Let's Encrypt with Django, Gunicorn and Nginx

My domain is:
soletlab-dev.com

I ran this command:
sudo certbot -v --nginx -d soletlab-dev.com -d www.soletlab-dev.com

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Requesting a certificate for soletlab-dev.com and www.soletlab-dev.com
Performing the following challenges:
http-01 challenge for soletlab-dev.com
http-01 challenge for www.soletlab-dev.com
Waiting for verification...
Challenge failed for domain soletlab-dev.com
Challenge failed for domain www.soletlab-dev.com
http-01 challenge for soletlab-dev.com
http-01 challenge for www.soletlab-dev.com

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: soletlab-dev.com
Type: unauthorized
Detail: 129.219.89.70: Invalid response from http://soletlab-dev.com/.well-known/acme-challenge/VvFY_f5kKF4366djLetfa6p868vpID4ImlNCf692BS8: 503

Domain: www.soletlab-dev.com
Type: unauthorized
Detail: 129.219.89.70: Invalid response from http://www.soletlab-dev.com/.well-known/acme-challenge/E02RlC4kEOagAwbHjLPH-1lWKi48_4oIzcGZBBaRo7w: 503

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Cleaning up challenges
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more detail

My web server is (include version):
nginx version: nginx/1.18.0 (Ubuntu)

The operating system my web server runs on is (include version):
Ubuntu 22.04.2 LTS

My hosting provider, if applicable, is:
N/A

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.21.0

Additional Info

  • The web app runs normally on http (port 80)
  • My web app is Django. I set it up using both gunicorn and nginx. I basically followed this tutorial from DigitalOcean: How To Set Up Django with Postgres, Nginx, and Gunicorn on Ubuntu 22.04 | DigitalOcean. So my "sites available" pretty much looks like the tutorial version.
  • The project files are located at /home/user/Project. All users have full rwx permission to this file.
  • One of the many things I tried: in my nginx sites-available config I added
    # Requests for /.well-known/... are looked up under /home/user/Project/.well-known/...
    location /.well-known/ {
        root /home/user/Project;
    }

Hello @zserhan, welcome to the Let's Encrypt community.

Do you have a Palo Alto Firewall?

$ curl -Ii http://soletlab-dev.com/.well-known/acme-challenge/sometestfile
HTTP/1.1 404 Not Found
Server: nginx/1.18.0 (Ubuntu)
Date: Fri, 10 Mar 2023 16:57:23 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive

This possibly indicates a Palo Alto firewall; note the HTTP/1.1 503 Service Unavailable:

$ curl -Ii http://soletlab-dev.com/.well-known/acme-challenge/sometestfile -A "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
HTTP/1.1 503 Service Unavailable
Content-Type: text/html; charset=UTF-8
Content-Length: 2094
Connection: close
P3P: CP="CAO PSA OUR"
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache

Also using Let's Debug show an ERROR Block By Firewall https://letsdebug.net/soletlab-dev.com/1402974


Please see Palo Alto firewall users with failing HTTP-01 challenges: enable "acme-protocol"


Thank you! I'll check this.


My suggestion for a quick troubleshoot is to try running Certbot against the Staging API in standalone mode. That just means Certbot will spin up its own HTTP server on port 80 and do everything. If that works, you probably have a configuration issue against Nginx; if it doesn't, you probably have an upstream firewall problem as @Bruce5051 suggested.

You can also try hosting a file under /.well-known/acme-challenge, ensure it is visible for a local request, and then try to access that from outside the network. If you see it locally but not externally, it's a firewall issue. IMHO testing with standalone is easier, because it only requires turning off nginx for the test and you don't have to debug any setup.

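The two checks suggested in this thread, comparing the answer with and without the Let's Encrypt validation User-Agent (Bruce5051's curl pair above) and comparing a local request against one that goes through the public address (jvanasco's second suggestion), combined into one diagnostic script. This is an added example, not code from the thread or from Certbot; the function names, the probe token name, the verdict strings and the plain `curl/8.0` User-Agent value are assumptions made for the example. It needs only curl and is run on the web server itself.

```shell
#!/bin/sh
# Added example, not part of the thread: separate "nginx is misconfigured"
# from "something upstream is interfering" for an ACME HTTP-01 path.
# Three requests are made for the same (non-existent) challenge URL:
#   1. via the public address, with a plain curl User-Agent
#   2. via the public address, with the Let's Encrypt validation User-Agent
#   3. via 127.0.0.1 (curl --resolve), with the Let's Encrypt User-Agent,
#      which reaches nginx without traversing a firewall in front of the host
# Function names, the probe token name and the verdict strings are this
# example's own choices. classify() is a pure function so the decision logic
# can be exercised without any network access.

LE_UA="Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"

# probe_status URL USER_AGENT [RESOLVE]
# Prints only the HTTP status code; curl prints "000" when no HTTP answer arrives.
probe_status() {
    url="$1"; ua="$2"; resolve="${3:-}"
    if [ -n "$resolve" ]; then
        curl -s -o /dev/null -w '%{http_code}' --max-time 10 -A "$ua" --resolve "$resolve" "$url"
    else
        curl -s -o /dev/null -w '%{http_code}' --max-time 10 -A "$ua" "$url"
    fi
}

# classify PLAIN_STATUS LE_STATUS LOOPBACK_STATUS
# Maps the three status codes to a verdict string.
classify() {
    plain="$1"; le="$2"; loop="$3"
    if [ "$loop" = "000" ]; then
        echo "nginx-not-answering"       # even the loopback request failed: fix nginx first
    elif [ "$plain" = "000" ] && [ "$le" = "000" ]; then
        echo "unreachable-from-outside"  # DNS, NAT or port 80 is not reaching this host
    elif [ "$plain" != "$le" ]; then
        echo "ua-fingerprinted"          # same path, answer depends on User-Agent
    elif [ "$le" != "$loop" ]; then
        echo "rewritten-upstream"        # public answer differs from what nginx returns locally
    else
        echo "consistent-$loop"          # 404 is the expected answer for a token that does not exist
    fi
}

# check_acme_path HOSTNAME
check_acme_path() {
    host="$1"
    url="http://$host/.well-known/acme-challenge/probe-token-$$"
    plain=$(probe_status "$url" "curl/8.0")
    le=$(probe_status "$url" "$LE_UA")
    loop=$(probe_status "$url" "$LE_UA" "$host:80:127.0.0.1")
    verdict=$(classify "$plain" "$le" "$loop")
    printf '%s\n  public, plain UA: %s\n  public, LE UA:    %s\n  loopback, LE UA:  %s\n  verdict: %s\n' \
        "$url" "$plain" "$le" "$loop" "$verdict"
}

if [ -n "${1:-}" ]; then
    check_acme_path "$1"
fi
```

With the responses seen in this thread (404 for a plain User-Agent, 503 for the Let's Encrypt one, and nginx itself answering 404 on loopback) the verdict is `ua-fingerprinted`, which is the firewall case rather than an nginx problem. The loopback check assumes nginx also listens on 127.0.0.1; if it is bound only to the public address, point the `--resolve` target at that address instead. The script does not replace the standalone dry run against the staging API; it only tells you which of the two problems to chase.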

@jvanasco Thanks for the suggestion! I didn't think of that before. I ran it in standalone mode and it showed the same error. So it's likely a firewall problem! I am working with IT to allow 'acme-protocol' on the firewall. I'll see if that solves the problem.


This post proved that:

