Unable to get Certbot Certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

My situation:

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: smovtek.com
Type: unauthorized
Detail: Invalid response from http://smovtek.com/.well-known/acme-challenge/QduYEDr5Ep4EFl35rN6Bc8eIdOiXV2EhF7feUAgUbXU [184.169.229.192]: "\r\n<html xmlns="http"

Hi @smovtekwebadmin and welcome to the LE community forum 🙂

Without answers to the form questions, it is difficult to give useful advice.
In short, I only see certbot, webroot, no HTTPS redirection (a good thing), and an IP address.

I would:

  • confirm that is the IP address of your site.
  • use a recommended ACME client for Windows/IIS 10

Domain Name is: smovtek.com www.smovtek.com
Command ran: certbot certonly --webroot -v
Output (after a few preliminary steps): Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: smovtek.com
Type: unauthorized
Detail: Invalid response from http://smovtek.com/.well-known/acme-challenge/QduYEDr5Ep4EFl35rN6Bc8eIdOiXV2EhF7feUAgUbXU [184.169.229.192]: "\r\n<html xmlns="http"

Web Server: Nginx

OS: Windows Server 2019 Data Center

Compare the webroot used with the root used in HTTP vhost config found in the output of nginx -T

I suspect a reverse proxy is in use and it fails to compensate for the need for a dedicated challenge path.

1 Like

@smovtekwebadmin As Rudy notes, when using nginx as a reverse proxy to IIS it is nginx that you want to respond to the challenge request from the Let's Encrypt server. I sent a test request and it looks like you are passing those requests to IIS.

You would want something like this (just an example):

server {
    (...)
    location /.well-known/acme-challenge/ {
        root /path/of/certbot/webroot/folder;
    }
    location / {
        # Use location(s) and proxy for IIS as you have it now
    }
}

If you want specific advice, please run nginx -T and paste results here. Please use the preformatted text option in format menu (or Ctrl-E).

Hope this helps.

3 Likes

nginx: the configuration file C:\nginx-1.21.4/conf/nginx.conf syntax is ok
nginx: configuration file C:\nginx-1.21.4/conf/nginx.conf test is successful

configuration file C:\nginx-1.21.4/conf/nginx.conf:

#user nobody;
worker_processes 1;

#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;

#pid logs/nginx.pid;

events {
worker_connections 1024;
}

http {
include mime.types;
default_type application/octet-stream;

#log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
#                  '$status $body_bytes_sent "$http_referer" '
#                  '"$http_user_agent" "$http_x_forwarded_for"';

#access_log  logs/access.log  main;

sendfile        on;
#tcp_nopush     on;

#keepalive_timeout  0;
keepalive_timeout  65;

#gzip  on;

server {
    listen       40;
    server_name  smovtek.com www.smovtek.com;
            #smovtek.com www.smovtek.com
    #charset koi8-r;

    #access_log  logs/host.access.log  main;

            # angular app frontend
    location / {
        root   smovwebplatform-master/dist/smovwebplatform;
        index  index.html index.htm;
    }

            #html

            # node api reverse proxy
            location /api/ {
                    proxy_pass http://127.0.0.1:3000/;
                    proxy_http_version 1.1;
                    # nginx variables need the leading $ (http_upgrade / host are not valid on their own)
                    proxy_set_header Upgrade $http_upgrade;
                    proxy_set_header Connection 'upgrade';
                    proxy_set_header Host $host;
                    proxy_cache_bypass $http_upgrade;
            }

            # angular api reverse proxy
            #location /api/ {
            #       proxy_pass http://localhost:4200/;
            #}


    #error_page  404              /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   html;
    }

    # proxy the PHP scripts to Apache listening on 127.0.0.1:80
    #
    #location ~ \.php$ {
    #    proxy_pass   http://127.0.0.1;
    #}

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    #
    #location ~ \.php$ {
    #    root           html;
    #    fastcgi_pass   127.0.0.1:9000;
    #    fastcgi_index  index.php;
    #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
    #    include        fastcgi_params;
    #}

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    #location ~ /\.ht {
    #    deny  all;
    #}
}

    #secure server certificate
    #server {
    #       listen  443 ssl;
    #       server_name smovtek.com www.smovtek.com;
    #
    #       ssl_certificate         C:\nginx-1.21.4\certweb\certificate.crt;
    #       ssl_certificate_key     C:\nginx-1.21.4\certweb\private.key;
    #
    #       location / {
    #               root   smovwebplatform-master/dist/smovwebplatform;
    #               index  index.html index.htm;
    #       }
    #}


# another virtual host using mix of IP-, name-, and port-based configuration
#
#server {
#    listen       8000;
#    listen       somename:8080;
#    server_name  somename  alias  another.alias;

#    location / {
#        root   html;
#        index  index.html index.htm;
#    }
#}


# HTTPS server

server {
    listen       443 ssl;
    server_name  localhost;

    ssl_certificate      certificate.crt;
    ssl_certificate_key  private.key;

    ssl_session_cache    shared:SSL:1m;
    ssl_session_timeout  5m;

    ssl_ciphers  HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers  on;

    location / {
        root   html;
        index  index.html index.htm;
    }
}

}

About using nginx as a reverse proxy to IIS: that is not what I am actually doing. IIS is active but not running, as I am not using it as my web server. It is Nginx that I am using; however, I am getting connection_timeout with my domain name from GoDaddy, DNS managed in Route53 on AWS, and it has an EC2 Elastic IP.

Still looking to resolve the situation.

@smovtekwebadmin Hmmm. Yesterday I got a response from
curl -I http://smovtek.com
that had IIS as the server in the response headers.

Let us focus on nginx.

First, normally the 'listen' on this line should be 80, not 40.

server {
    listen       40;
    server_name  smovtek.com www.smovtek.com;

And, while you do not yet have your public certificates for https, you would normally have the server def for port 443 have the same server_name as the port 80 server. You currently have it as localhost.

server {
    listen       443 ssl;
    server_name  localhost;

Right now I cannot reach your site on any port.

Yesterday an IIS server responded on port 80 (my http request). So make sure port 80 is available when changing nginx to use it.

2 Likes
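The checks the helpers walked through by hand (the port the HTTP vhost for the domain listens on, which root would answer /.well-known/acme-challenge/ there, and whether the port-443 block carries the same server_name) can be scripted against the output of nginx -T. This is an added example, not code from the thread or from Certbot/nginx; the minimal config parser and the constructed sample config (a trimmed version of what was posted) are assumptions.

```python
import re
# Constructed sample modelled on the thread's nginx -T output, trimmed to what HTTP-01 needs.
SAMPLE_CONF = """
http {
    server {
        listen 40;
        server_name smovtek.com www.smovtek.com;
        location / { root smovwebplatform-master/dist/smovwebplatform; }
        location /api/ { proxy_pass http://127.0.0.1:3000/; }
    }
    server { listen 443 ssl; server_name localhost; }
}
"""
CHALLENGE = "/.well-known/acme-challenge/"
def _parse(tokens, i=0):
    """Tiny nginx config parser: returns ([(name, args, body-or-None), ...], next index)."""
    items = []
    while i < len(tokens) and tokens[i] != "}":
        j = next(k for k in range(i, len(tokens)) if tokens[k] in ("{", ";"))
        words, body, i = tokens[i:j], None, j + 1
        if tokens[j] == "{":
            body, i = _parse(tokens, i)
        items.append((words[0], words[1:], body))
    return items, i + 1

def audit(conf_text, domain):
    """The helpers' manual checks: which port the HTTP vhost for `domain` listens on,
    which root serves the challenge path there, and the server_name of the 443 vhost."""
    tokens = re.findall(r"[^\s{};]+|[{};]", re.sub(r"#.*", "", conf_text))
    tree, _ = _parse(tokens)
    rep = {"http_ports": [], "challenge_root": None, "tls_names": [], "problems": []}
    for http in (t for t in tree if t[0] == "http"):
        for _, _, srv in (t for t in http[2] if t[0] == "server"):
            ports = [a[0].rsplit(":", 1)[-1] for n, a, _ in srv if n == "listen"]
            names = [x for n, a, _ in srv if n == "server_name" for x in a]
            if "443" in ports:                  # TLS vhost: only its names matter here
                rep["tls_names"] += names
            elif domain in names:
                rep["http_ports"] += ports
                # a location's path is its last arg (the first may be a modifier like = or ~)
                roots = {a[-1]: [b[1][0] for b in body if b[0] == "root"]
                         for n, a, body in srv if n == "location" and body}
                rep["challenge_root"] = (roots.get(CHALLENGE) or roots.get("/") or [None])[0]
                if CHALLENGE not in roots:
                    rep["problems"].append("no dedicated %s location; falls through to 'location /'" % CHALLENGE)
    if "80" not in rep["http_ports"]:
        rep["problems"].append("%s has no listener on port 80 (found %s); HTTP-01 uses port 80 only" % (domain, rep["http_ports"]))
    if domain not in rep["tls_names"]:
        rep["problems"].append("port-443 server_name is %s, not %s" % (rep["tls_names"], domain))
    return rep
```

Feed it the real nginx -T text (with the comment lines stripped by the script) and the reported challenge_root is the directory that certbot's -w must point at.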
