Nginx Reverse Proxy

My domain is: i.rexsdev.us

I ran this command: certbot --nginx -d i.rexsdev.us

It produced this output:

Failed authorization procedure. i.rexsdev.us (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested f3984ab369857a05713fda537ab3973c.4d0b2c0f15fba24bcd4c49021e8c2092.acme.invalid from 107.173.65.127:443. Received 2 certificate(s), first certificate had names "dl.1amdev.com, i.1amdev.com, pb.1amdev.com"

IMPORTANT NOTES:
 - The following errors were reported by the server:

       Domain: i.rexsdev.us
       Type:   unauthorized
       Detail: Incorrect validation certificate for tls-sni-01 challenge.
       Requested
       f3984ab369857a05713fda537ab3973c.4d0b2c0f15fba24bcd4c49021e8c2092.acme.invalid
       from 107.173.65.127:443. Received 2 certificate(s), first
       certificate had names "dl.1amdev.com, i.1amdev.com, pb.1amdev.com"

       To fix these errors, please make sure that your domain name was
       entered correctly and the DNS A record(s) for that domain
       contain(s) the right IP address.

My web server is (include version): nginx/1.6.2

The operating system my web server runs on is (include version): Debian 8

My hosting provider, if applicable, is: fallout-host.com

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No control panel used

Some additional things to note:

I have run this same setup before and it has worked flawlessly on the same machine without changing a thing, just added a few more domains.

I have static.ozairpatel.com and i.zyrl.space both working with the same command and such. I have added:

location /.well-known/acme-challenge/ {
   root /var/www/html; # Replace with the path to your webroot directory
   default_type text/plain;
}

but no luck.

I am able to access: http://i.rexsdev.us/.well-known/acme-challenge/ both on https (with certificate error) and http, however certbot says the names don’t match up. But this hasn’t been an issue in the past 🙁

Thanks,
rexs123

Can you try this?

    # ACME Challenge Rule
    location /.well-known {
        alias /var/www/html/.well-known; # have this as the webroot
        allow all;
        default_type "text/plain";
        autoindex    on;
    }

1 Like

@MitchellK Webroot is not used here - they were using tls-sni-01, not http-01.

That being said, this may be tricky with tls-sni-01 because it relies on TLS termination happening on the server running certbot. You probably should use http-01 here. First, you need to point webroot to the web root, not .well-known/acme-challenge. MitchellK’s suggestion should handle this. Then, use the nginx installer with webroot authentication with the command:

certbot run -i nginx -a webroot -w /var/www/html -d i.rexsdev.us

3 Likes
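
Added example, not part of the thread and not certbot or nginx code: a Python check of the point in the reply above, that the directory passed with -w must be the one nginx maps the challenge URI back into. It models only prefix locations using root or alias; the function names and the token are constructed for illustration, and the paths are the ones posted in the thread.

```python
import posixpath

# Path certbot's webroot plugin appends to the directory given with -w.
ACME_PREFIX = "/.well-known/acme-challenge/"

def nginx_file_for(uri, location, directive, path):
    """File nginx serves for `uri` from a prefix location using root or alias."""
    if not uri.startswith(location):
        return None
    if directive == "root":      # root: the full URI is appended to the path
        return posixpath.normpath(path + uri)
    if directive == "alias":     # alias: the matched location prefix is replaced
        return posixpath.normpath(path + uri[len(location):])
    raise ValueError("directive must be 'root' or 'alias'")

def certbot_file_for(webroot, token):
    """File certbot writes for an http-01 token under `-w webroot`."""
    return posixpath.normpath(webroot + ACME_PREFIX + token)

def webroot_is_served(webroot, location, directive, path, token="constructed-token"):
    """True when nginx would serve exactly the file certbot writes."""
    served = nginx_file_for(ACME_PREFIX + token, location, directive, path)
    return served == certbot_file_for(webroot, token)

# (label, -w value, location, directive, path); paths are the ones in the thread.
CASES = [
    ("root block from the question", "/var/www/html",
     "/.well-known/acme-challenge/", "root", "/var/www/html"),
    ("alias block from the reply", "/var/www/html",
     "/.well-known", "alias", "/var/www/html/.well-known"),
    ("-w pointed at the challenge dir", "/var/www/html/.well-known/acme-challenge",
     "/.well-known/acme-challenge/", "root", "/var/www/html"),
    ("alias used like root", "/var/www/html",
     "/.well-known/acme-challenge/", "alias", "/var/www/html"),
]

if __name__ == "__main__":
    for label, webroot, location, directive, path in CASES:
        ok = webroot_is_served(webroot, location, directive, path)
        print(f"{'OK  ' if ok else 'MISS'} {label}")
```

Both location blocks posted in the thread resolve to the same file under -w /var/www/html; the last two cases show the mismatches that leave the challenge file unreachable.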

Thank you sir, this worked perfectly 🙂

1 Like

Glad you got it sorted
