Unable to pass acme challenge despite challenge directory being writeable and open for Internet

Greetings! I am a fan of your work and love using certbot. I earned some experience working with it but this is the first time I am stuck.

Screencast with a problem is available at https://youtu.be/SM94N7AgN0Y

I have a fresh Ubuntu server with a Docker setup with a container that needs the SSL certificate. I mount a local ./https directory into the container, so that certbot can write in the directory and changes are reflected in the container. I can create any file in the directory and this file is accessible from the Internet without a problem, but the challenge file that certbot creates somehow is not.

Please, guide me towards the solution!

---- Metadata -----

My domain is:
admin.nextfree.com.ua

I ran this command:

certbot certonly \
    --webroot \
    --webroot-path=/var/www/nextfree-web/https \
    -m v.v.sikach@gmail.com \
    -d admin.nextfree.com.ua

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for admin.nextfree.com.ua
Using the webroot path /var/www/nextfree-web/https for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. admin.nextfree.com.ua (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://admin.nextfree.com.ua/.well-known/acme-challenge/MiGdwuN7SI_2NJ82I08myZD0cEmjLGCMYULu9HXEoVo [31.131.22.46]: 404

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: admin.nextfree.com.ua
   Type:   unauthorized
   Detail: Invalid response from
   http://admin.nextfree.com.ua/.well-known/acme-challenge/MiGdwuN7SI_2NJ82I08myZD0cEmjLGCMYULu9HXEoVo
   [31.131.22.46]: 404

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

My web server is (include version):
Node express

The operating system my web server runs on is (include version):
Ubuntu 18.04.5 LTS

My hosting provider, if applicable, is:
-

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is:
0.27.0

1 Like

Hi @gram7gram,

I'm guessing this is the basis of the issue because when the CA requests http://admin.nextfree.com.ua/.well-known/acme-challenge/example.txt, the web server application looks for the file in /var/www/nextfree-web/.well-known/acme-challenge/example.txt rather than in /var/www/nextfree-web/https/.well-known/acme-challenge/example.txt. That is, the web server application's notion of where the webroot is doesn't match Certbot's notion.

You could fix this by modifying the web server configuration or perhaps just with

cd /var/www/nextfree-web/
sudo mkdir .well-known
cd .well-known
sudo ln -s ../https/.well-known/acme-challenge acme-challenge
2 Likes

Also—having just dealt with another user's difficulty with this part—whenever you succeed in getting the certificate, please make sure it's saved into persistent storage, because there is a rate limit of 5 new duplicate certificates per week. If a container saves its key and certificate files into non-persistent storage and then is re-created more than 5 times per week (under the same hostname), it's likely to hit this limit and be blocked from creating new certificates.

2 Likes

@schoen Thank you, sir, for the reply! It makes sense to store certificates outside the container. Certbot is installed on the host machine, so no problems with that.

Regarding your first comment, while using certbot I've assumed certbot fetches the content of the challenge file and does not care about the file path of the challenge file. That is indeed a possibility of being my problem... I'll think about what can be done.

1 Like

Certbot creates the challenge file at a path based on the one you specify with -d, but the certificate authority will check the challenge file at a path specified by the certificate authority, not by Certbot. :slight_smile: For the HTTP-01 challenge method in ACME, this is hard-coded to /.well-known/acme-challenge as seen by the outside world/the public Internet, and not any other user-specified path.

So you have to make sure that someone checking that path from the outside world would find the content of the file there. :slight_smile:

3 Likes
