Suddenly acme-challenge Invalid response

I added allow all; afterwards. The location = /.well-known/acme-challenge/uWKvs1DxO part adds certbot for the challenge and removes it afterwards. But without the allow all; it is not working.


That’s expected if your default is otherwise.
LE can’t log in to get the file.


When you add “allow all;” within “{ braces }”, it will only be applied to things within those “{ braces }” - not to the entire system.

So in the case of:

location = /.well-known/acme-challenge/uWKvs1DxOjOSV8kcQ52Gm9A-Abn-1qsLMYwhzF7yrsA{
default_type text/plain;
allow all;
return 200 uWKvs1DxOjOSV8kcQ52Gm9A-Abn-1qsLMYwhzF7yrsA.09aCJ3tIiWYvz2SggLO1SKbjjSGTWiZYGed8VquwcOA;
} # managed by Certbot

It will only be applied to that one file.
[but that would be a very manual modification going forward]

And as for the (more reasonable) location:
[which would/should replace the other location statement altogether]

  location ~ /.well-known {
      allow all;
  }

I would secure that by clarifying that as:

  location ~ /.well-known/acme-challenge {
      allow all;
      root /some/dedicated/path/for/challenges/only;
      try_files $uri =405;
  }

Hope that helps.
Cheers from Miami :beers:


Okay, my server.conf now looks like this:

server {
	listen	80;
	listen	443 ssl http2;
	listen	[::]:80;
	listen	[::]:443 ssl http2;
	server_name	domain.de;


	client_max_body_size 132m;
	root /home/project/website;
	index index.php;
	try_files $uri $uri/ index.php?$args;
	ssl_certificate /etc/letsencrypt/live/domain.de/fullchain.pem; # managed by Certbot
	ssl_certificate_key /etc/letsencrypt/live/domain.de/privkey.pem; # managed by Certbot
	ssl_trusted_certificate /etc/letsencrypt/live/domain.de/chain.pem;

	location ~ /.+\.php$ {
		try_files $uri /index.php;
		fastcgi_index index.php;
		fastcgi_pass unix:/run/php/php7.0-fpm.sock;
		include fastcgi_params;
		fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; 
		fastcgi_param SCRIPT_NAME $fastcgi_script_name;
	}
	
	
	location ~ /.well-known/acme-challenge {
		allow all;
		root /home;
		try_files $uri =405;
	}


	if ($scheme != "https") {
		return 301 https://$host$request_uri;
	} # managed by Certbot
}

I still get the same error as before.

I sure hope this is not what you are using:
root /home

That aside, why are you listening to HTTP and HTTPS in the same block?

	listen	80;
	listen	443 ssl http2;
	listen	[::]:80;
	listen	[::]:443 ssl http2;

Although that might be possible, it can lead to trouble quickly.

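The layout the two replies above point towards, written out as an added example (not a configuration from this thread or from Certbot): the challenge location gets its own dedicated root and the HTTP and HTTPS listeners are split into separate server blocks. The domain, the challenge directory /var/www/acme and the PHP socket are placeholders, and the `^~` prefix match is used here instead of the thread's regex `~` match.

```nginx
# Port 80: serve only ACME HTTP-01 challenges, redirect everything else.
server {
    listen 80;
    listen [::]:80;
    server_name domain.de;                  # placeholder

    # "^~" is a prefix match that wins over regex locations, so a
    # "location ~ \.php$" block elsewhere can never capture a token request.
    location ^~ /.well-known/acme-challenge/ {
        allow all;                          # overrides a restrictive default
        default_type text/plain;
        root /var/www/acme;                 # placeholder; holds challenge files only
        try_files $uri =405;                # unknown tokens: 405, no fallback to PHP
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

# Port 443: the actual site, with no plain-HTTP listener in the same block.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name domain.de;                  # placeholder

    ssl_certificate         /etc/letsencrypt/live/domain.de/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/domain.de/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/domain.de/chain.pem;

    root /home/project/website;
    index index.php;
    client_max_body_size 132m;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        try_files $uri /index.php;
        fastcgi_pass unix:/run/php/php7.0-fpm.sock;   # placeholder socket
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}
```

With this layout certbot's webroot plugin is pointed at the dedicated directory (`certbot certonly --webroot -w /var/www/acme -d domain.de`), so the challenge files never have to live under the site's document root.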

Any news?


Not sure if this will help but it appears you need to update your client software so that you are using ACMEv2 compatible client challenges? I just know Letsencrypt servers were whining at me, and wouldn't let me use my v1 client software with their v2 version server, until I upgraded my client software. So you could drop back to using their v1 server (specified in the cli.ini file) although if I remember correctly, the official cutoff date for ACME v1 challenges is June 1!

I am just guessing however so ymmv.... Marc...

