Hello,
I'm having trouble obtaining an SSL certificate for my domain igsus.dev using Certbot. Below are the details of my setup and the issues I'm facing:
Domain: igsus.dev
Web Server: Nginx 1.18.0
Operating System: Ubuntu 22.04
Certbot Version: 1.21.0
Issue: I ran the command to request a certificate using Certbot, but it failed with the following error:
Challenge failed for domain igsus.dev
http-01 challenge for igsus.dev
Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: igsus.dev
Type: unauthorized
Detail: Invalid response from http://igsus.dev/.well-known/acme-challenge/cZeRZWGBAI8XyD1BlSgkDEzzUswJ4uhqL_7M2YFzXPc: 404
Nginx Configuration: Here is the relevant configuration for the server in /etc/nginx/sites-available/volunteer:
server {
    listen 80;
    server_name igsus.dev www.igsus.dev;
    return 301 https://$host$request_uri;
    #root /var/www/gus-app;
    gzip on;
    gzip_proxied any;
    gzip_comp_level 5;
    gzip_buffers 16 8k;
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
    gzip_min_length 256;
    location /_next/static/ {
        alias /var/www/gus/.next/static/;
        expires 365d;
        access_log off;
    }
    location /.well-known/acme-challenge/ {
        root /var/www/html;
    }
    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_http_version 1.1;
        #proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}
This configuration is correctly included in Nginx. However, I can access the site via the IP address but not through the domain igsus.dev. A dig command confirms that igsus.dev resolves correctly.
Logs: The Certbot log shows an error indicating that the temporary Nginx configuration changes made by Certbot could not be verified. The challenge directory was not found, resulting in a 404 error.
Could you please assist me in resolving this issue? Any help or guidance would be greatly appreciated.
Thank you!
2 Likes
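Added illustration, not code from this thread or from nginx or Certbot: a small Python check for the pattern in the posted server block, a server-level `return 301` sitting next to a `location /.well-known/acme-challenge/`. nginx executes `return` and `rewrite` in the server context during the server rewrite phase, before any `location` is matched, so every port-80 request, the http-01 challenge included, is redirected before the challenge location can serve the token. The two configs embedded below are constructed (with `example.invalid` standing in for the real domain); the second shows the redirect moved into `location /`, where the longer-prefix challenge location wins first.

```python
import re

ACME_PATH = "/.well-known/acme-challenge/"

# Constructed sample mirroring the shape of the config in the original post:
# a server-level redirect next to the challenge location.
BROKEN_CONF = """
server {
    listen 80;
    server_name example.invalid www.example.invalid;
    return 301 https://$host$request_uri;   # runs before any location is matched
    location /.well-known/acme-challenge/ {
        root /var/www/html;                  # never reached for port-80 requests
    }
    location / {
        proxy_pass http://127.0.0.1:3000;
    }
}
"""

# Constructed corrected form: the redirect lives in `location /`, so the
# challenge location (the longest matching prefix) answers the ACME request.
FIXED_CONF = """
server {
    listen 80;
    server_name example.invalid www.example.invalid;
    location /.well-known/acme-challenge/ {
        root /var/www/html;   # serves /var/www/html/.well-known/acme-challenge/<token>
    }
    location / {
        return 301 https://$host$request_uri;
    }
}
"""


def parse_nginx(text):
    """Minimal nginx config parser: returns a tree of directives and blocks.
    A directive is {"name", "args", "children": None}; a block has a list."""
    text = re.sub(r"#[^\n]*", "", text)  # drop comments
    root = {"name": "<root>", "args": [], "children": []}
    stack, buf = [root], ""
    for tok in re.findall(r"[{};]|[^{};]+", text):
        if tok == ";":
            words = buf.split()
            if words:
                stack[-1]["children"].append(
                    {"name": words[0], "args": words[1:], "children": None})
            buf = ""
        elif tok == "{":
            words = buf.split()
            block = {"name": words[0] if words else "", "args": words[1:], "children": []}
            stack[-1]["children"].append(block)
            stack.append(block)
            buf = ""
        elif tok == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}' in config")
            stack.pop()
            buf = ""
        else:
            buf += tok
    if len(stack) != 1:
        raise ValueError("unbalanced '{' in config")
    return root


def iter_blocks(node, name):
    """Yield every block called `name` anywhere under `node` (e.g. server inside http)."""
    for child in node["children"] or []:
        if child["children"] is not None:
            if child["name"] == name:
                yield child
            yield from iter_blocks(child, name)


def lint_http01(text):
    """Return findings for port-80 server blocks whose server-level
    return/rewrite shadows the ACME challenge location."""
    findings = []
    for server in iter_blocks(parse_nginx(text), "server"):
        directives = [c for c in server["children"] if c["children"] is None]
        blocks = [c for c in server["children"] if c["children"] is not None]
        listens_80 = any(a == "80" or a.endswith(":80")
                         for d in directives if d["name"] == "listen" for a in d["args"])
        if not listens_80:          # http-01 only ever arrives on port 80
            continue
        names = next((" ".join(d["args"]) for d in directives
                      if d["name"] == "server_name"), "<no server_name>")
        shadow = [d for d in directives if d["name"] in ("return", "rewrite")]
        acme = [b for b in blocks if b["name"] == "location" and ACME_PATH in b["args"]]
        if shadow and acme:
            findings.append(
                f"{names}: server-level `{shadow[0]['name']}` runs in the server rewrite "
                f"phase, before locations are matched, so `location {ACME_PATH}` never "
                f"answers the http-01 request; move the redirect into `location /`.")
        elif shadow:
            findings.append(
                f"{names}: server-level `{shadow[0]['name']}` redirects every port-80 "
                f"request and there is no `location {ACME_PATH}` at all.")
    return findings


if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(label, lint_http01(conf) or "ok")
```

With the redirect in place the validation request is sent on to https://&lt;domain&gt;/.well-known/acme-challenge/&lt;token&gt;, so whichever process answers port 443 for that IP decides the outcome; if that is not the nginx instance holding the webroot, the 404 the CA reports comes from there rather than from this config. Keeping `root /var/www/html` in the challenge location means the file must exist at /var/www/html/.well-known/acme-challenge/&lt;token&gt;, which is the layout the webroot authenticator writes when pointed at /var/www/html.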
griffin
September 4, 2024, 3:44am
2
Welcome to the Let's Encrypt Community!
Therein lies your problem. Fix that and you should be able to get a certificate.
I'll add more later when I have time. Others may jump-in in the meantime.
4 Likes
This is the output
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
Osiris
September 4, 2024, 1:18pm
5
No, that's the output of the lowercase t, not the output of the requested uppercase T.
2 Likes
Oh! My bad, it's throwing a lot of information:
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 768;
# multi_accept on;
}
http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
types_hash_max_size 2048;
# server_tokens off;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# SSL Settings
##
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
##
# Gzip Settings
##
gzip on;
# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-available/*;
}
#mail {
# # See sample authentication script at:
# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
# # auth_http localhost/auth.php;
# # pop3_capabilities "TOP" "USER";
# # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
# server {
# listen localhost:110;
# protocol pop3;
# proxy on;
# }
#
# server {
# listen localhost:143;
# protocol imap;
# proxy on;
# }
#}
# configuration file /etc/nginx/modules-enabled/50-mod-http-geoip2.conf:
load_module modules/ngx_http_geoip2_module.so;
# configuration file /etc/nginx/modules-enabled/50-mod-http-image-filter.conf:
load_module modules/ngx_http_image_filter_module.so;
# configuration file /etc/nginx/modules-enabled/50-mod-http-xslt-filter.conf:
load_module modules/ngx_http_xslt_filter_module.so;
# configuration file /etc/nginx/modules-enabled/50-mod-mail.conf:
load_module modules/ngx_mail_module.so;
# configuration file /etc/nginx/modules-enabled/50-mod-stream.conf:
load_module modules/ngx_stream_module.so;
# configuration file /etc/nginx/modules-enabled/70-mod-stream-geoip2.conf:
load_module modules/ngx_stream_geoip2_module.so;
# configuration file /etc/nginx/mime.types:
types {
text/html html htm shtml;
text/css css;
text/xml xml;
image/gif gif;
image/jpeg jpeg jpg;
application/javascript js;
application/atom+xml atom;
application/rss+xml rss;
text/mathml mml;
text/plain txt;
text/vnd.sun.j2me.app-descriptor jad;
text/vnd.wap.wml wml;
text/x-component htc;
image/png png;
image/tiff tif tiff;
image/vnd.wap.wbmp wbmp;
image/x-icon ico;
image/x-jng jng;
image/x-ms-bmp bmp;
image/svg+xml svg svgz;
image/webp webp;
application/font-woff woff;
application/java-archive jar war ear;
application/json json;
application/mac-binhex40 hqx;
application/msword doc;
application/pdf pdf;
application/postscript ps eps ai;
application/rtf rtf;
application/vnd.apple.mpegurl m3u8;
application/vnd.ms-excel xls;
application/vnd.ms-fontobject eot;
application/vnd.ms-powerpoint ppt;
application/vnd.wap.wmlc wmlc;
application/vnd.google-earth.kml+xml kml;
application/vnd.google-earth.kmz kmz;
application/x-7z-compressed 7z;
application/x-cocoa cco;
application/x-java-archive-diff jardiff;
application/x-java-jnlp-file jnlp;
application/x-makeself run;
application/x-perl pl pm;
application/x-pilot prc pdb;
application/x-rar-compressed rar;
application/x-redhat-package-manager rpm;
application/x-sea sea;
application/x-shockwave-flash swf;
application/x-stuffit sit;
application/x-tcl tcl tk;
application/x-x509-ca-cert der pem crt;
application/x-xpinstall xpi;
application/xhtml+xml xhtml;
application/xspf+xml xspf;
application/zip zip;
application/octet-stream bin exe dll;
application/octet-stream deb;
application/octet-stream dmg;
application/octet-stream iso img;
application/octet-stream msi msp msm;
application/vnd.openxmlformats-officedocument.wordprocessingml.document docx;
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx;
application/vnd.openxmlformats-officedocument.presentationml.presentation pptx;
audio/midi mid midi kar;
audio/mpeg mp3;
audio/ogg ogg;
audio/x-m4a m4a;
audio/x-realaudio ra;
video/3gpp 3gpp 3gp;
video/mp2t ts;
video/mp4 mp4;
video/mpeg mpeg mpg;
video/quicktime mov;
video/webm webm;
video/x-flv flv;
video/x-m4v m4v;
video/x-mng mng;
video/x-ms-asf asx asf;
video/x-ms-wmv wmv;
video/x-msvideo avi;
}
# configuration file /etc/nginx/sites-available/volunteer:
server {
listen 80;
server_name igsus.dev www.igsus.dev;
return 301 https://$host$request_uri;
#root /var/www/volunteer-app;
gzip on;
gzip_proxied any;
gzip_comp_level 5;
gzip_buffers 16 8k;
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
gzip_min_length 256;
location /_next/static/ {
alias /var/www/volunteer/.next/static/;
expires 365d;
access_log off;
}
location /.well-known/acme-challenge/ {
root /var/www/html;
}
location / {
proxy_pass http://127.0.0.1:3000;
proxy_http_version 1.1;
#proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
}
rg305
September 4, 2024, 4:25pm
7
Something is not being shown from that full config...
I get:
curl -Ii www.igsus.dev
HTTP/1.1 404 Not Found
Content-Type: text/plain; charset=utf-8
X-Content-Type-Options: nosniff
Date: Wed, 04 Sep 2024 12:48:25 GMT
Content-Length: 19
Which overrides, and omits, the "Server:" response.
OR
Your system is not the one responding at the IP for those names.
To this end, please show the output of:
curl -4 ifconfig.me
2 Likes
Osiris
September 4, 2024, 4:30pm
8
When you try the https:// URI, you'd see a self-signed cert with CommonName "TRAEFIK DEFAULT CERT". So I guess there's a Traefik reverse proxy listening on port 443 on that IP address.
It's around the same result as with HTTP, but for some reason the headers are now all lowercase instead of uppercase first letter.
3 Likes
This is the output after running the command:
root@vultr:~# curl -4 ifconfig.me
207.246.75.36root@vultr:~#
rg305
September 4, 2024, 11:49pm
10
Well, that IP matches DNS:
Name: igsus.dev
Address: 207.246.75.36
Aliases: www.igsus.dev
[So, that's a good thing]
The error seems to be with how TRAEFIK is handling the ACME requests.
3 Likes
I’m unsure where this Traefik came from, as I haven’t added anything related to it. I only bought the domain on GoDaddy and pointed it to the server. I’ve tried to find any related files but haven’t found anything. If this is causing the issue, is there a way to revoke that certificate or take similar action?
rg305
September 5, 2024, 12:40am
12
Revoking the cert won't do anything to correct this problem.
Let's ensure your server is at the right IP.
From the server, show the output of:
curl -4 ifconfig.io
3 Likes
After running the command:
root@vultr:~# curl -4 ifconfig.io
207.246.75.36
root@vultr:~# dig igsus.dev
; <<>> DiG 9.18.28-0ubuntu0.22.04.1-Ubuntu <<>> igsus.dev
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4181
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;igsus.dev. IN A
;; ANSWER SECTION:
igsus.dev. 300 IN A 207.246.75.36