Unable to obtain cert for new domain dev.worldbuild.ai

We own the domain and it is correctly pointed at this server's A record. Traffic does reach the correct vhost. It appears in the log that the correct changes are made to the nginx temporary config, but it doesn't appear that it is loaded by nginx prior to the LE verification. The 404s are in the error log as if it is looking for the file within the vhost's dir. Fails whether or not we are advertising IPv6 in the vhost def.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

dev.worldbuild.ai

I ran this command:

/usr/bin/certbot --nginx -v

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx

Which names would you like to activate HTTPS for?


....
30: dev.worldbuild.ai


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 30
Requesting a certificate for dev.worldbuild.ai
Performing the following challenges:
http-01 challenge for dev.worldbuild.ai
Waiting for verification...
Challenge failed for domain dev.worldbuild.ai
http-01 challenge for dev.worldbuild.ai

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: dev.worldbuild.ai
Type: unauthorized
Detail: Invalid response from https://dev.worldbuild.ai/.well-known/acme-challenge/NN6TAb4oZo3hdITbo-Ns9p3rtNGi-rT-eEvPAHq_cN0 [45.79.80.150]: "\r\n404 Not Found\r\n\r\n404 Not Found\r\nnginx/1.20.1</ce"

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Cleaning up challenges
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):
Nginx 1.20.1

The operating system my web server runs on is (include version):
CentOS 8.4.2105

My hosting provider, if applicable, is:

Linode

I can login to a root shell on my machine (yes or no, or I don't know):

Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.20.0

@CowinTom Welcome to the community

It looks like you already have a port 443 server defined for dev.worldbuild.ai. So, you might be better off using the certonly command with --webroot. It will place a challenge file in the server root under /.well-known/acme-challenge/(filename) and instruct the LE server to look for it. The certonly --webroot will not update your nginx conf.

Your current 443 server for dev.worldbuild.ai is returning the wrong certificate (see below). Which is fine for the Certbot certonly step, but you would need to update that manually after the certonly completes. Usually Certbot --nginx configures nginx servers where there was not a functioning 443 server before, so I am guessing since you have one (sort of) something went awry. A person with more experience with that aspect might clarify. In any event, the certonly --webroot will be easier to debug in this case, I think.

Your current response to dev.worldbuild.ai returns the cert for dev.afterrisk.org

openssl s_client -connect dev.worldbuild.ai:443 -servername dev.worldbuild.ai

Certificate chain
 0 s:/CN=dev.afterrisk.org
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
 2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3

A sample certonly command is:

sudo certbot certonly --webroot -w /nginx/root/dir -d dev.worldbuild.ai --dry-run

Remove --dry-run after testing to produce a production cert. Update the server ssl file locations, reload nginx, and you are good.

1 Like
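
An added illustration of the webroot layout described in the reply above, not configuration from the thread or from the poster's server. The CA's error shows the challenge being fetched over https://, so this sketch serves the challenge path over plain HTTP from the webroot before any redirect applies. The path /nginx/root/dir is the placeholder from the sample command, the two server blocks are assumed, and the certificate paths assume Certbot's default live directory.

```nginx
# Added example. /nginx/root/dir is the placeholder webroot from the sample
# certonly command; these server blocks are assumed, not the poster's config.

server {
    listen 80;
    listen [::]:80;
    server_name dev.worldbuild.ai;

    # Answer http-01 challenges over plain HTTP, straight from the directory
    # passed to certbot with -w. The ^~ prefix match stops regex locations
    # (rewrites, PHP handlers, etc.) from taking over this path.
    location ^~ /.well-known/acme-challenge/ {
        root /nginx/root/dir;
        default_type text/plain;
        try_files $uri =404;
    }

    # Everything else is redirected to HTTPS.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name dev.worldbuild.ai;

    # Assumed default Certbot paths for this name. Point these at the new
    # certificate after certonly succeeds, then reload nginx, so this vhost
    # stops presenting the certificate issued for another name.
    ssl_certificate     /etc/letsencrypt/live/dev.worldbuild.ai/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/dev.worldbuild.ai/privkey.pem;

    root /nginx/root/dir;
}
```

Run `nginx -t` before reloading so a syntax error in the edited vhost does not take the other sites down.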

If you have a lot of nginx virtualhosts (which I think you do, since you selected option 30), you could try adding:

--nginx-sleep-seconds 10

to see whether it makes a difference. That has been effective in the past for some users with large nginx configurations.

If you do choose to go with certonly, I highly recommend adding:

--deploy-hook "service nginx reload"

So that you do not need to manually reload nginx every time the certificate renews.

3 Likes

Thanks much @MikeMcQ and @_az -- it worked fine with the certonly. Not sure exactly how I'd worked myself into this point. Thanks for the great support!

2 Likes
