Struggle with nginx & .well-known/acme-challenge

crystaldea · June 9, 2018, 4:07pm

Nginx config:

gist.github.com

https://gist.github.com/kleuter/9524c9b87c308bcbe08a915eb0bf3e7d

nginx.conf

server {
  
  listen 443 ssl http2;
  ssl_certificate /etc/letsencrypt/live/crystalbit.be/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/crystalbit.be/privkey.pem;
  ssl_trusted_certificate /etc/letsencrypt/live/crystalbit.be/fullchain.pem;
  include /etc/nginx/my_ssl_params.conf;
  server_name crystalbit.be;
  access_log /home/xpisik/logs/crystalbit.be-access-nginx.log;
  error_log /home/xpisik/logs/crystalbit.be-error-nginx.log;

This file has been truncated. show original

I placed test.html file inside /var/www/letsencrypt/.well-known/acme-challenge and it opens fine as you can see:
http://crystalbit.be/.well-known/acme-challenge/test.html

When I try to renew the certificate using the following command
sudo -H ./letsencrypt-auto certonly --webroot --renew-by-default -w /var/www/letsencrypt -d crystalbit.be -d www.crystalbit.be

I get this response:

- The following errors were reported by the server:

   Domain: www.crystalbit.be
   Type:   unauthorized
   Detail: Invalid response from
   http://www.crystalbit.be/.well-known/acme-challenge/dfXk_w8OwpiO7Bne_osVYlE0Tmy7BgBiJ9Jimf9nPY0:
   "<html>
   <head><title>404 Not Found</title></head>
   <body bgcolor="white">
   <center><h1>404 Not Found</h1></center>
   <hr><center>"

   Domain: crystalbit.be
   Type:   unauthorized
   Detail: Invalid response from
   http://crystalbit.be/.well-known/acme-challenge/FUVQZLjsmBE5WHEMOJxBr4fel1EixB2H4P_OmFw6fkU:
   "<html>
   <head><title>404 Not Found</title></head>
   <body bgcolor="white">
   <center><h1>404 Not Found</h1></center>
   <hr><center>"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

jmorahan · June 9, 2018, 4:22pm

The AAAA DNS records for crystalbit.be and www.crystalbit.be seem to be pointing to an Apache server. Check that you’ve got the right IPv6 address.

crystaldea · June 9, 2018, 5:10pm

Thanks for the reply, here’s what I got:
sshot-2018-06-09-%5B19-10-07%5D

jmorahan · June 9, 2018, 5:14pm

Yes, I get the same. But is 2600:3c01::f03c:91ff:fe69:5ca0 actually the correct IPv6 address for your server? I guess it isn’t because when I try to access your site via IPv6 I see an “Apache2 Ubuntu Default Page”, whereas you said you’re using nginx (and indeed if I access your site over IPv4 I see a “Welcome to nginx” page).

You need to find out the correct IPv6 address for your server and set the AAAA records to that. Or if you don’t have an IPv6 address, remove the AAAA records entirely.

mnordhoff · June 9, 2018, 5:18pm

The two IP addresses do seem to be the same VPS.

And the Apache page is being served by Nginx.

Server: nginx/1.10.3 (Ubuntu)

So it might be that the DNS is correct, but the Nginx configuration need to be adjusted. Maybe some of the server blocks are missing IPv6 listen directives.

jmorahan · June 9, 2018, 5:20pm

Interesting! I don’t have IPv6 here so I was using a proxy that unfortunately doesn’t show me the headers

crystaldea · June 9, 2018, 5:32pm

Thank you very much guys! This helped:
listen 80;
listen [::]:80 ipv6only=on;

stevenzhu · June 9, 2018, 11:43pm

Hi,

You might want to remove "ipv6only=on", because your server now would only serve IPV6 and disable ipv4...(Al least that's my version of Nginx do)

Thank you

mnordhoff · June 9, 2018, 11:46pm

It's fine if you have IPv4 and IPv6 listen directives.

ipv6only is on by default in more recent versions of Nginx.

system · July 9, 2018, 11:47pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.