Hi, I am just a newbie here, installing my first ever BTCPay Server with (of course) Certbot and NGINX
and then running into the all-too-familiar (webroot) cert renewal issues: "unauthorized" and "lacks sufficient authorization".
What I noticed is that on my setup with NGINX running, any access to a file without a suffix,
i.e. in the format https://www.btcpayserver.net/filename,
results in the reverse proxy searching for [filename] with the usual .html, .php, etc. extensions!
So if you put a challenge name without a suffix there, it will never be found!
But if you give your challenge a suffix, as in https://www.btcpayserver.net/filename.txt,
then it simply finds and opens that file.
So, if you have encountered complaints about people not being able to renew certificates,
and/or people with errors related to "unauthorized",
and/or people with errors related to "client lacks...",
should we give it a try and see if using a suffix in a challenge name could be a solution?
I ran this command: sudo certbot renew --dry-run
with cli.ini:
max-log-backups = 0
rsa-key-size = 2048
authenticator = webroot
webroot-path = /root/btcpayserver/BTCPayServer/wwwroot
It produced this output:
Attempting to renew cert (btcpay.codain.net) from /etc/letsencrypt/renewal/btcpay.codain.net.conf produced an unexpected error: Failed authorization procedure. btcpay.codain.net (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://btcpay.codain.net/.well-known/acme-challenge/oLdw1819EQ5ypBpGXBV5fBHVUgHx9hRma4-hvnJ7pMg [5.189.158.15]: "Status Code: 404; Not Found ". Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/btcpay.codain.net/fullchain.pem (failure)
My web server is (include version): BTCPay Server with NGINX
The operating system my web server runs on is (include version): Ubuntu 18.10
My hosting provider, if applicable, is: contabo.com
I can login to a root shell on my machine (yes or no, or I don’t know): yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): some with webmin, most in shell
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0
For further explanation, I have done the following on my setup:
I created 2 files in the wwwroot of BTCPay Server (with NGINX active):
a0b1c2d3e4f5g6h7test AND a0b1c2d3e4f5g6h7test.txt
When using: http(s)://btcpay.codain.net/a0b1c2d3e4f5g6h7test => Status Code: 404; Not Found
When using: http(s)://btcpay.codain.net/a0b1c2d3e4f5g6h7test.txt => shows content of file (and no error!)
I believe that the webroot challenge check experiences the same issue.
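An added configuration sketch (editor's example, not from the original post and not BTCPay Server's own deployment files): an NGINX location that serves the ACME challenge directory straight from disk, ahead of the reverse proxy, so that extensionless token files are found and returned as plain text. It assumes a hypothetical challenge directory /var/www/letsencrypt and a hypothetical upstream address for BTCPay Server; the directory must equal certbot's webroot-path and be readable by the NGINX worker user.

```nginx
# Added example, not from the original post. Hypothetical paths/addresses are
# marked as such; adjust them to the real deployment.
server {
    listen 80;
    server_name btcpay.codain.net;

    # ^~ gives this prefix priority over any regex locations (for example ones
    # that map requests onto .html/.php files) and over the proxy block below,
    # so challenge requests never reach the application.
    location ^~ /.well-known/acme-challenge/ {
        # Certbot writes <webroot-path>/.well-known/acme-challenge/<token>,
        # so "root" (not "alias") is used and webroot-path in cli.ini must be
        # the same directory (hypothetical path):
        #   webroot-path = /var/www/letsencrypt
        root /var/www/letsencrypt;

        # Tokens have no extension, so no MIME type can be inferred from the
        # name; the HTTP-01 validator expects a plain-text body.
        default_type text/plain;

        # Serve the file exactly as requested or answer 404; no extension
        # guessing and no fallback to the application.
        try_files $uri =404;
    }

    # Everything else is proxied to BTCPay Server as before
    # (hypothetical upstream address).
    location / {
        proxy_pass http://127.0.0.1:23000;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

To check the block before a real renewal, create an extensionless test file under /var/www/letsencrypt/.well-known/acme-challenge/ and request it with curl over plain HTTP; a 200 with the file's content, rather than the 404 shown in the post, confirms the location is matched.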