Server deleted and domain not accessible via public

Hello,

I had set up a server on DigitalOcean running Ubuntu 16.04, LEMP setup. I was able to set up SSL via Let's Encrypt for thestoicrunner.com and www.thestoicrunner.com

I then deleted the server and installed a new one. This led to use of a different IP address. Now I am unable to access the website from the web. Am I able to re-install the SSL certificate or issue a new one?

When I type in

    sudo letsencrypt certonly -a webroot --webroot-path=/var/www/thestoicrunner.com/html -d thestoicrunner.com -d www.thestoicrunner.com

I get the following error message:

    Failed authorization procedure. thestoicrunner.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://thestoicrunner.com/.well-known/acme-challenge/sA3JvqdMXjxsaMLfKrXco6tUIl_PnCyYvpdiRJAbWt8: "<html>
    <head><title>404 Not Found</title></head>
    <body bgcolor="white">
    <center><h1>404 Not Found</h1></center>
    <hr><center>", www.thestoicrunner.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.thestoicrunner.com/.well-known/acme-challenge/bgzhawzOSAX0X-N6BAy4eZ__tf3_zNxOTFNjlu_D8Js: "<html>
    <head><title>404 Not Found</title></head>
    <body bgcolor="white">
    <center><h1>404 Not Found</h1></center>
    <hr><center>"

    IMPORTANT NOTES:
     - The following errors were reported by the server:

       Domain: thestoicrunner.com
       Type:   unauthorized
       Detail: Invalid response from http://thestoicrunner.com/.well-known
       /acme-challenge/sA3JvqdMXjxsaMLfKrXco6tUIl_PnCyYvpdiRJAbWt8:
       "<html>
       <head><title>404 Not Found</title></head>
       <body bgcolor="white">
       <center><h1>404 Not Found</h1></center>
       <hr><center>"

       Domain: www.thestoicrunner.com
       Type:   unauthorized
       Detail: Invalid response from http://www.thestoicrunner.com/.well-
       known/acme-challenge/bgzhawzOSAX0X-N6BAy4eZ__tf3_zNxOTFNjlu_D8Js:
       "<html>
       <head><title>404 Not Found</title></head>
       <body bgcolor="white">
       <center><h1>404 Not Found</h1></center>
       <hr><center>"

       To fix these errors, please make sure that your domain name was
       entered correctly and the DNS A record(s) for that domain
       contain(s) the right IP address.

What steps do I need to take in order to get the domain up and running again? If I type it in the browser, it automatically goes to https even if I type in http.

I am new and learning all of this, so looking to better understand it.

Cheers,

Ramiro

The problem is unlikely to have anything to do with the https redirect (or the use of HSTS), but instead with the webroot path. The Let’s Encrypt server will request a file at http://yourserver/.well-known/acme-challenge/something. The path you enter for --webroot-path needs to be what your server serves as that path. You’ve given an incorrect path, so you need to correct it. I’d guess it should be /var/www/thestoicrunner.com/html/.well-known/acme-challenge (and you’d need to make sure those two directories existed), but that may depend on your server configuration.

Okay, I’ll test this out. My current new nginx server is not yet set up for this domain to redirect to https. Could this be the reason the public web is unable to connect to the server?

No, the error specifically says http:

    Detail: Invalid response from http://thestoicrunner.com/.well-known
    /acme-challenge/sA3JvqdMXjxsaMLfKrXco6tUIl_PnCyYvpdiRJAbWt8:

so it's not related to https not yet being set up.

I see that .well-known does exist, but acme-challenge not. I created this. Do I still give the path as so:

path=/var/www/thestoicrunner.com/html

or

path=/var/www/thestoicrunner.com/html/.well-know/acme-challenge

The first of those. (/var/www/thestoicrunner.com/html )

Also check: if you add a pure text file at /var/www/thestoicrunner.com/html/.well-known/acme-challenge/test with the word “success” in it, can you reach it at thestoicrunner.com/.well-known/acme-challenge/test in your browser?

I added a pure text file at that location. I cannot reach it via my browser. I see that the folders .well-known and acme-challenge are owned by root and not my user. Does this matter?

It could, it depends on the permissions you have set.

Do you get a “404 not found” error though, or do you get a permissions “you are not allowed” error? The difference should tell you if permissions or path are the problem.

I get a can’t connect to server error: "Safari can’t connect to the server “thestoicrunner.com”"

Do the logs say you are getting to the site, and indicate any issue ?

For me, I can reach your domain OK

    $ curl -I thestoicrunner.com
    HTTP/1.1 200 OK
    Server: nginx/1.10.0 (Ubuntu)
    Date: Thu, 24 Nov 2016 09:17:29 GMT
    Content-Type: text/html
    Content-Length: 612
    Last-Modified: Wed, 23 Nov 2016 21:48:42 GMT
    Connection: keep-alive
    ETag: "58360eba-264"
    Accept-Ranges: bytes

but I can’t reach the .well-known folder below that

    $ curl -I thestoicrunner.com/.well-known/
    HTTP/1.1 404 Not Found
    Server: nginx/1.10.0 (Ubuntu)
    Date: Thu, 24 Nov 2016 09:17:22 GMT
    Content-Type: text/html
    Content-Length: 178
    Connection: keep-alive

Which suggests that you have the webroot path incorrect.

I have nginx setup as server blocks like so:

    server {
        listen 80;
        listen [::]:80;

        # SSL configuration
        #
        # listen 443 ssl default_server;
        # listen [::]:443 ssl default_server;
        #
        # Note: You should disable gzip for SSL traffic.
        # See: https://bugs.debian.org/773332
        #
        # Read up on ssl_ciphers to ensure a secure configuration.
        # See: https://bugs.debian.org/765782
        #
        # Self signed certs generated by the ssl-cert package
        # Don't use them in a production server!
        #
        # include snippets/snakeoil.conf;

        root /var/www/sblocks/thestoicrunner.com/html;

        # Add index.php to the list if you are using PHP
        index index.php index.html index.htm index.nginx-debian.html;

        server_name thestoicrunner.com www.thestoicrunner.com;

        location / {
            # First attempt to serve request as file, then
            # as directory, then fall back to displaying a 404.
            #try_files $uri $uri/ =404;
            try_files $uri $uri/ /index.php$is_args$args;
        }

        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        #
        location ~ \.php$ {
            include snippets/fastcgi-php.conf;
            # With php7.0-cgi alone:
            # fastcgi_pass 127.0.0.1:9000;
            # With php7.0-fpm:
            fastcgi_pass unix:/run/php/php7.0-fpm.sock;
        }

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        location ~ /\.ht {
            deny all;
        }

        location = /favicon.ico { log_not_found off; access_log off; }
        location = /robots.txt { log_not_found off; access_log off; allow all; }

        location ~* \.(css|gif|ico|jpeg|jpg|js|png)$ {
            expires max;
            log_not_found off;
        }

        location ~ /.well-known {
            allow all;
        }
    }

In this file you have;

Yet you said before you were using

there is a difference of "sblocks" between the two

yes, sorry for the confusion. I have enabled server blocks and am now using

/var/www/sblocks/thestoicrunner.com/html

the permissions and ownership for /.well-known are as these:

    drwxr-sr-x 3 root www-data 4096 Nov 24 08:53 .well-known

I ran

    sudo letsencrypt certonly -a webroot --webroot-path=/var/www/sblocks/thestoicrunner.com/html -d thestoicrunner.com -d www.thestoicrunner.com

and got the following

    Failed authorization procedure. thestoicrunner.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://thestoicrunner.com/.well-known/acme-challenge/LeFyDPHLg_fq_r_RE3ocomLJTqaKc2qZkF2z7AzFOGg: "<html>
    <head><title>404 Not Found</title></head>
    <body bgcolor="white">
    <center><h1>404 Not Found</h1></center>
    <hr><center>", www.thestoicrunner.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.thestoicrunner.com/.well-known/acme-challenge/udHdO7xkepwsMz3erphXbC4bjYrbum3gjPnn4BNUP7g: "<html>
    <head><title>404 Not Found</title></head>
    <body bgcolor="white">
    <center><h1>404 Not Found</h1></center>
    <hr><center>"
    IMPORTANT NOTES:
     - The following errors were reported by the server:
       Domain: thestoicrunner.com
       Type:   unauthorized
       Detail: Invalid response from http://thestoicrunner.com/.well-known
       /acme-challenge/LeFyDPHLg_fq_r_RE3ocomLJTqaKc2qZkF2z7AzFOGg:
       "<html>
       <head><title>404 Not Found</title></head>
       <body bgcolor="white">
       <center><h1>404 Not Found</h1></center>
       <hr><center>"
       Domain: www.thestoicrunner.com
       Type:   unauthorized
       Detail: Invalid response from http://www.thestoicrunner.com/.well-
       known/acme-challenge/udHdO7xkepwsMz3erphXbC4bjYrbum3gjPnn4BNUP7g:
       "<html>
       <head><title>404 Not Found</title></head>
       <body bgcolor="white">
       <center><h1>404 Not Found</h1></center>
       <hr><center>"
       To fix these errors, please make sure that your domain name was
       entered correctly and the DNS A record(s) for that domain
       contain(s) the right IP address.

OK, but to go back to where we were …

You created a .well-known/acme-challenge/test file and you can’t reach it in your browser

I can reach your domain, but can not reach the folder .well-known on your server. Hence there is something incorrect about the path or location you have there.

There is no point trying certbot at the current time - when you can’t even check the file in your browser.

Do the logs show the attempt to get to the .well-known location, and give any reason for the error ?

I am new to server setups. Where do I check the logs?

My browser tries to go to https:

https://thestoicrunner.com/.well-known/acme-challenge/test

I also created a file with the .txt extension:

https://thestoicrunner.com/.well-known/acme-challenge/test.txt

I just tried changing ownership to my user instead of root, yet still the same in my browser

your logs will be in /var/log

specifically for nginx they will generally be in /var/log/nginx

Since you haven’t set up https yet, your browser is giving an error connecting, since you presumably had HSTS set up before on your old server (telling your browser to always use https).

Thank you. I found an error:

`2016/11/24 09:45:16 [error] 22787#22787: *714 "/var/www/sblocks/html/.well-known/index.php" is not found (2: No such file or directory)`

It goes to the default server, which is located in /var/www/sblocks/html/

Should I (1) deactivate my default server, (2) change thestoicrunner.com to the default server or (3) change the webroot of the default server?

You shouldn’t need to change anything on there now. I can reach the test on your server

    $ curl -i thestoicrunner.com/.well-known/acme-challenge/test
    HTTP/1.1 200 OK
    Server: nginx/1.10.0 (Ubuntu)
    Date: Thu, 24 Nov 2016 10:01:19 GMT
    Content-Type: application/octet-stream
    Content-Length: 8
    Last-Modified: Thu, 24 Nov 2016 09:38:52 GMT
    Connection: keep-alive
    ETag: "5836b52c-8"
    Accept-Ranges: bytes

    success

are you running certbot as root ? if so, can you just do a quick test and create
/var/www/sblocks/thestoicrunner.com/html/.well-known/acme-challenge/test2 with owner root ( and some suitable text content )

I changed the webroot of the default browser to /var/www/sblocks/thestoicrunner.com/html

and was able to reach the .well-known folder:

    curl -I thestoicrunner.com/.well-known/
    HTTP/1.1 403 Forbidden
    Server: nginx/1.10.0 (Ubuntu)
    Date: Thu, 24 Nov 2016 09:59:45 GMT
    Content-Type: text/html
    Content-Length: 178
    Connection: keep-alive

Then, I ran certbot and it worked :smiley:
I will install the new ssl, change the default server back to the old path and see what happens then.

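The check suggested in the thread (place a file under `.well-known/acme-challenge` in the webroot and fetch it over plain HTTP before running the client), as an added shell example that is not part of the original posts. The function name `check_webroot`, the `FETCH` override and the probe file name are assumptions introduced here.

```shell
#!/bin/sh
# Pre-flight check for the webroot (http-01) method: write a probe file where
# the ACME client would write its challenge, then fetch it back over HTTP.

# Command used to retrieve a URL body (assumption: curl is installed).
# Override FETCH to test offline.
FETCH=${FETCH:-"curl -fsS --max-time 10"}

# check_webroot WEBROOT DOMAIN...
# Prints one line per domain; returns 0 only if every domain serves the probe.
check_webroot() {
    webroot=$1; shift
    dir="$webroot/.well-known/acme-challenge"
    probe="preflight-$$"                 # constructed name, not a real ACME token
    body="probe-$$-$(date +%s)"
    rc=0

    mkdir -p "$dir" || return 2
    printf '%s' "$body" > "$dir/$probe" || return 2
    chmod 644 "$dir/$probe"              # must be readable by the web server user

    for domain in "$@"; do
        url="http://$domain/.well-known/acme-challenge/$probe"
        if got=$($FETCH "$url" 2>/dev/null) && [ "$got" = "$body" ]; then
            echo "OK    $domain serves files from $webroot"
        else
            # File exists on disk but is not served: the request is being
            # answered from a different root or a different server block.
            echo "FAIL  $domain: $url did not return the probe"
            rc=1
        fi
    done

    rm -f "$dir/$probe"
    return $rc
}

# Usage with the paths and names from the thread:
#   check_webroot /var/www/sblocks/thestoicrunner.com/html \
#       thestoicrunner.com www.thestoicrunner.com
```

When a domain reports FAIL, the nginx error log under /var/log/nginx shows which directory the request was actually resolved against, as it did in the thread.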