LetsEncrypt subdomain with nginx config leading to errors

I am trying to make letsencrypt work. I am using Nginx and I am trying to get to work it on example.com and api.example.com, however I am in errors:

Failed authorization procedure. api.example.com (http-01):
urn:acme:error:unauthorized :: The client lacks sufficient
authorization :: Invalid response from
http://api.example.com/.well-known/acme-challenge/aI2FjOr6s6dN07vh6b9MsYVJ22S

My file tree is following:

  1. var/www/html
  2. var/www/example.com/html
  3. var/www/example.com/api -> This doesn’t contain html

And nginx sites-available config file containing the following.

All my CNAME records are working. I also tried nslookup with both api.example.com and example.com.

And to generate certs I gave this command a try:

sudo certbot certonly --webroot --webroot-path=/var/www/example.com/html -d example.com -d www.example.com -d api.example.com -d www.api.example.com

Of corse all example.com-s are my real domains.

What I am missing?

Hi @MaeseppTarvo,

If you create a file /var/www/example.com/html/.well-known/acme-challenge/test.txt, do its contents appear at all of http://example.com/.well-known/acme-challenge/test.txt, http://www.example.com/.well-known/acme-challenge/test.txt, and http://api.example.com/.well-known/acme-challenge/test.txt? If not, your webroot wasn’t specified properly and you’ll have to use a different command and/or web server configuration.

One very likely possibility is that the webroot for api.example.com is different from the webroot for example.com. In that case, you can specify a different webroot for each domain name by preceding the -d with a corresponding -w (where -w is simply the short form for --webroot-path).

@schoen My webroot for api.example.com is public as you can see from the nginx config. I tried the test.txt solution. I see the file from example.com but not from api.example.com. If I go to api.example.com, I get the Can’t establish secure connection error.

May I add public as root path?

Sure, I didn’t quite understand what you meant by “public”. Is that the name of a directory?

For each -d, you can add a -w before giving a path where files for that particular domain name can be placed. It is supposed to be the top level (“web root”) for content on that domain.

@MaeseppTarvo, it should be impossible to get TLS-SNI-01 errors when using --webroot. The webroot authenticator should never trigger the certificate authority to attempt to use this method of validating your control of a domain name. So that’s the first time I’ve ever seen that error in this context. (edit: note that you got a very different error before, related to HTTP-01, as I would expect)

Is it possible that you have some kind of shell alias for certbot or have created an /etc/letsencrypt/cli.ini file?

If not, could you please post the log files from /var/log/letsencrypt? You can change your domain to example.com there if you want (although notice that you’ve left an instance of it in the error message above).

This log is somehow showing that you ran certbot --nginx rather than certbot certonly --webroot -w /var/www/example.com/html/ -d www.example.com -d example.com -w /var/www/example.com/api/public -d api.example.com. Do you remember using this form somehow? There’s no record in this log that you used --webroot.

So, what happens if you create /var/www/workbungee.com/api/public/test.txt? Can you see its contents at http://api.workbungee.com/test.txt?

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.