Nginx webroot authenticator


#1

Having been screwing with this for an embarrassing number of hours…I need help. I’m trying to install a cert with Nginx using the webroot authenticator and all I keep getting back is 404s.

My webroot is owned by a non-root user. I don’t know whether I’m supposed to do this, but I’ve manually created a .well-known directory, made it owned by me:www-data and then, taking it a step further, opened the perms up to 777.

DNS is pointing to the right box.

The :80 portion of my Nginx config looks like this:

server {
  listen 80;

  server_name api.themand.us;

  location ~ /.well-known {
    access all
  }
}

# ./letsencrypt-auto certonly -a webroot --webroot-path=/opt/www/my-site/www/ -d api.themand.us
Checking for new version...
Requesting root privileges to run letsencrypt...
   /root/.local/share/letsencrypt/bin/letsencrypt certonly -a webroot --webroot-path=/opt/www/my-site/www/ -d api.themand.us
Failed authorization procedure. api.themand.us (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://api.themand.us/.well-known/acme-challenge/gECCqTCbWqwZEuK0bCmhtbE4isYTQizHNe84yUMz_ps [54.236.190.225]: 404

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: api.themand.us
   Type:   unauthorized
   Detail: Invalid response from http://api.themand.us/.well-
   known/acme-challenge/gECCqTCbWqwZEuK0bCmhtbE4isYTQizHNe84yUMz_ps
   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.

For the life of me, I haven’t been able to figure out what I’m missing. Help?!


#2

Are you sure api.themand.us is pointing to the right IP? I’m seeing a Server: Apache/2 header in the response.


#3

Sorry, it’s a made up domain. I didn’t want to expose the client any more than I needed to. The IP address in the error message is correct, so DNS seems to be resolving correctly.

Thanks.


#4

The easiest thing to do is to drop a file into that webroot and make sure you can read it via the public internet. The webroot plugin just writes a file into /.well-known/acme-challenge… so you can just do:

touch /opt/www/my-site/www/.well-known/acme-challenge/TEST.txt

and make sure that you can access

my-site.com/.well-known/acme-challenge/TEST.txt

nginx error logs should help you figure out any issues from there.
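
The same check as a small POSIX shell script, added here as an example and not taken from the thread: it writes a throwaway token file under the webroot's .well-known/acme-challenge directory, fetches it over plain HTTP the way the ACME http-01 validator would, compares the bodies, and removes the file again. It assumes curl is installed and that the webroot is writable by the user running it; the domain in the usage line is the made-up one from post #1.

```shell
#!/bin/sh
# Added example (not from the original thread): automate the "touch a file,
# fetch it from outside" test so a 404 or a wrong vhost is caught before
# running letsencrypt-auto.
#
# Assumptions not stated in the thread: curl is installed, the webroot is
# writable by this user, and validation happens over http:// on port 80.

# make_token: a random hex token so the check never matches a stale or
# cached file. Falls back to time+pid if /dev/urandom is unavailable.
make_token() {
    if [ -r /dev/urandom ]; then
        od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
    else
        printf '%s%s' "$(date +%s)" "$$"
    fi
}

# http_get URL: default fetcher. -f makes curl exit non-zero on 4xx/5xx,
# so a 404 like the one in post #1 is reported instead of compared.
http_get() {
    curl -fsS --max-time 10 "$1"
}

# webroot_selfcheck WEBROOT BASE_URL [FETCHER]
#   WEBROOT  - the directory passed to --webroot-path
#   BASE_URL - e.g. http://api.themand.us (http, not https)
#   FETCHER  - command that prints the body of a URL; defaults to http_get
# Returns 0 when the token written under WEBROOT comes back byte-for-byte
# via BASE_URL, 1 otherwise. The token file is removed in both cases.
webroot_selfcheck() {
    webroot=$1
    base_url=$2
    fetcher=${3:-http_get}
    dir="$webroot/.well-known/acme-challenge"
    token=$(make_token)
    mkdir -p "$dir" || return 1
    printf 'selfcheck %s\n' "$token" > "$dir/$token" || return 1
    body=$("$fetcher" "$base_url/.well-known/acme-challenge/$token" 2>/dev/null)
    status=$?
    rm -f "$dir/$token"
    if [ "$status" -ne 0 ]; then
        echo "FAIL: fetch exited with status $status (check the nginx error log)" >&2
        return 1
    fi
    if [ "$body" != "selfcheck $token" ]; then
        echo "FAIL: body differs; another vhost or a cached page answered" >&2
        return 1
    fi
    echo "OK: $base_url serves files from $webroot"
    return 0
}

# Usage on the web server itself (domain taken from post #1, which says it
# is made up):
#   webroot_selfcheck /opt/www/my-site/www http://api.themand.us
```

Run it as the same user that owns the webroot; if it prints the 404 failure, nginx is not mapping /.well-known/acme-challenge/ onto that directory, which is exactly the situation in the original post.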


#5

Try this:

server {
  listen 80;

  server_name api.themand.us;

  location ~ /.well-known {
    root /opt/www/my-site/www;
    allow all;
  }
}
