Unable to get a certificate

My domain is: aliasflavius.tech

I ran this command:

sudo ./certbot-auto certonly --webroot --webroot-path=/usr/share/nginx/html -d aliasflavius.tech -d www.aliasflavius.tech

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for aliasflavius.tech
http-01 challenge for www.aliasflavius.tech
Using the webroot path /usr/share/nginx/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. aliasflavius.tech (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://aliasflavius.tech/.well-known/acme-challenge/tWbQtgpYEc1hRpczojbLHnFtgzCfSeQrOpmqG2GiyrY: "<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>", www.aliasflavius.tech (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.aliasflavius.tech/.well-known/acme-challenge/Zy8mCPz_BL2TAaYCiF4wvROIj64LnnXgNk2moJ1dm_Y: "<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: aliasflavius.tech
   Type:   unauthorized
   Detail: Invalid response from
   http://aliasflavius.tech/.well-known/acme-challenge/tWbQtgpYEc1hRpczojbLHnFtgzCfSeQrOpmqG2GiyrY:
   "<html>
   <head><title>404 Not Found</title></head>
   <body bgcolor="white">
   <center><h1>404 Not Found</h1></center>
   <hr><center>"

   Domain: www.aliasflavius.tech
   Type:   unauthorized
   Detail: Invalid response from
   http://www.aliasflavius.tech/.well-known/acme-challenge/Zy8mCPz_BL2TAaYCiF4wvROIj64LnnXgNk2moJ1dm_Y:
   "<html>
   <head><title>404 Not Found</title></head>
   <body bgcolor="white">
   <center><h1>404 Not Found</h1></center>
   <hr><center>"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.

My web server is (include version): nginx/1.12.0

The operating system my web server runs on is (include version): Ubuntu 14.04 trusty

My hosting provider, if applicable, is: Scaleway

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

Hi @mstrdrvr,

Could you make a test file in /usr/share/nginx/html/.well-known/acme-challenge/test.txt and then see if you can access it as http://aliasflavius.tech/.well-known/acme-challenge/test.txt? If you can’t, you’ll need to fix your nginx configuration and/or selection of webroot path so that you can.
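The test-file check suggested above, written up as an added example (not Certbot's code and not from this thread): it drops a random token under the given webroot, fetches it the way the ACME validator does and removes it again. `fake_nginx` and `demo` are an assumed offline stand-in for nginx that reproduce the failure in this thread, where certbot's --webroot-path and the directory nginx actually serves are not the same.

```python
import os
import secrets
import tempfile
import urllib.request

CHALLENGE_DIR = ".well-known/acme-challenge"

def http_get(url, timeout=10):
    """Fetch the way the ACME validator does: plain HTTP; return (status, body)."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.request.HTTPError as err:
        return err.code, err.read()

def check_webroot(webroot, domain, fetch=http_get):
    """Drop a random token under webroot, fetch it over HTTP, delete it; return (ok, reason)."""
    token = secrets.token_urlsafe(16)
    expected = secrets.token_urlsafe(32).encode()
    challenge_dir = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(challenge_dir, exist_ok=True)
    file_path = os.path.join(challenge_dir, token)
    with open(file_path, "wb") as fh:
        fh.write(expected)
    try:
        status, body = fetch(f"http://{domain}/{CHALLENGE_DIR}/{token}")
    finally:
        os.remove(file_path)  # never leave stray files in the challenge directory
    if status != 200:  # the 404 from the original post lands here
        return False, f"HTTP {status}: /{CHALLENGE_DIR}/ is not served from {challenge_dir}"
    if body.strip() != expected:
        return False, "HTTP 200 but wrong body: another file or index page is being served"
    return True, "webroot matches the directory nginx serves"

def fake_nginx(served_root):  # offline nginx stand-in (assumed model): serve URL paths from served_root
    def fetch(url):
        path = os.path.join(served_root, url.split("/", 3)[3])
        if not os.path.isfile(path):
            return 404, b"<html><head><title>404 Not Found</title></head></html>"
        with open(path, "rb") as fh:
            return 200, fh.read()
    return fetch

def demo():  # reproduce the thread offline: certbot writes under one root, nginx serves another
    with tempfile.TemporaryDirectory() as tmp:
        certbot_root = os.path.join(tmp, "usr-share-nginx-html")  # the --webroot-path
        nginx_root = os.path.join(tmp, "var-www-html")  # what nginx's root actually is
        mismatch, _ = check_webroot(certbot_root, "example.test", fake_nginx(nginx_root))
        match, _ = check_webroot(nginx_root, "example.test", fake_nginx(nginx_root))
    return mismatch, match  # (False, True)
```

Against a live server, call `check_webroot("/var/www/html", "your.domain")` on the host itself before running certbot; a 403 or 404 here means the nginx root and the webroot path disagree, whatever the config file appears to say.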

I created the test file, but I get a 404 in the browser.
When trying to access just /.well-known on the domain I get a 403, which is probably a permissions issue.

Server configuration is

server {
        listen 80 default_server;
        listen [::]:80 default_server;

        root /var/www/html;

        location / {
                try_files $uri $uri/ =404;
        }

        location ~ /.well-known {
                allow all;
                root /usr/share/nginx/html;
        }
}

Maybe. You'll get the same error when you try to visit a directory that has no index file and has autoindex off. It's not necessarily a problem.

What does Nginx's error.log say about it?

2017/06/14 16:25:43 [error] 6155#6155: *1 directory index of "/var/www/html/.well-known/" is forbidden, client: 79.117.238.248, server: aliasflavius.tech, request: "GET /.well-known/ HTTP/1.1", host: "aliasflavius.tech"
2017/06/14 16:25:43 [error] 6158#6158: *2 directory index of "/var/www/html/.well-known/" is forbidden, client: 79.117.238.248, server: aliasflavius.tech, request: "GET /.well-known/ HTTP/1.1", host: "aliasflavius.tech"
2017/06/14 16:28:14 [notice] 6181#6181: signal process started
2017/06/14 16:28:19 [error] 6189#6189: *1 directory index of "/var/www/html/.well-known/" is forbidden, client: 79.117.238.248, server: aliasflavius.tech, request: "GET /.well-known/ HTTP/1.1", host: "aliasflavius.tech"
2017/06/14 16:28:19 [error] 6189#6189: *1 directory index of "/var/www/html/.well-known/" is forbidden, client: 79.117.238.248, server: aliasflavius.tech, request: "GET /.well-known/ HTTP/1.1", host: "aliasflavius.tech"
2017/06/14 16:28:20 [error] 6189#6189: *2 directory index of "/var/www/html/.well-known/" is forbidden, client: 79.117.238.248, server: aliasflavius.tech, request: "GET /.well-known/ HTTP/1.1", host: "aliasflavius.tech"
2017/06/14 16:28:20 [error] 6189#6189: *3 directory index of "/var/www/html/.well-known/" is forbidden, client: 79.117.238.248, server: aliasflavius.tech, request: "GET /.well-known/ HTTP/1.1", host: "aliasflavius.tech"
2017/06/14 16:28:21 [error] 6189#6189: *3 directory index of "/var/www/html/.well-known/" is forbidden, client: 79.117.238.248, server: aliasflavius.tech, request: "GET /.well-known/ HTTP/1.1", host: "aliasflavius.tech"
2017/06/14 16:28:38 [error] 6189#6189: *4 open() "/var/www/html/.well-known/acme-challenge/pVrk_lSgHIP9t1qTwcF07NPU_TlE6JKpVseYwJVIyUE" failed (2: No such file or directory), client: 66.133.109.36, server: aliasflavius.tech, request: "GET /.well-known/acme-challenge/pVrk_lSgHIP9t1qTwcF07NPU_TlE6JKpVseYwJVIyUE HTTP/1.1", host: "aliasflavius.tech"
2017/06/14 16:28:38 [error] 6189#6189: *5 open() "/var/www/html/.well-known/acme-challenge/tDrXAskqE3lHLxv5LFwpXtFtKDrKAh_xL8W5fX3hLYk" failed (2: No such file or directory), client: 66.133.109.36, server: aliasflavius.tech, request: "GET /.well-known/acme-challenge/tDrXAskqE3lHLxv5LFwpXtFtKDrKAh_xL8W5fX3hLYk HTTP/1.1", host: "www.aliasflavius.tech"
2017/06/14 21:09:05 [error] 6189#6189: *124 open() "/var/www/html/.well-known/acme-challenge/KoFBRba2HOOnBRFxJdHtlL5GHIHa-4WAF3rUbxlQXh0" failed (2: No such file or directory), client: 66.133.109.36, server: aliasflavius.tech, request: "GET /.well-known/acme-challenge/KoFBRba2HOOnBRFxJdHtlL5GHIHa-4WAF3rUbxlQXh0 HTTP/1.1", host: "aliasflavius.tech"
2017/06/14 21:09:05 [error] 6189#6189: *125 open() "/var/www/html/.well-known/acme-challenge/XXaEAfbFDPhKfpdI47KUPr01iPcSW1P18jqslRooP78" failed (2: No such file or directory), client: 66.133.109.36, server: aliasflavius.tech, request: "GET /.well-known/acme-challenge/XXaEAfbFDPhKfpdI47KUPr01iPcSW1P18jqslRooP78 HTTP/1.1", host: "www.aliasflavius.tech"
2017/06/14 21:21:04 [error] 6189#6189: *134 directory index of "/var/www/html/.well-known/" is forbidden, client: 79.117.238.248, server: aliasflavius.tech, request: "GET /.well-known/ HTTP/1.1", host: "aliasflavius.tech"
2017/06/14 21:21:24 [error] 6189#6189: *134 "/var/www/html/.well-known/acme-challenge/index.html" is not found (2: No such file or directory), client: 79.117.238.248, server: aliasflavius.tech, request: "GET /.well-known/acme-challenge/ HTTP/1.1", host: "aliasflavius.tech"
2017/06/14 21:21:48 [error] 6189#6189: *136 open() "/var/www/html/.well-known/acme-challenge/jYw2zDXyrIZ5JDX-64uxCBH7porpTzkgqGH5BA1oCRE" failed (2: No such file or directory), client: 66.133.109.36, server: aliasflavius.tech, request: "GET /.well-known/acme-challenge/jYw2zDXyrIZ5JDX-64uxCBH7porpTzkgqGH5BA1oCRE HTTP/1.1", host: "aliasflavius.tech"
2017/06/14 21:21:48 [error] 6189#6189: *137 open() "/var/www/html/.well-known/acme-challenge/eiGYdwuqHuBtmj2uOTWFw79SXNbpvydePCn5D3p5UGQ" failed (2: No such file or directory), client: 66.133.109.36, server: aliasflavius.tech, request: "GET /.well-known/acme-challenge/eiGYdwuqHuBtmj2uOTWFw79SXNbpvydePCn5D3p5UGQ HTTP/1.1", host: "www.aliasflavius.tech"
2017/06/14 21:25:17 [error] 6189#6189: *140 open() "/var/www/html/.well-known/acme-challenge/tWbQtgpYEc1hRpczojbLHnFtgzCfSeQrOpmqG2GiyrY" failed (2: No such file or directory), client: 66.133.109.36, server: aliasflavius.tech, request: "GET /.well-known/acme-challenge/tWbQtgpYEc1hRpczojbLHnFtgzCfSeQrOpmqG2GiyrY HTTP/1.1", host: "aliasflavius.tech"
2017/06/14 21:25:18 [error] 6189#6189: *141 open() "/var/www/html/.well-known/acme-challenge/Zy8mCPz_BL2TAaYCiF4wvROIj64LnnXgNk2moJ1dm_Y" failed (2: No such file or directory), client: 66.133.109.36, server: aliasflavius.tech, request: "GET /.well-known/acme-challenge/Zy8mCPz_BL2TAaYCiF4wvROIj64LnnXgNk2moJ1dm_Y HTTP/1.1", host: "www.aliasflavius.tech"
2017/06/14 21:40:32 [error] 6189#6189: *150 open() "/var/www/html/.well-known/acme-challenge/Zy8mCPz_BL2TAaYCiF4wvROIj64LnnXgNk2moJ1dm_Y" failed (2: No such file or directory), client: 64.71.168.196, server: aliasflavius.tech, request: "HEAD /.well-known/acme-challenge/Zy8mCPz_BL2TAaYCiF4wvROIj64LnnXgNk2moJ1dm_Y HTTP/1.1", host: "www.aliasflavius.tech"
2017/06/14 21:40:32 [error] 6189#6189: *151 open() "/var/www/html/.well-known/acme-challenge/tWbQtgpYEc1hRpczojbLHnFtgzCfSeQrOpmqG2GiyrY" failed (2: No such file or directory), client: 64.71.168.196, server: aliasflavius.tech, request: "HEAD /.well-known/acme-challenge/tWbQtgpYEc1hRpczojbLHnFtgzCfSeQrOpmqG2GiyrY HTTP/1.1", host: "aliasflavius.tech"
2017/06/14 21:50:37 [error] 6189#6189: *159 open() "/var/www/html/.well-known/acme-challenge/test.txt" failed (2: No such file or directory), client: 64.71.168.196, server: aliasflavius.tech, request: "HEAD /.well-known/acme-challenge/test.txt HTTP/1.1", host: "aliasflavius.tech"
2017/06/14 21:50:46 [error] 6189#6189: *160 open() "/var/www/html/.well-known/acme-challenge/test.txt" failed (2: No such file or directory), client: 17.133.7.55, server: aliasflavius.tech, request: "GET /.well-known/acme-challenge/test.txt HTTP/1.1", host: "aliasflavius.tech"
2017/06/14 21:51:18 [error] 6189#6189: *161 open() "/var/www/html/.well-known/acme-challenge/test.txt" failed (2: No such file or directory), client: 17.125.82.154, server: aliasflavius.tech, request: "GET /.well-known/acme-challenge/test.txt HTTP/1.1", host: "aliasflavius.tech"
2017/06/14 21:51:37 [error] 6189#6189: *162 open() "/var/www/html/.well-known/acme-challenge/test.txt" failed (2: No such file or directory), client: 17.142.142.54, server: aliasflavius.tech, request: "GET /.well-known/acme-challenge/test.txt HTTP/1.1", host: "aliasflavius.tech"
2017/06/14 21:52:17 [error] 6189#6189: *163 open() "/var/www/html/.well-known/acme-challenge/test.txt" failed (2: No such file or directory), client: 17.133.3.119, server: aliasflavius.tech, request: "GET /.well-known/acme-challenge/test.txt HTTP/1.1", host: "aliasflavius.tech"
2017/06/14 21:54:57 [error] 6189#6189: *166 directory index of "/var/www/html/.well-known/" is forbidden, client: 79.117.238.248, server: aliasflavius.tech, request: "GET /.well-known/ HTTP/1.1", host: "aliasflavius.tech"
2017/06/14 21:55:11 [error] 6189#6189: *166 open() "/var/www/html/.well-known/acme-challenge/test.text" failed (2: No such file or directory), client: 79.117.238.248, server: aliasflavius.tech, request: "GET /.well-known/acme-challenge/test.text HTTP/1.1", host: "aliasflavius.tech"

I had a Letsencrypt cert installed a few months ago, but then it failed to get renewed. I even had a cron job set up to renew it, but it failed somewhere. So then I tried to update manually, but then the symlinks were broken. So, eventually I decided to just remove Letsencrypt and reinstall it. This time it failed.

Then it gave some nginx errors, so I reinstalled nginx too. Now the domain works fine on http, so there’s no problem with the server, but it fails to install a new Letsencrypt cert.

I first googled for answers and tried every possible solution I could find, but it didn’t work, so I came here to ask more specifically about the setup I’m using.

I think this is mapping /.well-known to /usr/share/nginx/html, which is a mistake because Certbot will put the challenge files in /.well-known/acme-challenge under your webroot.

I removed that, so I let the server use the default /var/www/html/ path both in /etc/nginx/sites-available/default and in the certbot command using the same webroot path. Then I was able to get a new certificate.

Now I just have to make the server use it.

Thanks for the help!

It would help more if these error messages were more specific about what failed, though.

Like

Your webroot path supplied in the argument does not match your mapped server path for the location of /.well-known in /etc/nginx/sites-available/default

This is difficult to do in this case for an architectural reason: the webroot plugin doesn’t contain any code to examine or parse web server configuration files. It was originally conceived of partly as a way to support those web servers for which we don’t have configuration parsers.
