Issue with Certbot Authentication for Domain

Hello,

I'm having trouble obtaining an SSL certificate for my domain igsus.dev using Certbot. Below are the details of my setup and the issues I'm facing:

Domain: igsus.dev

Web Server: Nginx 1.18.0

Operating System: Ubuntu 22.04

Certbot Version: 1.21.0

Issue: I ran the command to request a certificate using Certbot, but it failed with the following error:

Challenge failed for domain igsus.dev
http-01 challenge for igsus.dev

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Domain: igsus.dev
  Type:   unauthorized
  Detail: Invalid response from http://igsus.dev/.well-known/acme-challenge/cZeRZWGBAI8XyD1BlSgkDEzzUswJ4uhqL_7M2YFzXPc: 404

Nginx Configuration: Here is the relevant configuration for the server in /etc/nginx/sites-available/volunteer :

server {
    listen 80;
    server_name igsus.dev www.igsus.dev;
    return 301 https://$host$request_uri;
    #root /var/www/gus-app;

    gzip on;
    gzip_proxied any;
    gzip_comp_level 5;
    gzip_buffers 16 8k;
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
    gzip_min_length 256;

    location /_next/static/ {
        alias /var/www/gus/.next/static/;
        expires 365d;
        access_log off;
    }

    location /.well-known/acme-challenge/ {
        root /var/www/html;
    }

    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_http_version 1.1;
        #proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}

This configuration is correctly included in Nginx. However, I can access the site via the IP address but not through the domain igsus.dev. A dig command confirms that igsus.dev resolves correctly.

Logs: The Certbot log shows an error indicating that the temporary Nginx configuration changes made by Certbot could not be verified. The challenge directory was not found, resulting in a 404 error.

Could you please assist me in resolving this issue? Any help or guidance would be greatly appreciated.

Thank you!

2 Likes

Welcome to the Let's Encrypt Community! :slightly_smiling_face:

Therein lies your problem. Fix that and you should be able to get a certificate.

I'll add more later when I have time. Others may jump-in in the meantime.

4 Likes

What shows?:

nginx -T

2 Likes

This is the output

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

No, that's the output of the lowercase t, not the output of the requested uppercase T.

2 Likes

Oh! ma bad, it throwing a lot of information

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
        worker_connections 768;
        # multi_accept on;
}

http {

        ##
        # Basic Settings
        ##

        sendfile on;
        tcp_nopush on;
        types_hash_max_size 2048;
        # server_tokens off;

        # server_names_hash_bucket_size 64;
        # server_name_in_redirect off;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        ##
        # SSL Settings
        ##

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
        ssl_prefer_server_ciphers on;

        ##
        # Logging Settings
        ##

        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;

        ##
        # Gzip Settings
        ##

        gzip on;

        # gzip_vary on;
        # gzip_proxied any;
        # gzip_comp_level 6;
        # gzip_buffers 16 8k;
        # gzip_http_version 1.1;
        # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

        ##
        # Virtual Host Configs
        ##

        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-available/*;
}


#mail {
#       # See sample authentication script at:
#       # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
#       # auth_http localhost/auth.php;
#       # pop3_capabilities "TOP" "USER";
#       # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
#       server {
#               listen     localhost:110;
#               protocol   pop3;
#               proxy      on;
#       }
#
#       server {
#               listen     localhost:143;
#               protocol   imap;
#               proxy      on;
#       }
#}

# configuration file /etc/nginx/modules-enabled/50-mod-http-geoip2.conf:
load_module modules/ngx_http_geoip2_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-http-image-filter.conf:
load_module modules/ngx_http_image_filter_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-http-xslt-filter.conf:
load_module modules/ngx_http_xslt_filter_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-mail.conf:
load_module modules/ngx_mail_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-stream.conf:
load_module modules/ngx_stream_module.so;

# configuration file /etc/nginx/modules-enabled/70-mod-stream-geoip2.conf:
load_module modules/ngx_stream_geoip2_module.so;

# configuration file /etc/nginx/mime.types:

types {
    text/html                             html htm shtml;
    text/css                              css;
    text/xml                              xml;
    image/gif                             gif;
    image/jpeg                            jpeg jpg;
    application/javascript                js;
    application/atom+xml                  atom;
    application/rss+xml                   rss;

    text/mathml                           mml;
    text/plain                            txt;
    text/vnd.sun.j2me.app-descriptor      jad;
    text/vnd.wap.wml                      wml;
    text/x-component                      htc;

    image/png                             png;
    image/tiff                            tif tiff;
    image/vnd.wap.wbmp                    wbmp;
    image/x-icon                          ico;
    image/x-jng                           jng;
    image/x-ms-bmp                        bmp;
    image/svg+xml                         svg svgz;
    image/webp                            webp;

