The Certificate Authority failed to download the temporary challenge files created by Certbot -- Connection refused

Help
1

my domain : alsharakagroup.com

command from init-letsencrypt.sh :
docker-compose run --rm --entrypoint "
certbot certonly --webroot -w /var/www/certbot
$staging_arg
$email_arg
$domain_args
--rsa-key-size $rsa_key_size
--agree-tos
--force-renewal" certbot

getting :

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: alsharakagroup.com
  Type:   connection
  Detail: Fetching http://alsharakagroup.com/.well-known/acme-challenge/67_Lwhq8ER4gKyH30TPq37AJK0ELrqxV8lCAiyPhS5E: Connection refused

 Domain: www.alsharakagroup.com
  Type:   connection
  Detail: Fetching http://www.alsharakagroup.com/.well-known/acme-challenge/73aURA5MAtrJPByu6W3chLgMjF5qY7k4_1iV1DmIkLM: Connection refused

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

my nginx server :

server {
    listen 80;
    server_name alsharakagroup.com  www.alsharakagroup.com; 
    server_tokens off;
    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }
    location / {
        return 301 https://$host$request_uri;
    }
}


upstream websocket {
    server asgiserver:9000;
}

server {
    listen 443 ssl;
    server_name alsharakagroup.com  www.alsharakagroup.com;
    server_tokens off;

    ssl_certificate /etc/letsencrypt/live/alsharakagroup.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/alsharakagroup.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    client_max_body_size 100M;
    client_body_timeout 300s;
    proxy_set_header X-Forwarded-Proto https;
    
    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
        try_files $uri $uri/ /index.html;
    }
    location /api {
        try_files $uri @proxy_api;
    }
    location /auth {
        try_files $uri @proxy_api;
    }
    location /admin {
        try_files $uri @proxy_api;
    }
    location /manager {
        try_files $uri @proxy_api;
    }
    location /ws/ {
        try_files $uri @proxy_websocket;
    }
    location @proxy_api {
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Url-Scheme $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_redirect off;
        proxy_set_header Connection "";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_pass  http://backend:8000;
    }
    location @proxy_websocket {
        proxy_set_header Host $http_host;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_redirect off;
        resolver 10.108.0.2;
        proxy_pass http://websocket;
    }
    location /django_static/ {
        autoindex on;
        alias /app/backend/server/django_static/;
    }
    location  /media {
        autoindex on;
        alias /app/backend/server/media;
    }
}
2

Hi @Elabbasy00, welcome to the LE community forum :slight_smile:

You will need a working HTTP site before you can secure it (via HTTP authentication).

curl -Iki http://alsharakagroup.com/
curl: (56) Recv failure: Connection reset by peer
3

Do you mean to cancel the certificates part in nginx until it works and then put it back

4

I mean for you to focus on the HTTP and get that working before looking further into the HTTPS side.
That said, can you also show the output of:
certbot certificates

5

Give me a minute and I will make it work in Http and it will still get the same error

6

Please don't use --force-renewal

Please show the output of:
certbot certificates

7

container not work yet to run commands

8

No certificates found.

and now getting:

  Domain: alsharakagroup.com
  Type:   unauthorized
  Detail: Invalid response from http://alsharakagroup.com/.well-known/acme-challenge/elmC2NPAes9BK9agvsu5Cdr2nYGIbJj9JiYSbfTaIFQ [147.182.136.95]: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body>\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>nginx</center>\r\n"

  Domain: www.alsharakagroup.com
  Type:   unauthorized
  Detail: Invalid response from http://www.alsharakagroup.com/.well-known/acme-challenge/JTyVutcpWOJBC_sjnyiENZhLIKS4Z-XiPlV3IFEgFHs [147.182.136.95]: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body>\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>nginx</center>\r\n"
9

If there is no certificate, you can't use one (that doesn't exist):

10

@rg305 Good point. I cannot start nginx if a named SSL certificate does not exist (it fails with an error status=1).

@Elabbasy00 Until you have certs, just comment out the 2 lines for ssl_certificate and _key, use sudo nginx -t to test the configuration, and restart nginx. Of course, that wont allow https until you get valid certs, uncomment the lines, and reload nginx.

2 Likes
11

Here is what I did
i comment out ssl_certi and _ket and remove ssl keyword after 443
getting same unauthorized

I've done this before, I've never met things like this

12

Well, you will get to learn new things then :slight_smile:

Seriously, you are making progress. A half-hour ago I got 'connection refused' when using http to connect to your server. But, now it works such that I get a 301 redirect which matches your nginx config you posted.

https still fails but it looks like you should be able to issue certs now with http working. My https try:

curl -Iki https://www.alsharakagroup.com
curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol

Do you still need assistance?

2 Likes
13

Thank you for the response method
now im gatting

 Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
   Domain: alsharakagroup.com
   Type:   unauthorized
   Detail: Invalid response from http://alsharakagroup.com/.well-known/acme-challenge/NhPoNfHpjyrnZzA3xDOvYawnVMhlRgguVLV40FAsySM [147.182.136.95]: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body>\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>nginx</center>\r\n"
 
   Domain: www.alsharakagroup.com
   Type:   unauthorized
   Detail: Invalid response from http://www.alsharakagroup.com/.well-known/acme-challenge/WT-3fVSWV4mnaDcQniCoblw8OdmFFk5G3yBtG5MeB6c [147.182.136.95]: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body>\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>nginx</center>\r\n"
 
 Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.
 
 Some challenges have failed.
 Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
 ERROR: 1
1 Like
14

Progress!

Let's try placing a test file in the expected challenge location and see if it can indeed be seen form the Internet.

Something like:
[feel free to adjust according to your system]

echo Test-File-1324 > /var/www/certbot/Test-File-1234

then try (from the Internet):

http://alsharakagroup.com/.well-known/acme-challenge/Test-File-1234

15

getting 404
file location

Screenshot from 2021-09-09 01-51-02
Screenshot from 2021-09-09 01-51-021366×183 28.8 KB

16

Well that explains why the LE validation challenges failed.
Now we need to figure out why and fix it.
Are there any nginx logs we can look at?

17

There is nothing to be surprised about
All reports are clear

18

I wonder...
If it is so clear to you, please tell me where the problem is (and maybe also how to fix it).
Or maybe fixing it is our part in this process.

My methodology is:

  • Find where the problem is
  • Find why the problem occurs
  • Fix the problem

We I only just now know the very first part.
Anything anyone can do to speed that up - please feel free to assist the process.

19

I'm really in a maze
There is nothing to trigger this error

Domain: alsharakagroup.com
Type: unauthorized
Detail: Invalid response from http://alsharakagroup.com/.well-known/acme-challenge/NhPoNfHpjyrnZzA3xDOvYawnVMhlRgguVLV40FAsySM [147.182.136.95]: "

Domain: www.alsharakagroup.com
Type: unauthorized
Detail: Invalid response from http://www.alsharakagroup.com/.well-known/acme-challenge/WT-3fVSWV4mnaDcQniCoblw8OdmFFk5G3yBtG5MeB6c [147.182.136.95]: "

20

EXACTLY!
All things point to that path and yet the file in that path isn't accessible.