Standalone auto renewal 404 failure


#1

My domain is: cyannotes.com

I ran this command: sudo certbot renew --dry-run

It produced this output:

1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: cyannotes.com
   Type:   unauthorized
   Detail: Invalid response from
   https://cyannotes.com/.well-known/acme-challenge/0qD5OsLQU0aM_OEwSjcOWmiLWcliPVNsC_Lwd1YwKS8
   [23.239.2.168]: "<html>\r\n<head><title>404 Not
   Found</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>404
   Not Found</h1></center>\r\n<hr><center>"

   Domain: www.cyannotes.com
   Type:   unauthorized
   Detail: Invalid response from
   https://cyannotes.com/.well-known/acme-challenge/9--No4wmqANKY0IDq1WXv-rKDhs_dnz5hnhmiJB-YuE
   [23.239.2.168]: "<html>\r\n<head><title>404 Not
   Found</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>404
   Not Found</h1></center>\r\n<hr><center>"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

My web server is (include version): nginx 1.6.2

The operating system my web server runs on is (include version): Ubuntu 14.04 LTS

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0

First, I created the existing certificate using the standalone option, and it worked fine. Second, I can access https://cyannotes.com/.well-known/acme-challenge/test.txt. I think the problem lies in the fact that whatever needs to be created under the .well-known/acme-challenge/ directory (e.g. 0qD5OsLQU0aM_OEwSjcOWmiLWcliPVNsC_Lwd1YwKS8 and 9--No4wmqANKY0IDq1WXv-rKDhs_dnz5hnhmiJB-YuE as above) does not get created during the renewal, which leads to the 404 Not Found. I don’t know the reason and hope to find out.

For reference, my renewal parameters inside /etc/letsencrypt/renewal/cyannotes.com.conf are:

[renewalparams]
server = https://acme-v02.api.letsencrypt.org/directory
pref_challs = http-01,
authenticator = standalone
account = blahblahblah
http01_port = 8008

Any idea?


#2

That’s the server you have running on port 443, but not on port 80.

Who is on 80? How are you proxying the request to :8008?

sudo ss -tlnp | grep ":80"

#3

Who is on 80?

Haproxy 1.9.4

How are you proxying the request to :8008?

Ah, this could be the problem. At the moment, I’ve not set up anything specific to route requests to :8008 which is used by the renewal process/server. What is the proper way of configuring it in nginx?


#4

You’d configure it in haproxy, since nginx never receives the port 80 requests.

Here’s how I do it in haproxy:

frontend ft_http
        mode http
        bind :80

        # Anything under the ACME HTTP-01 path goes to certbot's standalone
        # listener; everything else goes to nginx.
        acl acl_letsencrypt path_beg /.well-known/acme-challenge/
        use_backend be_certbot if acl_letsencrypt

        default_backend be_nginx # (though you probably do your 301 redirect here)

backend be_nginx
        mode http
        server s_nginx 127.0.0.1:<whatever port nginx runs on>

backend be_certbot
        mode http
        # must match http01_port in /etc/letsencrypt/renewal/cyannotes.com.conf
        server s_certbot_standalone 127.0.0.1:8008
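
As an added example (not from the original thread, and not certbot's or haproxy's own code), here is a small Python probe that reproduces the renewal path end to end so the haproxy rule above can be checked before running certbot renew: it binds a one-off HTTP server on 127.0.0.1:8008, exactly where certbot --standalone --http-01-port 8008 would listen, serves a random token under /.well-known/acme-challenge/, and then fetches that token through the public front (port 80, following the 301 to https if there is one), the same way the Let's Encrypt validator does. A 404 from the probe means port 80 is not being routed to 8008, which is the symptom in post #1. The hostname cyannotes.com, port 8008 and the function names are assumptions for illustration.

```python
"""Probe whether HTTP-01 challenge requests on the public front reach
certbot's standalone listener (added example, assumes port 8008)."""
import secrets
import socket
import sys
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def _make_handler(token, body):
    """Handler that answers only the probe token, 404 for anything else,
    mirroring what certbot's standalone plugin does with real challenges."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            if self.path == CHALLENGE_PREFIX + token:
                data = body.encode()
                self.send_response(200)
                self.send_header("Content-Type", "application/octet-stream")
                self.send_header("Content-Length", str(len(data)))
                self.end_headers()
                self.wfile.write(data)
            else:
                self.send_error(404)

        def log_message(self, *args):  # keep the probe quiet
            pass
    return Handler


def probe_acme_routing(front_base_url, listen_port=8008, timeout=5.0):
    """Serve a random token on 127.0.0.1:listen_port, fetch it via
    front_base_url (redirects are followed, as the ACME validator does),
    and return (ok, detail)."""
    token = secrets.token_urlsafe(32)
    body = token + ".probe"
    server = HTTPServer(("127.0.0.1", listen_port), _make_handler(token, body))
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    url = front_base_url.rstrip("/") + CHALLENGE_PREFIX + token
    try:
        try:
            with urllib.request.urlopen(url, timeout=timeout) as resp:
                got = resp.read().decode(errors="replace")
        except urllib.error.HTTPError as e:
            return False, "HTTP %d from %s (front not routed to :%d?)" % (e.code, url, listen_port)
        except (urllib.error.URLError, OSError) as e:
            return False, "no response from %s: %s" % (url, e)
        if got == body:
            return True, "%s reached the standalone listener on port %d" % (url, listen_port)
        return False, "%s answered, but not from the listener (body %r)" % (url, got[:60])
    finally:
        server.shutdown()
        server.server_close()


def loopback_selftest():
    """Offline check of the probe itself on an ephemeral loopback port:
    direct path must succeed, a wrong path prefix must fail with 404."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        port = s.getsockname()[1]
    ok_direct, _ = probe_acme_routing("http://127.0.0.1:%d" % port, listen_port=port)
    ok_wrong, _ = probe_acme_routing("http://127.0.0.1:%d/stale" % port, listen_port=port)
    return ok_direct, ok_wrong


if __name__ == "__main__":
    # e.g. python3 probe.py http://cyannotes.com  (hostname assumed)
    front = sys.argv[1] if len(sys.argv) > 1 else "http://cyannotes.com"
    ok, detail = probe_acme_routing(front)
    print(("OK: " if ok else "FAIL: ") + detail)
    sys.exit(0 if ok else 1)
```

Run it on the host as root (port 8008 must be free, so not while certbot is mid-renewal) with the public URL of the site; it exits 0 only when the token served on 8008 comes back through the front. It does not talk to Let's Encrypt at all, so it can be re-run freely without touching rate limits.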

#5

Yep, this fixes the problem. Thanks!