    application/font-woff                 woff;
    application/java-archive              jar war ear;
    application/json                      json;
    application/mac-binhex40              hqx;
    application/msword                    doc;
    application/pdf                       pdf;
    application/postscript                ps eps ai;
    application/rtf                       rtf;
    application/vnd.apple.mpegurl         m3u8;
    application/vnd.ms-excel              xls;
    application/vnd.ms-fontobject         eot;
    application/vnd.ms-powerpoint         ppt;
    application/vnd.wap.wmlc              wmlc;
    application/vnd.google-earth.kml+xml  kml;
    application/vnd.google-earth.kmz      kmz;
    application/x-7z-compressed           7z;
    application/x-cocoa                   cco;
    application/x-java-archive-diff       jardiff;
    application/x-java-jnlp-file          jnlp;
    application/x-makeself                run;
    application/x-perl                    pl pm;
    application/x-pilot                   prc pdb;
    application/x-rar-compressed          rar;
    application/x-redhat-package-manager  rpm;
    application/x-sea                     sea;
    application/x-shockwave-flash         swf;
    application/x-stuffit                 sit;
    application/x-tcl                     tcl tk;
    application/x-x509-ca-cert            der pem crt;
    application/x-xpinstall               xpi;
    application/xhtml+xml                 xhtml;
    application/xspf+xml                  xspf;
    application/zip                       zip;

    application/octet-stream              bin exe dll;
    application/octet-stream              deb;
    application/octet-stream              dmg;
    application/octet-stream              iso img;
    application/octet-stream              msi msp msm;

    application/vnd.openxmlformats-officedocument.wordprocessingml.document    docx;
    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet          xlsx;
    application/vnd.openxmlformats-officedocument.presentationml.presentation  pptx;

    audio/midi                            mid midi kar;
    audio/mpeg                            mp3;
    audio/ogg                             ogg;
    audio/x-m4a                           m4a;
    audio/x-realaudio                     ra;

    video/3gpp                            3gpp 3gp;
    video/mp2t                            ts;
    video/mp4                             mp4;
    video/mpeg                            mpeg mpg;
    video/quicktime                       mov;
    video/webm                            webm;
    video/x-flv                           flv;
    video/x-m4v                           m4v;
    video/x-mng                           mng;
    video/x-ms-asf                        asx asf;
    video/x-ms-wmv                        wmv;
    video/x-msvideo                       avi;
}

# configuration file /etc/nginx/sites-available/volunteer:
server {
    listen 80;
    server_name igsus.dev www.igsus.dev;
    return 301 https://$host$request_uri;
    #root /var/www/volunteer-app;

    gzip on;
    gzip_proxied any;
    gzip_comp_level 5;
    gzip_buffers 16 8k;
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
    gzip_min_length 256;

    location /_next/static/ {
        alias /var/www/volunteer/.next/static/;
        expires 365d;
        access_log off;
    }

    location /.well-known/acme-challenge/ {
        root /var/www/html;
    }

    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_http_version 1.1;
        #proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}

Something is not being shown from that full config...
I get:

curl -Ii www.igsus.dev
HTTP/1.1 404 Not Found
Content-Type: text/plain; charset=utf-8
X-Content-Type-Options: nosniff
Date: Wed, 04 Sep 2024 12:48:25 GMT
Content-Length: 19

Which overrides, and omits, the "Server:" response.

OR

Your system is not the one responding at the IP for those names.
To this end, please show the output of:
curl -4 ifconfig.me

2 Likes

When you try the https:// URI, you'd see a self-signed cert with CommonName "TRAEFIK DEFAULT CERT". So I guess there's a Traefik reverse proxy listening on port 443 on that IP address.

It's around the same result as with HTTP, but for some reason the headers are now all lowercase instead of uppercase first letter.

3 Likes

this the output after write the command

root@vultr:~# curl -4 ifconfig.me
207.246.75.36root@vultr:~#

Well, that IP matches DNS:

Name:    igsus.dev
Address: 207.246.75.36
Aliases: www.igsus.dev

[So, that's a good thing]

The error seems to be with how TRAEFIK is handling the ACME requests.

3 Likes

I’m unsure where this Traefik came from, as I haven’t added anything related to it. I only bought the domain on GoDaddy and pointed it to the server. I’ve tried to find any related files but haven’t found anything. If this is causing the issue, is there a way to revoke that certificate or take similar action?

Revoking the cert won't do anything to correct this problem.

Let's ensure your server is at the right IP.
From the server, show the output of:
curl -4 ifconfig.io

3 Likes

after write the command

root@vultr:~# curl -4 ifconfig.io
207.246.75.36
root@vultr:~# dig igsus.dev

; <<>> DiG 9.18.28-0ubuntu0.22.04.1-Ubuntu <<>> igsus.dev
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4181
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;igsus.dev.                     IN      A

;; ANSWER SECTION:
igsus.dev.              300     IN      A       207.246.75.36