Some Challenges have failed

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
jotnok.net

I ran this command:
sudo certbot certonly --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-21" --agree-tos --authenticator webroot --email "myemail@email.com" --preferred-challenges "dns,http" --domains "jotnok.net:5000" --verbose

It produced this output:
Saving debug log to /tmp/letsencrypt-log/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Requesting a certificate for jotnok.net:5000
Performing the following challenges:
http-01 challenge for jotnok.net
Using the webroot path /data/letsencrypt-acme-challenge for all unmatched domains.
Waiting for verification...
Challenge failed for domain jotnok.net
http-01 challenge for jotnok.net

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: jotnok.net
Type: unauthorized
Detail: 136.36.34.181: Invalid response from Nginx Proxy Manager "<!doctype html><html lang="en" dir="ltr"><meta charset="utf-8"><meta name="viewport" content="width=device-width,user-scal"

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Cleaning up challenges
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/letsencrypt-log/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):
Kavita version: 0.7.1.4

The operating system my web server runs on is (include version):
Ubuntu 22.04.2 LTS

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Hi @jtommy, and welcome to the LE community forum :slight_smile:

I don't think you can include a port number there.

3 Likes

This is the new command I'm trying without the port at the end of the domain:

sudo certbot certonly --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-21" --agree-tos --authenticator webroot --email "myemail@email.com" --preferred-challenges "dns,http" --domains "jotnok.net" --verbose

This is the new error I'm getting:

certbot.errors.PluginError: Could not bind TCP port 80 because it is already in use by another process on this system (such as a web server). Please stop the program in question and then try again.
2023-05-04 10:35:15,028:ERROR:certbot._internal.log:Could not bind TCP port 80 because it is already in use by another process on this system (such as a web server). Please stop the program in question and then try again.

Are you sure that error is for that command and not some prior attempt?

Because that error message makes no sense with the Certbot certonly --webroot method. Only the Certbot --standalone method will try to bind to port 80. The --webroot and other methods rely on a pre-existing running webserver.

3 Likes

What shows?:
netstat -pant | grep -i listen | grep 80

3 Likes

# netstat -pant | grep -i listen | grep 80

tcp    0   0 0.0.0.0:80       0.0.0.0:*        LISTEN      139/nginx: master p 
tcp6   0   0 :::80            :::*             LISTEN      139/nginx: master p 

This is what /tmp/letsencrypt-log/letsencrypt.log says:

2023-05-04 13:15:14,333:DEBUG:acme.client:Storing nonce: 2712cjjAEDN4pRHgFo1HsUdm9jT2UGpTDweblsfzo_CmDHo
2023-05-04 13:15:14,333:INFO:certbot._internal.auth_handler:Challenge failed for domain jotnok.net
2023-05-04 13:15:14,333:INFO:certbot._internal.auth_handler:http-01 challenge for jotnok.net
2023-05-04 13:15:14,334:DEBUG:certbot._internal.display.obj:Notifying user: 
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: jotnok.net
  Type:   unauthorized
  Detail: 136.36.34.181: Invalid response from http://jotnok.net/.well-known/acme-challenge/RLZ9sXVykARVwecIiQ4aGAHE_Z3Q4qqcVmtcyEojDrM: "<!doctype html><html lang=\"en\" dir=\"ltr\"><head><meta charset=\"utf-8\"><meta name=\"viewport\" content=\"width=device-width,user-scal"

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

2023-05-04 13:15:14,335:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/local/lib/python3.9/dist-packages/certbot/_internal/auth_handler.py", line 108, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
  File "/usr/local/lib/python3.9/dist-packages/certbot/_internal/auth_handler.py", line 212, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2023-05-04 13:15:14,335:DEBUG:certbot._internal.error_handler:Calling registered functions
2023-05-04 13:15:14,335:INFO:certbot._internal.auth_handler:Cleaning up challenges
2023-05-04 13:15:14,335:DEBUG:certbot._internal.plugins.webroot:Removing /data/letsencrypt-acme-challenge/.well-known/acme-challenge/RLZ9sXVykARVwecIiQ4aGAHE_Z3Q4qqcVmtcyEojDrM
2023-05-04 13:15:14,336:DEBUG:certbot._internal.plugins.webroot:All challenges cleaned up
2023-05-04 13:15:14,336:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/local/bin/certbot", line 8, in <module>
    sys.exit(main())
  File "/usr/local/lib/python3.9/dist-packages/certbot/main.py", line 19, in main
    return internal_main.main(cli_args)
  File "/usr/local/lib/python3.9/dist-packages/certbot/_internal/main.py", line 1864, in main
    return config.func(config, plugins)
  File "/usr/local/lib/python3.9/dist-packages/certbot/_internal/main.py", line 1597, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/usr/local/lib/python3.9/dist-packages/certbot/_internal/main.py", line 141, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/local/lib/python3.9/dist-packages/certbot/_internal/client.py", line 516, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/local/lib/python3.9/dist-packages/certbot/_internal/client.py", line 428, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/local/lib/python3.9/dist-packages/certbot/_internal/client.py", line 496, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
  File "/usr/local/lib/python3.9/dist-packages/certbot/_internal/auth_handler.py", line 108, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
  File "/usr/local/lib/python3.9/dist-packages/certbot/_internal/auth_handler.py", line 212, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
2023-05-04 13:15:14,339:ERROR:certbot._internal.log:Some challenges have failed

The Let's Encrypt Server makes that HTTP challenge request to the /.well-known/... URL. Your server is supposed to return the challenge token placed in your server's folder by Certbot.

But, instead, your server is responding with an error message saying the request requires Javascript and the requesting browser doesn't support it. Of course, the Let's Encrypt server is not a browser and does not support JavaScript and does not need to. You need to configure your system to reply with the challenge token. I don't know how you do that with the Kavita server (which is OpenResty/nginx based).

Here is the fuller text of the error, which I also get when sending a test request to your server from my own test server (much of the response omitted for readability):

curl -i jotnok.net/.well-known/acme-challenge/TestForum123
HTTP/1.1 200 OK
Server: openresty

<!doctype html><html lang="en" dir="ltr"><head><meta charset="utf-8">
<meta name="viewport" content="width=device-width,user-scalable=no,initial-scale=1,maximum-scale=1,minimum-scale=1">
<meta http-equiv="X-UA-Compatible" content="ie=edge">
...
<meta name="msapplication-config" content="/images/favicons/browserconfig.xml"><meta name="theme-color" content="#ffffff"><link href="/css/main.css?v=2.10.2" rel="stylesheet"></head>
<body><noscript><div class="container no-js-warning">
<div class="alert alert-warning text-center">
<strong>Warning!</strong>
This application requires Javascript and your browser doesn't support it.</div></div>
</noscript><div id="app" class="page"><span class="loader"></span></div><script src="/js/main.bundle.js?v=2.10.2"></script></body></html>
5 Likes

But the web root path is not specified in the command.

Please show:
nginx -T | grep -Ei 'listen|server|root'

2 Likes
~# nginx -T | grep -Ei 'listen|server|root'
nginx: the configuration file /usr/local/openresty/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/openresty/nginx/conf/nginx.conf test is successful
user root;
        server_tokens                 off;
        ssl_prefer_server_ciphers     on;
        server_names_hash_bucket_size 1024;
        log_format proxy '[$time_local] $upstream_cache_status $upstream_status $status - $request_method $scheme $host "$request_uri" [Client $remote_addr] [Length $body_bytes_sent] [Gzip $gzip_ratio] [Sent-to $server] "$http_user_agent" "$http_referer"';
include /data/nginx/custom/root[.]conf;
server {
        listen 80;
        listen [::]:80;
        set $server "127.0.0.1";
        server_name localhost-nginx-proxy-manager;
                root /var/www/html;
server {
        listen 443 ssl;
        listen [::]:443 ssl;
        set $server "127.0.0.1";
        server_name localhost;
proxy_pass       $forward_scheme://$server:$port$request_uri;
        # https://community.letsencrypt.org/t/using-the-webroot-domain-verification-method/1445/29
        # as "webroot-path" parameter. Also don't forget to set "authenticator" parameter
        # there to "webroot".
        # Do NOT use alias, use root! Target directory is located here:
        root /data/letsencrypt-acme-challenge;
#       root /var/www/cerbot;
#       return 301 https://$server_name$request_uri;
server {
        listen 81 default;
        listen [::]:81 default;
        server_name nginxproxymanager;
        root /app/frontend;
server {
  set $server         "192.168.50.150";
  listen 80;
listen [::]:80;
  server_name jotnok.net;
  include /data/nginx/custom/server_proxy[.]conf;
server {
  listen 5000;
listen [::]:5000;
  include /data/nginx/custom/server_stream[.]conf;
  include /data/nginx/custom/server_stream_tcp[.]conf;

Sorry, that didn't show enough detail.
Do
nginx -T
and show the entire server section that covers:

2 Likes
# ------------------------------------------------------------
# jotnok.net
# ------------------------------------------------------------

server {
  set $forward_scheme http;
  set $server         "192.168.50.150";
  set $port           5000;

  listen 80;
  listen [::]:80;

  server_name jotnok.net;

# Asset Caching
  include /etc/nginx/conf.d/include/assets.conf;

  # Block Exploits
  include /etc/nginx/conf.d/include/block-exploits.conf;

proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
proxy_http_version 1.1;

  access_log /data/logs/proxy-host-3_access.log proxy;
  error_log /data/logs/proxy-host-3_error.log warn;

  location / {
   
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $http_connection;
    proxy_http_version 1.1;

    # Proxy!
    include /etc/nginx/conf.d/include/proxy.conf;
  }

  # Custom
  include /data/nginx/custom/server_proxy[.]conf;
}

# configuration file /data/nginx/stream/1.conf:
# ------------------------------------------------------------
# 5000 TCP: 1 UDP: 0
# ------------------------------------------------------------

server {
  listen 5000;
  listen [::]:5000;

  proxy_pass 192.168.50.150:5000;

  # Custom
  include /data/nginx/custom/server_stream[.]conf;
  include /data/nginx/custom/server_stream_tcp[.]conf;
}

Above:

Add:

location /.well-known/acme-challenge/ {
    root /some-unique-path/; # make a directory just for challenge files
    try_files $uri $uri/ =404;
}
3 Likes
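The following is an added pre-flight check, not code from certbot, Nginx Proxy Manager or this thread. It does what the validation server does for the HTTP-01 webroot method (drop a token under `/.well-known/acme-challenge/`, fetch it over plain HTTP, compare) and recognises the failure seen above, where the front end answers every path with its HTML shell instead of the token. The `demo()` function assumes nothing about your host: it starts two constructed local servers, one serving a temporary webroot correctly and one mimicking the single-page-app fallback.

```python
import secrets, tempfile, threading, urllib.error, urllib.request
from functools import partial
from http.server import BaseHTTPRequestHandler, HTTPServer, SimpleHTTPRequestHandler
from pathlib import Path

CHALLENGE_DIR = ".well-known/acme-challenge"

def classify(body: bytes, token: str) -> str:
    """Interpret the response body the way the CA's error message reports it."""
    if body.strip() == token.encode():
        return "ok"
    head = body.lstrip()[:256].lower()
    if head.startswith(b"<!doctype html") or b"<html" in head:
        return "spa_fallback"   # app's HTML shell was served instead of the token file
    return "mismatch"

def acme_preflight(webroot: str, base_url: str) -> str:
    """Write a throw-away token into the webroot and fetch it as the CA would."""
    token = secrets.token_urlsafe(32)
    target = Path(webroot) / CHALLENGE_DIR
    target.mkdir(parents=True, exist_ok=True)
    (target / token).write_text(token)
    try:
        with urllib.request.urlopen(f"{base_url}/{CHALLENGE_DIR}/{token}", timeout=10) as r:
            return classify(r.read(), token)
    except urllib.error.HTTPError as e:   # e.g. 404 when no location block serves the path
        return f"http_{e.code}"
    finally:
        (target / token).unlink(missing_ok=True)   # certbot cleans up its token the same way

class SpaHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the Kavita front end: the same HTML for every path."""
    def do_GET(self):
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"<!doctype html><html><body><noscript>needs JS</noscript></body></html>")
    def log_message(self, *args):
        pass

def serve(handler) -> str:
    """Start a local HTTP server on a free port and return its base URL."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_port}"

def demo() -> dict:
    """Run the check against a correct webroot server and against the SPA fallback."""
    webroot = tempfile.mkdtemp()
    static = partial(SimpleHTTPRequestHandler, directory=webroot)
    return {"webroot": acme_preflight(webroot, serve(static)),
            "spa": acme_preflight(webroot, serve(SpaHandler))}
```

Against a real host, call `acme_preflight("/data/letsencrypt-acme-challenge", "http://jotnok.net")` from the box that runs certbot; anything other than `"ok"` means the CA will fail the same way.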

That seems to have fixed it. Thanks for the help.

3 Likes
