Invalid response from .well-known/acme-challenge

Dshinji · December 27, 2018, 1:38am

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:youland.us

I ran this command:certbot --nginx

It produced this output:

The following errors were reported by the server:
Domain: youland.us
Type: unauthorized
Detail: Invalid response from
http://youland.us/.well-known/acme-challenge/_rQQoKVKSV-I8nUF96A3qbCNJycBIdW041OebOUGQmc:
“<html>\r\n<head><title>404 Not
Found</title></head>\r\n<body>\r\n<center><h1>404 Not
Found</h1></center>\r\n<hr><center>nginx/1.15.8</ce”
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.

My web server is (include version): nginx 1.15.8

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is: GoDaddy

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

mnordhoff · December 27, 2018, 3:30am

Is the website's IP address correct?

youland.us.  600  A  52.53.160.74

It's running on Amazon EC2, not GoDaddy's hosting. (It is using GoDaddy's DNS.)

What did Nginx's error.log show?

What version of Certbot are you using?

Can you post the Nginx configuration, which can be shown by "sudo nginx -T"?

Dshinji · December 27, 2018, 6:39am

Hi, thank you for replying.

Yeah, it’s running on EC2, I can log in to the instance.

I am using cerbot 0.29.1

the output of “sudo nginx -T” is:
nginx: the configuration file /usr/local/etc/nginx/nginx.conf syntax is ok
nginx: configuration file /usr/local/etc/nginx/nginx.conf test is successful

configuration file /usr/local/etc/nginx/nginx.conf:

#user nobody;
worker_processes 1;

#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;

#pid logs/nginx.pid;

events {
worker_connections 1024;
}

http {
include mime.types;
default_type application/octet-stream;

#log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
#                  '$status $body_bytes_sent "$http_referer" '
#                  '"$http_user_agent" "$http_x_forwarded_for"';

#access_log  logs/access.log  main;

sendfile        on;
#tcp_nopush     on;

#keepalive_timeout  0;
keepalive_timeout  65;

#gzip  on;

server {
    #listen       8080;
    #server_name  localhost;
    listen       80;
    server_name  youland.us;

    #charset koi8-r;

    #access_log  logs/host.access.log  main;

    location ~/.well-known/acme-challenge/ {
        allow all;
        root /var/www/html;
    }

    location / {
        root   html;
        index  index.html index.htm;
    }

    #error_page  404              /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   html;
    }

    # proxy the PHP scripts to Apache listening on 127.0.0.1:80
    #
    #location ~ \.php$ {
    #    proxy_pass   http://127.0.0.1;
    #}

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    #
    #location ~ \.php$ {
    #    root           html;
    #    fastcgi_pass   127.0.0.1:9000;
    #    fastcgi_index  index.php;
    #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
    #    include        fastcgi_params;
    #}

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    #location ~ /\.ht {
    #    deny  all;
    #}
}


# another virtual host using mix of IP-, name-, and port-based configuration
#
#server {
#    listen       8000;
#    listen       somename:8080;
#    server_name  somename  alias  another.alias;

#    location / {
#        root   html;
#        index  index.html index.htm;
#    }
#}


# HTTPS server
#
#server {
#    listen       443 ssl;
#    server_name  localhost;

#    ssl_certificate      cert.pem;
#    ssl_certificate_key  cert.key;

#    ssl_session_cache    shared:SSL:1m;
#    ssl_session_timeout  5m;

#    ssl_ciphers  HIGH:!aNULL:!MD5;
#    ssl_prefer_server_ciphers  on;

#    location / {
#        root   html;
#        index  index.html index.htm;
#    }
#}
include servers/*;

}

configuration file /usr/local/etc/nginx/mime.types:

types {
text/html html htm shtml;
text/css css;
text/xml xml;
image/gif gif;
image/jpeg jpeg jpg;
application/javascript js;
application/atom+xml atom;
application/rss+xml rss;

text/mathml                                      mml;
text/plain                                       txt;
text/vnd.sun.j2me.app-descriptor                 jad;
text/vnd.wap.wml                                 wml;
text/x-component                                 htc;

image/png                                        png;
image/svg+xml                                    svg svgz;
image/tiff                                       tif tiff;
image/vnd.wap.wbmp                               wbmp;
image/webp                                       webp;
image/x-icon                                     ico;
image/x-jng                                      jng;
image/x-ms-bmp                                   bmp;

font/woff                                        woff;
font/woff2                                       woff2;

