Unauthorized, invalid response, 403 nginx hastebin


#1

My domain is:
slothy.cloud (subdomain paste.slothy.cloud)

I ran this command:
sudo certbot --authenticator webroot --installer nginx

It produced this output:
IMPORTANT NOTES:

My web server is:
nginx 1.10.3

The operating system my web server runs on is:
Linux 4.14.34-v7+ (Raspbian Light on a Raspberry Pi)

I can login to a root shell on my machine:
yes

I’m using a control panel to manage my site:
no

I already have a working LE certificate made with certbot on another subdomain (safe.slothy.cloud), but on paste.slothy.cloud it doesn't seem to work.

This is the nginx config for paste.slothy.cloud:

upstream hastebin {
    server 127.0.0.1:8831;
}

map $sent_http_content_type $charset {
    ~^text/ utf-8;
}

server {
    listen 80;
    listen [::]:80;

    server_name paste.slothy.cloud;
    charset $charset;
    charset_types *;

    location / {
        add_header Access-Control-Allow-Origin *;
        root /var/www/paste.slothy.cloud/html;
        # serve a static file from root if it exists, otherwise hand off to hastebin
        try_files $uri @proxy;
    }

    location @proxy {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://hastebin;
        proxy_redirect off;
        # websocket pass-through
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_buffering off;
        proxy_request_buffering off;
        proxy_connect_timeout 10080s;
        proxy_send_timeout 10080s;
        proxy_read_timeout 10080s;
    }
}


#2

You appear to have some kind of security rule that is blocking requests to paths that begin with a period ( . ).

$ curl -i paste.slothy.cloud/.causes-403
HTTP/1.1 403 Forbidden
Server: nginx/1.10.3
Date: Sat, 26 May 2018 10:33:35 GMT
Content-Length: 9
Connection: keep-alive
X-RateLimit-Limit: 500
X-RateLimit-Remaining: 491

Forbidden

$ curl -i paste.slothy.cloud/no-dot-no-403
HTTP/1.1 200 OK
Server: nginx/1.10.3
<snip>

This will prevent requests to the Let’s Encrypt /.well-known/acme-validation path from succeeding.


#3

Okay, I added

location ~ /\. { allow all; }

which should allow requests for hidden files…
Now I get an error 404…


#4

What webroot did you offer up to Certbot when it asked?

/var/www/paste.slothy.cloud/html ?


#5

For the webroot?
I gave it
/home/pi/haste-server/data

For my other subdomain
/home/pi/lolisafe/uploads
worked just fine


#6

That wouldn’t appear to be consistent with how your virtual host is actually configured:

Try that instead. Or better yet, --authenticator nginx rather than webroot and allow Certbot to figure it out on its own.


#7

Okay, so changing the root in the config didn't fix it yet (thanks for bringing that to my attention though, I overlooked changing that before).

When, instead of running sudo certbot --authenticator webroot --installer nginx,
I run sudo certbot --authenticator nginx --installer nginx,
it gives me a new error:

Performing the following challenges: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.


#8

That’s weird. Old version of Certbot perhaps?

You can try following the Debian instructions to upgrade. Sometimes Raspbian can be a bit of a problem; you might have better luck using the portable certbot-auto, which keeps itself up to date and has fewer problems with dependencies.

Alternatively, you can try adding this to the end of the Certbot command:

--preferred-challenges http

#9

Okay, so: --preferred-challenges http
gives me this error: Performing the following challenges: None of the preferred challenges are supported by the selected plugin
and trying to do it with certbot-auto just gives me the same 404 error as before. I also checked my certbot; it seems to be the newest version…


#10

The explanation for the 404 is that your webroot directory is still wrong.

You can make this fairly explicit by adding to nginx

location /.well-known/acme-challenge/ {
    root  /home/pi/haste-server/data;
}

and invoking Certbot with:

--authenticator webroot -w /home/pi/haste-server/data

You can also try creating /home/pi/haste-server/data/.well-known/acme-challenge/test.txt and trying to access it via http://paste.slothy.cloud/.well-known/acme-challenge/test.txt, to prove that the directory correlates to the URL.

Perhaps it just indicates the Raspbian repositories don’t have a recent version. The current certbot --version is 0.24.
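To make the 403/404 diagnosis from posts #2 and #10 concrete, here is an added illustration (not code from the thread or from certbot/nginx) that models how nginx maps the ACME probe URL to a file and compares that with the directory certbot writes into. The nginx matching is simplified (the first matching regex location wins, otherwise the longest prefix; no `=` or `^~` modifiers), the `deny` flag is an assumed stand-in for the unidentified rule that returned 403 for paths starting with a period, and the token value is a constructed placeholder. The real-world equivalent is the test.txt probe described above.

```python
"""Model of why an ACME HTTP-01 probe gets 403 or 404 from the nginx vhost in this thread.

Added illustration, not code from the thread. The nginx matching is simplified
(first matching regex location wins, else longest prefix; no '=' / '^~' modifiers),
and the 'deny' flag stands in for the unknown security rule that returned 403.
"""
import os
import re
from dataclasses import dataclass
from typing import List, Optional

ACME_DIR = ".well-known/acme-challenge"  # certbot writes tokens under <webroot>/ACME_DIR/


@dataclass
class Location:
    """One nginx 'location' block, reduced to what matters for the probe."""
    pattern: str                  # prefix string, or a regex when is_regex is True
    root: Optional[str] = None    # value of the 'root' directive; None if the block has none
    is_regex: bool = False
    deny: bool = False            # assumed stand-in for a rule that answers 403


def select_location(locations: List[Location], uri: str) -> Optional[Location]:
    """Pick the block nginx would use for uri (simplified precedence, see module doc)."""
    for loc in locations:
        if loc.is_regex and re.search(loc.pattern, uri):
            return loc
    prefixes = [loc for loc in locations if not loc.is_regex and uri.startswith(loc.pattern)]
    return max(prefixes, key=lambda loc: len(loc.pattern), default=None)


def nginx_file_for(locations: List[Location], uri: str) -> Optional[str]:
    """Filesystem path nginx would open for uri: root + uri, or None without a usable root."""
    loc = select_location(locations, uri)
    if loc is None or loc.deny or loc.root is None:
        return None
    return os.path.normpath(loc.root + uri)


def probe_status(locations: List[Location], webroot: str, token: str) -> int:
    """Status the CA's probe would see, given certbot placed token under webroot."""
    uri = f"/{ACME_DIR}/{token}"
    loc = select_location(locations, uri)
    if loc is not None and loc.deny:
        return 403
    written = os.path.normpath(os.path.join(webroot, ACME_DIR, token))
    served = nginx_file_for(locations, uri)
    return 200 if served == written else 404


def diagnose(locations: List[Location], webroot: str) -> str:
    """One-line explanation of the status, in the terms used in the thread."""
    token = "probe-token"  # constructed placeholder; real tokens are random
    status = probe_status(locations, webroot, token)
    if status == 403:
        return "403: a location rule denies paths starting with '.', add an allow for /.well-known/acme-challenge/"
    if status == 404:
        served = nginx_file_for(locations, f"/{ACME_DIR}/{token}")
        return f"404: nginx looks for {served} but certbot writes under {webroot}; make -w match the root"
    return "200: certbot webroot and nginx root agree"


WEBROOT = "/home/pi/haste-server/data"          # the -w path from the thread
SITE_ROOT = "/var/www/paste.slothy.cloud/html"  # the vhost's root from the thread

# Post #2: the vhost plus an assumed hidden-file rule -> 403.
with_dot_rule = [Location(r"/\.", is_regex=True, deny=True), Location("/", root=SITE_ROOT)]
# Posts #3/#5: rule relaxed, but root and webroot still differ -> 404.
root_mismatch = [Location("/", root=SITE_ROOT)]
# Post #10: a dedicated location whose root equals the webroot -> 200.
fixed = [Location("/", root=SITE_ROOT), Location(f"/{ACME_DIR}/", root=WEBROOT)]

if __name__ == "__main__":
    for name, cfg in [("with_dot_rule", with_dot_rule), ("root_mismatch", root_mismatch), ("fixed", fixed)]:
        print(f"{name}: {diagnose(cfg, WEBROOT)}")
```

The three configurations reproduce the sequence in the thread: the dot rule answers 403 before any file is looked up, removing it exposes the root/webroot mismatch as a 404, and the dedicated `location` block with a `root` equal to the `-w` path is what makes the probe succeed.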


#11

Okay, doing the first change you suggested with the location rule in the nginx config and then invoking said webroot in the certbot command fixed it.
It also turned out my certbot version is 0.10.2, so yeah, not the newest… '^^

thanks for the help though, have a nice day!
