Unauthorized error when trying to get a certbot certificate

My domain is: naijawiz.com

I ran this command: certbot certonly --webroot --webroot-path=/var/www/html/naijawiz.com -d naijawiz.com -d www.naijawiz.com

It produced this output:

Failed authorization procedure. naijawiz.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://naijawiz.com/.well-known/acme-challenge/KxPWitlh57ahLiYrihm7tNdaXUQiJTbncyGg4uvN6bw [161.22.44.119]: "<!doctype html><html class=\"no-js\" lang=\"en\" dir=\"ltr\"><head><meta charset=\"utf-8\"><meta http-equiv=\"X-UA-Compatible\" content=\"I", www.naijawiz.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.naijawiz.com/.well-known/acme-challenge/j96FsvpbAOeeX2CkiBn-JWiQZNHk-59NU6J4OpGiI3o [161.22.44.119]: "<!doctype html><html class=\"no-js\" lang=\"en\" dir=\"ltr\"><head><meta charset=\"utf-8\"><meta http-equiv=\"X-UA-Compatible\" content=\"I"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: naijawiz.com
   Type:   unauthorized
   Detail: Invalid response from
   http://naijawiz.com/.well-known/acme-challenge/KxPWitlh57ahLiYrihm7tNdaXUQiJTbncyGg4uvN6bw
   [161.22.44.119]: "<!doctype html><html class=\"no-js\" lang=\"en\"
   dir=\"ltr\"><head><meta charset=\"utf-8\"><meta
   http-equiv=\"X-UA-Compatible\" content=\"I"

   Domain: www.naijawiz.com
   Type:   unauthorized
   Detail: Invalid response from
   http://www.naijawiz.com/.well-known/acme-challenge/j96FsvpbAOeeX2CkiBn-JWiQZNHk-59NU6J4OpGiI3o
   [161.22.44.119]: "<!doctype html><html class=\"no-js\" lang=\"en\"
   dir=\"ltr\"><head><meta charset=\"utf-8\"><meta
   http-equiv=\"X-UA-Compatible\" content=\"I"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

My web server is (include version): Docker (Ubuntu 18.04 64Bits)

My hosting provider, if applicable, is: Bluehost

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.31.0

Hello @PaschalCO,

Seems your web server is not serving the challenge files that Let's Encrypt needs to validate that you control the domain.

The first thing that you should do is create a test file and check that you can get it with your browser.

mkdir -p /var/www/html/naijawiz.com/.well-known/acme-challenge/
echo "This is a test file" > /var/www/html/naijawiz.com/.well-known/acme-challenge/test-le

Once done try to get it:

http://naijawiz.com/.well-known/acme-challenge/test-le
http://www.naijawiz.com/.well-known/acme-challenge/test-le

If you can see the text This is a test file then the web root you are using is the right one and your web server works fine. If you can't reach the files then you should review your web server conf.

Docker is not a web server.

Cheers,
sahsanu

1 Like
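The test sahsanu describes above (write a file under the webroot, then fetch it from outside) is easy to automate, and a script also captures the two things that matter in the replies that follow: the `Server` header and what kind of body came back. The following checker is an added example, not code from the thread or from certbot. It writes a random probe file under `<webroot>/.well-known/acme-challenge/`, fetches it for each hostname over plain HTTP without a proxy (the ACME server connects directly, so the check should too), removes the file again and classifies the answer. The webroot and hostnames on the command line are placeholders; `start_local_server` exists only so the checker can be tried against a local directory.

```python
"""Added example: probe an HTTP-01 webroot the way the ACME server will.

Not part of certbot; the paths and hostnames are placeholders."""
import functools
import http.server
import os
import secrets
import sys
import tempfile
import threading
import urllib.error
import urllib.request

CHALLENGE_DIR = os.path.join(".well-known", "acme-challenge")
# No proxy: Let's Encrypt reaches the host directly, so the probe should too.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def write_probe(webroot):
    """Create a probe file whose name and content are the same random token."""
    token = secrets.token_urlsafe(32)          # same shape as a real ACME token
    path = os.path.join(webroot, CHALLENGE_DIR, token)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(token)
    return token


def fetch_probe(host, token, port=80, timeout=10):
    """GET the probe over plain HTTP; redirects are followed, like curl -L."""
    url = f"http://{host}:{port}/.well-known/acme-challenge/{token}"
    req = urllib.request.Request(url, headers={"User-Agent": "acme-webroot-check"})
    try:
        with _OPENER.open(req, timeout=timeout) as resp:
            status, headers, body = resp.status, resp.headers, resp.read()
    except urllib.error.HTTPError as err:      # 4xx/5xx responses still carry a body
        status, headers, body = err.code, err.headers, err.read()
    return {
        "url": url,
        "status": status,
        "server": headers.get("Server", "<no Server header>"),
        "body": body.decode("utf-8", errors="replace"),
    }


def classify(result, token):
    """Turn the response into a verdict about the webroot."""
    body = result["body"]
    if result["status"] == 200 and body.strip() == token:
        return "ok"            # the webroot given to certbot is what the world sees
    if result["status"] == 404:
        return "not-found"     # whatever answered cannot see that directory
    if "<html" in body.lower():
        return "other-app"     # an application answered (e.g. its own 404 page)
    return "unexpected"


def diagnose(webroot, host, port=80):
    """Write, fetch, classify and clean up; returns the result with a verdict."""
    token = write_probe(webroot)
    try:
        result = fetch_probe(host, token, port)
    finally:
        os.remove(os.path.join(webroot, CHALLENGE_DIR, token))
    result["verdict"] = classify(result, token)
    return result


def start_local_server(directory=None):
    """Serve a directory on 127.0.0.1 in a background thread (to try the checker)."""
    directory = directory or tempfile.mkdtemp()
    handler = functools.partial(http.server.SimpleHTTPRequestHandler, directory=directory)
    httpd = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    return httpd, httpd.server_address[1], directory


if __name__ == "__main__":
    # usage: python3 acme_webroot_check.py /var/www/html/example.com example.com www.example.com
    webroot, hosts = sys.argv[1], sys.argv[2:]
    for h in hosts:
        r = diagnose(webroot, h)
        print(f"{r['url']}: {r['status']} from {r['server']} -> {r['verdict']}")
```

A verdict of `ok` means the webroot and the web server are fine and the problem is elsewhere (DNS, firewall). `not-found` means the responder is a file server that does not see that directory (wrong `--webroot-path`, or a different vhost). `other-app` with no `Server: nginx` header is the situation in this thread: something other than the expected nginx vhost is answering on port 80.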

Hello @sahsanu. Thanks a lot for your reply. I've done the test you indicated and actually I'm being redirected to my application's 404 error page. Any further suggestions?

Sorry, my web server is nginx.

Paste here the nginx conf for your domain.

server {
        listen 80;
        listen [::]:80;
        server_name naijawiz.com www.naijawiz.com;
        # Serve HTTP-01 challenge files straight from the webroot given to certbot
        location ~ /\.well-known/acme-challenge/ {
                root /var/www/html/naijawiz.com;
                try_files $uri $uri/ =404;
                allow all;
                break;
        }
}

I see no problem with your server block, just to be sure I've tested it on my own server and it works fine to serve http challenges.

Anyway, seems you are not using nginx to serve your site:

$ curl -IkL http://naijawiz.com/.well-known/acme-challenge/test-le                                                                                     
HTTP/1.1 200 OK
Expires: 0
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
X-XSS-Protection: 1; mode=block
Pragma: no-cache
Referrer-Policy: strict-origin-when-cross-origin
Accept-Ranges: bytes
Content-Security-Policy: default-src 'self'; frame-src 'self' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://storage.googleapis.com; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:
Date: Sun, 31 Jan 2021 00:35:17 GMT
Connection: keep-alive
Content-Language: en-US
X-Frame-Options: DENY
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Last-Modified: Sun, 24 Jan 2021 19:37:33 GMT
X-Content-Type-Options: nosniff
Feature-Policy: geolocation 'none'; midi 'none'; sync-xhr 'none'; microphone 'none'; camera 'none'; magnetometer 'none'; gyroscope 'none'; speaker 'none'; fullscreen 'self'; payment 'none'
Content-Length: 4263
Content-Type: text/html;charset=utf-8

Are you sure nginx is up and running and you are not using any other web server to serve your site like node.js?

1 Like

I'm pretty sure I'm using nginx yes. But if there's any further tests you'd like me to do please do let me know.

1 Like

If you were using nginx we should see a header Server: nginx and it doesn't appear, so I'm afraid you are using node.js to serve your site.

Check what is listening on port 80.

sudo netstat -ptan | grep ':80'

or

sudo ss -tpln | cat | grep ':80'

1 Like

I get this:

tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      16172/nginx: master 
tcp6       0      0 :::80                   :::*                    LISTEN      16172/nginx: master

And you are not forwarding port 80 to another port or another machine?

1 Like

Actually, now that you mention it, I did docker ps and got this:

Then you should find a way to write the challenges into your docker and modify --webroot-path with the right path.

I've never used docker so I can't help here.

1 Like

All right thanks for your help.

2 Likes

Is that correct?:
[image]
I see 80 going to 8080 (not to 80).

What shows:
sudo netstat -pant | grep 8080
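The two checks above, what is listening on port 80 on the host (`netstat -ptan` / `ss -tpln`) and what `docker ps` shows under PORTS (here 80 going to 8080), answer different questions, and the thread shows why both are needed: `netstat` says nginx owns :80, yet outside clients get the application. When a container publishes a host port, Docker adds iptables DNAT rules that divert incoming traffic to the container before any host socket on that port sees it, so the host listener is shadowed. The script below is an added example, not from the thread: it parses both outputs (ss or netstat, and `docker ps --format '{{.Names}}\t{{.Ports}}'`) and states what an outside client will actually reach. The sample outputs at the bottom are constructed to mirror this thread, not captured from the poster's host, and the container name `webapp` is an assumption.

```python
"""Added example: who really answers on a host port, a host process or a container?

Constructed sample data below; nothing here is taken from the poster's host."""
import re
import subprocess
import sys
from collections import namedtuple

Published = namedtuple("Published", "container host_ip host_port container_port proto")

# "0.0.0.0:80->8080/tcp", ":::80->8080/tcp"; a bare "8080/tcp" is exposed, not published
PORT_RE = re.compile(r"^(?:(?P<ip>.*):)?(?P<host>\d+)->(?P<ctr>\d+)/(?P<proto>tcp|udp)$")


def host_listeners(text):
    """Map listening port -> set of process names, from `ss -tpln` or `netstat -ptln`."""
    listeners = {}
    for line in text.splitlines():
        fields = line.split()
        if "LISTEN" not in fields or len(fields) < 4:
            continue                                   # header or non-listening socket
        port = int(fields[3].rsplit(":", 1)[1])        # local address is field 4 in both tools
        names = {n for n, _pid in re.findall(r'\("([^"]+)",pid=(\d+)', line)}  # ss style
        m = re.search(r"\b\d+/([^\s:]+)", line)        # netstat style: 16172/nginx: master
        if m:
            names.add(m.group(1))
        listeners.setdefault(port, set()).update(names)
    return listeners


def published_ports(text):
    """Parse `docker ps --format '{{.Names}}\\t{{.Ports}}'` into Published tuples."""
    found = []
    for line in text.splitlines():
        if "\t" not in line:
            continue
        name, ports = line.split("\t", 1)
        for entry in ports.split(","):
            m = PORT_RE.match(entry.strip())
            if m:
                found.append(Published(name, m["ip"] or "0.0.0.0", int(m["host"]),
                                       int(m["ctr"]), m["proto"]))
    return found


def who_answers(port, ss_text, docker_text):
    """Explain what an outside client connecting to host:port will reach."""
    owners = host_listeners(ss_text).get(port, set())
    pubs = [p for p in published_ports(docker_text) if p.host_port == port]
    if pubs and owners:
        verdict = "container-shadows-host"  # Docker's DNAT rule wins before the host socket
    elif pubs:
        verdict = "container"
    elif owners:
        verdict = "host"
    else:
        verdict = "nothing"
    return {"port": port,
            "host_processes": sorted(owners),
            "containers": sorted({f"{p.container} -> {p.container_port}/{p.proto}" for p in pubs}),
            "verdict": verdict}


def capture(*cmd):
    """Run a command and return its stdout (for a live host; the demo uses samples)."""
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout


# Constructed samples mirroring the thread: nginx holds :80, a container publishes 80->8080.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       511     0.0.0.0:80          0.0.0.0:*          users:(("nginx",pid=16172,fd=6))
LISTEN  0       511     [::]:80             [::]:*             users:(("nginx",pid=16172,fd=7))
"""
SAMPLE_DOCKER = "webapp\t0.0.0.0:80->8080/tcp, :::80->8080/tcp\n"

if __name__ == "__main__":
    if "--live" in sys.argv:   # needs root for process names and access to the Docker socket
        ss_out = capture("ss", "-tpln")
        docker_out = capture("docker", "ps", "--format", "{{.Names}}\t{{.Ports}}")
    else:
        ss_out, docker_out = SAMPLE_SS, SAMPLE_DOCKER
    print(who_answers(80, ss_out, docker_out))
```

On the sample data the verdict is `container-shadows-host`: nginx is listening, but the published mapping sends outside traffic for port 80 into the container's 8080, which is why the challenge file written under nginx's webroot is never seen. The fix is either the one given above (write the challenges into a path the container serves and point `--webroot-path` there) or to stop publishing host port 80 from the container and let the host nginx proxy to the container's 8080 while serving `/.well-known/acme-challenge/` itself.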
