The Certificate Authority failed to download the temporary challenge files created by Certbot

Hi all, I am currently trying to set up a reverse proxy so that my Overseerr (among other containers) is accessible to other users of my media server. I am very new to all of this, so I will do my best to explain what I have done; thank you for your patience if I am not particularly adept at explaining my issue.

I am attempting to generate the certificate using Nginx-Proxy-Manager-Official Container from mgutts repository on UnraidOS 6.9.2, my domain is hosted with Google Domains. I have a DDNS setup with DDclient, and I have a CNAME record of overseer.kesutu.net pointing to kesutu.net for data.

I have forwarded my ports on 80 and 443 on my router to the Static IP of my server.

I have attached the logs of the issue below. I have scoured the internet for a myriad of answers and cannot find one that provides a solution. I think one guy generated his own OpenSSL certificate, imported it, and bypassed the certificate generation.

Some have suggested it may be a permissions issue; if so, I am not sure how to resolve it, as I am very new to Docker containers. As far as I can understand it, I have mounted the volume correctly, the file has been created, and the permissions of the folder are set to 0777.

My domain is: overseer.kesutu.net

I ran this command: On Nginx Proxy Manager, I attempted to create a new proxy host with the following settings (on the advice of the Overseerr documentation)

Domain Name: overseerr.kesutu.net
Scheme: http
Forward Hostname / IP: 192.168.50.200
Forward Port: 5055
Cache Assets: Yes
Block Common Exploits: Yes

SSL Certificate: Request a new SSL Certificate
Force SSL: Yes
HTTP/2 Support: Yes

It produced this output:

2022-04-03 02:02:56,112:DEBUG:certbot._internal.main:certbot version: 1.25.0
2022-04-03 02:02:56,112:DEBUG:certbot._internal.main:Location of certbot entry point: /usr/bin/certbot
2022-04-03 02:02:56,112:DEBUG:certbot._internal.main:Arguments: ['--config', '/etc/letsencrypt.ini', '--cert-name', 'npm-25', '--agree-tos', '--authenticator', 'webroot', '--email', 'kesutu@live.com.au', '--preferred-challenges', 'dns,http', '--domains', 'overseerr.kesutu.net']
2022-04-03 02:02:56,112:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2022-04-03 02:02:56,122:DEBUG:certbot._internal.log:Root logging level set at 30
2022-04-03 02:02:56,123:DEBUG:certbot._internal.plugins.selection:Requested authenticator webroot and installer None
2022-04-03 02:02:56,125:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * webroot
Description: Place files in webroot directory
Interfaces: Authenticator, Plugin
Entry point: webroot = certbot._internal.plugins.webroot:Authenticator
Initialized: <certbot._internal.plugins.webroot.Authenticator object at 0x14ccb00a5828>
Prep: True
2022-04-03 02:02:56,126:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot._internal.plugins.webroot.Authenticator object at 0x14ccb00a5828> and installer None
2022-04-03 02:02:56,126:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator webroot, Installer None
2022-04-03 02:02:56,129:DEBUG:certbot._internal.main:Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-v02.api.letsencrypt.org/acme/acct/479034450', new_authzr_uri=None, terms_of_service=None), 70ed5ca3963386c9cd986b3a95bba8d4, Meta(creation_dt=datetime.datetime(2022, 4, 2, 3, 40, 28, tzinfo=), creation_host='86bac4368e76', register_to_eff=None))>
2022-04-03 02:02:56,129:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2022-04-03 02:02:56,152:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
2022-04-03 02:02:56,778:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 658
2022-04-03 02:02:56,778:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sun, 03 Apr 2022 09:02:56 GMT
Content-Type: application/json
Content-Length: 658
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"EFZHvKX8rAw": "Adding random entries to the directory",
"keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
"meta": {
"caaIdentities": [
"letsencrypt.org"
],
"termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
"website": "https://letsencrypt.org"
},
"newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
"newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
"newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
"revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}
2022-04-03 02:02:56,779:DEBUG:certbot._internal.display.obj:Notifying user: Requesting a certificate for overseerr.kesutu.net
2022-04-03 02:02:56,781:DEBUG:certbot.crypto_util:Generating ECDSA key (2048 bits): /etc/letsencrypt/keys/0002_key-certbot.pem
2022-04-03 02:02:56,801:DEBUG:certbot.crypto_util:Creating CSR: /etc/letsencrypt/csr/0002_csr-certbot.pem
2022-04-03 02:02:56,802:DEBUG:acme.client:Requesting fresh nonce
2022-04-03 02:02:56,802:DEBUG:acme.client:Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce.
2022-04-03 02:02:57,007:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0
2022-04-03 02:02:57,008:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sun, 03 Apr 2022 09:02:56 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
Replay-Nonce: 0001PJ_k-VDhUtLjcTc1qcfUHMpuCV0ENUykI6yR7HHvHqc
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

2022-04-03 02:02:57,008:DEBUG:acme.client:Storing nonce: 0001PJ_k-VDhUtLjcTc1qcfUHMpuCV0ENUykI6yR7HHvHqc
2022-04-03 02:02:57,008:DEBUG:acme.client:JWS payload:
b'{\n "identifiers": [\n {\n "type": "dns",\n "value": "overseerr.kesutu.net"\n }\n ]\n}'
2022-04-03 02:02:57,009:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/new-order:
{
"protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvNDc5MDM0NDUwIiwgIm5vbmNlIjogIjAwMDFQSl9rLVZEaFV0TGpjVGMxcWNmVUhNcHVDVjBFTlV5a0k2eVI3SEh2SHFjIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9uZXctb3JkZXIifQ",
"signature": "JUnhHE9Krch8Lkbzpl57pXc7N_lSZb2IFOJU9VgGths59lHdR11QD8egHBDni8zmyTkOQPhItqSFZrprpMmEWTpmP85LEeTtoUZAQHVkqjlh_1P6Rv3HlF4LX7iieEbs3Gp20pB5gTLlolp1nCzTqAkt5fveVs7wYDkU-31zBCaiIZAIEw__vpTs7TrElS05ejAAh-ZsPTS0sBvfmeqVHkif2yC03SFGbQt0qB2uXWBud2glo3LO86ea4-bzjKvxFON6_5AJNIEB2CJmpLb7m1R6jGuwLLL5echKHptUOmARkGOJPaGdQztC5oXJNce5DaDhQu1IeBkKUAm_xXt9bA",
"payload": "ewogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwKICAgICAgInZhbHVlIjogIm92ZXJzZWVyci5rZXN1dHUubmV0IgogICAgfQogIF0KfQ"
}
2022-04-03 02:02:57,248:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 343
2022-04-03 02:02:57,248:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Date: Sun, 03 Apr 2022 09:02:57 GMT
Content-Type: application/json
Content-Length: 343
Connection: keep-alive
Boulder-Requester: 479034450
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
Location: https://acme-v02.api.letsencrypt.org/acme/order/479034450/76934905890
Replay-Nonce: 0002tOO5a7_gQnrbJyto_t5XQQkYUfECM_Gd7jCOMwhNPKQ
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"status": "pending",
"expires": "2022-04-10T09:02:57Z",
"identifiers": [
{
"type": "dns",
"value": "overseerr.kesutu.net"
}
],
"authorizations": [
"https://acme-v02.api.letsencrypt.org/acme/authz-v3/94342177390"
],
"finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/479034450/76934905890"
}
2022-04-03 02:02:57,249:DEBUG:acme.client:Storing nonce: 0002tOO5a7_gQnrbJyto_t5XQQkYUfECM_Gd7jCOMwhNPKQ
2022-04-03 02:02:57,249:DEBUG:acme.client:JWS payload:
b''
2022-04-03 02:02:57,250:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/94342177390:
{
"protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvNDc5MDM0NDUwIiwgIm5vbmNlIjogIjAwMDJ0T081YTdfZ1FucmJKeXRvX3Q1WFFRa1lVZkVDTV9HZDdqQ09Nd2hOUEtRIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My85NDM0MjE3NzM5MCJ9",
"signature": "xbStB_QGZeqY00YU-oxcl1aWWIquftUONKgdsyQlSx2nGQn27hEN9WI549z4fIJW7NIotyBT7YJNoCvLClLq8EH5lFWXJEJpSmHSvRh-oy9g1kdKvzB8_J172YSPpGqNpu2kharajzeBcaKVD-I-YB6ZPO7tlTEtuQ4DFfuBe-ixjvpPp2aZgFjxZHX9pgJda8lj3hGNofLLFxsSOawAba5UJl9CHrP6z5lPzptWC9prV63nbsXb5pba5aD5uVmCi4He4Tnq9a5Xk9cn68Ceh1lwizj5AqE2I_8ZhLTWlP5FW5AJGxvVYz6_ec1yyl1wwzLYF_v6DltnJpl628JVAw",
"payload": ""
}
2022-04-03 02:02:57,462:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/94342177390 HTTP/1.1" 200 801
2022-04-03 02:02:57,462:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sun, 03 Apr 2022 09:02:57 GMT
Content-Type: application/json
Content-Length: 801
Connection: keep-alive
Boulder-Requester: 479034450
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
Replay-Nonce: 0001vbKyGRFMKr1Wk45-saPD_XFyvS1GN-48-02y8mIMibI
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"identifier": {
"type": "dns",
"value": "overseerr.kesutu.net"
},
"status": "pending",
"expires": "2022-04-10T09:02:57Z",
"challenges": [
{
"type": "http-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/94342177390/ZgG1Qg",
"token": "xlsVElrDbWdLZ8117w3T9idGJgiljwf5KlKb4QNRZeQ"
},
{
"type": "dns-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/94342177390/MLQQlg",
"token": "xlsVElrDbWdLZ8117w3T9idGJgiljwf5KlKb4QNRZeQ"
},
{
"type": "tls-alpn-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/94342177390/sHy3gQ",
"token": "xlsVElrDbWdLZ8117w3T9idGJgiljwf5KlKb4QNRZeQ"
}
]
}
2022-04-03 02:02:57,462:DEBUG:acme.client:Storing nonce: 0001vbKyGRFMKr1Wk45-saPD_XFyvS1GN-48-02y8mIMibI
2022-04-03 02:02:57,463:INFO:certbot._internal.auth_handler:Performing the following challenges:
2022-04-03 02:02:57,463:INFO:certbot._internal.auth_handler:http-01 challenge for overseerr.kesutu.net
2022-04-03 02:02:57,463:INFO:certbot._internal.plugins.webroot:Using the webroot path /data/letsencrypt-acme-challenge for all unmatched domains.
2022-04-03 02:02:57,463:DEBUG:certbot._internal.plugins.webroot:Creating root challenges validation dir at /data/letsencrypt-acme-challenge/.well-known/acme-challenge
2022-04-03 02:02:57,465:DEBUG:certbot._internal.plugins.webroot:Attempting to save validation to /data/letsencrypt-acme-challenge/.well-known/acme-challenge/xlsVElrDbWdLZ8117w3T9idGJgiljwf5KlKb4QNRZeQ
2022-04-03 02:02:57,465:DEBUG:acme.client:JWS payload:
b'{}'
2022-04-03 02:02:57,466:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/94342177390/ZgG1Qg:
{
"protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvNDc5MDM0NDUwIiwgIm5vbmNlIjogIjAwMDF2Ykt5R1JGTUtyMVdrNDUtc2FQRF9YRnl2UzFHTi00OC0wMnk4bUlNaWJJIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9jaGFsbC12My85NDM0MjE3NzM5MC9aZ0cxUWcifQ",
"signature": "YApRK1TXjuCgh6HV4mVkX2u9cOOFzEQtVvXBkDvVGX9qNxnrKCmTtKyUWpGjFVYi_stX88FdH0dtLwfZEhwJWxP5UdII8wZ5NTv1fnGytpAgXeMHfCN_s7nE5KX-ucfzNNDXAXfiU0TPThG_h-5Ol4OSOI5IkO0hJV2JNZIb0QR4HuFMT5qqnNG8SQAdCz1LEownWY7xGIMaYDSZ-f_lQsL9f7OXP1JVmSOhys3YteedTIzgebZtoIVbzdWL2cIrW-_C6uiLKxZFkXpHtUhTHxdnh5wOkR5yGKaNMNarnPa8_Pq___16rqugrK3_FYNxSWUu5HrI8M0hHwCBWaf0ZA",
"payload": "e30"
}
2022-04-03 02:02:57,676:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/chall-v3/94342177390/ZgG1Qg HTTP/1.1" 200 186
2022-04-03 02:02:57,676:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sun, 03 Apr 2022 09:02:57 GMT
Content-Type: application/json
Content-Length: 186
Connection: keep-alive
Boulder-Requester: 479034450
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel="index", https://acme-v02.api.letsencrypt.org/acme/authz-v3/94342177390;rel="up"
Location: https://acme-v02.api.letsencrypt.org/acme/chall-v3/94342177390/ZgG1Qg
Replay-Nonce: 00026pYFQOf1V4Vy9BUnJjFi1-UKrfpRQoevcKW5WiR-6AE
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"type": "http-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/94342177390/ZgG1Qg",
"token": "xlsVElrDbWdLZ8117w3T9idGJgiljwf5KlKb4QNRZeQ"
}
2022-04-03 02:02:57,676:DEBUG:acme.client:Storing nonce: 00026pYFQOf1V4Vy9BUnJjFi1-UKrfpRQoevcKW5WiR-6AE
2022-04-03 02:02:57,677:INFO:certbot._internal.auth_handler:Waiting for verification...
2022-04-03 02:02:58,678:DEBUG:acme.client:JWS payload:
b''
2022-04-03 02:02:58,679:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/94342177390:
{
"protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvNDc5MDM0NDUwIiwgIm5vbmNlIjogIjAwMDI2cFlGUU9mMVY0Vnk5QlVuSmpGaTEtVUtyZnBSUW9ldmNLVzVXaVItNkFFIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My85NDM0MjE3NzM5MCJ9",
"signature": "Yxc8zuFS0o_mw1DWBHlYpHL5qBUFXXgRGLSvCG5oaH_dlJSCcs_2PVhW3xUgGSWTKorpBsr3HeBNlQ0ew1a5bzHmHt_XAGqslkAOjQ8lgC98yQfkBCxmcm5kE4gAQlgo5u2IvmUSGv2DMYFSNX_vzcq3Wc2RfrwUddfwkw1oN23M4e6UlsKitmHcwqul4DiI6t-kGit64psNfiqKGeORt5xGKKlbdBF4SQJWkQcMt6dga6883wEZRk2D1TnR8F32P17N_A999bhNWTVuncTT5lC1UrQnIMaUJUWV1yTe8oDUmSgTY_gne0Fq4kOR9uJcIH6n2qCBFKEvbG1yW-mvTg",
"payload": ""
}
2022-04-03 02:02:58,889:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/94342177390 HTTP/1.1" 200 1045
2022-04-03 02:02:58,889:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sun, 03 Apr 2022 09:02:58 GMT
Content-Type: application/json
Content-Length: 1045
Connection: keep-alive
Boulder-Requester: 479034450
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
Replay-Nonce: 0001hrYNv6r0F7Gzk_XUubef-bnQQ2_cR5NqK4PbSIubYec
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"identifier": {
"type": "dns",
"value": "overseerr.kesutu.net"
},
"status": "invalid",
"expires": "2022-04-10T09:02:57Z",
"challenges": [
{
"type": "http-01",
"status": "invalid",
"error": {
"type": "urn:ietf:params:acme:error:unauthorized",
"detail": "Invalid response from http://overseerr.kesutu.net/.well-known/acme-challenge/xlsVElrDbWdLZ8117w3T9idGJgiljwf5KlKb4QNRZeQ [202.65.69.50]: 404",
"status": 403
},
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/94342177390/ZgG1Qg",
"token": "xlsVElrDbWdLZ8117w3T9idGJgiljwf5KlKb4QNRZeQ",
"validationRecord": [
{
"url": "http://overseerr.kesutu.net/.well-known/acme-challenge/xlsVElrDbWdLZ8117w3T9idGJgiljwf5KlKb4QNRZeQ",
"hostname": "overseerr.kesutu.net",
"port": "80",
"addressesResolved": [
"202.65.69.50"
],
"addressUsed": "202.65.69.50"
}
],
"validated": "2022-04-03T09:02:57Z"
}
]
}
2022-04-03 02:02:58,889:DEBUG:acme.client:Storing nonce: 0001hrYNv6r0F7Gzk_XUubef-bnQQ2_cR5NqK4PbSIubYec
2022-04-03 02:02:58,890:INFO:certbot._internal.auth_handler:Challenge failed for domain overseerr.kesutu.net
2022-04-03 02:02:58,890:INFO:certbot._internal.auth_handler:http-01 challenge for overseerr.kesutu.net
2022-04-03 02:02:58,890:DEBUG:certbot._internal.display.obj:Notifying user:
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: overseerr.kesutu.net
Type: unauthorized
Detail: Invalid response from http://overseerr.kesutu.net/.well-known/acme-challenge/xlsVElrDbWdLZ8117w3T9idGJgiljwf5KlKb4QNRZeQ [202.65.69.50]: 404

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

2022-04-03 02:02:58,951:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 106, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, best_effort)
File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 206, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2022-04-03 02:02:58,951:DEBUG:certbot._internal.error_handler:Calling registered functions
2022-04-03 02:02:58,951:INFO:certbot._internal.auth_handler:Cleaning up challenges
2022-04-03 02:02:58,951:DEBUG:certbot._internal.plugins.webroot:Removing /data/letsencrypt-acme-challenge/.well-known/acme-challenge/xlsVElrDbWdLZ8117w3T9idGJgiljwf5KlKb4QNRZeQ
2022-04-03 02:02:58,952:DEBUG:certbot._internal.plugins.webroot:All challenges cleaned up
2022-04-03 02:02:58,952:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
File "/usr/bin/certbot", line 8, in <module>
sys.exit(main())
File "/opt/certbot/lib/python3.7/site-packages/certbot/main.py", line 19, in main
return internal_main.main(cli_args)
File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/main.py", line 1715, in main
return config.func(config, plugins)
File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/main.py", line 1574, in certonly
lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/main.py", line 139, in _get_and_save_cert
lineage = le_client.obtain_and_enroll_certificate(domains, certname)
File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/client.py", line 513, in obtain_and_enroll_certificate
cert, chain, key, _ = self.obtain_certificate(domains)
File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/client.py", line 441, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/client.py", line 493, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 106, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, best_effort)
File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 206, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
2022-04-03 02:02:58,953:ERROR:certbot._internal.log:Some challenges have failed.

My web server is (include version):

The operating system my web server runs on is (include version): Unraid OS 6.9.2

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.25.0

Does your nginx server know that?

Hi 9peppe,

Thank you for responding.

I am unsure of how I would check whether the underlying Nginx server underneath the Nginx Proxy Manager GUI knows that it is "Using the webroot path /data/letsencrypt-acme-challenge for all unmatched domains."

You check the nginx config for any line resembling

root /path/to/some/directory;

This is my nginx.conf file, I do not see anything that resembles what you've stated above.

# Unraid

user  root;
worker_processes  1;

pid /var/run/nginx.pid;


events {
    worker_connections  1024;

    # Accept as many connections as possible after getting a notification about a new connection
    multi_accept on;

    # Which polling method we should use for multiplexing clients on to threads. If you’re using Linux 2.6+, you should use epoll.
    use epoll;
}


# Default error log file
# (this is only used when you don't override error_log on a server{} level)
#
# limetech - here we write log messages to the raw socket where rsyslogd is listening.
# Another way to do it is with this line:
#  error_log syslog:server=localhost,nohostname;
# and then also uncomment these two lines in /etc/rsyslog.conf:
#  #$ModLoad imudp  # provides UDP syslog reception
#  #$UDPServerRun 514 # start a UDP syslog server at standard port 514
# Not sure which method is better...
#
error_log syslog:server=unix:/dev/log,nohostname;


http {

    ##
    # Basic Settings
    ##

    # Hide nginx version information.
    server_tokens off;

    # Define the MIME types for files.
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    # How long to allow each connection to stay idle; longer values are better
    # for each individual client, particularly for SSL, but means that worker
    # connections are tied up longer. (Default: 65)
    keepalive_timeout 20;

    # Speed up file transfers by using sendfile() to copy directly
    # between descriptors rather than using read()/write().
    sendfile        on;

    # Tell Nginx not to send out partial frames; this increases throughput
    # since TCP frames are filled up before being sent out. (adds TCP_CORK)
    tcp_nopush      on;

    # Tell Nginx to enable the Nagle buffering algorithm for TCP packets, which
    # collates several smaller packets together into one larger packet, thus saving
    # bandwidth at the cost of a nearly imperceptible increase to latency. (removes TCP_NODELAY)
    tcp_nodelay     on;

    # Turn off buffering for proxy requests to be able to support 'flush' during progress updates
    proxy_buffering off;

    client_header_timeout 20;
    client_body_timeout 20;
    send_timeout 20;
    fastcgi_read_timeout 120s;
    fastcgi_keep_conn on;

    types_hash_max_size 2048;
    client_max_body_size 20m;

    # server_names_hash_bucket_size 64;
    server_name_in_redirect off;
    port_in_redirect off;



    ##
    # Logging Settings
    ##

    # Format to use in log files
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    # Default log file
    # (this is only used when you don't override access_log on a server{} level)
    # access_log /var/log/nginx/access.log;
    access_log  off;



    ##
    # Gzip Settings
    ##

    # Disable Gzip compression to support 'flush' progress updates
    gzip off;



    ##
    # SSL Settings
    ##

    # Protect against the BEAST attack by preferring RC4-SHA when using SSLv3 and TLS protocols.
    # Note that TLSv1.1 and TLSv1.2 are immune to the beast attack but only work with OpenSSL v1.0.1 and higher and has limited client support.
    # SSLv3 removed due to POODLE exploit and CRIME attack
    # 3DES removed due to SWEET32 attack
    ssl_protocols              TLSv1.3 TLSv1.2;
    ssl_ciphers                "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!3DES";
    ssl_ecdh_curve             secp384r1;
    ssl_prefer_server_ciphers  on;
    ssl_dhparam                /etc/nginx/dhparam.pem;

    # Optimize SSL by caching session parameters for 10 minutes. This cuts down on the number of expensive SSL handshakes.
    # The handshake is the most CPU-intensive operation, and by default it is re-negotiated on every new/parallel connection.
    # By enabling a cache (of type "shared between all Nginx workers"), we tell the client to re-use the already negotiated state.
    # Further optimization can be achieved by raising keepalive_timeout, but that shouldn't be done unless you serve primarily HTTPS.
    ssl_session_cache    shared:SSL:1m;  # a 1mb cache can hold about 4000 sessions
    ssl_session_timeout  10m;
    ssl_session_tickets  off;

    # Ok to use concatenated pem files; nginx will do the right thing.
    ssl_certificate          /etc/ssl/certs/unraid_bundle.pem;
    ssl_certificate_key      /etc/ssl/certs/unraid_bundle.pem;
    ssl_trusted_certificate  /etc/ssl/certs/unraid_bundle.pem;


    map $http_upgrade $connection_upgrade {
        default Upgrade;
        '' close;
    }


    include /etc/nginx/conf.d/*.conf;
}

You need to check those files as well.

In /etc/nginx/conf.d I found a file named emhttp-servers.conf. Within it I found the line root /usr/local/emhttp. I am unsure if this is relevant.

Please find below, the conf file.

# Generated by /etc/rc.d/rc.nginx
#
# set root directory for requests
#
root /usr/local/emhttp;
#
# limit the amount of failed auth requests per IP address
#
limit_req_zone $binary_remote_addr zone=authlimit:1m rate=30r/m;
#
# Authentication Settings
#
satisfy any;
allow 127.0.0.1;
allow ::1;
allow unix:;
deny  all;
auth_request /auth_request.php;
#
# define our servers
#
server {
    #
    # Listen on local socket for nchan publishers
    #
    listen unix:/var/run/nginx.socket default_server;
    location ~ /pub/(.*)$ {
        nchan_publisher;
        nchan_channel_id "$1";
        nchan_message_buffer_length $arg_buffer_length;
    }
}
server {
    #
    # Port settings for http protocol
    #
    listen *:80 default_server;
    listen [::]:80 default_server;
    location ~ /wsproxy/80/ { return 403; }
    #
    # Default start page
    #
    location = / {
        return 302 $scheme://$http_host/Main;
    }
    #
    # Redirect to login page for authentication
    #
    location /login {
        allow all;
        limit_req zone=authlimit burst=20 nodelay;
        try_files /login.php =404;
        include fastcgi_params;
    }
    location /logout {
        allow all;
        try_files /login.php =404;
        include fastcgi_params;
    }
    #
    # Redirect to login page on failed authentication (401)
    #
    error_page 401 @401;
    location @401 {
        return 302 $scheme://$http_host/login;
    }
    #
    # deny access to any hidden file (beginning with a .period)
    #
    location ~ /\. {
        return 404;
    }
    #
    # page files handled by template.php
    #
    location / {
        try_files $uri /webGui/template.php$is_args$args;
    }
    #
    # nchan subscriber endpoint
    #
    location ~ /sub/(.*)$ {
        nchan_subscriber;
        # nchan_authorize_request <url here>
        nchan_channel_id "$1";
        nchan_channel_id_split_delimiter ",";
    }
    #
    # my servers proxy
    #
    location /graphql {
        allow all;
        error_log /dev/null crit;
        proxy_pass http://unix:/var/run/unraid-api.sock:/graphql;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_cache_bypass $http_upgrade;
        proxy_intercept_errors on;
        error_page 502 = @graph502;
    }
    location @graph502 {
        default_type application/json;
        return 200 '{"errors":[{"error":{"name":"InternalError","message":"Graphql is offline."}}]}';
    }
    #
    # websocket proxy
    #
    location ~ /wsproxy/(.*)$ {
        proxy_read_timeout 3600;
        proxy_pass http://127.0.0.1:$1;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
    #
    # add Cache-Control headers to novnc
    #
    location ~ /plugins\/dynamix.vm.manager\/novnc/(.*)$ {
        gzip on;
        gzip_disable "MSIE [1-6]\.";
        gzip_types text/css application/javascript text/javascript application/x-javascript;
        add_header Cache-Control no-cache;
    }
    #
    # pass PHP scripts to FastCGI server listening on unix:/var/run/php5-fpm.sock
    #
    location ~ \.php$ {
        include fastcgi_params;
    }
    #
    # enable compression of JS/CSS files
    # if version tag on querystring, tell browser to cache indefinitely
    #
    location ~ \.(js|css)$ {
        gzip on;
        gzip_disable "MSIE [1-6]\.";
        gzip_types text/css application/javascript text/javascript application/x-javascript;
        if ( $args ~ "v=" ) {
            expires max;
        }
    }
    #
    # robots.txt available without authentication
    #
    location = /robots.txt {
        allow all;
    }
    #
    # proxy update.htm and logging.htm scripts to emhttpd listening on local socket
    #
    location = /update.htm {
        keepalive_timeout 0;
        proxy_read_timeout 180; # 3 minutes
        proxy_pass http://unix:/var/run/emhttpd.socket:/update.htm;
    }
    location = /logging.htm {
        proxy_read_timeout 864000; # 10 days(!)
        proxy_pass http://unix:/var/run/emhttpd.socket:/logging.htm;
    }
    #
    # proxy webterminal to ttyd server listening on unix:/var/run/ttyd.sock
    #
    location ~ /webterminal/(.*)$ {
        proxy_read_timeout 864000; # 10 days(!)
        proxy_pass http://unix:/var/run/ttyd.sock:/$1;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
    location = /webterminal/auth_token.js {
        return 204;
    }
    #
    # proxy dockerterminal to ttyd server listening on unix:/var/tmp/<container-name>.sock
    #
    location ~ /dockerterminal/(.*)/(.*)$ {
        proxy_read_timeout 864000; # 10 days(!)
        proxy_pass http://unix:/var/tmp/$1.sock:/$2;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
    #
    # endpoint for checking if DNS rebinding protection is active
    #
    location = /dnscheck {
        allow all;
        add_header 'Access-Control-Allow-Origin' '*';
        add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS';
        add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
        add_header 'Access-Control-Max-Age' 86400;
        add_header 'Content-Type' 'text/plain; charset=utf-8';
        add_header 'Content-Length' 0;
        return 204;
    }
}

This is a problem. Put a # at the beginning of each of those three lines.

If you want to keep it, replace it with

location ~ /\.ht {
    return 404;
}

If it still doesn't work, add

location /.well-known/acme-challenge/ {
    root /data/letsencrypt-acme-challenge;
}
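A pre-flight check for the advice above and for the original "Invalid response ... 404" failure. This is an added example, not code from this thread, from Certbot or from Nginx Proxy Manager. It does what the CA does: writes a throwaway file where Certbot's webroot plugin would put the challenge token (`<webroot>/.well-known/acme-challenge/<token>`), fetches it over plain HTTP at the public hostname, and turns the result into a verdict. The webroot path and base URL are assumed to be passed in as arguments (for this thread that would be `/data/letsencrypt-acme-challenge` and `http://overseerr.kesutu.net`); the function and verdict names are this example's own.

```python
"""Pre-flight check for an ACME http-01 webroot: does a file written under
<webroot>/.well-known/acme-challenge/ come back unchanged when fetched over
plain HTTP at the public hostname, the way the CA fetches it?
Added example; not part of Certbot or Nginx Proxy Manager."""
import secrets
import sys
import urllib.error
import urllib.request
from pathlib import Path
from typing import Optional, Tuple

CHALLENGE_DIR = ".well-known/acme-challenge"


def write_probe(webroot: str) -> Tuple[str, str]:
    """Write a random probe file where Certbot's webroot plugin writes the
    challenge token, and return (token, expected_body)."""
    token = secrets.token_urlsafe(32)  # same shape as a real ACME token
    body = "webroot-probe-" + secrets.token_hex(8)  # constructed marker body
    target = Path(webroot) / CHALLENGE_DIR / token
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(body)
    return token, body


def fetch_probe(base_url: str, token: str, timeout: float = 10.0) -> Tuple[Optional[int], str]:
    """Fetch http://<host>/.well-known/acme-challenge/<token> as the CA would.
    Redirects are followed (the CA follows them too). Returns (status, body);
    status None means no HTTP answer came back at all."""
    url = f"{base_url.rstrip('/')}/{CHALLENGE_DIR}/{token}"
    req = urllib.request.Request(url, headers={"User-Agent": "webroot-probe/1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", errors="replace")
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read().decode("utf-8", errors="replace")
    except (urllib.error.URLError, OSError) as exc:
        return None, str(exc)


def diagnose(status: Optional[int], body: str, expected: str) -> Tuple[str, str]:
    """Map the fetch result to a verdict and a hint.
    Verdicts: ok, unreachable, not-found, bad-status, mismatch."""
    if status is None:
        return "unreachable", f"no HTTP answer on port 80 ({body}); check port forwarding and firewall"
    if status == 404:
        return "not-found", ("404: the server answering on port 80 does not serve this webroot, "
                             "or a rule such as 'location ~ /\\. { return 404; }' blocks .well-known")
    if status != 200:
        return "bad-status", f"HTTP {status}: access/auth rules or a redirect are in the way"
    if body.strip() != expected:
        return "mismatch", "200 but wrong body: a different document root or server answered"
    return "ok", "challenge path is served correctly"


def run_check(webroot: str, base_url: str) -> Tuple[str, str]:
    """Write, fetch, diagnose, and always remove the probe file afterwards."""
    token, expected = write_probe(webroot)
    try:
        status, body = fetch_probe(base_url, token)
        return diagnose(status, body, expected)
    finally:
        (Path(webroot) / CHALLENGE_DIR / token).unlink(missing_ok=True)


if __name__ == "__main__":
    # usage: python webroot_probe.py <webroot> http://<public-hostname>
    verdict, hint = run_check(sys.argv[1], sys.argv[2])
    print(f"{verdict}: {hint}")
    sys.exit(0 if verdict == "ok" else 1)
```

Run it from inside the container that owns the webroot, so the file lands where Certbot writes it, while the fetch goes out to the public hostname. A `not-found` verdict is the situation in this thread (a blanket `return 404` on dot-paths, or the wrong `root`); a `mismatch` means some other server is answering on port 80 than the one whose webroot you wrote to, which is worth ruling out before editing any nginx config.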

Please see below the edits I have made to my emhttp-servers.conf file. I have restarted Nginx-Proxy-Manager container and upon checking the logs (also below), they appear to still be the same.

# Generated by /etc/rc.d/rc.nginx
#
# set root directory for requests
#
root /usr/local/emhttp;
#
# limit the amount of failed auth requests per IP address
#
limit_req_zone $binary_remote_addr zone=authlimit:1m rate=30r/m;
#
# Authentication Settings
#
satisfy any;
allow 127.0.0.1;
allow ::1;
allow unix:;
deny  all;
auth_request /auth_request.php;
#
# define our servers
#
server {
    #
    # Listen on local socket for nchan publishers
    #
    listen unix:/var/run/nginx.socket default_server;
    location ~ /pub/(.*)$ {
        nchan_publisher;
        nchan_channel_id "$1";
        nchan_message_buffer_length $arg_buffer_length;
    }
}
server {
    #
    # Port settings for http protocol
    #
    listen *:80 default_server;
    listen [::]:80 default_server;
    location ~ /wsproxy/80/ { return 403; }
    #
    # Default start page
    #
    location = / {
        return 302 $scheme://$http_host/Main;
    }
    #
    # Redirect to login page for authentication
    #
    location /login {
        allow all;
        limit_req zone=authlimit burst=20 nodelay;
        try_files /login.php =404;
        include fastcgi_params;
    }
    location /logout {
        allow all;
        try_files /login.php =404;
        include fastcgi_params;
    }
    #
    # Redirect to login page on failed authentication (401)
    #
    error_page 401 @401;
    location @401 {
        return 302 $scheme://$http_host/login;
    }
    #
    # deny access to any hidden file (beginning with a .period)
    #
    # location ~ /\. {
    #    return 404;
    # }
    #
    # page files handled by template.php
    #
    location / {
        try_files $uri /webGui/template.php$is_args$args;
    }
    #
    # nchan subscriber endpoint
    #
    location ~ /sub/(.*)$ {
        nchan_subscriber;
        # nchan_authorize_request <url here>
        nchan_channel_id "$1";
        nchan_channel_id_split_delimiter ",";
    }
    #
    # my servers proxy
    #
    location /graphql {
        allow all;
        error_log /dev/null crit;
        proxy_pass http://unix:/var/run/unraid-api.sock:/graphql;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_cache_bypass $http_upgrade;
        proxy_intercept_errors on;
        error_page 502 = @graph502;
    }
    location @graph502 {
        default_type application/json;
        return 200 '{"errors":[{"error":{"name":"InternalError","message":"Graphql is offline."}}]}';
    }
    #
    # websocket proxy
    #
    location ~ /wsproxy/(.*)$ {
        proxy_read_timeout 3600;
        proxy_pass http://127.0.0.1:$1;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
    #
    # add Cache-Control headers to novnc
    #
    location ~ /plugins\/dynamix.vm.manager\/novnc/(.*)$ {
        gzip on;
        gzip_disable "MSIE [1-6]\.";
        gzip_types text/css application/javascript text/javascript application/x-javascript;
        add_header Cache-Control no-cache;
    }
    #
    # pass PHP scripts to FastCGI server listening on unix:/var/run/php5-fpm.sock
    #
    location ~ \.php$ {
        include fastcgi_params;
    }
    #
    # enable compression of JS/CSS files
    # if version tag on querystring, tell browser to cache indefinitely
    #
    location ~ \.(js|css)$ {
        gzip on;
        gzip_disable "MSIE [1-6]\.";
        gzip_types text/css application/javascript text/javascript application/x-javascript;
        if ( $args ~ "v=" ) {
            expires max;
        }
    }
    #
    # robots.txt available without authentication
    #
    location = /robots.txt {
        allow all;
    }
    #
    # proxy update.htm and logging.htm scripts to emhttpd listening on local socket
    #
    location = /update.htm {
        keepalive_timeout 0;
        proxy_read_timeout 180; # 3 minutes
        proxy_pass http://unix:/var/run/emhttpd.socket:/update.htm;
    }
    location = /logging.htm {
        proxy_read_timeout 864000; # 10 days(!)
        proxy_pass http://unix:/var/run/emhttpd.socket:/logging.htm;
    }
    #
    # proxy webterminal to ttyd server listening on unix:/var/run/ttyd.sock
    #
    location ~ /webterminal/(.*)$ {
        proxy_read_timeout 864000; # 10 days(!)
        proxy_pass http://unix:/var/run/ttyd.sock:/$1;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
    location = /webterminal/auth_token.js {
        return 204;
    }
    #
    # proxy dockerterminal to ttyd server listening on unix:/var/tmp/<container-name>.sock
    #
    location ~ /dockerterminal/(.*)/(.*)$ {
        proxy_read_timeout 864000; # 10 days(!)
        proxy_pass http://unix:/var/tmp/$1.sock:/$2;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
    #
    # endpoint for checking if DNS rebinding protection is active
    #
    location = /dnscheck {
        allow all;
        add_header 'Access-Control-Allow-Origin' '*';
        add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS';
        add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
        add_header 'Access-Control-Max-Age' 86400;
        add_header 'Content-Type' 'text/plain; charset=utf-8';
        add_header 'Content-Length' 0;
        return 204;
    }
    #
    # added the below line on the advice of 9peppe on the LetsEncrypt forums
    #
    location /.well-known/acme-challenge/ {
        root /data/letsencrypt-acme-challenge;
    }
}


2022-04-03 06:06:54,145:DEBUG:certbot._internal.main:certbot version: 1.25.0
2022-04-03 06:06:54,145:DEBUG:certbot._internal.main:Location of certbot entry point: /usr/bin/certbot
2022-04-03 06:06:54,145:DEBUG:certbot._internal.main:Arguments: ['--config', '/etc/letsencrypt.ini', '--cert-name', 'npm-28', '--agree-tos', '--authenticator', 'webroot', '--email', 'kesutu@live.com.au', '--preferred-challenges', 'dns,http', '--domains', 'overseerr.kesutu.net']
2022-04-03 06:06:54,145:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2022-04-03 06:06:54,155:DEBUG:certbot._internal.log:Root logging level set at 30
2022-04-03 06:06:54,156:DEBUG:certbot._internal.plugins.selection:Requested authenticator webroot and installer None
2022-04-03 06:06:54,158:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * webroot
Description: Place files in webroot directory
Interfaces: Authenticator, Plugin
Entry point: webroot = certbot._internal.plugins.webroot:Authenticator
Initialized: <certbot._internal.plugins.webroot.Authenticator object at 0x14ea69138518>
Prep: True
2022-04-03 06:06:54,159:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot._internal.plugins.webroot.Authenticator object at 0x14ea69138518> and installer None
2022-04-03 06:06:54,159:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator webroot, Installer None
2022-04-03 06:06:54,162:DEBUG:certbot._internal.main:Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-v02.api.letsencrypt.org/acme/acct/479034450', new_authzr_uri=None, terms_of_service=None), 70ed5ca3963386c9cd986b3a95bba8d4, Meta(creation_dt=datetime.datetime(2022, 4, 2, 3, 40, 28, tzinfo=<UTC>), creation_host='86bac4368e76', register_to_eff=None))>
2022-04-03 06:06:54,162:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2022-04-03 06:06:54,163:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
2022-04-03 06:06:54,804:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 658
2022-04-03 06:06:54,804:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sun, 03 Apr 2022 13:06:54 GMT
Content-Type: application/json
Content-Length: 658
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "ejZRjbCfq4E": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}
2022-04-03 06:06:54,805:DEBUG:certbot._internal.display.obj:Notifying user: Requesting a certificate for overseerr.kesutu.net
2022-04-03 06:06:54,807:DEBUG:certbot.crypto_util:Generating ECDSA key (2048 bits): /etc/letsencrypt/keys/0005_key-certbot.pem
2022-04-03 06:06:54,809:DEBUG:certbot.crypto_util:Creating CSR: /etc/letsencrypt/csr/0005_csr-certbot.pem
2022-04-03 06:06:54,809:DEBUG:acme.client:Requesting fresh nonce
2022-04-03 06:06:54,809:DEBUG:acme.client:Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce.
2022-04-03 06:06:55,018:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0
2022-04-03 06:06:55,018:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sun, 03 Apr 2022 13:06:54 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0002BShhjEcBW-OgUD1jirIWX7aeCVE8x5UG17NRPlnVxxw
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800


2022-04-03 06:06:55,018:DEBUG:acme.client:Storing nonce: 0002BShhjEcBW-OgUD1jirIWX7aeCVE8x5UG17NRPlnVxxw
2022-04-03 06:06:55,018:DEBUG:acme.client:JWS payload:
b'{\n  "identifiers": [\n    {\n      "type": "dns",\n      "value": "overseerr.kesutu.net"\n    }\n  ]\n}'
2022-04-03 06:06:55,020:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/new-order:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvNDc5MDM0NDUwIiwgIm5vbmNlIjogIjAwMDJCU2hoakVjQlctT2dVRDFqaXJJV1g3YWVDVkU4eDVVRzE3TlJQbG5WeHh3IiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9uZXctb3JkZXIifQ",
  "signature": "Le_wLCRPsQVljYLDMchyllUrrnrV5_kkTljPQMqWuvoblfXdo4T6MmPqqlYCfyCIYpCzLeyoDSwKIpFmqYzBcRxZh1OigDIwGWU4yK3PgXwPA7Ojyzrc99ib4TTJhVFJksaLvWYorcrRFRnGaTn0tVBqBvHRDybsAq_Zp7UYKJu6FBOC4Lx3wJr1NChiyyYIq77Sy4LsMyARm6KxeDcS7ERGU9ToW9NVTg7XuwMQtzpeOO2ZebLnzH8EmoH1nxVHaDbpI-PPtGakH-s5N1TM3zHXw1AbnrOw-p7AWvktcihv4juicElgr1LOMI949RSjbLme5zv699QD76ZDfwI_sw",
  "payload": "ewogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwKICAgICAgInZhbHVlIjogIm92ZXJzZWVyci5rZXN1dHUubmV0IgogICAgfQogIF0KfQ"
}
2022-04-03 06:06:55,273:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 343
2022-04-03 06:06:55,274:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Date: Sun, 03 Apr 2022 13:06:55 GMT
Content-Type: application/json
Content-Length: 343
Connection: keep-alive
Boulder-Requester: 479034450
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Location: https://acme-v02.api.letsencrypt.org/acme/order/479034450/76981445730
Replay-Nonce: 0001yMZn3rKYXOeJ1K5gpj3Q_GGdsbFAKsMPESYE-teQ9PY
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "status": "pending",
  "expires": "2022-04-10T13:06:55Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "overseerr.kesutu.net"
    }
  ],
  "authorizations": [
    "https://acme-v02.api.letsencrypt.org/acme/authz-v3/94399180580"
  ],
  "finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/479034450/76981445730"
}
2022-04-03 06:06:55,274:DEBUG:acme.client:Storing nonce: 0001yMZn3rKYXOeJ1K5gpj3Q_GGdsbFAKsMPESYE-teQ9PY
2022-04-03 06:06:55,274:DEBUG:acme.client:JWS payload:
b''
2022-04-03 06:06:55,275:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/94399180580:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvNDc5MDM0NDUwIiwgIm5vbmNlIjogIjAwMDF5TVpuM3JLWVhPZUoxSzVncGozUV9HR2RzYkZBS3NNUEVTWUUtdGVROVBZIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My85NDM5OTE4MDU4MCJ9",
  "signature": "0UBUXg536GUA_v9qFC4-Y3OdJcTCC5ZDRw59QfD67UhsocE3rRPz3V3ONWUi0IUaPsZIeqNvGO9SgnNCPOcjqH0CcPc__f3ACJickIL8thZvnxdwmE_sH0xQGpHh71jnBziTc-AUxMretJrcJYA5H3q0rAz7e_GP6FcZ7wq9fIi5x4sfup13RXEk8uw9V3RbEbAnmCdiVve-VzQ2wiY6Lh3rBFHdhZeoqOO_kcU3hnOrplQ8djNKdEyaa-IG2cZfbl9INeZOlBwr51xTu-n7vBAtu4AnGBDuHI6liPdJ5vtnDD7wSAFsmtHt7ZFXdNazpZ5oZdYEattkNKYsC66UVg",
  "payload": ""
}
2022-04-03 06:06:55,484:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/94399180580 HTTP/1.1" 200 801
2022-04-03 06:06:55,484:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sun, 03 Apr 2022 13:06:55 GMT
Content-Type: application/json
Content-Length: 801
Connection: keep-alive
Boulder-Requester: 479034450
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0002OucPfQ4jkf1cHgdmMGC2X0nHz-o1NMZCPU9TCPeclKk
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "overseerr.kesutu.net"
  },
  "status": "pending",
  "expires": "2022-04-10T13:06:55Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/94399180580/13Mdug",
      "token": "-HaYZLW2aivFCtAJ42G0yOHoPIaOCrvtv-tQgOp2b3s"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/94399180580/PmyEcQ",
      "token": "-HaYZLW2aivFCtAJ42G0yOHoPIaOCrvtv-tQgOp2b3s"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/94399180580/Czgv6g",
      "token": "-HaYZLW2aivFCtAJ42G0yOHoPIaOCrvtv-tQgOp2b3s"
    }
  ]
}
2022-04-03 06:06:55,484:DEBUG:acme.client:Storing nonce: 0002OucPfQ4jkf1cHgdmMGC2X0nHz-o1NMZCPU9TCPeclKk
2022-04-03 06:06:55,484:INFO:certbot._internal.auth_handler:Performing the following challenges:
2022-04-03 06:06:55,484:INFO:certbot._internal.auth_handler:http-01 challenge for overseerr.kesutu.net
2022-04-03 06:06:55,484:INFO:certbot._internal.plugins.webroot:Using the webroot path /data/letsencrypt-acme-challenge for all unmatched domains.
2022-04-03 06:06:55,485:DEBUG:certbot._internal.plugins.webroot:Creating root challenges validation dir at /data/letsencrypt-acme-challenge/.well-known/acme-challenge
2022-04-03 06:06:55,486:DEBUG:certbot._internal.plugins.webroot:Attempting to save validation to /data/letsencrypt-acme-challenge/.well-known/acme-challenge/-HaYZLW2aivFCtAJ42G0yOHoPIaOCrvtv-tQgOp2b3s
2022-04-03 06:06:55,487:DEBUG:acme.client:JWS payload:
b'{}'
2022-04-03 06:06:55,487:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/94399180580/13Mdug:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvNDc5MDM0NDUwIiwgIm5vbmNlIjogIjAwMDJPdWNQZlE0amtmMWNIZ2RtTUdDMlgwbkh6LW8xTk1aQ1BVOVRDUGVjbEtrIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9jaGFsbC12My85NDM5OTE4MDU4MC8xM01kdWcifQ",
  "signature": "C-KmSVGXGeN0hjhXKsLxVIKpoXyR8etcN5emcKU0wh8FJVlbYmZ9f-WFu7dPMU2tErN-SFNCYKf3-GTQELLOWZcGfNiYiAE-h1THVBUBhDjYCjzP59wes19yFebu0Co2dMRoIqdv2VCk41ZLJ-tNO_n1dEEJVun9-lA3SJbRFCfUAppUfw-wjmhC2OGVLKfMjBiOC341zWWpMK9tAIAIpBH2ISOCWZ25EWrn6L7vQzCXPKdQeuY2dwxCorPjpva_EWqIFwByRSEW3aRZQdwbiHnY821c0Vp0GLgmh7rSDMSpQSaY3l1bynccl2Pg9iZpqKja9vpnk1tZvW4I2pi3aA",
  "payload": "e30"
}
2022-04-03 06:06:55,703:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/chall-v3/94399180580/13Mdug HTTP/1.1" 200 186
2022-04-03 06:06:55,704:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sun, 03 Apr 2022 13:06:55 GMT
Content-Type: application/json
Content-Length: 186
Connection: keep-alive
Boulder-Requester: 479034450
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index", <https://acme-v02.api.letsencrypt.org/acme/authz-v3/94399180580>;rel="up"
Location: https://acme-v02.api.letsencrypt.org/acme/chall-v3/94399180580/13Mdug
Replay-Nonce: 0001_atHc3BuA0_AM2SdYfF6-zIodaE5wOq2wmICgFeCRME
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "type": "http-01",
  "status": "pending",
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/94399180580/13Mdug",
  "token": "-HaYZLW2aivFCtAJ42G0yOHoPIaOCrvtv-tQgOp2b3s"
}
2022-04-03 06:06:55,704:DEBUG:acme.client:Storing nonce: 0001_atHc3BuA0_AM2SdYfF6-zIodaE5wOq2wmICgFeCRME
2022-04-03 06:06:55,704:INFO:certbot._internal.auth_handler:Waiting for verification...
2022-04-03 06:06:56,705:DEBUG:acme.client:JWS payload:
b''
2022-04-03 06:06:56,706:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/94399180580:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvNDc5MDM0NDUwIiwgIm5vbmNlIjogIjAwMDFfYXRIYzNCdUEwX0FNMlNkWWZGNi16SW9kYUU1d09xMndtSUNnRmVDUk1FIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My85NDM5OTE4MDU4MCJ9",
  "signature": "GH0wUmIqaFz2gkb28KI7h70moXzCtgPtrQphaVuxr5eVsRly7usYp5WnlrBQSRrrhm65jYtb_E8wn3OkTyhqb69bZ5gVFdToxfwdKi7PSxPlSn7Rpe381YBGXGs4W5tqxg9o3TCYYYKSDiOv4azMAoZ2NDN6b-U3dPfRS1GBQcUEVKGyA9nPA4f5Hg5yPVT4pel4hut90gGRynjtioo5saNDa-pGAEKVt7Htz8jWysTAbcGuceaad5xNFMszcYG6f05Q2vdnyeJhzNWRy-O2Bj3-mv83wNsCKS6qT3ZS46C0FXTsT3JjLtuT79Ah51dsODI2dPndXhPTgt-y2Vta6g",
  "payload": ""
}
2022-04-03 06:06:56,916:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/94399180580 HTTP/1.1" 200 1045
2022-04-03 06:06:56,916:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sun, 03 Apr 2022 13:06:56 GMT
Content-Type: application/json
Content-Length: 1045
Connection: keep-alive
Boulder-Requester: 479034450
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0001sKCAgU-yYQ37LAKSwbRJuV86_EQ8TjZW8LEKWoPa85Y
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "overseerr.kesutu.net"
  },
  "status": "invalid",
  "expires": "2022-04-10T13:06:55Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "Invalid response from http://overseerr.kesutu.net/.well-known/acme-challenge/-HaYZLW2aivFCtAJ42G0yOHoPIaOCrvtv-tQgOp2b3s [202.65.69.50]: 404",
        "status": 403
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/94399180580/13Mdug",
      "token": "-HaYZLW2aivFCtAJ42G0yOHoPIaOCrvtv-tQgOp2b3s",
      "validationRecord": [
        {
          "url": "http://overseerr.kesutu.net/.well-known/acme-challenge/-HaYZLW2aivFCtAJ42G0yOHoPIaOCrvtv-tQgOp2b3s",
          "hostname": "overseerr.kesutu.net",
          "port": "80",
          "addressesResolved": [
            "202.65.69.50"
          ],
          "addressUsed": "202.65.69.50"
        }
      ],
      "validated": "2022-04-03T13:06:55Z"
    }
  ]
}
2022-04-03 06:06:56,917:DEBUG:acme.client:Storing nonce: 0001sKCAgU-yYQ37LAKSwbRJuV86_EQ8TjZW8LEKWoPa85Y
2022-04-03 06:06:56,917:INFO:certbot._internal.auth_handler:Challenge failed for domain overseerr.kesutu.net
2022-04-03 06:06:56,917:INFO:certbot._internal.auth_handler:http-01 challenge for overseerr.kesutu.net
2022-04-03 06:06:56,917:DEBUG:certbot._internal.display.obj:Notifying user: 
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: overseerr.kesutu.net
  Type:   unauthorized
  Detail: Invalid response from http://overseerr.kesutu.net/.well-known/acme-challenge/-HaYZLW2aivFCtAJ42G0yOHoPIaOCrvtv-tQgOp2b3s [202.65.69.50]: 404

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

2022-04-03 06:06:56,917:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 106, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 206, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2022-04-03 06:06:56,917:DEBUG:certbot._internal.error_handler:Calling registered functions
2022-04-03 06:06:56,917:INFO:certbot._internal.auth_handler:Cleaning up challenges
2022-04-03 06:06:56,917:DEBUG:certbot._internal.plugins.webroot:Removing /data/letsencrypt-acme-challenge/.well-known/acme-challenge/-HaYZLW2aivFCtAJ42G0yOHoPIaOCrvtv-tQgOp2b3s
2022-04-03 06:06:56,918:DEBUG:certbot._internal.plugins.webroot:All challenges cleaned up
2022-04-03 06:06:56,918:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 8, in <module>
    sys.exit(main())
  File "/opt/certbot/lib/python3.7/site-packages/certbot/main.py", line 19, in main
    return internal_main.main(cli_args)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/main.py", line 1715, in main
    return config.func(config, plugins)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/main.py", line 1574, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/main.py", line 139, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/client.py", line 513, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/client.py", line 441, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/client.py", line 493, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 106, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 206, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
2022-04-03 06:06:56,918:ERROR:certbot._internal.log:Some challenges have failed.

This is strange. Did you reload nginx?

(I know nginx but I'm not familiar with how it's being used on your device)

1 Like

There is no webroot path (-w) listed in the options. Are you prompted to enter it? If I omit it from command line I get prompted.

3 Likes

Well, as far as I assumed, restarting Nginx-Proxy-Manager Docker Container would restart the underlying nginx service. If not, I could try and restart my entire server which would likely reboot nginx as well. I'll give that a try tomorrow morning, it is getting late now. Thank you so much for your assistance so far, I appreciate it.

The arguments, I presume, are generated by the Nginx-Proxy-Manager-Official Docker Container GUI. I have no idea how I would go about changing the arguments sent by the GUI.

Does that autogenerate the nginx config too?

1 Like

The nginx config was autogenerated by Nginx-Proxy-Manager-Official Docker Container.

I think I will also post this question on the Nginx-Proxy-Manager-Official github page. I came here first because I was using Letsdebug.net to test and it recommended me to ask the question here on this community page.

1 Like

Then there should be some config on a higher level, anything we edited will be overwritten. Proxy-Manager people should know more.

1 Like

Where is the nginx config that covers that name?

1 Like

I have managed to resolve the issue, it was not a permission-based issue but rather an Unraid/Docker networking issue.

This update is just for anyone who manages to stumble across this forum with similar circumstances to myself and hopefully this might help you.

What I did was create a custom Docker network and then put all my Docker containers on it. Please see the link below for instructions

Put all my other containers on the same custom network.

Then, in order for Nginx Proxy Manager to start, you have to reroute/port forward port 80 and 443 to a different internal port (I used 8080 and 4443).

Then, upon attempting to request a new LetsEncrypt SSL certificate, everything went smoothly!

Thank you all for the assistance!

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.