Nginx certbot unauthorized

6M8CcUGR · April 1, 2018, 8:12pm

Hello,
first I have to say I am new to server administration and I’m learning at the moment.

When I run certbot certonly --webroot -d example.com -d www.example.com

I get:

Waiting for verification...
Cleaning up challenges
Failed authorization procedure. www.domain.tld (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.domain.tld/.well-known/acme-challenge/***key***: "<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
 "

IMPORTANT NOTES:
 - If you lose your account credentials, you can recover through
   e-mails sent to admin@domain.tld.
 - The following errors were reported by the server:

   Domain: www.domain.tld
   Type:   unauthorized
   Detail: Invalid response from
   http://www.domain.tld/.well-known/acme-challenge/***key***:
   "<!DOCTYPE html>
   <html>
   <head>
   <title>Welcome to nginx!</title>
   <style>
       body {
           width: 35em;
           margin: 0 auto;
    "

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.

This is my /etc/nginx/sites-available/default:

server {
        listen 80 default_server;
        listen [::]:80 default_server;

        root /var/www/html;

        index index.php index.html index.htm index.nginx-debian.html;

        server_name example.com www.example.com;

        location / {
                try_files $uri $uri/ =404;
        }

        location ~ \.php$ {
                include snippets/fastcgi-php.conf;
                fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
        }

        location ~ /\.ht {
                deny all;
        }

        location ~ /.well-known {
                allow all;
        }
}

When I put a test.txt into /var/www/html/.well-known/acme-challenge/ I can successfully access it in my browser.

mnordhoff · April 1, 2018, 8:29pm

What’s the real site?

6M8CcUGR · April 1, 2018, 8:31pm

What do you mean? The real domain name?

mnordhoff · April 1, 2018, 8:36pm

Yes.

And the real subdomain(s).

6M8CcUGR · April 1, 2018, 8:37pm

How does this matter? I don’t want post this here in public.
Subdomain is www.

mnordhoff · April 1, 2018, 8:39pm

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

6M8CcUGR · April 1, 2018, 8:41pm

Okay so domain is holymoly.wtf (no joke)
But which fields should I fill out? :o

mnordhoff · April 1, 2018, 9:02pm

The Nginx configuration is probably fine. The issue is with the Namecheap URL forwarding service the www subdomain is using.

If you try to access http://www.holymoly.wtf/.well-known/acme-challenge/xxxxxxxx, it redirects to http://holymoly.wtf -- your homepage, not the ACME validation file.

I'd suggest setting up an Nginx virtual host with a working redirect, and then pointing your DNS records at it and disabling the Namecheap URL forwarding.

Something like:

server {
    listen 80;
    listen [::]:80;
    return 301 http://holymoly.wtf$request_uri;
    server_name www.holymoly.wtf;
}

Edit: And remove www.holymoly.wtf from the server_name in your other server block!

Oh -- I'm sorry. I should have edited that out.

The forum software asks a bunch of questions when starting a topic in the "Help" forum, but not the "Server" forum. You'd already answered most of the other ones, so I didn't mean to bring it up.

6M8CcUGR · April 1, 2018, 9:07pm

When I access www.holymoly.wtf it should redirect to the domain without www.
In this case could I keep the namecheap settings and just configure Lets’s Encrypt for the domain without www?

mnordhoff · April 1, 2018, 9:14pm

If you set up Nginx like that, it will.

It's just Nginx would be in charge of the redirect instead of Namecheap.

Yeah.

6M8CcUGR · April 1, 2018, 9:18pm

Just setting it up for the main domain without sub domain just worked fine.
Thank you.

system · May 1, 2018, 9:19pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.