Ubuntu 16.04 + nginx + certbot gives 404's

My domain is: lolmewn.nl

I ran this command: certbot certonly --webroot --agree-tos --no-eff-email --email lolmewn@gmail.com -w /var/www/letsencrypt -d www.lolmewn.nl -d lolmewn.nl

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.lolmewn.nl
http-01 challenge for lolmewn.nl
Using the webroot path /var/www/letsencrypt for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Unable to clean up challenge directory /var/www/letsencrypt/.well-known/acme-challenge
Failed authorization procedure. www.lolmewn.nl (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.lolmewn.nl/.well-known/acme-challenge/GHMYgALPOAqJeqX1hBvVjHvId6_dJu2rU-Z--r71wds: "

404 Not Found

Not Found

<p", lolmewn.nl (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://lolmewn.nl/.well-known/acme-challenge/veE0Adz3uFX_Kt1fpf_7Mmed5d1i8gc5XBnl1RpVru8: " 404 Not Found

Not Found

<p"

IMPORTANT NOTES:

My web server is (include version): nginx

The operating system my web server runs on is (include version): Ubuntu 16.04

My hosting provider, if applicable, is: x

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

Furthermore, I set this up: http://lolmewn.nl/.well-known/acme-challenge/test
I am following this tutorial: How to setup Let's Encrypt for Nginx on Ubuntu 18.04 (including IPv6, HTTP/2 and A+ SSL rating) · GitHub which includes nginx config files for certbot. If required, I can attach the debug logs, but they are quite lengthy.

PS: This is a fresh server, almost nothing installed on it.

What is the corresponding filesystem path to this file?

Hi!
The path is: /var/www/letsencrypt/.well-known/acme-challenge

You host offers IPv4 and IPv6 configuration and does not respond equally via both protocols. Since LE's preference is IPv6, the request ends up in a 404:

$ telnet 2a0b:7280:100:0:4f3:36ff:fe00:208a 80
Trying 2a0b:7280:100:0:4f3:36ff:fe00:208a...
Connected to 2a0b:7280:100:0:4f3:36ff:fe00:208a.
Escape character is '^]'.
GET /.well-known/acme-challenge/test HTTP/1.1
Host: lolmewn.nl

HTTP/1.1 404 Not Found

$ telnet 188.68.51.208 80
Trying 188.68.51.208...
Connected to 188.68.51.208.
Escape character is '^]'.
GET /.well-known/acme-challenge/test HTTP/1.1
Host: lolmewn.nl

HTTP/1.1 200 OK

You have to fix your webserver configuration (or drop the AAAA record from your domain).

4 Likes

Ah, didn’t update the AAAA records. Updated them now with the proper IPv6 addresses and got my certificates! Thanks a lot for your help!

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.