New Server, New IP address, same Domain name

I have destroyed the old server droplet on Digital Ocean (which had LE working) and am currently configuring a new server with the same domain name and a different IP address. When attempting to install LE on the new server I got "Failed authorization procedure".

I’m assuming that is due to previous configuration on old server.

Details below:

My domain is: inkblotcreations.com

I ran this command:
sudo letsencrypt certonly -a webroot --webroot-path=/var/www/inkblotcreations -d inkblotcreations.com -d www.inkblotcreations.com

It produced this output:
Failed authorization procedure. www.inkblotcreations.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.inkblotcreations.com/.well-known/acme-challenge/#######################: inkblotcreations.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://inkblotcreations.com/.well-known/acme-challenge/#######################:

IMPORTANT NOTES:

My operating system is (include version):
Ubuntu 16.04

My web server is (include version):
Nginx 1.10.0

My hosting provider, if applicable, is:
Digital Ocean

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No

Hi @PyCatz,

Did you remove some information from the error message detail about why the response was unauthorized? Usually the CA explains what it got from your server instead of what it was expecting, or why it was unable to connect.

The existence of a previous server or cert shouldn’t affect your ability to get a new one at all, except for rate limiting, and this isn’t a rate limiting error. Apart from rate limiting, the CA doesn’t have any notion of memory of old certificates or authorizations as a reason to prevent new ones.

Hi schoen

Thanks for the info. Now knowing that the previous install is not relevant, I reviewed my install notes. I have modified /etc/nginx/sites-available/inkblot so that the location for .well-known is consistent with the address.
-----
server {
    listen 80;
    server_name inkblotcreations.com www.inkblotcreations.com ;

    location ~/var/www/inkblotcreations/.well-known { allow all; }
}

Error is still very similar (slightly less verbose). Full error message is (for same command):

sudo letsencrypt certonly -a webroot --webroot-path=/var/www/inkblotcreations -d inkblotcreations.com -d www.inkblotcreations.com
Failed authorization procedure. www.inkblotcreations.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.inkblotcreations.com/.well-known/acme-challenge/QWIWu2NJMSUA_pdoIzDKND8pnHYpARoy24jSyeQ3UPk: "

Not Found

The requested URL /.well-known/acme-challenge/QWIWu2NJMSUA_pdoIzDKND8pnHYpARoy24jSyeQ3UPk was not found on ", inkblotcreations.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://inkblotcreations.com/.well-known/acme-challenge/ECCVSP-q3NQDCkNQ0SxeRnhBDt8TrFI3BvtCVgQXRho: "

Not Found

The requested URL /.well-known/acme-challenge/ECCVSP-q3NQDCkNQ0SxeRnhBDt8TrFI3BvtCVgQXRho was not found on "

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: www.inkblotcreations.com
    Type: unauthorized
    Detail: Invalid response from http://www.inkblotcreations.com
    /.well-known/acme-
    challenge/QWIWu2NJMSUA_pdoIzDKND8pnHYpARoy24jSyeQ3UPk: "

    Not
    Found

    The requested URL /.well-known/acme-
    challenge/QWIWu2NJMSUA_pdoIzDKND8pnHYpARoy24jSyeQ3UPk was not found
    on "

    Domain: inkblotcreations.com
    Type: unauthorized
    Detail: Invalid response from http://inkblotcreations.com/.well-
    known/acme-challenge/ECCVSP-q3NQDCkNQ0SxeRnhBDt8TrFI3BvtCVgQXRho:
    "

    Not Found

    The requested URL /.well-known/acme-challenge
    /ECCVSP-q3NQDCkNQ0SxeRnhBDt8TrFI3BvtCVgQXRho was not found on "

At best, that doesn't do anything. (Nothing visits URLs like http://inkblotcreations.com/xxx/var/www/inkblotcreations/xwell-knownxxx.) At worst, it's a syntactic error and Nginx won't start. (There should be a space between "~" and "/".)

Could you paste the whole Nginx configuration file, without redacting any of it? And the relevant portion of Nginx's error.log, without redacting it either?

(The command "nginx -T" will print your entire configuration in recent versions of Nginx, by the way.)

Your Nginx configuration needs to contain, at minimum, something like:

server {
    listen 80;
    server_name inkblotcreations.com www.inkblotcreations.com;
    root /var/www/inkblotcreations;
}

or

server {
    listen 80;
    server_name inkblotcreations.com www.inkblotcreations.com;
    location /.well-known/acme-challenge/ {
        root /var/www/inkblotcreations;
    }
}

Does something more like that work?

Hi mnordhoff

Thanks for the info (definitely a learning curve).
I have fixed the syntactic error and amended the Nginx config as per your recommendations. I also created (mkdir) the acme-challenge folders under .well-known, which weren't there before. I still have pretty much the same error.

Current Status
Command:
sudo letsencrypt certonly -a webroot --webroot-path=/var/www/inkblotcreations -d inkblotcreations.com -d www.inkblotcreations.com

Error message:
Failed authorization procedure. www.inkblotcreations.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.inkblotcreations.com/.well-known/acme-challenge/YdWS2sCgZPxy4T0DkeyXltzHnOFb-hHpI8GyMS5XH_s: "

Not Found

The requested URL /.well-known/acme-challenge/YdWS2sCgZPxy4T0DkeyXltzHnOFb-hHpI8GyMS5XH_s was not found on ", inkblotcreations.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://inkblotcreations.com/.well-known/acme-challenge/57y1Wy-EPdFgm_NZDzRxUHsBikusR9-b5dRFre6Qolw: "

Not Found

The requested URL /.well-known/acme-challenge/57y1Wy-EPdFgm_NZDzRxUHsBikusR9-b5dRFre6Qolw was not found on "

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: www.inkblotcreations.com
    Type: unauthorized
    Detail: Invalid response from http://www.inkblotcreations.com
    /.well-known/acme-challenge/YdWS2sCgZPxy4T0DkeyXltzHnOFb-
    hHpI8GyMS5XH_s: "

    Not Found

    The requested URL /.well-
    known/acme-challenge/YdWS2sCgZPxy4T0DkeyXltzHnOFb-hHpI8GyMS5XH_s
    was not found on "

    Domain: inkblotcreations.com
    Type: unauthorized
    Detail: Invalid response from http://inkblotcreations.com/.well-
    known/acme-challenge/57y1Wy-EPdFgm_NZDzRxUHsBikusR9-b5dRFre6Qolw:
    "

    Not Found

    The requested URL /.well-known/acme-challenge
    /57y1Wy-EPdFgm_NZDzRxUHsBikusR9-b5dRFre6Qolw was not found on "

Nginx config (/etc/nginx/sites-available/inkblot):

server {
    listen 80;
    server_name inkblotcreations.com www.inkblotcreations.com 188.166.255.248;
    root /var/www/inkblotcreations;

    location = /favicon.ico {
        access_log off;
        log_not_found off;
    }

    location /static/ { root /home/catz/src; }

    location / {
        include proxy_params;
        proxy_pass http://unix:/home/catz/src/inkblot.sock;
    }

    location ~ /var/www/inkblotcreations/.well-known/acme-challenge/ {
        allow all;
    }
}

Error log:
2017/03/16 08:14:25 [error] 1914#1914: *205 open() "/usr/share/nginx/html/.well-known/acme-challenge/LkMY7VnJjmzlHdFPfcini7Una_Gmnw$
2017/03/16 08:14:26 [error] 1914#1914: *206 open() "/usr/share/nginx/html/.well-known/acme-challenge/MNbXihiONL4mIA9dn7bgaZePHwIivt$

I don't entirely understand what's happening, frankly.

That's the location block that would apply to requests for /.well-known/acme-challenge/random-stuff.

The server is responding with a 404 Not Found error that isn't generated by Nginx. (The HTML is a little different.) So I guess it's coming from the upstream.

And yet that comes from requests that really were handled by Nginx, but with a different configuration.

When was 08:14? Earlier, before you changed the configuration, or just now?

In any case, try adding a location block like:

    location /.well-known/acme-challenge/ {
        root /var/www/inkblotcreations;
    }

or even just:

    location /.well-known/acme-challenge/ { }
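To show why the minimal configs suggested earlier and the extra location block above work while the poster's "~ /var/www/..." location does not, here is an added example (not code from the thread) that models Nginx's location selection in Python, with the selection rules simplified as an assumption. It runs the challenge URI from the thread through the poster's config and through the same config with the prefix location added.

```python
import re

# Simplified model of how Nginx picks a location for a request URI (an assumption
# for illustration, not Nginx's own code): "=" exact match wins; otherwise the
# longest matching prefix is kept, winning outright if declared "^~"; otherwise the
# first matching "~" regex wins; otherwise the longest prefix wins.
def select_location(locations, uri):
    best = None
    for mod, pat, handler in locations:
        if mod == "=" and uri == pat:
            return handler
        if mod in ("", "^~") and uri.startswith(pat):
            if best is None or len(pat) > len(best[1]):
                best = (mod, pat, handler)
    if best and best[0] == "^~":
        return best[2]
    for mod, pat, handler in locations:
        if mod == "~" and re.search(pat, uri):
            return handler
    return best[2] if best else None

def resolve(locations, uri):
    """Return ('proxy', upstream) or ('file', path) for a request URI; 'root' appends the URI."""
    kind, arg = select_location(locations, uri)
    return (kind, arg if kind == "proxy" else arg.rstrip("/") + uri)

WEBROOT = "/var/www/inkblotcreations"
UPSTREAM = "http://unix:/home/catz/src/inkblot.sock"

# The poster's config: the "~" pattern is a filesystem path, which never appears in
# a request URI, so the challenge falls through to "location /" and the proxy.
BROKEN = [
    ("=", "/favicon.ico", ("file", WEBROOT)),
    ("", "/static/", ("file", "/home/catz/src")),
    ("", "/", ("proxy", UPSTREAM)),
    ("~", r"/var/www/inkblotcreations/.well-known/acme-challenge/", ("file", WEBROOT)),
]

# The fix: a prefix location on the URI path, with root pointing at the webroot.
FIXED = BROKEN + [("", "/.well-known/acme-challenge/", ("file", WEBROOT))]

# Token taken from the error output in the thread.
CHALLENGE = "/.well-known/acme-challenge/YdWS2sCgZPxy4T0DkeyXltzHnOFb-hHpI8GyMS5XH_s"

if __name__ == "__main__":
    print("broken:", resolve(BROKEN, CHALLENGE))  # handed to the upstream, which 404s
    print("fixed: ", resolve(FIXED, CHALLENGE))   # served from the webroot file
```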

Thank you. Done.

By having location "/.well-known/acme-challenge/" (without the /var/www/domain/ prefix) and having the default root directory properly defined towards the top of the server block (plus fixing the other errors that you helped with), I was able to save the certificate and chain.

Have since configured SSL and have HTTP Strict Transport Security deployed on server.

Onwards and upwards!


This was a helpful tip for people who are using proxy_pass for their entire site (they may effectively not have a “webroot” the way people who are serving the site from the filesystem do). @mnordhoff, thanks for the tip; @PyCatz, glad it worked out for you!
