Nginx 404 new and renew

Help
1

My domain is: prova.g2k.it

I ran this command: certbot --nginx -d prova.g2k.it

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for prova.g2k.it
Using default address 80 for authentication.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. prova.g2k.it (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://prova.g2k.it/.well-known/acme-challenge/YpzHxsfD_23Xd4B5sHyNcdCLINvFXZ8jB4eQhwNxTAc: "

404 Not Found

404 Not Found

"

IMPORTANT NOTES:

My web server is (include version): nginx 1.12.1

The operating system my web server runs on is (include version): Ubuntu 16.04.4 LTS

My hosting provider, if applicable, is: x

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

In front of nginx I have varnish (varnish port 80, nginx port 443).
varnish is configured with this rule in the top of vcl_recv:

if (req.url ~ “^/.well-known/”) {
return(pass);
}

varnish pass request to nginx (locally, same server).
nginx conf for domain prova.g2k.it is this:

server {
listen 81;
server_name prova.g2k.it;

    root /usr/share/nginx/html;
    index index.html;

    set_real_ip_from   127.0.0.1;
    real_ip_header     X-Forwarded-For;
    real_ip_recursive on;

}

I receive Failed authorization procedure. prova.g2k.it (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response … 404 Not Found … for all domains in this server and not for only new certificate request, but also for renew requests.

I have try to create manually file in /usr/share/nginx/html/.well-known/acme-challenge and request this file from browser and it’s OK.
I have try to set 755 permissions to folder .well-know …

I not understand the problem … many weeks ago all works without problems … but now they do not work anymore neither the new requests nor the renewals.

Can you help me ?
Thanks
Manuel

2

certbot version are 0.22.2

letsencrypt.log error are this:

2018-03-27 12:29:17,377:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
File “/usr/bin/certbot”, line 11, in
load_entry_point(‘certbot==0.22.2’, ‘console_scripts’, ‘certbot’)()
File “/usr/lib/python3/dist-packages/certbot/main.py”, line 1266, in main
return config.func(config, plugins)
File “/usr/lib/python3/dist-packages/certbot/main.py”, line 1031, in run
certname, lineage)
File “/usr/lib/python3/dist-packages/certbot/main.py”, line 118, in _get_and_save_cert
lineage = le_client.obtain_and_enroll_certificate(domains, certname)
File “/usr/lib/python3/dist-packages/certbot/client.py”, line 350, in obtain_and_enroll_certificate
cert, chain, key, _ = self.obtain_certificate(domains)
File “/usr/lib/python3/dist-packages/certbot/client.py”, line 294, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File “/usr/lib/python3/dist-packages/certbot/client.py”, line 330, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
File “/usr/lib/python3/dist-packages/certbot/auth_handler.py”, line 79, in handle_authorizations
self._respond(aauthzrs, resp, best_effort)
File “/usr/lib/python3/dist-packages/certbot/auth_handler.py”, line 154, in _respond
self._poll_challenges(aauthzrs, chall_update, best_effort)
File “/usr/lib/python3/dist-packages/certbot/auth_handler.py”, line 220, in _poll_challenges
raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. prova.g2k.it (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://prova.g2k.it/.well-known/acme-challenge/JCh6v7rL-1HokkrlBflYA15NRnc9lgifToWUEJMlA4Y:

3

Hi,

Just wondering…

Have you tried using webroot instead of Nginx extension? (I guess it’s a proxy problem)

Thank you

4

Hello,
ah … if I use command

certbot --webroot --nginx -d prova.g2k.it

certificate request works …

5

Then it (has more chance) to be a proxy issue. (Which I have no clue since although I’m using Nginx I don’t use any proxy or so ever)

Thank you

6

for proxy issue do you mean a bug / problem in my nginx / varnish configuration or a bug / problem in certbot ?

7

My understanding would be that --nginx will attempt to create a nginx block listening on port 80 (because it doesn’t know anything about your Varnish setup and doesn’t realize that the nginx port 81 listener is actually “exposed to the public” on port 80 via the Varnish proxy). By contrast, the --webroot method doesn’t know anything about how the files in that directory get served to the public, just that the user has asserted that they do. :slight_smile:

In that sense, the extra intelligence in --nginx is working against us in configurations like this, because Certbot is parsing your nginx configuration and concluding “I need to add a port 80 listener here” or something of that nature, when in fact in this configuration that’s not so.

I would say @stevenzhu’s advice is right for the time being. Perhaps in the future we should add some kind of “use a specified existing server block listening on a different port, even if you don’t understand why that will work” option to handle cases like this. We have an equivalent option for some other plugins, where you can specify a different port for a challenge based on the existence of a port mapping/forwarding that Certbot itself can’t detect.

By the way, the recommended syntax for what you want to do here is probably -a webroot -i nginx (“authenticator webroot, installer nginx”) rather than --webroot --nginx, since --webroot and --nginx contradict each other in some sense.

8

thanks schoen, very good :wink:

10

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.