Type: unauthorized Detail: Invalid response from + Windows OS

My domain is: www.uat.connectedsafetynet.co.uk

I ran this command: certbot certonly --standalone
It asked for the domain name and I entered: www.uat.connectedsafetynet.co.uk

It produced this output:

```
C:\Users\pranav\Downloads\praveen>certbot certonly --standalone
Saving debug log to C:\Certbot\log\letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel): www.uat.connectedsafetynet.co.uk
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.uat.connectedsafetynet.co.uk
Waiting for verification...
Challenge failed for domain www.uat.connectedsafetynet.co.uk
http-01 challenge for www.uat.connectedsafetynet.co.uk
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: www.uat.connectedsafetynet.co.uk
   Type:   unauthorized
   Detail: Invalid response from
   http://www.uat.connectedsafetynet.co.uk/.well-known/acme-challenge/3pxGQxnB1Edm7X5-sJC66CrTgM2D7Hj_3zScsbT2-I4
   [51.140.47.95]: "<!DOCTYPE html>\r\n<html>\r\n  <head>\r\n
   <title>CSN</title>\r\n    <meta charset=\"utf-8\" />\r\n
   <meta\r\n      name=\"viewport\"\r\n     "

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
```

My web server is (include version): Nginx

The operating system my web server runs on is (include version): Windows 10

My hosting provider, if applicable, is: Azure

I can login to a root shell on my machine (yes or no, or I don’t know): yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 1.6.0

My Nginx config file looks like this:

```nginx
worker_processes 1;

events {
    worker_connections 1024;
}

http {
    include mime.types;
    default_type application/octet-stream;

    sendfile        on;
    keepalive_timeout  65;

    server {
        listen       80;
        server_name  uat.connectedsafetynet.co.uk www.uat.connectedsafetynet.co.uk;
        location / {
            proxy_pass "http://localhost:3000";
        }

        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }
    }
}
```
1 Like

There is no web root.
You are sending all connections (including the challenge requests) to the “proxy”.

Try excluding the /.well-known/acme-challenge/ requests from being “proxied”.
And also use --webroot with an actual document root path.

3 Likes

How can I exclude the /.well-known/acme-challenge/ requests from being “proxied”?

1 Like

As an alternative to webroot, you could keep around the --standalone and do something like:

```nginx
location /.well-known/acme-challenge/ {
    proxy_pass http://localhost:61234/;
}
```

and then:

```
certbot certonly -d www.uat.connectedsafetynet.co.uk --standalone --http-01-port 61234 --dry-run
```

It could be a little simpler if you don’t really have a document root already (such as in the case when you’re proxying to Node).

2 Likes

For extra security, I would use a separate dedicated root folder for the HTTP LE challenge requests.
As follows:

```nginx
server {

    listen       80;

    server_name  uat.connectedsafetynet.co.uk www.uat.connectedsafetynet.co.uk;

    location /.well-known/acme-challenge/ {
        #You can turn on logging and send it to a dedicated file if you like
        access_log off;
        #You can use any separate dedicated path
        #You may also need to chmod +rw the folder (depending on O/S and security applied)
        root /ACMEchallenges/;
        try_files $uri 405; #or any 40x, I use 405 to be uniquely certain the reply is coming from here
    }#location

    location / {
        #proxy all other (non LE challenge) requests
        proxy_pass "http://localhost:3000";
    }#location

    error_page   500 502 503 504  /50x.html;

    location = /50x.html {
        root   html; # < this should probably be a more specific full path
    }#location

}#server
```

Note: removed an extra “}” near the bottom, which did not seem to be needed

2 Likes
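A pre-flight check for the two fixes above (the `--http-01-port` proxy and the dedicated challenge root with `try_files $uri 405`), added here as an example and not code from the thread, certbot or nginx. It requests a challenge URL the way the Let's Encrypt validation server does and classifies the reply: with the original config the app's HTML page comes back (the "Invalid response" certbot printed); with the dedicated-root config an unknown token yields the 405, and a token file you place yourself is echoed back verbatim. The `classify`/`probe` names and the `acme-preflight` User-Agent are this example's own.

```python
"""Check what an ACME validator would see at /.well-known/acme-challenge/."""
import secrets
import urllib.error
import urllib.request
from typing import Optional

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def classify(status: int, body: str, expected: Optional[str] = None) -> str:
    """Interpret one response to a challenge-path request."""
    if expected is not None:
        # A token file we placed ourselves: nginx must echo its exact content.
        return "served" if status == 200 and body.strip() == expected else "mismatch"
    if status == 405:
        return "dedicated_root_ok"   # the 405 from try_files: the location is wired up
    if status == 200 and "<html" in body.lower():
        return "proxied_to_app"     # the backend answered instead of nginx (the bug here)
    if status == 404:
        return "not_found"          # a webroot answered, but no such token file exists
    return "unexpected"


def probe(domain: str, token: str, expected: Optional[str] = None,
          timeout: float = 5.0) -> str:
    """Fetch one challenge URL over plain HTTP, as the ACME server would."""
    url = f"http://{domain}{CHALLENGE_PREFIX}{token}"
    req = urllib.request.Request(url, headers={"User-Agent": "acme-preflight"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read(4096).decode("utf-8", "replace"), expected)
    except urllib.error.HTTPError as exc:
        # 4xx/5xx replies are still meaningful; classify them like any other status.
        return classify(exc.code, exc.read(4096).decode("utf-8", "replace"), expected)


if __name__ == "__main__":
    import sys

    host = sys.argv[1]  # e.g. the domain from this thread
    # A random token nobody has placed: expect dedicated_root_ok, not proxied_to_app.
    print(host, "->", probe(host, secrets.token_urlsafe(32)))
```

To test the echo path, drop a file under the challenge root and call `probe(host, token, expected=content)`; note that with `root /ACMEchallenges/` nginx appends the full URI, so the file must live at `/ACMEchallenges/.well-known/acme-challenge/<token>`.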

@_az @rg305 Thanks guys, this worked for me.

2 Likes
