I ran this command: sudo ./certbot-auto certonly --non-interactive --email ${CERT_EMAIL} --agree-tos --standalone --domains ${CERT_DOMAIN} --keep-until-expiring --debug
It produced this output:
Domain: abel.works
Type: unauthorized
Detail: Invalid response from
http://abel.works/.well-known/acme-challenge/b4jxv6KqxnmZrC8_6eZEE677UPvWZ8Dg1_v_5hgnwu4
"<!doctype html>\n<html lang=\"en\">\n<head>\n
<base href=\"/\">\n\n <meta charset=\"utf-8\">\n <title>Timetable
Angular</title>\n <meta n"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
My web server is (include version):
Nginx
The operating system my web server runs on is (include version): Node.js running on 64bit Amazon Linux/4.8.3
My hosting provider, if applicable, is:
AWS Elastic beanstalk
I can login to a root shell on my machine (yes or no, or I don’t know):
No
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
Yes
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
I used this command --> wget https://dl.eff.org/certbot-auto;chmod a+x certbot-auto
My server acts as a backend and also serves an angular app. If the path does not match any of my APIs, then it will serve the angular app.
As I’ve understood from reading the similar errors of this kind, the certbot attempts a challenge to reach the server. Looking at the error, it does, and it’s being served (correctly) the angular app. (Also opened port 443 if that matters.)
This however means the challenge fails. What is the expected response of the challenge? Been at this one problem for the whole afternoon. Appreciate some guidance - thanks.
http + / works. https not, but that's not relevant. But /.well-known/acme-challenge sends a lot of content.
Info: Html-Content with meta and/or script, may be a problem creating a Letsencrypt certificate using http-01 validation
<!doctype html> <html lang="en"> <head> <base href="/"> <meta charset="utf-8"> <title>Timetable Angular</title> <meta name="viewport" content="width=device-width, initial-scale=1"> <!-- reduced for brevity --> <!-- inline spinner styles to be able to display spinner right away --> <style type="text/css"> body, html { height: 100%; } .app-loading { position: relative; display: flex; flex-direction: column; align-items: center; justify-content: center; height: 100%; } .app-loading .spinner { height: 200px; width: 200px; animation: rotate 2s linear infinite; transform-origin: center center; position: absolute; top: 0; bottom: 0; left: 0; right: 0; margin: auto; } .app-loading .spinner .path { stroke-dasharray: 1, 200; stroke-dashoffset: 0; animation: dash 1.5s ease-in-out infinite; stroke-linecap: round; stroke: #ddd; } @keyframes rotate { 100% { transform: rotate(360deg); } } @keyframes dash { 0% { stroke-dasharray: 1, 200; stroke-dashoffset: 0; } 50% { stroke-dasharray: 89, 200; stroke-dashoffset: -35px; } 100% { stroke-dasharray: 89, 200; stroke-dashoffset: -124px; } } </style> <!-- Global site tag (gtag.js) - Google Analytics --> <script async src="https://www.googletagmanager.com/gtag/js?id=UA-141134302-1"></script> <script> window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'UA-141134302-1', { 'send_page_view': false }); </script> <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/css/bootstrap.min.css" integrity="sha384-Gn5384xqQ1aoWXA+058RXPxPg6fy4IWvTNh0E263XmFcJlSAwiGgFAW/dAiS6JXm" crossorigin="anonymous"> <link href="https://fonts.googleapis.com/css?family=Roboto|Roboto+Condensed" rel="stylesheet"> <link rel="stylesheet" href="https://use.typekit.net/fij5jri.css"> <!-- For code-saver font --> <link rel="stylesheet" href="https://use.fontawesome.com/releases/v5.7.1/css/all.css" 
integrity="sha384-fnmOCqbTlWIlj8LyTjo7mOUStjsKC4pOpQbqyi7RrhN7udi9RwhKkMHpvLbHG9Sr" crossorigin="anonymous"> <link rel="icon" type="image/x-icon" href="favicon.ico"> <link rel="stylesheet" href="styles.1aadc07444dcd975815c.css"></head> <body> <app-root>. <!-- loading layout replaced by app after startupp --> <div class="app-loading"> <!-- Style logo inside div below, .logo --> <div class="logo"></div> <svg class="spinner" viewBox="25 25 50 50"> <circle class="path" cx="50" cy="50" r="20" fill="none" stroke-width="2" stroke-miterlimit="10"/> </svg> </div> </app-root> <script type="text/javascript" src="runtime.f4976e9fdf54f6f84c4f.js"></script><script type="text/javascript" src="polyfills.73595e80ac16f6619f1b.js"></script><script type="text/javascript" src="scripts.d871263a2df3baf77f0a.js"></script><script type="text/javascript" src="main.c9a7ab40cf65ee5153e4.js"></script></body> </html>
You have a nginx. There should be a root definition. Is it possible to create an exception, so that path /.well-known/acme-challenge isn't answered by your app?
Then use that root.
certbot certonly -a webroot -w yourRoot -d abel.works
Thanks for your reply. I’ve managed to create an exception to the path /.well-known/acme-challenge/*.
I’m still getting a similar error response in my logs:
AuthorizationError: Some challenges have failed.
Domain: abel.works
Type: unauthorized
Detail: Invalid response from
http://abel.works/.well-known/acme-challenge/-A0Ny-4Gh3F_2T0ClFBU4rbAXnI469vt-szJTs3dfeE
[18.139.60.107]: "<!DOCTYPE html>\n<html
lang=\"en\">\n<head>\n<meta
charset=\"utf-8\">\n<title>Error</title>\n</head>\n<body>\n<pre>Cannot
GET /.well-known/"
The GET request seems to have failed. I tested this locally by creating a .well-known directory, and a subdirectory acme-challenge. I can access the static directory fine with some dummy .txt file. The problem persists…
Am I supposed to create the .well-known directory manually on my root dir? Isn’t it created by the script I run?
I still come up with the error:
AuthorizationError: Some challenges have failed.
Please see the logfiles in /var/log/letsencrypt for more details.
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: abel.works
Type: unauthorized
Detail: Invalid response from
http://abel.works/.well-known/acme-challenge/FLHItqkK4wNhfnugkYp5nTIXW5PdFbg8KqC7az6WaA4
[18.139.60.107]: "<!DOCTYPE html>\n<html
lang=\"en\">\n<head>\n<meta
charset=\"utf-8\">\n<title>Error</title>\n</head>\n<body>\n<pre>Cannot
GET /.well-known/"
The path certbot is hitting has been opened up (/.well-known/acme-challenge/). Any file I create within that folder can be accessed statically from the web browser.
Any other hints… This is maddening! I don’t know what else it can be.