Type: unauthorized Detail: Invalid response from

My domain is: https://thewthr.app

I ran this command: sudo /usr/local/bin/certbot-auto renew

It produced this output:

   Domain: thewthr.app
   Type:   unauthorized
   Detail: Invalid response from
   https://thewthr.app/.well-known/acme-challenge/Oo8zNzMTQJFsR38wRcf9pck2qViDQR6MQX7Jz3xo8ag
   [2606:4700:3035::681f:41ae]: "<!DOCTYPE html>\n<!--[if lt IE 7]>
   <html class=\"no-js ie6 oldie\" lang=\"en-US\">
   <![endif]-->\n<!--[if IE 7]>    <html class=\"no-js "

My web server is: Nginx 1.14.1

The operating system my web server runs on is: CentOS 8

My hosting provider is: Vultr

I can log in to a root shell on my machine: Yes

I’m using a control panel to manage my site: No

The version of my client is: Certbot 1.5.0

thewthr.app.conf:

server {
    listen      80;
    listen      [::]:80;
    listen      443 ssl http2;
    listen      [::]:443 ssl http2;

    server_name thewthr.app;
    root        /var/www/thewthr.app;

    include     snippets/base-noloc.conf;
    include     snippets/letsencrypt.conf;
    include     snippets/ssl.conf;

    ssl_certificate             /etc/letsencrypt/live/thewthr.app/fullchain.pem;
    ssl_certificate_key      /etc/letsencrypt/live/thewthr.app/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/thewthr.app/chain.pem;
}

server {
    listen      80;
    listen      [::]:80;
    listen      443 ssl http2;
    listen      [::]:443 ssl http2;

    server_name  *.thewthr.app;

    include     snippets/letsencrypt.conf;
    include     snippets/ssl.conf;

    ssl_certificate              /etc/letsencrypt/live/thewthr.app/fullchain.pem;
    ssl_certificate_key      /etc/letsencrypt/live/thewthr.app/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/thewthr.app/chain.pem;

    return 301 $scheme://thewthr.app$request_uri;
}

letsencrypt.conf:

location ^~ /.well-known/acme-challenge/ {
  allow all;
  root /var/lib/letsencrypt/;
  default_type "text/plain";
  try_files $uri =404;
}

ssl.conf:

ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
ssl_session_tickets off;

ssl_dhparam /etc/ssl/certs/dhparam.pem;

# intermediate configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA38$
ssl_prefer_server_ciphers off;

# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;

# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;

Although that might be technically possible, it is very difficult to accomplish successfully.
You should separate your HTTP from your HTTPS sections.

This has worked for 3 years straight… I’m so sick of Let’s Encrypt changing up everything all the damn time. What changes do you suggest?

Excuse me?

I don't think LE changed anything in your code.
And you kind of contradict yourself by saying

So which is it?

Until you get that sorted out...

The code shown fails to explain how an HTTP://your.domain/.well-known/acme-chalenge/{file-name} request gets redirected to HTTPS.

Perhaps the redirect (and maybe the "problem") exists within:

[a file that LE surely did NOT create]

Without the full code, nor more helpful LE log details, it is near to impossible to be certain why this is failing.

I might have worded this confusingly.

This specific part of the configuration has stayed the same for about 3 years and through countless renewals of countless domains.

However, every time I update the certbot/renew my certs it does not work anymore and I either have to spend hours researching which configuration detail I have to adjust this time or just rm certbot and all certs and then generate them anew.

Maybe we should just get it right (once and for all).

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.