Problem with generating certificate behind a proxy

I would appreciate some assistance in finding why certbot is not able to generate certificates for us on a RedHat 7 server.

certbot certonly --webroot -w /var/www -d epwprs.dpw.gov.za --test-cert

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for epwprs.dpw.gov.za
Using the webroot path /var/www for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. epwprs.dpw.gov.za (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://epwprs.dpw.gov.za/.well-known/acme-challenge/Cb1TTHNV2nYCPSdbtGmY5hmK1ZaUq-cpLKYLLnXP6Y4 [164.151.131.52]: “\r\n404 Not Found\r\n<body bgcolor=“white”>\r\n

404 Not Found

\r\n

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: epwprs.dpw.gov.za
    Type: unauthorized
    Detail: Invalid response from
    http://epwprs.dpw.gov.za/.well-known/acme-challenge/Cb1TTHNV2nYCPSdbtGmY5hmK1ZaUq-cpLKYLLnXP6Y4
    [164.151.131.52]: “\r\n404 Not
    Found\r\n<body bgcolor=“white”>\r\n

    404
    Not Found

    \r\n

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

We have checked, and AAAA DNS record no AAAA record found for that domain.
However, when I tested http://www.webdnstools.com/dnstools/check-domain-results it indicated that it could not find an authoritative name server. Would that cause certbot to fail?

Domain Check Results

Running domain configuration checks for epwprs.dpw.gov.za…
General Name Server Tests
Test Detail Result
Name Servers Exist Received answer from ns2.dpw.gov.za
The name servers for this domain are: Pass

Could not find an authoritative name server.

Hi @WillemvdW

there is an older check of your domain (created yesterday - https://check-your-website.server-daten.de/?q=epwprs.dpw.gov.za ):

Your basic dns settings:

Host T IP-Address is auth. ∑ Queries ∑ Timeout
epwprs.dpw.gov.za C iproxy1.dpw.gov.za yes 1 0
A 164.151.131.52 yes
www.epwprs.dpw.gov.za Name Error yes 1 0

And

Domain	Nameserver	NS-IP
www.epwprs.dpw.gov.za
	•  ns1.dpw.gov.za
		
dpw.gov.za
	•  ns1.dpw.gov.za
		•

	•  ns2.dpw.gov.za
		•

That looks ok.

CNAME says, that iproxy1.dpw.gov.za handles the request. Is this the server you run your certbot?

The url-check:

Domainname Http-Status redirect Sec. G
http://epwprs.dpw.gov.za/
164.151.131.52 503 0.394 S
Service Unavailable
https://epwprs.dpw.gov.za/
164.151.131.52 500 2.064 N
Internal Server Error
Certificate error: RemoteCertificateNameMismatch
http://epwprs.dpw.gov.za/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
164.151.131.52 500 0.400 S
Internal Server Error
Visible Content: ERROR The requested URL could not be retrieved The following error was encountered while trying to retrieve the URL: http://epwprs.dpw.gov.za/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de Unable to forward this request at this time. This request could not be forwarded to the origin server or to any parent caches. Some possible problems are: An Internet connection needed to access this domains origin servers may be down. All configured parent caches may be currently unreachable. The administrator may not allow this cache to make direct connections to origin servers. Your cache administrator is webmaster . Generated Mon, 29 Apr 2019 21:13:45 GMT by iproxy1.dpw.gov.za (squid)

That’s a typical proxy error. The first instance works, but the instance behind the proxy doesn’t work.

Oh - rechecked your domain, now it looks better ( https://check-your-website.server-daten.de/?q=epwprs.dpw.gov.za ):

Domainname Http-Status redirect Sec. G
http://epwprs.dpw.gov.za/
164.151.131.52 200 0.400 H
https://epwprs.dpw.gov.za/
164.151.131.52 200 1.834 N
Certificate error: RemoteCertificateNameMismatch
http://epwprs.dpw.gov.za/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
164.151.131.52 404 0.397 A
Not Found
Visible Content: 404 Not Found nginx/1.12.2

Now the main configuration works.

So find the webroot of that answering nginx and use that with the webroot option.

Hi

CNAME says, that iproxy1.dpw.gov.za handles the
request. Is this the server you run your certbot?

No, that is the proxy server.

Willem

Sorry, the answer was incomplete.

Certbot should run on that ip or behind that ip.

nginx/1.12.2

So find that instance, then the webroot.

Then use it:

certbot run -a webroot -i nginx -w rootOfThatnginx -d epwprs.dpw.gov.za

Hi,

  We were able to resolve this. Thanks so much for your support.

For the record and others, this was the problem and how it was
resolved.

  1. We did not get the example of the syntax running webroot and

nginx. The example that you provided was very helpful. You might
want to consider adding that to the documentation.

  2. Our nginx configuration was also incorrect. (This was set up

to be used with other update methods)

for LetsEncrypt auth

    location ^~ /.well-known/acme-challenge {
      alias /var/www/letsencrypt;
      allow all;
    }
  The configuration that worked was
    location ^~ /.well-known/acme-challenge/ {
default_type "text/plain";
    root /var/www/letsencrypt;
}
Finally, certbot run -a webroot -i nginx -w /var/www/letsencrypt -d epwprs.dpw.gov.za --test-cert
did the trick.
using the instructions provided here:
1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.