Renewal failing with 404 on challenges

Here is the previous thread from when I had trouble generating my initial certificate: AttributeError: module 'acme.challenges' has no attribute 'TLSSNI01'

One thing I'm noticing is the test file I created in the acme-challenges folder is now no longer accessible and I'm not sure why.

My domain is: outdoorgearalerts.com

I ran this command: /snap/bin/certbot certonly --non-interactive --dry-run --webroot -w /srv/users/serverpilot/apps/outdoorgearalerts/public --register-unsafely-without-email --agree-tos -d outdoorgearalerts.com

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Cert is due for renewal, auto-renewing...
Simulating renewal of an existing certificate for outdoorgearalerts.com
Performing the following challenges:
http-01 challenge for outdoorgearalerts.com
Using the webroot path /srv/users/serverpilot/apps/outdoorgearalerts/public for all unmatched domains.
Waiting for verification...
Challenge failed for domain outdoorgearalerts.com
http-01 challenge for outdoorgearalerts.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: outdoorgearalerts.com
   Type:   unauthorized
   Detail: Invalid response from
   http://outdoorgearalerts.com/.well-known/acme-challenge/u4sa9K7kheVf_kws1MZ4dUJMgBWCU_q00isqRuD7PVA
   [45.79.78.13]: "<html>\r\n<head><title>404 Not
   Found</title></head>\r\n<body>\r\n<center><h1>404 Not
   Found</h1></center>\r\n<hr><center>nginx</center>\r\n"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

My web server is (include version): nginx/1.19.6

The operating system my web server runs on is (include version): Ubuntu 16.04.7 LTS (GNU/Linux 5.8.3-x86_64-linode137 x86_64)

My hosting provider, if applicable, is: Linode using Serverpilot

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.14.0


If you put a test file in the webroot, can you access that?

I.e. (as root):

mkdir -p /srv/users/serverpilot/apps/outdoorgearalerts/public/.well-known/acme-challenge
echo 1234 > /srv/users/serverpilot/apps/outdoorgearalerts/public/.well-known/acme-challenge/test

And check if http://outdoorgearalerts.com/.well-known/acme-challenge/test works afterwards.


That results in a 404. What is odd is that the test files I had created before did work, but they do not now. I'm a backend developer and not a sysadmin, but if I were to take a guess, I'm wondering whether, since I'm using Serverpilot, they updated the nginx config and overwrote something. I don't think that is the case, though, because I have another domain that is renewing fine.


I'm still stuck on this. Does anyone have any suggestions for a next step? Much appreciated.


Well, like you say it sounds like your nginx is no longer configured to serve files out of that webroot. Have you tried using the nginx plugin instead of the webroot plugin? (Is there a reason you chose to use the webroot plugin in the first place?) Can you post your nginx configuration?


Your website content management system (WordPress) is intercepting the requests and returning the website's 404 page. You need to either configure nginx to pass /.well-known/acme-challenge requests through to the file system (not to WordPress) or use the certbot nginx plugin to configure much the same thing.

You can also optionally use a WordPress plugin to get Let's Encrypt certs, but I've not had much luck with plugins like that in the past.


When looking in the /etc/nginx-sp/vhosts.d/outdoorgearalerts.d/acme.conf file I'm seeing the following:

location ^~ /.well-known/acme-challenge/ {
    default_type "text/plain";
    rewrite /.well-known/acme-challenge/(.*) /$1 break;
    root /var/.rwssl/.well-known/acme-challenge/;
}

However, I'm not seeing anything in the /var/.rwssl/ directory. Could this be the problem? I'm a bit confused about how this worked when I originally generated the certificate but not now.

Well, if I'm reading that right (and I know next-to-nothing about nginx, so I might not be), it sounds like you should be using /var/.rwssl as your webroot in certbot instead of what you had been using.


Isn't that part equal to:

    root /var/.rwssl/

?

Looks a bit silly to first remove a part of the path and then later add it again 🤔

In any case, with or without that weird thing I mention above, you should indeed use /var/.rwssl/ as the webroot path in certbot, as @petercooperjr already mentioned 🙂

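Putting the two findings of this thread together (the test-file check suggested earlier, and the acme.conf `root` that points at /var/.rwssl rather than the app's public directory), here is an added shell script; it is not from the thread, from Certbot, or from ServerPilot. It models nginx's file lookup as `root` plus the (rewritten) URI, which is a simplification but matches the location block quoted above, compares that with the path certbot writes for a given `-w` webroot, and then runs the same curl-based probe as the manual test. It assumes curl is installed on the server; the function names, the `TOKEN` placeholder and the sample paths are my own.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks (1) that the directory
# nginx serves for /.well-known/acme-challenge/ is the one passed to
# certbot -w, and (2) that a probe file placed there comes back over HTTP.
# Assumes curl is installed; paths and the domain are arguments.

# Where nginx looks for a challenge URI, given its `root` directive and an
# optional rewrite that strips the /.well-known/acme-challenge/ prefix
# (the ServerPilot acme.conf form). Simplified model: root + rewritten URI.
nginx_file_for() {
    root=$1; uri=$2; strip_prefix=${3:-}
    if [ -n "$strip_prefix" ]; then
        uri="/${uri#"$strip_prefix"}"
    fi
    # collapse the double slash produced by a root that ends in /
    printf '%s\n' "$root$uri" | sed 's#//#/#g'
}

# The file certbot writes for a token when run with -w WEBROOT.
certbot_file_for() {
    webroot=$1; token=$2
    printf '%s\n' "$webroot/.well-known/acme-challenge/$token" | sed 's#//#/#g'
}

# 0 when certbot's file and nginx's lookup are the same path.
webroot_matches_nginx() {
    [ "$1" = "$2" ]
}

# Unpredictable token name, similar in shape to the ones the ACME server uses.
make_token() {
    head -c 24 /dev/urandom | base64 | tr '+/' '-_' | tr -d '=\n'
}

# Write a probe token into WEBROOT, fetch it via DOMAIN over plain HTTP the
# way the validation server does, clean up, and report.
probe_webroot() {
    domain=$1; webroot=$2
    token=$(make_token)
    dir="$webroot/.well-known/acme-challenge"
    mkdir -p "$dir"
    printf '%s' "$token" > "$dir/$token"
    body=$(curl -s -L --max-time 10 "http://$domain/.well-known/acme-challenge/$token")
    rm -f "$dir/$token"
    if [ "$body" = "$token" ]; then
        echo "OK: $webroot is served at /.well-known/acme-challenge/ for $domain"
    else
        echo "FAIL: expected the token back, got: $body"
        return 1
    fi
}

# Usage: sh acme-webroot-check.sh DOMAIN WEBROOT NGINX_ROOT [STRIP_PREFIX]
# With the acme.conf quoted in the thread:
#   sh acme-webroot-check.sh outdoorgearalerts.com /var/.rwssl \
#       /var/.rwssl/.well-known/acme-challenge/ /.well-known/acme-challenge/
if [ "$#" -ge 3 ]; then
    sample_token=TOKEN   # placeholder name, only used for the path comparison
    want=$(certbot_file_for "$2" "$sample_token")
    have=$(nginx_file_for "$3" "/.well-known/acme-challenge/$sample_token" "${4:-}")
    if webroot_matches_nginx "$want" "$have"; then
        echo "OK: certbot -w $2 and nginx root $3 both resolve to $want"
    else
        echo "MISMATCH: certbot writes $want but nginx reads $have"
        exit 1
    fi
    probe_webroot "$1" "$2"
fi
```

Run it as root on the web server with the domain, the webroot you intend to give certbot, the `root` from the nginx location block, and (for the ServerPilot form) the prefix the rewrite strips. With the thread's acme.conf, `-w /var/.rwssl` resolves to the same file nginx reads, while the app's public directory does not; a probe from the wrong directory is never found by nginx, the request falls through to WordPress's 404 page, and the http-01 challenge is reported as unauthorized exactly as in the certbot output above.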
