Letsencrypt certonly unauthorized nginx transmission & netdata

Please fill out the fields below so we can help you better.

My domain is:
mogul.network
torrent.mogul.network for my torrents
cloud.mogul.network for my cloud, etc.

I ran this command:

sudo sudo letsencrypt certonly -a webroot --webroot-path=/var/www -d mogul.network -d i.mogul.network -d hir.i.mogul.network -d cloud.mogul.network -d torrent.mogul.network -d netdata.mogul.network -d archive.mogul.network -d mail.mogul.network

It produced this output:

Failed authorization procedure. netdata.mogul.network (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://netdata.mogul.network/.well-known/acme-challenge/FJGOnOh9Fe23eVU3PlDUtBOSxg22eW-YvoHuHKbTBBc: "<html>
<head><title>401 Authorization Required</title></head>
<body bgcolor="white">
<center><h1>401 Authorization Required</", torrent.mogul.network (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://torrent.mogul.network/.well-known/acme-challenge/-X_yYF4LjQ2Iz7TxUlEoVTxXzP0PDTkl-OMZZgvq_4M [5.158.135.200]: 401

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: netdata.mogul.network
   Type:   unauthorized
   Detail: Invalid response from http://netdata.mogul.network/.well-
   known/acme-challenge/FJGOnOh9Fe23eVU3PlDUtBOSxg22eW-YvoHuHKbTBBc:
   "<html>
   <head><title>401 Authorization Required</title></head>
   <body bgcolor="white">
   <center><h1>401 Authorization Required</"

   Domain: torrent.mogul.network
   Type:   unauthorized
   Detail: Invalid response from http://torrent.mogul.network/.well-
   known/acme-challenge/-X_yYF4LjQ2Iz7TxUlEoVTxXzP0PDTkl-OMZZgvq_4M
   [5.158.135.200]: 401

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.

My operating system is (include version):
Ubuntu 16.04.1 LTS

My web server is (include version):
nginx version: nginx/1.10.0 (Ubuntu)

My hosting provider, if applicable, is:
It's hosted on my own server.

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

Additional configs

Because it might help to narrow down the problem, I have also added the “sites-enabled” config files for transmission and netdata.

transmission

server {
    listen 80;
    server_name torrent.mogul.network;
    return 301 https://$server_name$request_uri;

}
server {
    listen 443 ssl http2;
    include snippets/ssl-mogul.network.conf;
    include snippets/ssl-params.conf;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    server_name torrent.mogul.network;

    location / {
        proxy_read_timeout 300;
        proxy_pass_header  X-Transmission-Session-Id;
        proxy_set_header   X-Forwarded-Host   $host;
        proxy_set_header   X-Forwarded-Server $host;
        proxy_set_header   X-Forwarded-For    $proxy_add_x_forwarded_for;
        proxy_pass         http://127.0.0.1:9091/transmission/web/;
    }
    location /rpc {
        proxy_pass         http://127.0.0.1:9091/transmission/rpc;
    }

    location /upload {
        proxy_pass         http://127.0.0.1:9091/transmission/upload;
    }
}

netdata

upstream backend {
    # the netdata server
    server 127.0.0.1:19999;
    keepalive 64;
}

server {
    listen 80;
    server_name netdata.mogul.network;
    return 301 https://$server_name$request_uri;

}
server {
    listen 443 ssl http2;
    include snippets/ssl-mogul.network.conf;
    include snippets/ssl-params.conf;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    server_name netdata.mogul.network;

    auth_basic "Protected";
    auth_basic_user_file passwords;

    location / {
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://backend;
        proxy_http_version 1.1;
        proxy_pass_request_headers on;
        proxy_set_header Connection "keep-alive";
        proxy_store off;
    }
}

Both transmission and netdata ask for credentials (login) to access. I don’t know how to create the certificates while having the credentials still in place.

All other subdomains seem to work well, e.g. cloud.mogul.network for Nextcloud. I tried to find a solution with Google and also found a guy using Nginx, transmission & letsencrypt. But I don’t understand how he/she could create (and renew) the certificates.

I hope someone can give me the right hint. I might be just blind.
Thank you very much.

Hir i Mogul

Simple, you can't. You need to exclude the challenge directory from HTTP auth.

Could you guide me to a how-to or tutorial? I have no idea how to exclude it.

EDIT:
I tried to follow this advice and set an exception in my transmission site config via

location ~ /.well-known { 
    allow all;
}

Then I did a force-reload of nginx. I get a new error message (404 instead of 401):

   Domain: torrent.mogul.network
   Type:   unauthorized
   Detail: Invalid response from http://torrent.mogul.network/.well-
   known/acme-challenge/HVBRlImsbtObN1ObLdcGTUxhsWhMDRQCtnK5auZcfmA:
   "<html>
   <head><title>404 Not Found</title></head>
   <body bgcolor="white">
   <center><h1>404 Not Found</h1></center>
   <hr><center>"

My new nginx site config

server {
    listen 80;
    server_name torrent.mogul.network;
    return 301 https://$server_name$request_uri;

}
server {
    listen 443 ssl http2;
    include snippets/ssl-mogul.network.conf;
    include snippets/ssl-params.conf;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    server_name torrent.mogul.network;

    location ~ /.well-known {
        allow all;
    }

    location / {
        proxy_read_timeout 300;
        proxy_pass_header  X-Transmission-Session-Id;
        proxy_set_header   X-Forwarded-Host   $host;
        proxy_set_header   X-Forwarded-Server $host;
        proxy_set_header   X-Forwarded-For    $proxy_add_x_forwarded_for;
        proxy_pass         http://127.0.0.1:9091/transmission/web/;
    }
    location /rpc {
        proxy_pass         http://127.0.0.1:9091/transmission/rpc;
    }

    location /upload {
        proxy_pass         http://127.0.0.1:9091/transmission/upload;
    }
}

I guess you need to specify a directory for that location. In such situations you should watch all logfiles closely and crank up the logging level if needed.

Hi,

I encountered a similar issue. Like what @TCM says, specify a directory in the location ~/.well-known

location ~ /.well-known {
    root /var/www/netdata;
    allow all;
}

You should then create a .well-known folder in /var/www/netdata.

You shouldn’t really use “location ~ /.well-known”. It’s a regular expression. It matches completely irrelevant requests like /xwell-knownxxx/xxxx. Which is probably harmless, but still incorrect.

You should use “location /.well-known/acme-challenge/” or if necessary “location ^~ /.well-known/acme-challenge/”.
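
A sketch of the exclusion discussed in this thread, added here as an example and not taken from any poster's configuration. It assumes the webroot from the original command (/var/www) and answers the challenge path in the port-80 server, so the validation request is never redirected to the password-protected HTTPS server; names are copied from the netdata config above.

```nginx
# Added example (not from the thread). Assumes certbot was run with
# --webroot-path=/var/www, so challenge files are written to
# /var/www/.well-known/acme-challenge/<token>.

upstream backend {
    server 127.0.0.1:19999;   # netdata, as in the original config
    keepalive 64;
}

server {
    listen 80;
    server_name netdata.mogul.network;

    # Prefix match, not a regex: only URIs that start with this exact path.
    # "^~" stops nginx from checking regex locations once this prefix matches.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www;             # same directory as --webroot-path
        default_type text/plain;
        try_files $uri =404;       # serve the token file or fail, nothing else
    }

    # Everything else still goes to HTTPS, where auth_basic applies.
    location / {
        return 301 https://$server_name$request_uri;
    }
}

server {
    listen 443 ssl http2;
    server_name netdata.mogul.network;
    include snippets/ssl-mogul.network.conf;
    include snippets/ssl-params.conf;

    auth_basic "Protected";
    auth_basic_user_file passwords;

    # Only reached if the challenge is requested over HTTPS (for example
    # after a redirect): authentication is switched off for this path only.
    location ^~ /.well-known/acme-challenge/ {
        auth_basic off;
        root /var/www;
        try_files $uri =404;
    }

    location / {                   # proxy headers from the original omitted
        proxy_pass http://backend;
    }
}
```

Run `nginx -t` before reloading; a location without a `root` falls back to nginx's default document root, which is consistent with the 404 reported earlier in the thread.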
