An error occurs during the challenge:

Type: unauthorized
Detail: Invalid response from
http://app.test.ru/.well-known/acme-challenge/Tcz1WXPz5Q-CjQlAIzJ2Y69langzO-zTfjxKF5UDyDk:
"

404 Not Found

404 Not Found

---

" ``` ``` There are 2 configs for load balancers: app.conf and lb1.conf **app.conf** ``` upstream lb { server lb1.test.ru; server lb2.test.ru; }

server {
listen 80;
server_name app.test.ru;

location / {
return 301 https://app.test.ru$request_uri;
}

location /.well-known/acme-challenge/ {proxy_pass http://lb;}

    }

**lb1.conf**

upstream backend {
server app1.test.ru;
server app2.test.ru;
check interval=1000 rise=1 fall=2 timeout=1000 type=http;
check_http_send "GET /status HTTP/1.0\r\n\r\n";
check_http_expect_alive http_2xx http_3xx;
}

server {
listen 80;
server_name app1.test.ru;

access_log /var/log/nginx/log.access.log themain;

location / {return 201;}
location /status {return 200;}
}

server {
listen 80;
server_name app2.test.ru;

access_log /var/log/nginx/log.access.log themain;

location / {return 202;}
location /status {return 200;}
}

server {
listen 80;
server_name lb1.test.ru;

location /.well-known/acme-challenge {root /opt/www/acme;}

location / {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://backend;
}
}

on the second load balancers app.conf is the same
**lb2.conf**

upstream backend {
server app1.test.ru;
server app2.test.ru;
check interval=1000 rise=1 fall=2 timeout=1000 type=http;
check_http_send "GET /status HTTP/1.0\r\n\r\n";
check_http_expect_alive http_2xx http_3xx;
}

server {
listen 80;
server_name app1.test.ru;

access_log /var/log/nginx/log.access.log themain;

location / {return 201;}
location /status {return 200;}
}

server {
listen 80;
server_name app2.test.ru;

access_log /var/log/nginx/log.access.log themain;

location / {return 202;}
location /status {return 200;}
}

server {
listen 80;
server_name lb2.test.ru;

location /.well-known/acme-challenge {proxy_pass http://lb1.test.ru;}

location / {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://backend;
}
}

2 app1 and app2 servers (identical):

server {
listen 80;

location / {
set_real_ip_from unix:;
real_ip_header X-Forwarded-For;
real_ip_recursive on;
proxy_pass http://127.0.0.1:8080;
}
}

I start receiving with the sudo letsencrypt cert only --dry-run --webroot -w /opt/www/acmed command app.test.ru
i am tested curl 
- - [12/Nov/2021:18:32:36 +0000] "GET /.well-known/acme-challenge/12345.txt HTTP/1.1" 404 162 "-" "curl/7.68.0"

Using:

and requesting:
http://app.test.ru/.well-known/acme-challenge/12345.txt
would send that request to...
Which do you think?:
/opt/www/acmed/12345.txt
OR
/opt/www/acmed/.well-known/acme-challenge/12345.txt
OR
to http://backend/12345.txt
OR
some other place

Where did you place your 12345.txt file?
[ I guess = wrong place = /opt/www/acmed/12345.txt ]

this is a typo when I wrote the text, when requesting I use /opt/www/acme
the file is located in a directory on the server /opt/www/acme/.well-known/acme-challenge/12345.txt

Which server? You have 2 and they process requests alternately due to your nginx load balancer configuration.

So, if you run Certbot on server1 (lb1) you will get a request to app.test.ru from the Lets Encrypt (LE) server. Then nginx will route that to lb1 or lb2 depending on which one processed the last request to app.test.ru. If nginx routes the LE request to lb1 it would work but if nginx routed it to lb2 it would fail to find the challenge file.

Every server that can respond to the http challenge request from Lets Encrypt must respond in the same way. This requires special care when setting up load balancers.

One way is to use DNS authentication. See the Certbot docs for the DNS systems that are supported.

Other ways are to have a dedicated server for Certbot and then copy the certs to each load balancer server. Or, place the certs in a "secrets" location and have each LB server load certs from this location on startup and once a day or something like that.

Try placing other files in those other locations.
And see if any can be reached.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.