Unauthorized invalid response from <domain>/.well-known/acme-challenge/etc

My domain is: morocotagold.gq

I ran this command: sudo certbot --nginx

It produced this output: here (can’t ssh onto my tablet to copy the output for some reason)

My web server is (include version): Nginx 1.18

The operating system my web server runs on is (include version): Ubuntu Server 20.04.1

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 1.8

Let’s Debug returned no errors and Check-your-website returned this.

1 Like

I see version 1.10.3

```
curl -Iki morocotagold.gq
HTTP/1.1 301 Moved Permanently
Server: nginx/1.10.3 (Ubuntu)
Date: Mon, 14 Sep 2020 19:20:58 GMT
Content-Type: text/html
Content-Length: 194
Connection: keep-alive
Location: https://morocotagold.gq/
```
1 Like

My bad, it’s that I’m running two servers (one with BigBlueButton which is for videoconferencing and another that I’m trying to put TURN on (because it helps the main server when people are behind restrictive firewalls)). The BBB server has Nginx 1.10.3 because BBB only works on Ubuntu Server 16.04.7, and my other server has 1.18. I’m trying to install Certbot on the TURN which has the latest Ubuntu and Nginx.

1 Like

As for the error msg.
It shows a failed HTTPS connection.
This means it was successful at HTTP (and got a redirection - as shown above).
Which means the HTTPS is likely misconfigured…
Just enough is shown to be certain that nginx is configured in a way that has confused certbot (and it hasn’t placed the response file in the proper location).
Please show the HTTPS vhost config for that FQDN.

1 Like

Welcome to the Let’s Encrypt Community :slightly_smiling_face:

I extracted your output image here to make it easier for the community to access:

1 Like

What no cropping, zooming, and image enhancements?
Have you even heard of OCR? - rofl
Hi @griffen :slight_smile:

1 Like

I actually had to hack imgur’s parameters a little to make it clear and original size then convert it from webp to png. :upside_down_face:

Server appears to be returning a 404 page for the challenge file.

I’m in the midst of running, but I’ll check back with you guys later.

I just put www.morocotagold.gq in my browser and it couldn’t connect, even though morocotagold.gq does. I thought that leaving the Freenom DNS record name blank and only keeping the type, TTL and target was necessary, because its docs say that leaving the ‘name’ field blank assigns the record to my whole domain, but I guess I need to put a www record too. Let me look for that file that another commenter requested.

1 Like

So there are two issues:

  • DNS problem (with www not resolving to an IP)
  • nginx problem (which is confusing certbot)

I await the nginx code to review…

1 Like

Contents of /etc/nginx/sites-available/bigbluebutton:

```
server {
  listen 80;
  listen [::]:80;
  server_name morocotagold.gq;

  return 301 https://$server_name$request_uri; #redirect HTTP to HTTPS
}
server {
  listen 443 ssl;
  listen [::]:443 ssl;
  server_name morocotagold.gq;

  ssl_certificate /etc/letsencrypt/live/morocotagold.gq/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/morocotagold.gq/privkey.pem;
  ssl_session_cache shared:SSL:10m;
  ssl_session_timeout 10m;
  ssl_protocols TLSv1.2;
  ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
  ssl_prefer_server_ciphers on;
  ssl_dhparam /etc/nginx/ssl/dhp-4096.pem;

  # HSTS (comment out to enable)
  #add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

  access_log  /var/log/nginx/bigbluebutton.access.log;

  # Handle RTMPT (RTMP Tunneling).  Forwards requests
  # to Red5 on port 5080
  location ~ (/open/|/close/|/idle/|/send/|/fcs/) {
    proxy_pass         http://127.0.0.1:5080;
    proxy_redirect     off;
    proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;

    client_max_body_size       10m;
    client_body_buffer_size    128k;

    proxy_connect_timeout      90;
    proxy_send_timeout         90;
    proxy_read_timeout         90;

    proxy_buffering            off;
    keepalive_requests         1000000000;
  }

  # Handle desktop sharing tunneling.  Forwards
  # requests to Red5 on port 5080.
  location /deskshare {
    proxy_pass         http://127.0.0.1:5080;
    proxy_redirect     default;
    proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
    client_max_body_size       10m;
    client_body_buffer_size    128k;
    proxy_connect_timeout      90;
    proxy_send_timeout         90;
    proxy_read_timeout         90;
    proxy_buffer_size          4k;
    proxy_buffers              4 32k;
    proxy_busy_buffers_size    64k;
    proxy_temp_file_write_size 64k;
    include    fastcgi_params;
  }

  # BigBlueButton landing page.
  location / {
    root   /var/www/bigbluebutton-default;
    index  index.html index.htm;
    expires 1m;
  }

  # Include specific rules for record and playback
  include /etc/bigbluebutton/nginx/*.nginx;

  #error_page  404  /404.html;

  # Redirect server error pages to the static page /50x.html
  #
  error_page   500 502 503 504  /50x.html;
  location = /50x.html {
    root   /var/www/nginx-default;
  }
}
```
2 Likes

Please edit the post and add three backticks above and below it.
Like:
```
your text post
```

[Otherwise it is difficult to read]

2 Likes

Fixed. I feel a bit guilty to be asking these probably noob questions and should probably read a book about how to run servers, because I’m just improvising right now.

1 Like

No worries. At least you have the motivation to learn and solve things. That’s incredibly rare around here somedays. :slightly_smiling_face:

1 Like

A tip: you should have a server alias for www that maps and redirects to your bare domain name for canonicalization purposes.

The HTTPS section is a bit cluttered and includes an undisclosed amount of additional code:

I think we’re better off fixing this in HTTP.
That block is very simple (no complications):

```
server {
  listen 80;
  listen [::]:80;
  server_name morocotagold.gq;
  return 301 https://$server_name$request_uri; #redirect HTTP to HTTPS
}
```

Please adjust that as follows:

```
server {
  listen 80;
  listen [::]:80;
  server_name morocotagold.gq;
  location /.well-known/acme-challenge/ {
    access_log off;
    # send all challenge requests to a newly created/dedicated folder;
    # 'alias' (not 'root') maps /.well-known/acme-challenge/<token>
    # straight to /ACMEchallenges/<token>
    alias /ACMEchallenges/;
    # the '=' is required: a bare number would be tried as a URI, not returned as a status
    try_files $uri =404;
  }#location
  # keep the redirect inside a location: a server-level 'return' runs before
  # location matching and would redirect the challenge requests as well
  location / {
    return 301 https://$server_name$request_uri; #redirect HTTP to HTTPS
  }#location
}#server
```

Note that this method requires the creation of that dedicated challenge folder.
[feel free to change the location to anything you want - but for security, so long as it is only used for this purpose - not a common location]

1 Like

Where do I create ACMEchallenges? In /etc/nginx/sites-available/bigbluebutton or /var/www/bbb-default?

Anywhere you want:
mkdir /ACMEchallenges/ # this will create it at the root
mkdir /etc/ACMEchallenges/ # this will create it within the /etc folder
mkdir /var/IwantTouseAnotherNAME/ # this will create this “other name” at the /var folder
the location placement is not really an issue.
It will have very little information in it (files).
It will take up very little space.
But it MUST be unique - for security reasons.
It could even be /etc/1234567890/qwertyuiop/asdfghjkl/zxcvbnm
You choose and you don’t need to reveal it here.

1 Like

So long as it is in there, certbot will see it and use it.
Furthermore we can use that location to test it even before running certbot
For that, place a test text file in that location:
With something like (adjust accordingly):
echo "test file" >> /ACMEchallenges/test-file-1234
Then we should be able to see that file with:
http://morocotagold.gq/.well-known/acme-challenge/test-file-1234
If so, then all will work - go ahead and run certbot
If that fails, then we must look into the reason(s) for that failure and correct it/them.
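The pre-flight test described above (place a test file in the dedicated folder, fetch it over plain HTTP, and only run certbot once it is served), as an added example that is not from this thread. It assumes the file sits directly in the challenge folder, as in the echo command above, and bundles a constructed stand-in for nginx (`_FakeNginx`) so the checker can be exercised offline; `check_challenge` is the part you would point at the real domain.

```python
# Added example, not code from the thread: fetch the test file over plain HTTP without
# following redirects, and classify the outcome the way the thread's diagnosis does.
import http.client
import http.server
import threading

def check_challenge(host, port, token, expected_body):
    """(ok, detail): ok only for HTTP 200 carrying the expected body.  A redirect means nginx
    answered before the acme-challenge location; a 404 means the folder/file mapping is off."""
    conn = http.client.HTTPConnection(host, port, timeout=10)
    try:
        conn.request("GET", "/.well-known/acme-challenge/" + token)
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", "replace").strip()
    except OSError as e:
        return False, "connection failed: %s" % e
    finally:
        conn.close()
    if resp.status in (301, 302, 307, 308):
        return False, "redirected to %s before the challenge location" % resp.getheader("Location", "")
    if resp.status != 200:
        return False, "HTTP %d on challenge path" % resp.status
    if body != expected_body.strip():
        return False, "200 but unexpected body: %r" % body
    return True, "challenge path served correctly"

class _FakeNginx(http.server.BaseHTTPRequestHandler):
    # Constructed stand-in: 'ok' serves the test file, 'redirect' mimics a server-level
    # 'return 301' that pre-empts the location block, 'missing' answers 404.
    mode, body = "ok", "test file"
    log_message = lambda self, *args: None

    def do_GET(self):
        status = {"ok": 200, "redirect": 301, "missing": 404}[self.mode]
        self.send_response(status)
        if status == 301:
            self.send_header("Location", "https://example.invalid" + self.path)
        self.end_headers()
        if status == 200:
            self.wfile.write(self.body.encode())

def run_local_check(mode):
    # Start the fake on a free local port and run the same check against it.
    _FakeNginx.mode = mode
    srv = http.server.HTTPServer(("127.0.0.1", 0), _FakeNginx)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return check_challenge("127.0.0.1", srv.server_address[1], "test-file-1234", "test file")
    finally:
        srv.shutdown()
```

Against the real host, call `check_challenge("morocotagold.gq", 80, "test-file-1234", "test file")` and only proceed to certbot when it reports ok.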