Unauthorized Error - what is the expected response from the certbot challenge?

My domain is:
abel.works

I ran this command:
sudo ./certbot-auto certonly --non-interactive --email ${CERT_EMAIL} --agree-tos --standalone --domains ${CERT_DOMAIN} --keep-until-expiring --debug

It produced this output:

Domain: abel.works
Type: unauthorized
Detail: Invalid response from
http://abel.works/.well-known/acme-challenge/b4jxv6KqxnmZrC8_6eZEE677UPvWZ8Dg1_v_5hgnwu4
"<!doctype html>\n<html lang=\"en\">\n<head>\n
<base href=\"/\">\n\n <meta charset=\"utf-8\">\n <title>Timetable
Angular</title>\n <meta n"

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.

My web server is (include version):
Nginx

The operating system my web server runs on is (include version):
Node.js running on 64bit Amazon Linux/4.8.3

My hosting provider, if applicable, is:
AWS Elastic beanstalk

I can login to a root shell on my machine (yes or no, or I don’t know):
No

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
Yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
I used this command --> wget https://dl.eff.org/certbot-auto;chmod a+x certbot-auto

My server acts as a backend and also serves an angular app. If the path does not match any of my APIs, then it will serve the angular app.

As I’ve understood from reading the similar errors of this kind, the certbot attempts a challenge to reach the server. Looking at the error, it does, and it’s being served (correctly) the angular app. (Also opened port 443 if that matters.)

This however means the challenge fails. What is the expected response of the challenge? Been at this one problem for the whole afternoon. Appreciate some guidance - thanks.

Brian

Hi @ashrielbrian

checking your domain, perhaps you see the solution ( https://check-your-website.server-daten.de/?q=abel.works ):

Domainname Http-Status redirect Sec. G
http://abel.works/
18.139.60.107 200 0.727 H
http://www.abel.works/
18.139.60.107 200 0.700 H
https://abel.works/
18.139.60.107 -14 10.027 T
Timeout - The operation has timed out
https://www.abel.works/
18.139.60.107 -14 10.027 T
Timeout - The operation has timed out
abel.works is available for purchase - Sedo.com
18.139.60.107 200 0.700
Visible Content: .
 </app-root>|

http + / works. https not, but that's not relevant. But /.well-known/acme-challenge sends a lot of content.

Info: Html-Content with meta and/or script, may be a problem creating a Letsencrypt certificate using http-01 validation

<!doctype html> <html lang="en"> <head> <base href="/"> <meta charset="utf-8"> <title>Timetable Angular</title> <meta name="viewport" content="width=device-width, initial-scale=1"> <!-- reduced for brevity --> <!-- inline spinner styles to be able to display spinner right away --> <style type="text/css"> body, html { height: 100%; } .app-loading { position: relative; display: flex; flex-direction: column; align-items: center; justify-content: center; height: 100%; } .app-loading .spinner { height: 200px; width: 200px; animation: rotate 2s linear infinite; transform-origin: center center; position: absolute; top: 0; bottom: 0; left: 0; right: 0; margin: auto; } .app-loading .spinner .path { stroke-dasharray: 1, 200; stroke-dashoffset: 0; animation: dash 1.5s ease-in-out infinite; stroke-linecap: round; stroke: #ddd; } @keyframes rotate { 100% { transform: rotate(360deg); } } @keyframes dash { 0% { stroke-dasharray: 1, 200; stroke-dashoffset: 0; } 50% { stroke-dasharray: 89, 200; stroke-dashoffset: -35px; } 100% { stroke-dasharray: 89, 200; stroke-dashoffset: -124px; } } </style> <!-- Global site tag (gtag.js) - Google Analytics --> <script async src="https://www.googletagmanager.com/gtag/js?id=UA-141134302-1"></script> <script> window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'UA-141134302-1', { 'send_page_view': false }); </script> <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/css/bootstrap.min.css" integrity="sha384-Gn5384xqQ1aoWXA+058RXPxPg6fy4IWvTNh0E263XmFcJlSAwiGgFAW/dAiS6JXm" crossorigin="anonymous"> <link href="https://fonts.googleapis.com/css?family=Roboto|Roboto+Condensed" rel="stylesheet"> <link rel="stylesheet" href="https://use.typekit.net/fij5jri.css"> <!-- For code-saver font --> <link rel="stylesheet" href="https://use.fontawesome.com/releases/v5.7.1/css/all.css" integrity="sha384-fnmOCqbTlWIlj8LyTjo7mOUStjsKC4pOpQbqyi7RrhN7udi9RwhKkMHpvLbHG9Sr" crossorigin="anonymous"> <link rel="icon" type="image/x-icon" href="favicon.ico"> <link rel="stylesheet" href="styles.1aadc07444dcd975815c.css"></head> <body> <app-root>. <!-- loading layout replaced by app after startupp --> <div class="app-loading"> <!-- Style logo inside div below, .logo --> <div class="logo"></div> <svg class="spinner" viewBox="25 25 50 50"> <circle class="path" cx="50" cy="50" r="20" fill="none" stroke-width="2" stroke-miterlimit="10"/> </svg> </div> </app-root> <script type="text/javascript" src="runtime.f4976e9fdf54f6f84c4f.js"></script><script type="text/javascript" src="polyfills.73595e80ac16f6619f1b.js"></script><script type="text/javascript" src="scripts.d871263a2df3baf77f0a.js"></script><script type="text/javascript" src="main.c9a7ab40cf65ee5153e4.js"></script></body> </html> 

