Type: unauthorized Detail: Invalid response from

Yes, exactly!
https://your.domain/.well-known/acme-challenge/* > /home/letsencrypt/challenge/*
https://your.domain/* > proxy

1 Like

Do I need a different path per subdomain, or can I use the same one for all?

1 Like

Same path is good.
We aren't trying to secure the files stored there [which are public].
We are trying to ensure no one can use that path to reach anything else.

Let's test-run one domain:

certbot certonly \
--webroot -w /home/letsencrypt/challenge/ \
-d alpha.sign-art.app \
--dry-run -v

1 Like

This gave me the following:

certbot certonly \
> --web-root -w /home/letsencrypt/challenge/ \
> -d alpha.sign-art.app \
> --dry-run -v
usage:
  certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates.  By default,
it will attempt to use a webserver both for obtaining and installing the
certificate.
certbot: error: unrecognized arguments: --web-root

1 Like

It should be --webroot

1 Like

I tried for alpha.sign-art.app but got the unauthorized again. This one isn't a reverse proxy, but it also doesn't have the "location ~ /.well-known" block; should I add it?

server {
    root /home/crashbdx/alpha.sign-art.app/dist;
    #root /home/crashbdx/maintenance;
    index index.html;

    server_name alpha.sign-art.app;

    location / {
        #try_files $uri $uri/ =404;
        try_files $uri $uri/ /index.html;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/alpha.sign-art.app/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/alpha.sign-art.app/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
    if ($host = alpha.sign-art.app) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    server_name alpha.sign-art.app;
    listen 80;
    return 404; # managed by Certbot
}

By the way, is it "location ~ /.well-known/acme-challenge {" or "location ~ /.well-known {"?

2 Likes

Cheers @griffin :beers:
Good :eyes: ! ! !
[and welcome to the challenge]


1 Like

More specific is better. Use:
location ~ /.well-known/acme-challenge {

1 Like

OK, so I also add it in my server block for alpha.sign-art.app, since it's not there, right?

2 Likes

Definitely.
It is safe to add to all blocks.

1 Like

Added it and tried again, and now I'm getting this:

     IMPORTANT NOTES:
     - The following errors were reported by the server:

       Domain: alpha.sign-art.app
       Type:   dns
       Detail: During secondary validation: DNS problem: SERVFAIL looking
       up A for alpha.sign-art.app - the domain's nameservers may be
       malfunctioning

1 Like

Well, that must be a momentary failure:

sign-art.app    nameserver = donna.ns.cloudflare.com
sign-art.app    nameserver = nicolas.ns.cloudflare.com

Cloudflare DNS is one of the better ones out there.

Try it again.

1 Like

- The dry run was successful.

:smiley: :grinning: :smile: :grin: :heart_eyes: :smiling_face_with_three_hearts: :star_struck:

Very cool, so I can try it for real now? Then add the path in all the other nginx configs?

2 Likes

Yes, remove:
--dry-run -v
and get a real renewed cert!

1 Like

  Certificate Name: alpha.sign-art.app
    Domains: alpha.sign-art.app
    Expiry Date: 2021-05-05 07:39:02+00:00 (VALID: 89 days)

Thanks a lot! I will repeat that process for the others then, correct?

2 Likes

Yes.
Once the ones below 30 days are all renewed, then you can --dry-run test the ones above 30 days.
Then after they all renew (or pass the dry-run tests), you need to deal with automation.
You can check what may already be there with:
sudo crontab -l
or
sudo crontab -u root -l
and also
sudo systemctl list-timers | grep -i cert

1 Like

OK, I'll first repeat for all of the configs, then I'll be ba

2 Likes

I only have one that gives me trouble when I try this:

sudo certbot certonly --webroot -w /home/letsencrypt/challenge/ -d preprod.sign-art.app --dry-run -v

Config:

server {
    root /home/user/mainnet/sign-art.app-1/dist;
    #root /home/user/maintenance;
    index index.html;

    server_name preprod.sign-art.app;

    location / {
        #try_files $uri $uri/ =404;
        try_files $uri $uri/ /index.html;
    }

    location ~ /.well-known/acme-challenge {
        root /home/letsencrypt/challenge;
        allow all;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/preprod.sign-art.app/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/preprod.sign-art.app/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
    if ($host = preprod.sign-art.app) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    listen 80;
    server_name preprod.sign-art.app;
}

ERROR

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: preprod.sign-art.app
   Type:   unauthorized
   Detail: Invalid response from
   http://preprod.sign-art.app/.well-known/acme-challenge/sD_4BKh1pJC1lYY-FR2wBP87zR4I2J1-WlVLai6voAU
   [2606:4700:3032::6815:10db]: "<!DOCTYPE html>\n<!--[if lt IE 7]>
   <html class=\"no-js ie6 oldie\" lang=\"en-US\">
   <![endif]-->\n<!--[if IE 7]>    <html class=\"no-js "

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

1 Like

Show the config that you fixed and works.

And show output of:
nginx -t

1 Like

nginx -t:

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

mainnet.sign-art.app (dry run works):

server {
    root /home/user/mainnet/sign-art.app-2/dist;
    #root /home/user/maintenance;
    index index.html;

    server_name mainnet.sign-art.app;

    location / {
        #try_files $uri $uri/ =404;
        try_files $uri $uri/ /index.html;
        #auth_basic "Restricted Content";
        #auth_basic_user_file /etc/nginx/.htpasswd;
    }

    location ~ /.well-known/acme-challenge {
        root /home/letsencrypt/challenge;
        allow all;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/mainnet.sign-art.app/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/mainnet.sign-art.app/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
    if ($host = mainnet.sign-art.app) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    server_name mainnet.sign-art.app;
}

preprod.sign-art.app (dry run fails):

server {
    root /home/user/mainnet/sign-art.app-1/dist;
    #root /home/user/maintenance;
    index index.html;

    server_name preprod.sign-art.app;

    location / {
        #try_files $uri $uri/ =404;
        try_files $uri $uri/ /index.html;
    }

    location ~ /.well-known/acme-challenge {
        root /home/letsencrypt/challenge;
        allow all;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/preprod.sign-art.app/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/preprod.sign-art.app/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
    if ($host = preprod.sign-art.app) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    listen 80;
    server_name preprod.sign-art.app;
}

1 Like
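The two things this thread keeps circling are (a) that "location ~ /.well-known/acme-challenge { root /home/letsencrypt/challenge; }" only works because nginx's "root" appends the whole request URI to the directory, so it lines up with what "certbot --webroot -w /home/letsencrypt/challenge/" writes, and (b) that the preprod failure shows an HTML page coming back from an IPv6 address instead of the token. The script below is an added example written for this thread, not code from certbot, nginx or any participant: it drops a probe file exactly where certbot would put a token, shows the A/AAAA answers, fetches the probe over plain HTTP on IPv4 and IPv6 separately (following redirects, as the ACME validator does), and reports whether the webroot, some other responder, or nothing at all answered. It assumes a host with curl, getent and od, and takes the domain and webroot as its two arguments; every function and message name in it is this example's own.

```shell
#!/bin/sh
# acme-webroot-check.sh: before running "certbot certonly --webroot -w WEBROOT -d DOMAIN",
# confirm that a file dropped into WEBROOT is what http://DOMAIN/.well-known/acme-challenge/
# actually serves. Added example for this thread (not certbot's or nginx's code); the
# domain, the webroot and the nginx "root" value are whatever the caller passes in.

# Where certbot writes a token when given "-w WEBROOT": WEBROOT/.well-known/acme-challenge/TOKEN.
challenge_path() {
    printf '%s/.well-known/acme-challenge/%s\n' "${1%/}" "$2"    # $1 = webroot, $2 = token
}

# File nginx opens for a request URI inside a location that uses "root DIR": "root"
# appends the whole URI to DIR (an "alias" directive would not), which is why
# "root /home/letsencrypt/challenge" pairs with "-w /home/letsencrypt/challenge/".
nginx_root_path() {
    printf '%s%s\n' "${1%/}" "$2"                                  # $1 = root value, $2 = request URI
}

# Drop a probe file with hard-to-guess content where certbot would put a token; print the content.
write_probe() {
    path=$(challenge_path "$1" "$2")
    mkdir -p "$(dirname "$path")"
    content="probe-$(date +%s)-$$"
    printf '%s' "$content" > "$path"
    printf '%s\n' "$content"
}

# Fetch the probe over plain HTTP, following redirects the way the ACME validator does.
# Exit status: 0 = body matches the probe, 1 = something else answered, 2 = could not fetch.
fetch_and_compare() {
    url="http://$1/.well-known/acme-challenge/$2"                  # $1 = domain, $2 = token
    body=$(curl -sS -L --max-time 10 ${4:+"$4"} "$url") || return 2   # $4 = -4 or -6 (optional)
    [ "$body" = "$3" ]                                             # $3 = expected content
}

main() {
    domain=$1
    webroot=$2
    token="probe-$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')"
    content=$(write_probe "$webroot" "$token")
    echo "DNS answers for $domain (the validator may use both A and AAAA):"
    getent ahosts "$domain" 2>/dev/null | awk '{print $1}' | sort -u
    echo "Probe file: $(challenge_path "$webroot" "$token")"
    for ipv in -4 -6; do
        if fetch_and_compare "$domain" "$token" "$content" "$ipv"; then rc=0; else rc=$?; fi
        case $rc in
            0) echo "OK          $ipv: nginx served the probe from the webroot" ;;
            1) echo "MISMATCH    $ipv: another vhost, a proxy/CDN in front, or an alias/root mix-up answered instead" ;;
            *) echo "UNREACHABLE $ipv: no connection over this IP version (no A/AAAA record, or a firewall)" ;;
        esac
    done
    rm -f "$(challenge_path "$webroot" "$token")"                  # clean up the probe
}

# usage: sh acme-webroot-check.sh preprod.sign-art.app /home/letsencrypt/challenge
if [ "$#" -ge 2 ]; then
    main "$@"
fi
```

Run it on the web server itself with the same webroot you hand to certbot. A MISMATCH on one IP version but OK on the other is the pattern to look for when the certbot detail quotes an HTML page next to an IPv6 address: the A and AAAA records are then reaching different responders, and the validator is free to use either. An UNREACHABLE for -6 on a domain with no AAAA record is expected and harmless; the same result on a domain that does publish an AAAA record is the problem.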