Invalid response from...on nginx

Hello,

I’m trying to generate an SSL certificate by running “certbot --nginx”.

My domain is: geotechnicengineering.com

I ran this command: certbot --nginx
It produced this output:

Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter ‘c’ to cancel): 19
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for geotechnicengineering.com
Waiting for verification…
Challenge failed for domain geotechnicengineering.com
http-01 challenge for geotechnicengineering.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

My web server is (include version): nginx 1.19.0

The operating system my web server runs on is (include version): Centos 7

I can login to a root shell on my machine (yes or no, or I don’t know): Yes
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 1.5.0

The following is the content of letsencrypt.log:

2020-07-02 10:50:20,744:DEBUG:certbot._internal.main:certbot version: 1.5.0
2020-07-02 10:50:20,744:DEBUG:certbot._internal.main:Arguments: ['--nginx']
2020-07-02 10:50:20,744:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2020-07-02 10:50:20,780:DEBUG:certbot._internal.log:Root logging level set at 20
2020-07-02 10:50:20,780:INFO:certbot._internal.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2020-07-02 10:50:20,793:DEBUG:certbot._internal.plugins.selection:Requested authenticator nginx and installer nginx
2020-07-02 10:50:29,977:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * nginx
Description: Nginx Web Server plugin
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: nginx = certbot_nginx._internal.configurator:NginxConfigurator
Initialized: <certbot_nginx._internal.configurator.NginxConfigurator object at 0x7f37fac06a90>
Prep: True
2020-07-02 10:50:29,982:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot_nginx._internal.configurator.NginxConfigurator object at 0x7f37fac06a90> and installer <certbot_nginx._internal.configurator.NginxConfigurator object at 0x7f37fac06a90>
2020-07-02 10:50:29,983:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator nginx, Installer nginx
2020-07-02 10:50:30,048:DEBUG:certbot._internal.main:Picked account: <Account(RegistrationResource(body=Registration(status=None, terms_of_service_agreed=None, agreement=None, only_return_existing=None, contact=(), key=None, external_account_binding=None), uri=u'https://acme-v02.api.letsencrypt.org/acme/acct/80138672', new_authzr_uri=None, terms_of_service=None), 96ce2b03f21fd24c873fd74c69b88be3, Meta(creation_host=u'WEB', creation_dt=datetime.datetime(2020, 3, 9, 13, 30, 24, tzinfo=<UTC>)))>
2020-07-02 10:50:30,052:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2020-07-02 10:50:30,074:INFO:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
2020-07-02 10:50:30,669:DEBUG:urllib3.connectionpool:"GET /directory HTTP/1.1" 200 658
2020-07-02 10:50:30,670:DEBUG:acme.client:Received response:
HTTP 200
content-length: 658
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
cache-control: public, max-age=0, no-cache
date: Thu, 02 Jul 2020 08:50:30 GMT
x-frame-options: DENY
content-type: application/json

{
  "69nfqKVutew": "Adding random entries to the directory",
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}
2020-07-02 10:50:30,772:DEBUG:certbot.util:Not suggesting name “localhost”
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/certbot/util.py", line 278, in get_filtered_names
    filtered_names.add(enforce_le_validity(name))
  File "/usr/lib/python2.7/site-packages/certbot/util.py", line 465, in enforce_le_validity
    "{0} needs at least two labels".format(domain))
ConfigurationError: localhost needs at least two labels
2020-07-02 10:50:35,070:INFO:certbot._internal.main:Obtaining a new certificate
2020-07-02 10:50:35,211:DEBUG:certbot.crypto_util:Generating key (2048 bits): /etc/letsencrypt/keys/0179_key-certbot.pem
2020-07-02 10:50:35,220:DEBUG:certbot.crypto_util:Creating CSR: /etc/letsencrypt/csr/0179_csr-certbot.pem
2020-07-02 10:50:35,221:DEBUG:acme.client:Requesting fresh nonce
2020-07-02 10:50:35,221:DEBUG:acme.client:Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce.
2020-07-02 10:50:35,368:DEBUG:urllib3.connectionpool:"HEAD /acme/new-nonce HTTP/1.1" 200 0
2020-07-02 10:50:35,369:DEBUG:acme.client:Received response:
HTTP 200
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
cache-control: public, max-age=0, no-cache
date: Thu, 02 Jul 2020 08:50:35 GMT
x-frame-options: DENY
replay-nonce: 0101O2M7bJXp7wV8SauwNs5PNmSXNLr5YNK4sFVM0a40NCE

2020-07-02 10:50:35,369:DEBUG:acme.client:Storing nonce: 0101O2M7bJXp7wV8SauwNs5PNmSXNLr5YNK4sFVM0a40NCE
2020-07-02 10:50:35,370:DEBUG:acme.client:JWS payload:
{
  "identifiers": [
    {
      "type": "dns",
      "value": "geotechnicengineering.com"
    }
  ]
}
2020-07-02 10:50:35,373:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/new-order:
{
  "protected": "eyJub25jZSI6ICIwMTAxTzJNN2JKWHA3d1Y4U2F1d05zNVBObVNYTkxyNVlOSzRzRlZNMGE0ME5DRSIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvbmV3LW9yZGVyIiwgImtpZCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hY2N0LzgwMTM4NjcyIiwgImFsZyI6ICJSUzI1NiJ9",
  "payload": "ewogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwgCiAgICAgICJ2YWx1ZSI6ICJnZW90ZWNobmljZW5naW5lZXJpbmcuY29tIgogICAgfQogIF0KfQ",
  "signature": "m-XRKoYFEZdiV67TmPNoh30IdGw45c3DwvkYspfByCKVxBCSKkuFHjS07RH-BojpG8cCIG21ThiZn4ykyz-HNL4t3VOyja6wLgRBWL-_MKIIW1Lc34RT1HYbLZQHYGlQ5TJaLI-0gAi6ELvG8kdqfALvhm2Lyp0TVe7QCj3UVRTWa7hhzV_Iq-e8C8WO__lrYx_WWV998_aqqC0sfFZf1IODBzuBWnuKDTm8F90RWTVLWerZmECTC81WQNIGZHSIUwWDXlbFVITXgerJNdWA0Gl1JFlAmdA0F21TXCnoqho1M2ycgfkX6HuhZLeeSpPFYYrgs4Taa6USsjRnUULYCQ"
}
2020-07-02 10:50:35,683:DEBUG:urllib3.connectionpool:"POST /acme/new-order HTTP/1.1" 201 355
2020-07-02 10:50:35,685:DEBUG:acme.client:Received response:
HTTP 201
content-length: 355
cache-control: public, max-age=0, no-cache
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
location: https://acme-v02.api.letsencrypt.org/acme/order/80138672/4019117599
boulder-requester: 80138672
date: Thu, 02 Jul 2020 08:50:35 GMT
x-frame-options: DENY
content-type: application/json
replay-nonce: 01010hQgtSrxtrdMFYZiDZBFO9DXdMD0b71amoFPSgbA7Kg

{
  "status": "pending",
  "expires": "2020-07-09T08:50:35.905808819Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "geotechnicengineering.com"
    }
  ],
  "authorizations": [
    "https://acme-v02.api.letsencrypt.org/acme/authz-v3/5615647893"
  ],
  "finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/80138672/4019117599"
}
2020-07-02 10:50:35,685:DEBUG:acme.client:Storing nonce: 01010hQgtSrxtrdMFYZiDZBFO9DXdMD0b71amoFPSgbA7Kg
2020-07-02 10:50:35,686:DEBUG:acme.client:JWS payload:

2020-07-02 10:50:35,689:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/5615647893:
{
  "protected": "eyJub25jZSI6ICIwMTAxMGhRZ3RTcnh0cmRNRllaaURaQkZPOURYZE1EMGI3MWFtb0ZQU2diQTdLZyIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYXV0aHotdjMvNTYxNTY0Nzg5MyIsICJraWQiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC84MDEzODY3MiIsICJhbGciOiAiUlMyNTYifQ",
  "payload": "",
  "signature": "f-kJmnXQhGFnryK6qL4xceOGnq7POzRdardIB1Ymzhq7_84A6KMdLLR47aj-hIDpM-k0aAy5o1cLU-bkLEhbUcnse8dtA1D7i8oT7F1pgbXjYc-CtkNvOJcp26-no86oqsuSHtcp6OsNQWLiRmhSUWbTevFuJdSGwoi7CdFeujB1W-GPGHo_TN1EiWvlvSBchGt4jOd2KA1o4GUO-rq9zUKtSB1ioeGtC-YuCe_qtojt2AbRmAWBAvAqacIlTz6UOw8RajwOFH_Qzysc7gxR4QijkyqFiFgUZfiVkh2l-Z-txuc5q4ykUJcoFqNh4oaGqcOfAzGHH6SkTiwXo2Xpbw"
}
2020-07-02 10:50:35,866:DEBUG:urllib3.connectionpool:"POST /acme/authz-v3/5615647893 HTTP/1.1" 200 803
2020-07-02 10:50:35,867:DEBUG:acme.client:Received response:
HTTP 200
content-length: 803
cache-control: public, max-age=0, no-cache
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
boulder-requester: 80138672
date: Thu, 02 Jul 2020 08:50:36 GMT
x-frame-options: DENY
content-type: application/json
replay-nonce: 0102sfDToczFAuH06MxxTDYQoIuKKs8Skn6yTuWcPzG8Q40

{
  "identifier": {
    "type": "dns",
    "value": "geotechnicengineering.com"
  },
  "status": "pending",
  "expires": "2020-07-09T08:50:35Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/5615647893/UoSstg",
      "token": "1crHMcQIL-O0SSCjEzoC7PCP9nilAaP1q6otEvomb00"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/5615647893/-XZJCg",
      "token": "1crHMcQIL-O0SSCjEzoC7PCP9nilAaP1q6otEvomb00"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/5615647893/2TN1Cg",
      "token": "1crHMcQIL-O0SSCjEzoC7PCP9nilAaP1q6otEvomb00"
    }
  ]
}
2020-07-02 10:50:35,867:DEBUG:acme.client:Storing nonce: 0102sfDToczFAuH06MxxTDYQoIuKKs8Skn6yTuWcPzG8Q40
2020-07-02 10:50:35,868:INFO:certbot._internal.auth_handler:Performing the following challenges:
2020-07-02 10:50:35,868:INFO:certbot._internal.auth_handler:http-01 challenge for geotechnicengineering.com
2020-07-02 10:50:36,070:DEBUG:certbot_nginx._internal.http_01:Generated server block:

2020-07-02 10:50:36,073:DEBUG:certbot.reverter:Creating backup of /etc/nginx/conf.d/pointhairacademy.conf
2020-07-02 10:50:36,074:DEBUG:certbot.reverter:Creating backup of /etc/nginx/conf.d/diva-antibacterial.conf
2020-07-02 10:50:36,074:DEBUG:certbot.reverter:Creating backup of /etc/letsencrypt/options-ssl-nginx.conf
2020-07-02 10:50:36,075:DEBUG:certbot.reverter:Creating backup of /etc/nginx/conf.d/beatyfairalbania.conf
2020-07-02 10:50:36,076:DEBUG:certbot.reverter:Creating backup of /etc/nginx/conf.d/summerland.conf
2020-07-02 10:50:36,076:DEBUG:certbot.reverter:Creating backup of /etc/nginx/conf.d/evald.conf
2020-07-02 10:50:36,078:DEBUG:certbot.reverter:Creating backup of /etc/nginx/conf.d/oval.conf
2020-07-02 10:50:36,079:DEBUG:certbot.reverter:Creating backup of /etc/nginx/conf.d/unemundem.conf
2020-07-02 10:50:36,079:DEBUG:certbot.reverter:Creating backup of /etc/nginx/conf.d/clinicadentale.conf
2020-07-02 10:50:36,080:DEBUG:certbot.reverter:Creating backup of /etc/nginx/conf.d/evolflex.conf
2020-07-02 10:50:36,080:DEBUG:certbot.reverter:Creating backup of /etc/nginx/conf.d/2belectrician.conf
2020-07-02 10:50:36,081:DEBUG:certbot.reverter:Creating backup of /etc/nginx/conf.d/__default.conf
2020-07-02 10:50:36,081:DEBUG:certbot.reverter:Creating backup of /etc/nginx/nginx.conf
2020-07-02 10:50:36,082:DEBUG:certbot.reverter:Creating backup of /etc/nginx/conf.d/psikoterapia.conf
2020-07-02 10:50:36,082:DEBUG:certbot.reverter:Creating backup of /etc/nginx/conf.d/geotech.conf
2020-07-02 10:50:36,083:DEBUG:certbot.reverter:Creating backup of /etc/nginx/mime.types
2020-07-02 10:50:36,083:DEBUG:certbot.reverter:Creating backup of /etc/nginx/conf.d/livingreen.conf
2020-07-02 10:50:36,084:DEBUG:certbot.reverter:Creating backup of /etc/nginx/conf.d/balkan-shiping.conf
2020-07-02 10:50:36,089:DEBUG:certbot_nginx._internal.parser:Writing nginx conf tree to /etc/nginx/nginx.conf:
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

# Load dynamic modules. See /usr/share/nginx/README.dynamic.

include /usr/share/nginx/modules/*.conf;

load_module modules/ngx_http_brotli_filter_module.so;
load_module modules/ngx_http_brotli_static_module.so;
load_module modules/ngx_http_modsecurity_module.so;
load_module modules/ngx_http_geoip2_module.so;

events {
worker_connections 1024;
}

http {
include /etc/letsencrypt/le_http_01_cert_challenge.conf;
server_names_hash_bucket_size 128;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                '$status $body_bytes_sent "$http_referer" '
                '"$http_user_agent" "$http_x_forwarded_for"';

access_log  /var/log/nginx/access.log  main; 

sendfile            on;
tcp_nopush          on;
tcp_nodelay         on;
keepalive_timeout   65;
types_hash_max_size 2048;

client_max_body_size 400M;

# Enable ModSecurity globally - done individually on each config.

# modsecurity on;
# modsecurity_rules_file /etc/nginx/modsec/main.conf;

brotli on;
brotli_static on; # for static compression,
brotli_comp_level 4; # this setting can vary from 1-11
brotli_types text/xml
image/svg+xml
application/x-font-ttf
image/vnd.microsoft.icon
application/x-font-opentype
application/json
font/eot
application/vnd.ms-fontobject
application/javascript
font/otf
application/xml
application/xhtml+xml
text/javascript
application/x-javascript
text/plain
application/x-font-truetype
application/xml+rss
image/x-icon font/opentype
text/css
image/x-win-bitmap;

#gzip will always trigger a WAF rule in FortiGate - opened a ticket and waiting for a reply - fixed from FortiGate
#gzip_vary on;
#gzip_min_length 10240;
#gzip_proxied expired no-cache no-store private auth;
#gzip_disable "MSIE [1-6].";

gzip on;
gzip_static on;
gzip_comp_level 4;
gzip_http_version 1.0;
gzip_disable "msie6";
gzip_vary on;
gzip_proxied any;
gzip_buffers 16 8k;
gzip_min_length 1024;
gzip_types
text/css
text/javascript
text/xml
text/plain
text/x-component
application/javascript
application/json
application/xml
application/rss+xml
font/truetype
font/opentype
application/vnd.ms-fontobject
image/svg+xml;

include             /etc/nginx/mime.types;
default_type        application/octet-stream;

# Load modular configuration files from the /etc/nginx/conf.d directory.
# See http://nginx.org/en/docs/ngx_core_module.html#include
# for more information.
include /etc/nginx/conf.d/*.conf;	

# Caching on reverse proxy with nginx!

# Cache on RAM 15% benefit --> mount -t tmpfs -o size=2G tmpfs /var/cache/nginx/reverse_proxy_cache/RAM

add_header X-Cache-Status $upstream_cache_status;

proxy_cache_path /var/cache/nginx/reverse_proxy_cache levels=1:2 keys_zone=my_cache:10m inactive=48h max_size=10g use_temp_path=off;

proxy_set_header Host $host;

proxy_set_header X-Real-IP $remote_addr;

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

proxy_set_header X-Forwarded-Proto $scheme; #http or https

proxy_cache my_cache;

proxy_ignore_headers Cache-Control;

#  proxy_cache_valid 200 48h;
#  proxy_cache_lock on;

proxy_cache_key "$host$request_uri $cookie_user"; # very important!

# Caching on fast_cgi for php-fpm

add_header X-FastCGI-Cache $upstream_cache_status;
add_header X-Frame-Options SAMEORIGIN;
fastcgi_hide_header X-Powered-By;

fastcgi_cache_path  /var/cache/nginx/fastcgi_proxy_cache/evolflex				 levels=1:2 keys_zone=evolflex:1m inactive=48h max_size=10g use_temp_path=off;
fastcgi_cache_path  /var/cache/nginx/fastcgi_proxy_cache/point-hair-academy 	 levels=1:2 keys_zone=point-hair-academy:1m inactive=48h max_size=10g use_temp_path=off;
fastcgi_cache_path  /var/cache/nginx/fastcgi_proxy_cache/clinicadentale 		 levels=1:2 keys_zone=clinicadentalekeys:1m inactive=48h max_size=10g use_temp_path=off;
fastcgi_cache_path  /var/cache/nginx/fastcgi_proxy_cache/2belectrician 		 levels=1:2 keys_zone=2belectrician:1m inactive=48h max_size=10g use_temp_path=off;
fastcgi_cache_path  /var/cache/nginx/fastcgi_proxy_cache/balkan-shipping 		 levels=1:2 keys_zone=balkan-shipping:1m inactive=48h max_size=10g use_temp_path=off;
fastcgi_cache_path  /var/cache/nginx/fastcgi_proxy_cache/beatyfairalbania   	 levels=1:2 keys_zone=beatyfairalbania:1m inactive=48h max_size=10g use_temp_path=off;
fastcgi_cache_path  /var/cache/nginx/fastcgi_proxy_cache/summerland 			 levels=1:2 keys_zone=summerlandkeys:1m inactive=48h max_size=10g use_temp_path=off;
fastcgi_cache_path  /var/cache/nginx/fastcgi_proxy_cache/oval 				 levels=1:2 keys_zone=ovalkeys:1m inactive=48h max_size=10g use_temp_path=off;
fastcgi_cache_path  /var/cache/nginx/fastcgi_proxy_cache/psikoterapia 	     levels=1:2 keys_zone=psikoterapia:1m inactive=48h max_size=10g use_temp_path=off;
fastcgi_cache_path  /var/cache/nginx/fastcgi_proxy_cache/evaldal 				 levels=1:2 keys_zone=evaldkeys:1m inactive=48h max_size=10g use_temp_path=off;
fastcgi_cache_path  /var/cache/nginx/fastcgi_proxy_cache/diva-antibacterial 	 levels=1:2 keys_zone=diva-antibacterial:1m inactive=48h max_size=10g use_temp_path=off;
fastcgi_cache_path  /var/cache/nginx/fastcgi_proxy_cache/unemundem 			 levels=1:2 keys_zone=unemundem:1m inactive=48h max_size=10g use_temp_path=off;
fastcgi_cache_path  /var/cache/nginx/fastcgi_proxy_cache/livingreen 			 levels=1:2 keys_zone=livingreen:1m inactive=48h max_size=10g use_temp_path=off;
fastcgi_cache_path  /var/cache/nginx/fastcgi_proxy_cache/geotech 				 levels=1:2 keys_zone=geotech:1m inactive=48h max_size=10g use_temp_path=off;

fastcgi_cache_key $scheme$host$request_uri$request_method; # very important!

fastcgi_cache_valid any 48h;
  fastcgi_cache_lock on;
fastcgi_pass_header Set-Cookie;
fastcgi_pass_header Cookie;
  fastcgi_ignore_headers Vary Cache-Control;  

}

2020-07-02 10:50:36,091:DEBUG:certbot_nginx._internal.parser:Writing nginx conf tree to /etc/nginx/conf.d/geotech.conf:
server {rewrite ^(/.well-known/acme-challenge/.*) $1 break; # managed by Certbot

    server_name  geotechnicengineering.com www.geotechnicengineering.com;      		
  fastcgi_cache_bypass 1;
  
    root /var/www/html/geotech;
  index  index.php;

  location / {
  	try_files $uri $uri/ /index.php?$args;        
  }
    
  location ~ \.php$ {
  	fastcgi_split_path_info  ^(.+\.php)(/.+)$;
  	fastcgi_index            index.php;
  	#fastcgi_pass             unix:/var/run/php-fpm.sock; 
  	#fastcgi_pass             unix:/tmp/php-fpm.sock; 
      fastcgi_pass             127.0.0.1:9000;
  	fastcgi_cache			 geotech;
  	include                  fastcgi_params;
  	fastcgi_param   PATH_INFO       $fastcgi_path_info;
  	fastcgi_param   SCRIPT_FILENAME $document_root$fastcgi_script_name;
  }
  
  error_log  /etc/httpd/logs/GeotechErrnginx.log;
  access_log /etc/httpd/logs/GeotechAccessnginx.log;
  
  # Enable ModSecurity on this website
  #modsecurity on;
  #modsecurity_rules_file /etc/nginx/modsec/main.conf;	

location = /.well-known/acme-challenge/1crHMcQIL-O0SSCjEzoC7PCP9nilAaP1q6otEvomb00{default_type text/plain;return 200 1crHMcQIL-O0SSCjEzoC7PCP9nilAaP1q6otEvomb00.PMfqMyHutjJ_0pAAv0UTp7CP-3JaIENXUqbYnpHOB1E;} # managed by Certbot

}

2020-07-02 10:50:43,620:INFO:certbot._internal.auth_handler:Waiting for verification…
2020-07-02 10:50:43,622:DEBUG:acme.client:JWS payload:
{}
2020-07-02 10:50:43,626:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/5615647893/UoSstg:
{
  "protected": "eyJub25jZSI6ICIwMTAyc2ZEVG9jekZBdUgwNk14eFREWVFvSXVLS3M4U2tuNnlUdVdjUHpHOFE0MCIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvY2hhbGwtdjMvNTYxNTY0Nzg5My9Vb1NzdGciLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvODAxMzg2NzIiLCAiYWxnIjogIlJTMjU2In0",
  "payload": "e30",
  "signature": "pril7oDxPFVnsue0x2KzgbXA5ruazS52984TO0letdxp1d6Mrx7z9KlsnvHnVTDINsbkHqOYsxt9t5lu51Y7PFXVfOJRHjBxDus0qjel1w90O3mO9PSoqEG9ioS7j90HsnSZxPge2JaYyFNdnN1fHkkKaR2e6MF2PHxRZfExZh2XJFAgxADATYI5ezto7yckb8wwhW3z59BS6S7UWgwfYitIVtW_bINv4kdwBd-X6oKpl1GVqKdgEjXhddDa1t6bkoIHT-1_9qmm4SeT4h7o2bZ3MGiVhd2ENRUCvq09UQzESuBSoBs-272zIp4YlKLIa-6fz4A4QWCc__FKBCY51g"
}
2020-07-02 10:50:43,833:DEBUG:urllib3.connectionpool:"POST /acme/chall-v3/5615647893/UoSstg HTTP/1.1" 200 185
2020-07-02 10:50:43,834:DEBUG:acme.client:Received response:
HTTP 200
content-length: 185
cache-control: public, max-age=0, no-cache
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index", <https://acme-v02.api.letsencrypt.org/acme/authz-v3/5615647893>;rel="up"
location: https://acme-v02.api.letsencrypt.org/acme/chall-v3/5615647893/UoSstg
boulder-requester: 80138672
date: Thu, 02 Jul 2020 08:50:44 GMT
x-frame-options: DENY
content-type: application/json
replay-nonce: 0101pjXu5IQsC0dMhm-oRX7Y2s20hVSdQtAR7x6-JaRAd6w

{
  "type": "http-01",
  "status": "pending",
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/5615647893/UoSstg",
  "token": "1crHMcQIL-O0SSCjEzoC7PCP9nilAaP1q6otEvomb00"
}
2020-07-02 10:50:43,834:DEBUG:acme.client:Storing nonce: 0101pjXu5IQsC0dMhm-oRX7Y2s20hVSdQtAR7x6-JaRAd6w
2020-07-02 10:50:44,841:DEBUG:acme.client:JWS payload:

2020-07-02 10:50:44,844:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/5615647893:
{
  "protected": "eyJub25jZSI6ICIwMTAxcGpYdTVJUXNDMGRNaG0tb1JYN1kyczIwaFZTZFF0QVI3eDYtSmFSQWQ2dyIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYXV0aHotdjMvNTYxNTY0Nzg5MyIsICJraWQiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC84MDEzODY3MiIsICJhbGciOiAiUlMyNTYifQ",
  "payload": "",
  "signature": "kqHAt9DVDZ_D130D6-V3RnBUjqnkCnVcIpUwEzm1Ly4lbRNgk2EfgM34FSr8lMXYAPiQD1mHpTpNZ_4Oxqd6eyWBmTiy-lNHN1CZauG5Tw-YVzJ7aEmjhkCVD3W2-tUQKjBi1svDG5S2sgbMAyI4Nl-uV-gi19_z84F75wF7z382brVHjnbk5s8a90Zw4Y120BwVyqi3sI_b_3C1dhGiODrU-0EmC9prfoaDQFsNtZv3xXsqNrUY8VtssmjBmzj8jErH4_HCCM8ELvI4drVr4RIHfHdibRRGRfzmsgVxM7QpRBoQAMF2ZIA2hUxtCRftGXdHyHQ1RTPfJD1LudME4Q"
}
2020-07-02 10:50:45,026:DEBUG:urllib3.connectionpool:"POST /acme/authz-v3/5615647893 HTTP/1.1" 200 1263
2020-07-02 10:50:45,027:DEBUG:acme.client:Received response:
HTTP 200
content-length: 1263
cache-control: public, max-age=0, no-cache
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
boulder-requester: 80138672
date: Thu, 02 Jul 2020 08:50:45 GMT
x-frame-options: DENY
content-type: application/json
replay-nonce: 0102zzUpVFBuozxJr_AW0kEcMqceJgnV4i0jfAs0fq7_Ewo

{
  "identifier": {
    "type": "dns",
    "value": "geotechnicengineering.com"
  },
  "status": "invalid",
  "expires": "2020-07-09T08:50:35Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "Invalid response from http://geotechnicengineering.com/.well-known/acme-challenge/1crHMcQIL-O0SSCjEzoC7PCP9nilAaP1q6otEvomb00 [5.249.159.133]: \"\u003c!DOCTYPE html\u003e\r\n\r\n\u003chtml class=\"no-js\" lang=\"en-US\"\u003e\r\n\r\n\t\u003chead\u003e\r\n\r\n\t\t\u003cmeta charset=\"UTF-8\"\u003e\r\n\t\t\u003cmeta name=\"viewport\" content=\"wi\"",
        "status": 403
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/5615647893/UoSstg",
      "token": "1crHMcQIL-O0SSCjEzoC7PCP9nilAaP1q6otEvomb00",
      "validationRecord": [
        {
          "url": "http://geotechnicengineering.com/.well-known/acme-challenge/1crHMcQIL-O0SSCjEzoC7PCP9nilAaP1q6otEvomb00",
          "hostname": "geotechnicengineering.com",
          "port": "80",
          "addressesResolved": [
            "5.249.159.133"
          ],
          "addressUsed": "5.249.159.133"
        }
      ]
    }
  ]
}
2020-07-02 10:50:45,027:DEBUG:acme.client:Storing nonce: 0102zzUpVFBuozxJr_AW0kEcMqceJgnV4i0jfAs0fq7_Ewo
2020-07-02 10:50:45,028:WARNING:certbot._internal.auth_handler:Challenge failed for domain geotechnicengineering.com
2020-07-02 10:50:45,028:INFO:certbot._internal.auth_handler:http-01 challenge for geotechnicengineering.com
2020-07-02 10:50:45,040:DEBUG:certbot._internal.reporter:Reporting to user: The following errors were reported by the server:

Domain: geotechnicengineering.com
Type: unauthorized
Detail: Invalid response from http://geotechnicengineering.com/.well-known/acme-challenge/1crHMcQIL-O0SSCjEzoC7PCP9nilAaP1q6otEvomb00 [5.249.159.133]: "<!DOCTYPE html>\r\n\r\n<html class="no-js" lang="en-US">\r\n\r\n\t<head>\r\n\r\n\t\t<meta charset="UTF-8">\r\n\t\t<meta name="viewport" content="wi"

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.
2020-07-02 10:50:45,064:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/certbot/_internal/auth_handler.py", line 91, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/auth_handler.py", line 180, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
AuthorizationError: Some challenges have failed.

2020-07-02 10:50:45,064:DEBUG:certbot._internal.error_handler:Calling registered functions
2020-07-02 10:50:45,064:INFO:certbot._internal.auth_handler:Cleaning up challenges
2020-07-02 10:50:59,382:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 9, in <module>
    load_entry_point('certbot==1.5.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 15, in main
    return internal_main.main(cli_args)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/main.py", line 1347, in main
    return config.func(config, plugins)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/main.py", line 1101, in run
    certname, lineage)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/main.py", line 121, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/client.py", line 409, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/client.py", line 343, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/client.py", line 390, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/auth_handler.py", line 91, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/auth_handler.py", line 180, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
AuthorizationError: Some challenges have failed.
2020-07-02 10:50:59,468:ERROR:certbot._internal.log:Some challenges have failed.

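As an added example (not from the post and not certbot's own code), the script below reproduces the validation request the CA made in the log: an unauthenticated GET over plain HTTP to http://<domain>/.well-known/acme-challenge/<token>, whose body must be the key authorization <token>.<thumbprint>. The thumbprint is the RFC 7638 SHA-256 thumbprint of the ACME account key's public JWK, which is why the body in the certbot-generated `location = /.well-known/acme-challenge/...` block above has two dot-separated parts: the response proves control of the host and of the account key at once. The script assumes the token and key authorization are copied from certbot's log; the verdict names, the `acme-preflight` User-Agent and the sample 403 response are constructed for this example. One request from one vantage point is a simplification, since Let's Encrypt validates from several network perspectives, so a firewall that treats those addresses differently can still fail a check that passes here.

```python
"""Pre-flight check for an ACME http-01 challenge, mimicking the request the CA makes.

Added example, not part of the forum post or of certbot. Token and key
authorization are taken from certbot's log; everything else is assumed.
"""
import base64
import hashlib
import json
import re
from typing import Callable, Dict, Tuple
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

Fetcher = Callable[[str], Tuple[int, str]]


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME/JOSE use everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: Dict[str, str]) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required public members only.

    "alg", "kid" and similar members are deliberately excluded and the keys are sorted with no
    whitespace, so two encodings of the same key always give the same thumbprint.
    """
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: Dict[str, str]) -> str:
    """The exact body the CA expects: proves control of the host *and* of the account key."""
    return token + "." + jwk_thumbprint(account_jwk)


def http_fetch(url: str, timeout: float = 10.0) -> Tuple[int, str]:
    """Fetch the way a CA validator does: plain HTTP, redirects followed, no cookies, no auth."""
    req = Request(url, headers={"User-Agent": "acme-preflight/0.1 (added example)"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(4096).decode("utf-8", "replace")
    except HTTPError as err:                       # 4xx/5xx: keep status and body for diagnosis
        return err.code, err.read(4096).decode("utf-8", "replace")
    except URLError as err:                        # DNS failure, connection refused, timeout
        return 0, str(err.reason)


def diagnose(status: int, body: str, expected: str) -> str:
    """Map what came back to the usual root causes of an http-01 'unauthorized' failure."""
    text = body.strip()
    looks_html = text[:64].lower().startswith(("<!doctype", "<html"))
    if status == 0:
        return "unreachable"                        # DNS/A record or firewall, not nginx config
    if status == 200 and text == expected:
        return "ok"
    if status == 200 and re.fullmatch(r"[A-Za-z0-9_-]+\.[A-Za-z0-9_-]{43}", text):
        return "wrong-key-authorization"            # served, but for another token or account key
    if status == 403 and looks_html:
        return "blocked-by-waf-or-acl"              # a filter answered before the challenge location did
    if status == 404:
        return "challenge-not-served"               # wrong server block, webroot or missing file
    if looks_html:
        return "app-catch-all-answered"             # e.g. the index.php front controller took the request
    return "unexpected-%d" % status


def preflight(domain: str, token: str, expected: str, fetch: Fetcher = http_fetch) -> Dict[str, object]:
    """Run the check for one name. Pass a fake `fetch` to exercise it offline."""
    url = "http://%s/.well-known/acme-challenge/%s" % (domain, token)
    status, body = fetch(url)
    return {"url": url, "status": status, "verdict": diagnose(status, body, expected)}


if __name__ == "__main__":
    import sys
    # Usage: python3 acme_preflight.py <domain> <token> <token>.<thumbprint>
    # Both values appear in the "location = /.well-known/acme-challenge/..." line
    # that certbot writes into the nginx server block while the challenge is live.
    print(json.dumps(preflight(*sys.argv[1:4]), indent=2))
```

A 403 whose body is the site's HTML, as in the log, comes back as blocked-by-waf-or-acl, which points at a request filter (ModSecurity in this thread) rather than at DNS, even though certbot's generic hint only talks about A/AAAA records; a 404 or a 200 carrying HTML instead points at the wrong server block or at the PHP front controller swallowing the path.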

Hi @albgen

Looks like you have found a solution. My browser shows a new Let's Encrypt certificate. :+1:


Yep, the problem was with the ModSec module with the OWASP rules. When disabling that one, it worked OK.

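The resolution reported above (disabling ModSecurity) takes the WAF off every request in order to fix one path. As an added example, not from the thread and not something certbot generates, the server block below instead switches ModSecurity off only for the ACME challenge prefix and serves the challenge files from a dedicated webroot, so the OWASP rules keep covering the PHP application. Assumptions: a `listen 80` default, the webroot `/var/www/letsencrypt` (used with `certbot --authenticator webroot --installer nginx -w /var/www/letsencrypt -d geotechnicengineering.com -d www.geotechnicengineering.com`), and the ModSecurity-nginx connector directives `modsecurity` and `modsecurity_rules_file`, whose module the log's nginx.conf already loads. The webroot authenticator is chosen on purpose: the `--nginx` authenticator writes its own `location = /.well-known/acme-challenge/<token>` block (visible in the log), and an exact-match location outranks the prefix location below, so a `modsecurity off` placed in the prefix location would not apply to certbot's block.

```nginx
# Added example (not from the thread): scope the WAF exemption to the ACME path only.
server {
    listen 80;                                   # assumed; the original block relies on the default
    server_name geotechnicengineering.com www.geotechnicengineering.com;

    # WAF stays on for the site as a whole (ModSecurity-nginx connector directives).
    modsecurity on;
    modsecurity_rules_file /etc/nginx/modsec/main.conf;

    # http-01: the CA fetches this path over plain HTTP from addresses you cannot
    # allowlist, and the body must be exactly "<token>.<thumbprint>".
    # "^~" = longest-prefix match and stop, so the "\.php$" regex location below
    # cannot take the request; only an exact "location =" would outrank it.
    location ^~ /.well-known/acme-challenge/ {
        modsecurity off;                         # exemption limited to this prefix
        default_type text/plain;
        root /var/www/letsencrypt;               # assumed webroot: certbot ... -w /var/www/letsencrypt
        try_files $uri =404;                     # serve the file or 404; never fall through to index.php
    }

    # Everything else still goes through the WAF and the PHP front controller.
    root /var/www/html/geotech;
    index index.php;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        fastcgi_pass 127.0.0.1:9000;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}
```

After `nginx -t` and a reload, a hand-made file under `/var/www/letsencrypt/.well-known/acme-challenge/` should come back with 200 and `Content-Type: text/plain` on a plain `curl -i http://geotechnicengineering.com/.well-known/acme-challenge/<name>`, and a missing name should give a bare 404 rather than the site's HTML; if either still returns the application's page, the request is not reaching this location.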