You have a nginx. There should be a root definition. Is it possible to create an exception, so that path /.well-known/acme-challenge isn't answered by your app?

Then use that root.

certbot run -a webroot certonly -w yourRoot -d abel.works

Hi @JuergenAuer,

Thanks for your reply. I’ve managed to create an exception to the path /.well-known/acme-challenge/*.

I’m still getting a similar error response in my logs:

 AuthorizationError: Some challenges have failed.
 
  Domain: abel.works
  Type:   unauthorized
  Detail: Invalid response from
  http://abel.works/.well-known/acme-challenge/-A0Ny-4Gh3F_2T0ClFBU4rbAXnI469vt-szJTs3dfeE
  [18.139.60.107]: "<!DOCTYPE html>\n<html
  lang=\"en\">\n<head>\n<meta
  charset=\"utf-8\">\n<title>Error</title>\n</head>\n<body>\n<pre>Cannot
  GET /.well-known/"

The GET request seems to have failed. I tested this locally by creating a .well-known directiory, and a subdirectory acme-challenge. I can access the static directory fine with some dummy .txt file. The problem persists…

Am I supposed to create the .well-known directory manually on my root dir? Isn’t it created by the script I run?

The root is not the root of your machine, it's the root of your webserver vHost.

Letsencrypt checks a file in

http://abel.works/.well-known/acme-challenge/random-filename

normally, a website has a "starting directory", that's the root you have to use. So create the two subdirectories

yourRoot/.well-known/acme-challenge

there a file (file name 1234), then try to load that file via

http://abel.works/.well-known/acme-challenge/1234

If that works, you have found your correct webroot -> Certbot.

@JuergenAuer,

I’ve done that – you can reach a text file I created at http://abel.works/.well-known/acme-challenge/this/some.txt

I still come up with the error:
AuthorizationError: Some challenges have failed.
Please see the logfiles in /var/log/letsencrypt for more details.
IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: abel.works
Type: unauthorized
Detail: Invalid response from
http://abel.works/.well-known/acme-challenge/FLHItqkK4wNhfnugkYp5nTIXW5PdFbg8KqC7az6WaA4
[18.139.60.107]: "<!DOCTYPE html>\n<html
lang=\"en\">\n<head>\n<meta
charset=\"utf-8\">\n<title>Error</title>\n</head>\n<body>\n<pre>Cannot
GET /.well-known/"

The path certbot is hitting has been opened up (/.well-known/acme-challenge/). Any file I create within that folder can be accessed statically from the web browser.

Any other hints… This is madddening! I don’t know what else it can be.

p/s for what it’s worth, I use the following script to install/create cert: https://gist.github.com/syamn/8a37d3f0c050d0f9a9d5a0ddab9cb816. I added the --debug flag on command 30.

please remove the subdirectory /this/ and the extension .txt. These files are extensionless, sometimes this is the problem.

If that works, what's the complete path to that file?

And what's the command you have used?

If you use that script, that uses always the same - not working - command. So that can't work.

You have to start Certbot manual, so you can use other parameters.

what’s the complete path to that file?

Complete path to the acme-challenge folder: /var/app/current/.well-known/acme-challenge.

The application source sits inside /var/app/current.
I’ve deleted the subdirectory /this and some.txt.

Will have a go manually and see where I get to.

@JuergenAuer,

I ran the following commands manually:
Installing certbot-auto:

curl -O https://dl.eff.org/certbot-auto
chmod +x certbot-auto
sudo mv certbot-auto /usr/local/bin/certbot-auto

Made myself root user:
sudo su -

certbot-auto certonly --standalone -d abel.works -d www.abel.works --debug

And my error remains exactly the same as before.

As written. If you use the same wrong command, that can't work.

Sorry, I don’t quite follow. I’ve been following the manuals here: https://certbot.eff.org/lets-encrypt/pip-nginx and https://coderwall.com/p/e7gzbq/https-with-certbot-for-nginx-on-amazon-linux.

So should I not use certbot-auto? Could you point me in the right documentation? I’ve been staring at the user manuals for some time now

This

is the not working command. The earlier commands are installation commands.

There

I've shared the webroot command, not standalone.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.