application/java-archive                         jar war ear;
application/json                                 json;
application/mac-binhex40                         hqx;
application/msword                               doc;
application/pdf                                  pdf;
application/postscript                           ps eps ai;
application/rtf                                  rtf;
application/vnd.apple.mpegurl                    m3u8;
application/vnd.google-earth.kml+xml             kml;
application/vnd.google-earth.kmz                 kmz;
application/vnd.ms-excel                         xls;
application/vnd.ms-fontobject                    eot;
application/vnd.ms-powerpoint                    ppt;
application/vnd.oasis.opendocument.graphics      odg;
application/vnd.oasis.opendocument.presentation  odp;
application/vnd.oasis.opendocument.spreadsheet   ods;
application/vnd.oasis.opendocument.text          odt;
application/vnd.openxmlformats-officedocument.presentationml.presentation
                                                 pptx;
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
                                                 xlsx;
application/vnd.openxmlformats-officedocument.wordprocessingml.document
                                                 docx;
application/vnd.wap.wmlc                         wmlc;
application/x-7z-compressed                      7z;
application/x-cocoa                              cco;
application/x-java-archive-diff                  jardiff;
application/x-java-jnlp-file                     jnlp;
application/x-makeself                           run;
application/x-perl                               pl pm;
application/x-pilot                              prc pdb;
application/x-rar-compressed                     rar;
application/x-redhat-package-manager             rpm;
application/x-sea                                sea;
application/x-shockwave-flash                    swf;
application/x-stuffit                            sit;
application/x-tcl                                tcl tk;
application/x-x509-ca-cert                       der pem crt;
application/x-xpinstall                          xpi;
application/xhtml+xml                            xhtml;
application/xspf+xml                             xspf;
application/zip                                  zip;

application/octet-stream                         bin exe dll;
application/octet-stream                         deb;
application/octet-stream                         dmg;
application/octet-stream                         iso img;
application/octet-stream                         msi msp msm;

audio/midi                                       mid midi kar;
audio/mpeg                                       mp3;
audio/ogg                                        ogg;
audio/x-m4a                                      m4a;
audio/x-realaudio                                ra;

video/3gpp                                       3gpp 3gp;
video/mp2t                                       ts;
video/mp4                                        mp4;
video/mpeg                                       mpeg mpg;
video/quicktime                                  mov;
video/webm                                       webm;
video/x-flv                                      flv;
video/x-m4v                                      m4v;
video/x-mng                                      mng;
video/x-ms-asf                                   asx asf;
video/x-ms-wmv                                   wmv;
video/x-msvideo                                  avi;

}

I am not clear where to locate the Nginx’s error.log file.

rg305 · December 27, 2018, 7:03am

The error logs seem to be disabled:

I'm not sure if is makes much difference, but I would remove the ~

as:
location /.well-known/acme-challenge/ {

Also, can you show what is included with:

Or is that folder empty?

Dshinji · December 27, 2018, 7:30am

Hi Rudy,

I changed the “well-known” setting as you suggested, seems it does not work. And the servers file is empty.

Actually there are two “nginx.conf” file, one is located on the directory where nginx is installed, another is on my website repo, I am not sure which one should I update.

When I visit {DOMAIN_NAME}/.well-known/acme-challenge/, it gives me a nginx 404 not found.

rg305 · December 27, 2018, 5:27pm

That is the one in use.

The document root location is not explicit, so I can only assume that it might be:
/etc/nginx/html/
If not, adjust the following as needed:
Please place a test text file into the challenge folder:
mkdir /etc/nginx/html/.well-known
mkdir /etc/nginx/html/.well-known/acme-challenge
echo "Challenge Accepted! - LOL" > /etc/nginx/html/.well-known/acme-challenge/1234

Then we should be able to reach that file (from the Internet) via URL:
http://{YOUR_DOMAIN_NAME}/.well-known/acme-challenge/1234

[This step is crucial]

Dshinji · December 27, 2018, 5:54pm

I make the file as you suggested.

mkdir /etc/nginx/html/.well-known
mkdir /etc/nginx/html/.well-known/acme-challenge
echo "Challenge Accepted! - LOL" > /etc/nginx/html/.well-known/acme-challenge/1234

Since I am using Mac, I changed the “/etc/nginx/html” to “/usr/local/Cellar/nginx/1.15.8/html”, the command shows it successfully created the file, but when I go to http://{YOUR_DOMAIN_NAME}/.well-known/acme-challenge/1234, it keep gives me the “Nginx 404 error”.

Since I am running the wbesite on Amazon EC2 instance, Do I need to do some operation on my local machine or ssh into the EC2?

rg305 · December 27, 2018, 5:56pm

On the machine your domain resolves to.
Whichever IP that is at.

system · January 26, 2019, 6:01pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.