Renew certificate nginx http authentication

I received an e-mail saying that my certificate is about to expire. I tried a manual renewal however getting the below error.

Because of the content I am hosting (for personal/private use only) I don’t want to temporarily switch off http authentication.

Is there a way to add a “certbot” user for example with a password or another way so that the certificate can be renewed while http authentication is still enabled?

Please let me know if more information is needed, e.g. nginx configuration, and I can add this to the post. By default I have port 80 blocked since this is forwarded to port 443 by nginx. For the purpose of renewing the certificate I opened port 80 but since it’s insecure I have now closed it again.

Regards

Kasper

My domain is:

servert.homelinuxserver.org

I ran this command:

kasper@Servert:/opt/certbot$ sudo ./certbot-auto renew

It produced this output:

Attempting to renew cert (servert.homelinuxserver.org) from /etc/letsencrypt/renewal/servert.homelinuxserver.org.conf produced an unexpected error: Failed authorization procedure. servert.homelinuxserver.org (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://servert.homelinuxserver.org/.well-known/acme-challenge/Q28ORfSyv23CwvMreuV9aPRsQXiZF-nRXxBv8IYH50c: "

401 Authorization Required

401 Authorization Required</". Skipping.

My web server is (include version):

nginx version: nginx/1.12.2

The operating system my web server runs on is (include version):
Linux Servert 4.9.0-5-amd64 #1 SMP Debian 4.9.65-3+deb9u2 (2018-01-04) x86_64

My hosting provider, if applicable, is:

N/A home server

I can login to a root shell on my machine (yes or no, or I don’t know):

Yes (sudo enabled account)

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

You could just disable http authentication for the location /.well-known/acme-challenge/.

Can you explain how I do this?

I am not an expert on this. I just use this to access my home server from other places than home. Could use some guidance on exactly what to add to the configuration.

Kasper

The first hit while searching “nginx disable http authentication for specific location” in a well known search engine reveals the following article:

edit: I can now access https://domain/.well-known/acme-challenge without needing a password when I create it in /var/www.

However the certbot renewal still fails with authentication failed.

Is it the same error as before, or a slightly different error?

It was exactly the same. I have now commented out about 90% of my nginx configuration leaving only the very basic setup including redirecting 80 to 403. The basic authentication has been commented out as well.

A new challenge has arrived: the not found error:

IMPORTANT NOTES:

The following errors were reported by the server:

Domain: servert.homelinuxserver.org
Type: unauthorized
Detail: Invalid response from
http://servert.homelinuxserver.org/.well-known/acme-challenge/A3TfgoBvrQ3QszjAZuXW0wzQc-hrfPVJEZJuD21q7_U:
"
404 Not Found
404 Not Found
"

It is correct that that directory didn’t exist. I was under the understanding certbot would create it for the challenge. However before, when the auth was still enabled, I created it manually and created a test text file. I was able to download the text file without needing to enter a password. But because certbot still indicated a failure I commented out the reverse proxy parts temporarily so there is no risk from disabling basic auth for the time of the renewal.

I am completely clueless now on what is going on. Should that directory be there? Was it created during the first request of the certificate?

Is it at this point not easier to just revoke the current certificate and request a new one?!

Note: the above was done with the command sudo ./certbot-auto renew --dry-run to not use too many resources by all these failures

Hi @kasper1985,

The output is different because the 401 error has changed to a 404 error. So the underlying reason for the failure is now different—you’re making progress!

Could you take a look in /etc/letsencrypt/renewal/servert.homelinuxserver.org.conf and see what webroot directory it’s trying to use? That directory might be wrong.

Hi Schoen,

Thank you. this is the webroot dir in that file:

webroot_path = /var/www/html,
[[webroot_map]]
servert.homelinuxserver.org = /var/www/html
can i safely edit that without breaking anything (removing the html part)?

Yes, you might want to edit both of them because I’m not sure which is being used. (I think webroot_map takes priority over webroot_path when both are present.)
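The two fixes discussed in this thread (exempting /.well-known/acme-challenge/ from basic auth, and keeping the nginx root in step with the webroot in the renewal conf) combined in one nginx configuration. This is an added example, not configuration posted by anyone in the thread; the htpasswd path, the backend address and the use of certbot's standard /etc/letsencrypt/live layout are assumptions.

```nginx
# Added example (not from the thread): basic auth stays on for everything
# except the ACME challenge path. Paths marked "assumed" are placeholders.
server {
    listen 80;
    server_name servert.homelinuxserver.org;

    # Challenge files are served with no password and no redirect to HTTPS.
    # The root must equal webroot_map in
    # /etc/letsencrypt/renewal/servert.homelinuxserver.org.conf, so that
    # certbot writes the token where nginx reads it.
    location ^~ /.well-known/acme-challenge/ {
        auth_basic off;
        root /var/www/html;
        default_type text/plain;
    }

    # Everything else on port 80 goes to HTTPS.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name servert.homelinuxserver.org;

    # Standard certbot live paths for this domain.
    ssl_certificate     /etc/letsencrypt/live/servert.homelinuxserver.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/servert.homelinuxserver.org/privkey.pem;

    # Password protection for the private content (server-wide).
    auth_basic           "Restricted";
    auth_basic_user_file /etc/nginx/.htpasswd;   # assumed location

    # Same exception on 443: if the validator follows the 80->443 redirect,
    # the challenge path must be open here as well.
    location ^~ /.well-known/acme-challenge/ {
        auth_basic off;
        root /var/www/html;
    }

    location / {
        proxy_pass http://127.0.0.1:8080;   # assumed backend
    }
}
```

After `nginx -t` and a reload, `certbot-auto renew --dry-run` exercises the challenge path without consuming rate-limited issuances.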

Awesome thank you that worked!

Any idea why that was configured wrong? I have never touched those files so assume it was done when the cert was requested by the automatic process?

No, I'm not sure. Normally the webroot directory is chosen and saved based on user input!

Oops it was a PEBCAK? That is very embarrassing :frowning_face:

Thank you for your help!
