Unauthorized 404 on renew

My domain is: sergioloporto.com

I ran this command: certbot renew

It produced this output:
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: www.sergioloporto.com
Type: unauthorized
Detail: 54.37.137.250: Invalid response from http://www.sergioloporto.com/.well-known/acme-challenge/9KBXDgoD1NlOV-NF17-95E3_P2hfDWH0_ccTLwSTr8o: 404

Domain: sergioloporto.com
Type: unauthorized
Detail: 54.37.137.250: Invalid response from http://www.sergioloporto.com/.well-known/acme-challenge/kqvJmbAoh6oIhXBcG0jRBDHl7cnqFOAL2jqExUruWNs: 404

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Failed to renew certificate sergioloporto.com with error: Some challenges have failed.

My web server is (include version): nginx/1.18

The operating system my web server runs on is (include version): Ubuntu

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.32.2

================
This domain was renewing automatically for years... it stopped.
The only change made was to replace one WordPress blog with another - a complete change of files.
The permissions of the blog folder are the same as those of the other blogs whose certificates renewed normally: drwxr-xr-x 6 www-data www-data

I kindly ask for help

1 Like

We should have a look at the nginx configuration.

1 Like

server {
        listen 443 ssl;
        listen 80;

        root /var/www/sergioloporto.com;
        index index.php;


        access_log /var/log/nginx/access.log main;
        error_log /var/log/nginx/error.log;

        include /etc/nginx/global.d/*.conf;

        server_name www.sergioloporto.com sergioloporto.com;

        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 10m;
        ssl_certificate "/etc/letsencrypt/live/sergioloporto.com/fullchain.pem";
        ssl_certificate_key "/etc/letsencrypt/live/sergioloporto.com/privkey.pem";
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+RSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";
#       ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AS256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM HERE I CUT THIS PART HERE, AS IT WAS VERY LONG";
#       add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";


        if ($args ~ "^author=\d") { return 403; }

        location ~*  \.(jpg|jpeg|png|gif|ico|css|js|woff)$ {
                expires 365d;
        }


        location ~ \.php$ {
                fastcgi_split_path_info ^(.+\.php)(/.+)$;
                fastcgi_pass unix:/run/php/php-fpm.sock;
#               fastcgi_pass 127.0.0.1:9000;
                fastcgi_index index.php;
# fastcgi_param SERVER_NAME $host needs to be added because of WPML compatibility - see https://wpml.org/errata/home_ur-not-filtered-correctly-breaking-plugins-like-wp-seo-when-using-languages-in-domains-nginx-only/
                fastcgi_param SERVER_NAME $host;
                include fastcgi_params;
        }
}

And here:

cat /etc/nginx/global.d/*.conf
location = /xmlrpc.php {
        deny all;
        access_log off;
}

# Deny access to wp-login.php
location = /wp-login.php {
        fastcgi_pass unix:/run/php/php-fpm.sock;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_index index.php;
        fastcgi_param SERVER_NAME $host;
        include fastcgi_params;
        limit_req zone=wordpress;
}

set $cache_uri $request_uri;

# POST requests and URLs with a query string should always go to PHP
if ($request_method = POST) {
        set $cache_uri 'null cache';
}
if ($query_string != "") {
        set $cache_uri 'null cache';
}

# Don't cache URIs containing the following segments
if ($request_uri ~* "(/wp-admin/|/xmlrpc.php|/wp-(app|cron|login|register|mail).php
                          |wp-.*.php|/feed/|index.php|wp-comments-popup.php
                          |wp-links-opml.php|wp-locations.php |sitemap(_index)?.xml
                          |[a-z0-9_-]+-sitemap([0-9]+)?.xml)") {
        set $cache_uri 'null cache';
}

# Don't use the cache for logged-in users or recent commenters
if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+
                         |wp-postpass|wordpress_logged_in") {
        set $cache_uri 'null cache';
}

# Use cached or actual file if it exists, otherwise pass request to WordPress
location / {
        try_files /wp-content/cache/supercache/$http_host/$cache_uri/index.html
                  $uri $uri/ /index.php?$args;
}

# Cache static files for as long as possible
location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|woff2|ttf|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
        expires 365d;
        log_not_found off;
        access_log off;
}

Doing secure and insecure connections within the same server block is NOT recommended.

3 Likes

I see; however, does it prevent the certificate from renewing? It was working for years...

The block shown isn't handling HTTP.
[more reason to remove the "listen 80;"]
As shown by this redirection reply:

curl -Ii www.sergioloporto.com
HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Mon, 23 Jan 2023 17:03:46 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Redirect-By: WordPress
Location: https://www.sergioloporto.com/
Strict-Transport-Security: max-age=31536000; includeSubdomains;
2 Likes

And I see the same.

>curl -Ii http://www.sergioloporto.com/.well-known/acme-challenge/sometestfile
HTTP/1.1 404 Not Found
Server: nginx
Date: Mon, 23 Jan 2023 17:05:47 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Vary: Accept-Encoding
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Link: <https://www.sergioloporto.com/wp-json/>; rel="https://api.w.org/"
>curl -Ii http://www.sergioloporto.com/
HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Mon, 23 Jan 2023 17:05:53 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Redirect-By: WordPress
Location: https://www.sergioloporto.com/
Strict-Transport-Security: max-age=31536000; includeSubdomains;

1 Like

How can I fix it? Remove port 80 from that virtualhost and add the following?

server {
        listen 80;
        server_name www.sergioloporto.com sergioloporto.com;
        root /var/www/sergioloporto.com;

        rewrite ^/(.*)$ https://sergioloporto.com/$1 permanent;
}

Yes.

Before doing that, we should see where it's being served from now.

Try:
nginx -T | grep -i sergioloporto

3 Likes
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
        rewrite ^/gotohostmonster.php https://www.hostmonster.com/track/sergioloporto/hostingmigliore permanent;
        root /var/www/sergiofoto.pl/sergioloporto.com;
        rewrite ^/portfolio/torcik/ http://sergioloporto.com permanent;
        rewrite ^/portfolio/hummer-limo-na-slub/ http://sergioloporto.com permanent;
        rewrite ^/portfolio/katia-anna/ http://sergioloporto.com permanent;
        rewrite ^/portfolio/adooshka/ http://sergioloporto.com permanent;
        rewrite ^/portfolio/bench/ http://sergioloporto.com permanent;
        root /var/www/sergiofoto.pl/devel.sergioloporto.com;
        server_name devel.sergioloporto.com devel.sergiofoto.it;
# configuration file /etc/nginx/sites-enabled/sergioloporto.com:
        root /var/www/sergioloporto.com;
        server_name www.sergioloporto.com sergioloporto.com;
        ssl_certificate "/etc/letsencrypt/live/sergioloporto.com/fullchain.pem";
        ssl_certificate_key "/etc/letsencrypt/live/sergioloporto.com/privkey.pem";

The right one is this: root /var/www/sergioloporto.com;
Sergiofoto.pl is where the files from sergioloporto.com were moved to. And in sergioloporto.com there is a brand new blog.

It seems like you will need something like:

2 Likes

Added and nginx restarted....

same error:

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: sergioloporto.com
  Type:   unauthorized
  Detail: 54.37.137.250: Invalid response from https://www.sergioloporto.com/.well-known/acme-challenge/G_2BDtch1HmNTXpky11czBuY7lHW7ct71YGt8MpX6XA: 404

  Domain: www.sergioloporto.com
  Type:   unauthorized
  Detail: 54.37.137.250: Invalid response from https://www.sergioloporto.com/.well-known/acme-challenge/DKYOl8BZCJNqLX4X1TVlyrxrIdoatvOTWlZM8rJundI: 404

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Failed to renew certificate sergioloporto.com with error: Some challenges have failed.

Here are debug results from Let's Debug https://letsdebug.net/sergioloporto.com/1346744?debug=y

And what I see with curl for the same URI.

>curl    -Ii http://www.sergioloporto.com/.well-known/acme-challenge/zaE-58xgwJ0Gijo-oPh90Mxk9dMTgIq0LEjX_zWfISQ
HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Mon, 23 Jan 2023 17:40:38 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
Location: https://sergioloporto.com/.well-known/acme-challenge/zaE-58xgwJ0Gijo-oPh90Mxk9dMTgIq0LEjX_zWfISQ

>curl -k -Ii https://www.sergioloporto.com/.well-known/acme-challenge/zaE-58xgwJ0Gijo-oPh90Mxk9dMTgIq0LEjX_zWfISQ
HTTP/2 404
server: nginx
date: Mon, 23 Jan 2023 17:40:46 GMT
content-type: text/html; charset=UTF-8
vary: Accept-Encoding
expires: Wed, 11 Jan 1984 05:00:00 GMT
cache-control: no-cache, must-revalidate, max-age=0
link: <https://www.sergioloporto.com/wp-json/>; rel="https://api.w.org/"


1 Like

And a screen shot from Windows 10 Firefox 109.0 (64-bit) with that URL

1 Like

Hmm, so it's giving a 404 because that link doesn't exist... there is no .well-known folder in the root.

Or possibly just not accessible (like file or directory permissions), unlikely I would guess.

1 Like

I have another site with the exact same permissions and configuration. Also it has:

server {
        listen 80;
        server_name uzdrawianie.net www.uzdrawianie.net;
        root /var/www/uzdrawianie.net;
        return 301 https://uzdrawianie.net$request_uri;
}

And this one has a .well-known folder inside, and both sergioloporto.com and uzdrawianie.net have the same folder permissions.

1 Like

I manually created the folder and a test file. This test file is accessible....

https://sergioloporto.com/.well-known/test.html

And I see it:

>curl -Ii http://sergioloporto.com/.well-known/test.html
HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Mon, 23 Jan 2023 18:10:44 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
Location: https://sergioloporto.com/.well-known/test.html

>curl -k -Ii https://sergioloporto.com/.well-known/test.html
HTTP/2 200
server: nginx
date: Mon, 23 Jan 2023 18:10:57 GMT
content-type: text/html
content-length: 15
last-modified: Mon, 23 Jan 2023 18:08:49 GMT
etag: "63cecd31-f"
strict-transport-security: max-age=31536000; includeSubdomains;
accept-ranges: bytes

>curl -k  https://sergioloporto.com/.well-known/test.html
this is a test

Go one folder further - acme-challenge
And don't put any period in the test file name.

2 Likes
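The test this thread converges on (drop a file under .well-known/acme-challenge/ inside the -w webroot and fetch it over plain HTTP the way the CA does, following the 301 and comparing the body) can be automated. The script below is an added example, not Certbot's code and not anything posted in the thread: the local server it starts, the /redirected/ prefix standing in for the http-to-https hop, and the token body are constructed for the demo; against a real site you would call check_webroot with http://<your-domain> and the exact path you pass to --webroot-path.

```python
"""Webroot self-check for ACME HTTP-01 (added example, not Certbot's code)."""
import functools
import os
import secrets
import tempfile
import threading
import urllib.error
import urllib.request
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer

CHALLENGE_DIR = os.path.join(".well-known", "acme-challenge")


def write_challenge_file(webroot):
    """Mimic what certbot --webroot does: create <webroot>/.well-known/acme-challenge/<token>.
    The token and the file body are constructed; a real key authorization looks different."""
    token = secrets.token_urlsafe(32)          # URL-safe, no period in the name
    body = f"{token}.constructed-key-authorization"
    target = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(target, exist_ok=True)
    with open(os.path.join(target, token), "w", encoding="utf-8") as fh:
        fh.write(body)
    return token, body


class _RedirectRecorder(urllib.request.HTTPRedirectHandler):
    """Records every redirect hop so the report shows where the request ended up."""

    def __init__(self):
        super().__init__()
        self.hops = []

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        self.hops.append((code, newurl))
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def probe_challenge(base_url, token, expected_body):
    """Fetch the challenge URL as the CA would: follow redirects, then require a 200
    whose body matches what was written. Returns a small report dict."""
    recorder = _RedirectRecorder()
    opener = urllib.request.build_opener(recorder)
    url = f"{base_url.rstrip('/')}/.well-known/acme-challenge/{token}"
    try:
        with opener.open(url, timeout=10) as resp:
            status = resp.status
            body = resp.read().decode("utf-8", "replace").strip()
    except urllib.error.HTTPError as err:     # e.g. the 404 seen in the thread
        status, body = err.code, ""
    return {"url": url, "status": status, "hops": recorder.hops,
            "ok": status == 200 and body == expected_body}


def check_webroot(base_url, webroot):
    """End-to-end check: write a token into webroot, fetch it over HTTP, clean up."""
    token, body = write_challenge_file(webroot)
    try:
        return probe_challenge(base_url, token, body)
    finally:
        os.remove(os.path.join(webroot, CHALLENGE_DIR, token))


class _DemoHandler(SimpleHTTPRequestHandler):
    """Constructed stand-in for the site: anything under /redirected/ gets a 301 to the
    same path without the prefix, like the WordPress http->https redirect in the thread."""

    def do_GET(self):
        if self.path.startswith("/redirected/"):
            self.send_response(301)
            self.send_header("Location", self.path[len("/redirected"):])
            self.end_headers()
            return
        super().do_GET()

    def log_message(self, *args):   # keep the demo quiet
        pass


def serve_webroot(webroot):
    """Serve webroot on an ephemeral localhost port; returns (server, base_url)."""
    handler = functools.partial(_DemoHandler, directory=webroot)
    server = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def demo():
    """Three scenarios against a throwaway local server: right webroot, right webroot
    behind a 301, and a webroot nginx is not actually serving (the thread's failure)."""
    with tempfile.TemporaryDirectory() as webroot, tempfile.TemporaryDirectory() as other:
        server, base = serve_webroot(webroot)
        try:
            return [check_webroot(base, webroot),
                    check_webroot(base + "/redirected", webroot),
                    check_webroot(base, other)]
        finally:
            server.shutdown()
            server.server_close()


if __name__ == "__main__":
    for report in demo():
        print(report)
```

The third scenario is the one from this thread: certbot writes the file into the directory given by -w, but the server block that answers for the hostname serves a different root, so the CA gets a 404 no matter how the permissions look. Running the same check against the live hostname (plain http://, since that is what the CA fetches first) tells you whether the redirect target and the served root line up before you burn another renewal attempt.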