Unable to activate HTTPS for nginx webserver running on DigitalOcean droplet

I am using certbot to activate HTTPS or basically get an SSL certificate.
Here is my nginx config file:

    server {
        listen 80 default_server;
        listen [::]:80 default_server;

        root /var/www/html;
        index index.html index.htm index.nginx-debian.html;

        server_name quotes.mirrorloops.com;

        location / {
            # serve the file or directory, otherwise return 404
            try_files $uri $uri/ =404;
        }

        location /api {
            # forward API calls to the Node app on port 3000 (websocket-capable)
            proxy_pass http://localhost:3000;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection 'upgrade';
            proxy_set_header Host $host;
            proxy_cache_bypass $http_upgrade;
        }
    }

When I run: “sudo certbot --nginx”
I get the following error:

Obtaining a new certificate
Performing the following challenges:
http-01 challenge for quotes.mirrorloops.com
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. quotes.mirrorloops.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://quotes.mirrorloops.com/.well-known/acme-challenge/5V8cknsLD8jWExIchmZiHuRDaZduIdLAw5rGJQIYtyM [184.168.131.241]: “\n\n\n\n Mirrorloop”

IMPORTANT NOTES:

Forgive me if I'm wrong, but is this not just asking nginx to return unauthorized?

It returns 404 if the requested file is not found… isn't this what is expected?

Hi @goutambseervi

Your configuration can't work.

Your ip address ( https://check-your-website.server-daten.de/?q=quotes.mirrorloops.com ):

| Host | T | IP-Address | is auth. | ∑ Queries | ∑ Timeout |
|---|---|---|---|---|---|
| quotes.mirrorloops.com | A | 184.168.131.241 (Scottsdale/Arizona/United States (US) - GoDaddy.com, LLC) | yes | 1 | 0 |
| | AAAA | | yes | | |
| www.quotes.mirrorloops.com | | Name Error | yes | 1 | 0 |

And the answer of your server:

| Domainname | Http-Status | redirect | Sec. | G |
|---|---|---|---|---|
| http://quotes.mirrorloops.com/ (184.168.131.241) | 200 | | 9.924 | H |
| https://quotes.mirrorloops.com/ (184.168.131.241) | 200 | | 3.320 | N |
| Certificate error: RemoteCertificateNameMismatch | | | | |
| http://quotes.mirrorloops.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de (184.168.131.241) | 200 | | 0.653 | |
| Visible Content: Mirrorloops Quotes | | | | |

And the certificate:

Subject: CN=shortener.secureserver.net, O="Special Domain Services, LLC", L=Scottsdale, S=Arizona, C=US, SERIALNUMBER=R17247303, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.2=Arizona, OID.1.3.6.1.4.1.311.60.2.1.3=US
Valid from: 27.09.2018
Valid until: 27.09.2020 (expires in 454 days)
Names: shortener.secureserver.net, www.shortener.secureserver.net - 2 entries

You see: Checking /.well-known/acme-challenge/random-filename there is an http status 200, not the expected http status 404 - Not Found.

Checking that content, there is a frame with http://159.65.156.240.

The shortener.secureserver.net is from GoDaddy.

Your A record must point to your ip address 159.65.156.240, so your server answers directly.

Change that, then try it again.

--

PS: You can't use such a "frame redirect" if you want to create your own Let's Encrypt certificate. That's a general problem. In most cases, certbot runs on the ip of your domain A or AAAA record.
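The two findings in the reply above (A record pointing at GoDaddy's forwarding service instead of the droplet, and a 200 frame page instead of a 404 from nginx under /.well-known/acme-challenge/) can be turned into a pre-flight check to run before certbot. The script below is an added example, not code from this thread, from certbot or from check-your-website; the frame-page HTML it uses as sample input is constructed to resemble the "Mirrorloop" page described above, and the script name `acme_preflight.py` and the probe token are assumptions.

```python
#!/usr/bin/env python3
"""Pre-flight check for the ACME http-01 challenge path (added example).

Checks two things the reply above points out:
  1. the domain's A record must resolve to the droplet's own IP, and
  2. a request for an unknown token under /.well-known/acme-challenge/ must
     reach nginx directly and get a 404, not a 200 "frame redirect" page
     served by a domain-forwarding service.
"""
import re
import socket
import sys
import urllib.error
import urllib.request

ACME_PREFIX = "/.well-known/acme-challenge/"
# A frame-forwarding page wraps the real site in <frame>/<iframe>/<frameset>.
FRAME_RE = re.compile(r"<\s*(?:i?frame|frameset)\b", re.IGNORECASE)

# Constructed sample body modelled on the "Mirrorloop" frame page described in
# the thread; the exact HTML the forwarding service serves is an assumption.
SAMPLE_FRAME_BODY = (
    "<html><head><title>Mirrorloop</title></head>\n"
    '<frameset rows="100%"><frame src="http://159.65.156.240/"></frameset></html>'
)


def classify_challenge_response(status, body):
    """Classify what answered a probe for an unknown token under the ACME path."""
    if status == 404:
        return "ok"                 # nginx itself answered: unknown token -> Not Found
    if status == 200 and FRAME_RE.search(body):
        return "frame-redirect"     # a forwarding service answered with a frame page
    if status == 200:
        return "unexpected-200"     # something served content for a random token
    if status in (301, 302, 307, 308):
        return "redirect"           # validation may still work, but check the target
    return "unexpected-%d" % status


def dns_points_at_server(resolved_ips, server_ips):
    """True when every A record of the name belongs to the host certbot runs on."""
    return bool(resolved_ips) and set(resolved_ips) <= set(server_ips)


def diagnose(resolved_ips, server_ips, status, body):
    """Return a list of problems; an empty list means the http-01 path looks sane."""
    problems = []
    if not dns_points_at_server(resolved_ips, server_ips):
        problems.append(
            "A record resolves to %s, not to this server (%s)"
            % (sorted(resolved_ips), sorted(server_ips))
        )
    verdict = classify_challenge_response(status, body)
    if verdict != "ok":
        problems.append(
            "challenge path answered %d (%s); expected 404 from nginx" % (status, verdict)
        )
    return problems


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx answers as HTTPError instead of following them silently."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def live_probe(hostname, server_ips):
    """Resolve the name and fetch a made-up token over plain HTTP (needs network)."""
    resolved = socket.gethostbyname_ex(hostname)[2]
    url = "http://%s%spreflight-probe-not-a-real-token" % (hostname, ACME_PREFIX)
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            status, body = resp.getcode(), resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        status, body = err.code, err.read(4096).decode("utf-8", "replace")
    return diagnose(resolved, server_ips, status, body)


if __name__ == "__main__":
    if len(sys.argv) < 3:
        # Usage with the values from the thread:
        #   python3 acme_preflight.py quotes.mirrorloops.com 159.65.156.240
        print("usage: acme_preflight.py HOSTNAME SERVER_IP [SERVER_IP ...]")
        sys.exit(2)
    found = live_probe(sys.argv[1], sys.argv[2:])
    for line in found:
        print("PROBLEM:", line)
    print("OK: safe to run certbot --nginx" if not found else "fix the above first")
    sys.exit(1 if found else 0)
```

Run it on the droplet itself with the droplet's public IP as the second argument; with the thread's DNS still pointing at 184.168.131.241 it reports both problems, and once the A record points at 159.65.156.240 and nginx answers the random token with 404 it exits 0.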
