Nginx webroot authenticator

robwilkerson · April 21, 2016, 4:03pm

Having been screwing with this for an embarrassing number of hours…I need help. I’m trying to install a cert with Nginx using the webroot authenticator and all I keep getting back is 404s.

My webroot is owned by a non-root user. I don’t know whether I’m supposed to do this, but I’ve manually created a .well-known directory, made it owned by me:www-data and then, taking it a step further, opened the perms up to 777.

DNS is pointing to the right box.

The :80 portion of my Nginx config looks like this:

server {
  listen 80;

  server_name api.themand.us;

  location ~ /.well-known {
    access all
  }
}

# ./letsencrypt-auto certonly -a webroot --webroot-path=/opt/www/my-site/www/ -d api.themand.us
Checking for new version...
Requesting root privileges to run letsencrypt...
   /root/.local/share/letsencrypt/bin/letsencrypt certonly -a webroot --webroot-path=/opt/www/my-site/www/ -d api.themand.us
Failed authorization procedure. api.themand.us (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://api.themand.us/.well-known/acme-challenge/gECCqTCbWqwZEuK0bCmhtbE4isYTQizHNe84yUMz_ps [54.236.190.225]: 404

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: api.themand.us
   Type:   unauthorized
   Detail: Invalid response from http://api.themand.us/.well-
   known/acme-challenge/gECCqTCbWqwZEuK0bCmhtbE4isYTQizHNe84yUMz_ps

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.

For the life of me, I haven’t been able to figure out what I’m missing. Help?!

pfg · April 21, 2016, 5:28pm

Are you sure api.themand.us is pointing to the right IP? I’m seeing a Server: Apache/2 header in the response.

robwilkerson · April 21, 2016, 9:43pm

Sorry, it’s a made up domain. I didn’t want to expose the client any more than I needed to. The IP address in the error message is correct, so DNS seems to be resolving correctly.

Thanks.

jvanasco · April 21, 2016, 9:52pm

The easiest thing to do is to drop a file into that webroot and make sure you can read it via the public internet. the webroot plugin just writes a file into /.well-known/acme-challenge… so you can just do:

touch /opt/www/my-site/www/.well-known/acme-challenge/TEST.txt

and make sure that you can access

my-site.com/.well-known/acme-challenge/TEST.txt

nginx error logs should help you figure out any issues from there

flo · April 22, 2016, 6:57am

Try this:

server {
  listen 80;

  server_name api.themand.us;

  location ~ /.well-known {
    root /opt/www/my-site/www;
    allow all;
  }
}

system · May 22, 2016, 6:57am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Trouble getting started with Nginx webroot Server	2	1515	May 25, 2016
Issues with nginx Help	8	1545	September 27, 2017
Failed authorization procedure - Nginx - Ubuntu 14.04	4	2883	March 21, 2016
Failed authorization procedure Debian 8 Nginx Help	14	2620	January 14, 2018
Webroot unauthorized, possibly because of drupal	3	2735	December 24, 2015

Nginx webroot authenticator

Related topics