Setting up Let's Encrypt + NGINX reverse proxy error


My domain is: plexapp.org

I ran this command: sudo certbot --nginx -d plexapp.org

It produced this output: Failed authorization procedure. plexapp.org (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://plexapp.org/.well-known/acme-challenge/jipob3VGWBiL6zRTgyNP_uTkNwLcFDHvTRuuPjah1Pk [2606:4700:30::681f:5a69]: "\n\n<!--[if IE 7]> <html class="no-js "

IMPORTANT NOTES:

My web server is (include version): nginx 1.14.0

The operating system my web server runs on is (include version): Ubuntu 18.04

My hosting provider, if applicable, is: Cloudflare

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): ajenti

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.31.0

Following this guide: https://tylermade.net/2017/09/14/the-perfect-reverse-proxy-nginx-ssl-webui-management/

Reverse proxy is working fine, but every time I try to run the certbot command I get the same error, and Google isn’t giving me a lead in which direction to go.

The latest letsencrypt.log file is here: https://pastebin.com/QgJrkyXE

Hi @erich

There are two different errors.

First, you have ipv4 and ipv6 addresses (https://check-your-website.server-daten.de/?q=plexapp.org):

Host             T     IP-Address                is auth.  ∑ Queries  ∑ Timeout
plexapp.org      A     104.31.90.105             yes       1          0
                 A     104.31.91.105             yes       1          0
                 AAAA  2606:4700:30::681f:5a69   yes
                 AAAA  2606:4700:30::681f:5b69   yes
www.plexapp.org  A     104.31.90.105             yes       1          0
                 A     104.31.91.105             yes       1          0
                 AAAA  2606:4700:30::681f:5a69   yes
                 AAAA  2606:4700:30::681f:5b69   yes

But checking your link

Does your ipv6 work?

Second problem: Your certificate:

CN=sni.cloudflaressl.com, O="CloudFlare, Inc.", L=San Francisco, S=CA, C=US
13.03.2019 - 13.03.2020 (expires in 337 days)
plexapp.org, *.plexapp.org, sni.cloudflaressl.com - 3 entries

is from Cloudflare. And you have redirects http -> https, but https doesn't work, instead there is the typical Cloudflare error:

Visible Content: Error 521 Ray ID: 4c5e6c8b3d12d0ff • 2019-04-11 16:44:14 UTC Web server is down You Browser Working Berlin Cloudflare Working plexapp.org Host Error What happened? The web server is not returning a connection. As a result, the web page is not displaying. What can I do? If you are a visitor of this website: Please try again in a few minutes. If you are the owner of this website: Contact your hosting provider letting them know your web server is not responding. Additional troubleshooting information. Cloudflare Ray ID: 4c5e6c8b3d12d0ff • Your IP: 2a01:238:301b::1229 • Performance & security by Cloudflare

If you want to use Cloudflare, you need a valid certificate. So

  • deactivate Cloudflare and check your ipv6 config
  • create a certificate
  • activate Cloudflare

Now the redirect http -> https and the http status 521 from Cloudflare block it.

Or use (one time) dns-01 validation to create a certificate manually and install it.
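On the origin side, the http -> https redirect is the part that can be fixed in nginx: answer /.well-known/acme-challenge/ from a local directory before the redirect fires, so the token is served over plain http even while the https side is broken, and Cloudflare's own settings only need to be paused for issuance as described above. This is an added example, not configuration from the thread or the linked guide; the webroot path /var/www/letsencrypt and the upstream 127.0.0.1:8080 are assumptions, and the certificate paths are certbot's default layout.

```nginx
# Added example, not from the thread. Assumptions: webroot /var/www/letsencrypt,
# proxied application listening on 127.0.0.1:8080.

server {
    listen 80;
    listen [::]:80;     # the AAAA records mean Let's Encrypt may validate over ipv6;
                        # if ipv6 is not routed to this box, drop the AAAA records instead
    server_name plexapp.org www.plexapp.org;

    # Must be matched before the catch-all redirect: static files only, never proxied.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
        default_type "text/plain";
        try_files $uri =404;
    }

    # Everything else goes to https. Without the block above, this redirect is
    # exactly what sends the validator to the non-working https side.
    location / {
        return 301 https://$host$request_uri;
    }
}

# This server block only loads once the certificate files exist
# (nginx -t fails on missing ssl_certificate files), so issue the certificate first:
#   certbot certonly --webroot -w /var/www/letsencrypt -d plexapp.org -d www.plexapp.org
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name plexapp.org www.plexapp.org;

    ssl_certificate     /etc/letsencrypt/live/plexapp.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/plexapp.org/privkey.pem;

    location / {
        proxy_pass http://127.0.0.1:8080;   # assumed upstream
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

A quick local check before running certbot: place a file under /var/www/letsencrypt/.well-known/acme-challenge/ and confirm that curl -4 and curl -6 against http://plexapp.org/.well-known/acme-challenge/<file> return it with status 200 rather than a 301.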
