020, 15.28.00, CET] _post_url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/2743212421/qwhJ0w'
[lun 10 feb 2020, 15.28.00, CET] _CURL='curl -L --silent --dump-header /home/marco/webMatters/acme.sh/data//http.header  -g '
[lun 10 feb 2020, 15.28.01, CET] _ret='0'
[lun 10 feb 2020, 15.28.01, CET] code='200'
[lun 10 feb 2020, 15.28.01, CET] www.ggc.world:Verify error:Invalid response from https://www.ggc.world/.well-known/acme-challenge/oZTTCdqXiiRJZsWUSArnLaJalM7x8jIV-me7yXIT-Zg [2.36.58.214]: 
[lun 10 feb 2020, 15.28.01, CET] Debug: get token url.
[lun 10 feb 2020, 15.28.01, CET] GET
[lun 10 feb 2020, 15.28.01, CET] url='http://www.ggc.world/.well-known/acme-challenge/oZTTCdqXiiRJZsWUSArnLaJalM7x8jIV-me7yXIT-Zg'
[lun 10 feb 2020, 15.28.01, CET] timeout=1
[lun 10 feb 2020, 15.28.01, CET] _CURL='curl -L --silent --dump-header /home/marco/webMatters/acme.sh/data//http.header  -g  --connect-timeout 1'
[lun 10 feb 2020, 15.28.02, CET] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 28
[lun 10 feb 2020, 15.28.02, CET] ret='28'
[lun 10 feb 2020, 15.28.02, CET] Skip for removelevel:
[lun 10 feb 2020, 15.28.02, CET] pid
[lun 10 feb 2020, 15.28.02, CET] _restoreNginx
[lun 10 feb 2020, 15.28.02, CET] NGINX_RESTORE_VLIST='www.ggc.world#/etc/nginx/conf.d/default.conf#/home/marco/webMatters/acme.sh/data//ggc.world/backup/www.ggc.world.nginx.conf,'
[lun 10 feb 2020, 15.28.02, CET] ng_entry='www.ggc.world#/etc/nginx/conf.d/default.conf#/home/marco/webMatters/acme.sh/data//ggc.world/backup/www.ggc.world.nginx.conf'
[lun 10 feb 2020, 15.28.02, CET] Restoring from /home/marco/webMatters/acme.sh/data//ggc.world/backup/www.ggc.world.nginx.conf to /etc/nginx/conf.d/default.conf
[lun 10 feb 2020, 15.28.02, CET] Reload nginx
[lun 10 feb 2020, 15.28.02, CET] _clearupdns
[lun 10 feb 2020, 15.28.02, CET] dns_entries
[lun 10 feb 2020, 15.28.02, CET] skip dns.
[lun 10 feb 2020, 15.28.02, CET] _on_issue_err
[lun 10 feb 2020, 15.28.02, CET] Please add '--debug' or '--log' to check more details.
[lun 10 feb 2020, 15.28.02, CET] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
[lun 10 feb 2020, 15.28.02, CET] url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/2728308541/UmtAkQ'
[lun 10 feb 2020, 15.28.02, CET] payload='{}'
[lun 10 feb 2020, 15.28.02, CET] POST
[lun 10 feb 2020, 15.28.02, CET] _post_url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/2728308541/UmtAkQ'
[lun 10 feb 2020, 15.28.02, CET] _CURL='curl -L --silent --dump-header /home/marco/webMatters/acme.sh/data//http.header  -g '
[lun 10 feb 2020, 15.28.03, CET] _ret='0'
[lun 10 feb 2020, 15.28.03, CET] code='200'
[lun 10 feb 2020, 15.28.03, CET] url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/2743212421/qwhJ0w'
[lun 10 feb 2020, 15.28.03, CET] payload='{}'
[lun 10 feb 2020, 15.28.03, CET] POST
[lun 10 feb 2020, 15.28.03, CET] _post_url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/2743212421/qwhJ0w'
[lun 10 feb 2020, 15.28.03, CET] _CURL='curl -L --silent --dump-header /home/marco/webMatters/acme.sh/data//http.header  -g '
[lun 10 feb 2020, 15.28.04, CET] _ret='0'
[lun 10 feb 2020, 15.28.04, CET] code='400'
[lun 10 feb 2020, 15.28.04, CET] socat doesn't exists.
[lun 10 feb 2020, 15.28.04, CET] Diagnosis versions: 
openssl:openssl
OpenSSL 1.1.1  11 Sep 2018
apache:
apache doesn't exists.
nginx:
nginx version: nginx/1.14.0 (Ubuntu)
built with OpenSSL 1.1.1  11 Sep 2018
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fdebug-prefix-map=/build/nginx-GkiujU/nginx-1.14.0=. -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -fPIC' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_geoip_module=dynamic --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module=dynamic --with-http_sub_module --with-http_xslt_module=dynamic --with-stream=dynamic --with-stream_ssl_module --with-mail=dynamic --with-mail_ssl_module
socat:

My web server is (include version): nginx version: nginx/1.14.0 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 18.04.4 Desktop

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): I’m using acme.sh as client

2 Likes

The -w parameter used must match the root used.
Please show the matching vhost config(s).
[both http and https - and also for both names, if configured separately]

1 Like
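
Added example (not part of the thread and not acme.sh code): a small static check of the point above, that the directory given to -w has to be the one nginx actually serves for /.well-known/acme-challenge/. It traces the challenge URL through server blocks like those in the debug log. POSTED_CONF is trimmed from that log; WEBROOT_CONF and the probe token are assumptions, and the parser ignores includes, regex locations, alias and wildcard server names.

```python
import re

CHALLENGE_URI = "/.well-known/acme-challenge/probe-token"  # constructed token

# Constructed sample: the two server blocks from the debug log, trimmed.
POSTED_CONF = """
server {
    listen 443 ssl http2 default_server;
    server_name ggc.world www.ggc.world;
    location / { proxy_pass http://127.0.0.1:8080; }
}
server {
    listen 80 default_server;
    server_name www.ggc.world;
    return 301 https://$server_name$request_uri;
    location / { proxy_pass http://127.0.0.1:8080; }
}
"""

# Assumed layout (not from the thread): challenge path served from the webroot.
WEBROOT_CONF = """
server {
    listen 80 default_server;
    server_name ggc.world www.ggc.world;
    location ^~ /.well-known/acme-challenge/ { root /var/www/ggc.world/html; }
    location / { return 301 https://$host$request_uri; }
}
"""

def tokenize(text):
    text = re.sub(r"#[^\n]*", "", text)  # drop comments
    return re.findall(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};]+', text)

def parse(tokens, pos=0):
    """Return (directives, next_pos); a directive is (name, args, children-or-None)."""
    out, words = [], []
    while pos < len(tokens):
        tok, pos = tokens[pos], pos + 1
        if tok == "}":
            break
        if tok in ("{", ";"):
            children = None
            if tok == "{":
                children, pos = parse(tokens, pos)
            if words:
                out.append((words[0], words[1:], children))
            words = []
        else:
            words.append(tok)
    return out, pos

def pick_server(servers, host, port):
    """Exact server_name match, else default_server, else first listener on the port."""
    cands = []
    for srv in servers:
        listens = [a for n, a, _ in srv
                   if n == "listen" and a and a[0].rsplit(":", 1)[-1] == str(port)]
        names = [x for n, a, _ in srv if n == "server_name" for x in a]
        if listens:
            is_default = any("default_server" in a for a in listens)
            cands.append((0 if host in names else 1 if is_default else 2, srv))
    cands.sort(key=lambda c: c[0])  # stable sort keeps file order within a rank
    return cands[0][1] if cands else None

def handle(server, uri):
    """Classify the response as ('return'|'proxy'|'static'|'none', detail)."""
    scope = {n: a for n, a, c in server if c is None}
    best, best_len = None, -1
    for n, a, c in server:
        if n != "location" or c is None or not a or a[0] in ("~", "~*"):
            continue  # regex locations are not evaluated here
        exact, prefix = a[0] == "=", a[-1]
        if exact and prefix == uri:
            best = c
            break
        if not exact and uri.startswith(prefix) and len(prefix) > best_len:
            best, best_len = c, len(prefix)
    if "return" not in scope and best is not None:  # server-level return wins
        scope.update({n: a for n, a, c in best if c is None})
    for kind in ("return", "proxy_pass"):
        if kind in scope:
            return kind.split("_")[0], " ".join(scope[kind])
    if "root" in scope:
        return "static", scope["root"][0].rstrip("/") + uri
    return "none", ""

def challenge_route(conf, host, webroot):
    """Trace the challenge request from port 80; ok means it is read from webroot."""
    servers = [c for n, _, c in parse(tokenize(conf))[0] if n == "server" and c]
    port, hops = 80, []
    while len(hops) < 3:
        srv = pick_server(servers, host, port)
        kind, detail = handle(srv, CHALLENGE_URI) if srv else ("no-server", "")
        hops.append((port, kind, detail))
        if not (kind == "return" and port == 80 and re.match(r"30[1278]\s+https://", detail)):
            break
        port = 443  # the validator follows the redirect to HTTPS
    ok = hops[-1][1:] == ("static", webroot.rstrip("/") + CHALLENGE_URI)
    return ok, hops
```

For the posted blocks, `challenge_route(POSTED_CONF, "www.ggc.world", "/var/www/ggc.world/html")` ends at the proxy on 127.0.0.1:8080 rather than at a file under the -w directory.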

This is the complete log: CompleteIssueLog.txt (54.2 KB)

sudo nano /etc/nginx/conf.d/default.conf :

server {
    listen 443 ssl http2 default_server;
    server_name www.ggc.world ggc.world;

    ssl_certificate_key /etc/nginx/ssl/ggc.world/ggc.world.key;
    ssl_certificate /etc/nginx/ssl/ggc.world/ggc.world.cer;

    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:50m;
    #ssl_stapling on;
    #ssl_stapling_verify on;

    access_log /var/log/nginx/ggcworld-access.log combined;

    add_header Strict-Transport-Security "max-age=31536000";
    location = /favicon.ico { access_log off; log_not_found off; }
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    error_page 497 https://$host:$server_port$request_uri;
    server_name www.ggc.world;
    return 301 https://$server_name$request_uri;

    access_log /var/log/nginx/ggcworld-access.log combined;

    add_header Strict-Transport-Security "max-age=31536000";
    location = /favicon.ico { access_log off; log_not_found off; }
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

upstream websocket {
    ip_hash;
    server localhost:3000;
}

server {
    listen       81;
    server_name  www.ggc.world ggc.world;

    #location / {
    location ~ ^/(websocket|websocket\/socket-io) {
        proxy_pass http://127.0.0.1:4201;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Forwared-For $remote_addr;
        proxy_set_header Host $host;

        proxy_redirect off;
        proxy_set_header X-Real-IP $remote_addr;
    }
}


(base) marco@pc01:~$ ls -lah /etc/nginx/sites-available/
total 16K
drwxr-xr-x  2 root root 4,0K feb 10 16:58 .
drwxr-xr-x 10 root root 4,0K feb 10 17:18 ..
-rw-r--r--  1 root root 3,6K feb 10 16:57 default
-rw-r--r--  1 root root  283 feb 10 09:14 example.com
(base) marco@pc01:~$ ls -lah /etc/nginx/sites-enabled/
total 8,0K
drwxr-xr-x  2 root root 4,0K feb 10 17:43 .
drwxr-xr-x 10 root root 4,0K feb 10 17:18 ..
lrwxrwxrwx  1 root root   38 feb 10 17:42 example.com -> /etc/nginx/sites-available/example.com

sudo nano /etc/nginx/sites-available/example.com :

server {
        listen 80;
        listen [::]:80;

        root /var/www/example.com/html;
        index index.html index.htm index.nginx-debian.html;

        server_name example.com www.example.com;

        location / {
                try_files $uri $uri/ =404;
        }
}
1 Like

I’m going to restart from scratch… and I will report the result here.
Thank you for helping.

This seems irregular and potentially problematic:
[notice the double slash]

[lun 10 feb 2020, 17.55.49, CET] _currentRoot='/var/www/ggc.world/html/'
[lun 10 feb 2020, 17.55.49, CET] wellknown_path='/var/www/ggc.world/html//.well-known/acme-challenge'
1 Like

@rg305

To start from scratch, I temporarily moved the /etc/nginx/conf.d/default.conf file to a subdirectory, and used /etc/nginx/sites-available/default instead:

/etc/nginx/sites-available/default :

server {
    listen 443;
    server_name ggc.world;
    ssl on;
    ssl_certificate_key /etc/nginx/ssl/ggc.world/ggc.world.key;
    ssl_certificate /etc/nginx/ssl/ggc.world/ggc.world.cer;
    ssl_session_timeout 30m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers  
    ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
    ssl_session_cache shared:SSL:10m;
    ssl_dhparam /etc/nginx/ssl/ggc.world/dhparams.pem;
    ssl_prefer_server_ciphers on;

    ## Improves TTFB by using a smaller SSL buffer than the nginx default
    ssl_buffer_size 8k;

    ## Enables OCSP stapling
    ssl_stapling on;
    resolver 8.8.8.8;
    ssl_stapling_verify on;

    ## Send header to tell the browser to prefer https to http traffic
    add_header Strict-Transport-Security max-age=31536000;

    ## SSL logs ##
    access_log /var/log/nginx/ggc.world/ssl_access.log;
    error_log /var/log/nginx/ggc.world/ssl_error.log;
    #-------- END SSL config -------##

    # Let's Encrypt webroot
    include includes/letsencrypt-webroot;
    root /var/www/ggc.world/html;

    # Add index.php to the list if you are using PHP
    index index.html index.htm index.nginx-debian.html;
    server_name _;

    location / {
            # First attempt to serve request as file, then
            # as directory, then fall back to displaying a 404.
            try_files $uri $uri/ =404;
    }
}

I then reloaded and re-started nginx server:

(base) marco@pc01:~$ sudo systemctl reload nginx
(base) marco@pc01:~$ sudo systemctl start nginx
(base) marco@pc01:~$ sudo systemctl status nginx
● nginx.service - A high performance web server and a reverse proxy server
   Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
   Active: active (running) since Mon 2020-02-10 17:43:40 CET; 1h 11min ago
     Docs: man:nginx(8)
  Process: 11718 ExecReload=/usr/sbin/nginx -g daemon on; master_process on; -s reload (code=exited, status=0/SUCCESS)
  Process: 992 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
  Process: 974 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
 Main PID: 995 (nginx)
    Tasks: 9 (limit: 4915)
   CGroup: /system.slice/nginx.service
           ├─  995 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
           ├─11719 nginx: worker process
           ├─11720 nginx: worker process
           ├─11722 nginx: worker process
           ├─11723 nginx: worker process
           ├─11725 nginx: worker process
           ├─11726 nginx: worker process
           ├─11727 nginx: worker process
           └─11728 nginx: worker process

feb 10 17:44:26 pc01 systemd[1]: Reloading A high performance web server and a reverse proxy server.
feb 10 17:44:26 pc01 systemd[1]: Reloaded A high performance web server and a reverse proxy server.
feb 10 17:54:07 pc01 systemd[1]: Reloading A high performance web server and a reverse proxy server.
feb 10 17:54:07 pc01 systemd[1]: Reloaded A high performance web server and a reverse proxy server.
feb 10 18:36:08 pc01 systemd[1]: Reloading A high performance web server and a reverse proxy server.
feb 10 18:36:09 pc01 systemd[1]: Reloaded A high performance web server and a reverse proxy server.
feb 10 18:42:12 pc01 systemd[1]: Reloading A high performance web server and a reverse proxy server.
feb 10 18:42:12 pc01 systemd[1]: Reloaded A high performance web server and a reverse proxy server.
feb 10 18:54:44 pc01 systemd[1]: Reloading A high performance web server and a reverse proxy server.
feb 10 18:54:45 pc01 systemd[1]: Reloaded A high performance web server and a reverse proxy server.
(base) marco@pc01:~$ sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

But when trying to issue the certificate, I get the error: “Failed to connect to host”.
This is the complete log: FailedToConnectToHost-CompleteLog.txt (53.2 KB)

1 Like

Your log is riddled with double slashes:

[lun 10 feb 2020, 19.00.01, CET] DOMAIN_PATH='/home/marco/webMatters/acme.sh/data//www.ggc.world'
[lun 10 feb 2020, 19.00.01, CET] _CURL='curl -L --silent --dump-header /home/marco/webMatters/acme.sh/data//http.header  --trace-ascii /tmp/tmp.r8BrsBdjnJ  -g '
[lun 10 feb 2020, 19.00.02, CET] csrkey='/home/marco/webMatters/acme.sh/data//www.ggc.world/www.ggc.world.key'
[lun 10 feb 2020, 19.00.02, CET] csr='/home/marco/webMatters/acme.sh/data//www.ggc.world/www.ggc.world.csr'
[lun 10 feb 2020, 19.00.02, CET] csrconf='/home/marco/webMatters/acme.sh/data//www.ggc.world/www.ggc.world.csr.conf'
[lun 10 feb 2020, 19.00.02, CET] _CURL='curl -L --silent --dump-header /home/marco/webMatters/acme.sh/data//http.header  --trace-ascii /tmp/tmp.drCgYJsjTg  -g  -I  '
[lun 10 feb 2020, 19.00.03, CET] _CURL='curl -L --silent --dump-header /home/marco/webMatters/acme.sh/data//http.header  --trace-ascii /tmp/tmp.drCgYJsjTg  -g '
[lun 10 feb 2020, 19.00.04, CET] Use cached jwk for file: /home/marco/webMatters/acme.sh/data//ca/acme-v02.api.letsencrypt.org/account.key
[lun 10 feb 2020, 19.00.04, CET] _CURL='curl -L --silent --dump-header /home/marco/webMatters/acme.sh/data//http.header  --trace-ascii /tmp/tmp.drCgYJsjTg  -g '
[lun 10 feb 2020, 19.00.05, CET] Use cached jwk for file: /home/marco/webMatters/acme.sh/data//ca/acme-v02.api.letsencrypt.org/account.key
[lun 10 feb 2020, 19.00.05, CET] _CURL='curl -L --silent --dump-header /home/marco/webMatters/acme.sh/data//http.header  --trace-ascii /tmp/tmp.drCgYJsjTg  -g '
[lun 10 feb 2020, 19.00.06, CET] wellknown_path='/var/www/ggc.world/html//.well-known/acme-challenge'
[lun 10 feb 2020, 19.00.06, CET] writing token:cIEzXKpE3ou3btnE03TLcGK4evElREwClfEq28MHInU to /var/www/ggc.world/html//.well-known/acme-challenge/cIEzXKpE3ou3btnE03TLcGK4evElREwClfEq28MHInU
[lun 10 feb 2020, 19.00.06, CET] Use cached jwk for file: /home/marco/webMatters/acme.sh/data//ca/acme-v02.api.letsencrypt.org/account.key
[lun 10 feb 2020, 19.00.06, CET] _CURL='curl -L --silent --dump-header /home/marco/webMatters/acme.sh/data//http.header  --trace-ascii /tmp/tmp.drCgYJsjTg  -g '
[lun 10 feb 2020, 19.00.10, CET] Use cached jwk for file: /home/marco/webMatters/acme.sh/data//ca/acme-v02.api.letsencrypt.org/account.key
[lun 10 feb 2020, 19.00.10, CET] _CURL='curl -L --silent --dump-header /home/marco/webMatters/acme.sh/data//http.header  --trace-ascii /tmp/tmp.drCgYJsjTg  -g '
[lun 10 feb 2020, 19.00.12, CET] _CURL='curl -L --silent --dump-header /home/marco/webMatters/acme.sh/data//http.header  --trace-ascii /tmp/tmp.drCgYJsjTg  -g  --connect-timeout 1'
[lun 10 feb 2020, 19.00.12, CET] Debugging, skip removing: /var/www/ggc.world/html//.well-known/acme-challenge/cIEzXKpE3ou3btnE03TLcGK4evElREwClfEq28MHInU
[lun 10 feb 2020, 19.00.12, CET] Use cached jwk for file: /home/marco/webMatters/acme.sh/data//ca/acme-v02.api.letsencrypt.org/account.key
[lun 10 feb 2020, 19.00.12, CET] _CURL='curl -L --silent --dump-header /home/marco/webMatters/acme.sh/data//http.header  --trace-ascii /tmp/tmp.drCgYJsjTg  -g '
[lun 10 feb 2020, 19.00.14, CET] Use cached jwk for file: /home/marco/webMatters/acme.sh/data//ca/acme-v02.api.letsencrypt.org/account.key
[lun 10 feb 2020, 19.00.14, CET] _CURL='curl -L --silent --dump-header /home/marco/webMatters/acme.sh/data//http.header  --trace-ascii /tmp/tmp.drCgYJsjTg  -g  -I  '
[lun 10 feb 2020, 19.00.15, CET] _CURL='curl -L --silent --dump-header /home/marco/webMatters/acme.sh/data//http.header  --trace-ascii /tmp/tmp.drCgYJsjTg  -g '

Yes. I think it’s better if I remove the acme.sh directory, and start again from the very very beginning.
I do not understand where these double slashes could come from.

After removing all the previous directories, git cloning and installing acme.sh, and following these steps https://www.cyberciti.biz/faq/how-to-configure-nginx-with-free-lets-encrypt-ssl-certificate-on-debian-or-ubuntu-linux/ to issue the certificate, I still get the error “Failed to connect to host or proxy”. This is the complete log: RestartingFromScratch.txt (58.0 KB)

The problem seems to start from the _currentRoot definition:

[lun 10 feb 2020, 20.25.50, CET] _currentRoot='/var/www/ggc.world/'
[lun 10 feb 2020, 20.25.50, CET] wellknown_path='/var/www/ggc.world//.well-known/acme-challenge'

Where is that defined?

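The doubled slash discussed above, reproduced as an added example (not acme.sh code and not from any poster): joining a directory that ends in `/` with another `/`, as the `_currentRoot` and `wellknown_path` log values suggest, gives `//`, and on a POSIX filesystem both spellings name the same file. The join rule, the function names and the temp-dir contents are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example, not acme.sh code. Paths under a temp dir are constructed for the demo.

# Join a webroot and the challenge directory with a literal "/", which is what
# the _currentRoot / wellknown_path pair in the log implies (assumption).
join_wellknown() {
    printf '%s/.well-known/acme-challenge\n' "$1"
}

# Drop trailing slashes from a directory argument, keeping a lone "/" intact.
strip_trailing_slashes() {
    p=$1
    while [ "$p" != "/" ] && [ "${p%/}" != "$p" ]; do
        p=${p%/}
    done
    printf '%s\n' "$p"
}

# Inode number of a path: equal inodes on one filesystem mean the same file.
inode_of() {
    ls -di -- "$1" | awk '{print $1}'
}

# Write a token through the doubled path, read it back through the clean one.
# Prints "same" when both spellings resolve to one file, "different" otherwise.
compare_spellings() {
    tmp=$(mktemp -d) || return 1
    webroot="$tmp/html/"                      # trailing slash, as in the log
    doubled=$(join_wellknown "$webroot")
    clean=$(join_wellknown "$(strip_trailing_slashes "$webroot")")
    mkdir -p "$clean"
    printf 'constructed-key-authorization' > "$doubled/constructed-token"
    if [ "$(inode_of "$doubled/constructed-token")" = "$(inode_of "$clean/constructed-token")" ]; then
        result=same
    else
        result=different
    fi
    rm -rf "$tmp"
    printf '%s\n' "$result"
}

join_wellknown '/var/www/ggc.world/'                              # value from the log
join_wellknown "$(strip_trailing_slashes '/var/www/ggc.world/')"  # no doubled slash
compare_spellings
```
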

This is changing the subject, but:

I’m not sure if it’s insecure or not, but it’s unusual to use -dsaparam.

Someone is probably following a somewhat old tutorial…

Since then:

  1. Ciphers requiring DH primes being “difficult” to implement successfully across a varied client base have been removed from most cipher lists.
  2. RSA based ciphers have been all but replaced with ECDSA based ciphers (for various reasons).
    [not to be confused with the DSAparam mentioned above]

My bet is:
The creation of the DHparams.pem file is probably just a red herring as it might not actually be used.
[hard to say with any certainty as :9000 is currently closed to Internet access]

@mnordhoff I opened a new Help Request: Failed to connect to host for acme-challenge

Thank you for your kind help.
Marco
