Unauthorized invalid response from <domain>/.well-known/acme-challenge/etc

It finished successfully. Sorry for forgetting your alt. command at first.

I’m sorry.
We keep getting derailed and side-tracked and are now going in circles.

You don’t seem to have updated certbot (sufficiently)
nginx is unable to serve the /.well-known/acme-challenge/ test files as instructed.

We are literally getting nowhere fast [and doing it extremely slowly].

Your current choices are (as I see them):

  • put another (newer) system in front of this (old) server to proxy the content via a useable web browser and newer certbot
  • remove and upgrade the current certbot (to snaps version)
  • update the current system
  • upgrade the current system

Probably only #2 is an option, because I don’t have a third computer and BBB only runs on Server 16.04.7 from what I read. Let me see how to upgrade certbot and I’ll be back.

Or swtich to certbot-auto
switch to acme.sh

16.04 is supported by snaps.

  1. Remove the current certbot
    sudo apt remove certbot
  2. remove any unused…leftovers
    sudo apt-get autoremove
  3. install certbot from snaps
    sudo snap install certbot --classic

Ok, got Certbot 1.8 now.

But this change does nothing for nginx version 1.10.3 - that remains
Hopefully 1.8.0 can work better with it.

Allright :crossed_fingers: try:
certbot --nginx

[and walk through the choices]

Also, OpenSSL may need to be checked/updated as well.
[you are only as secure as your weakest link]

Certbot finished fine and sudo apt update says everything’s up to date.

? ? ?
Did you get a cert?
Did it say “Congratulations…”

What about:
openssl version

Yes. Renewed and replaced it. Said Congratulations!

Openssl version: 1.0.2g

You then have to do:
sudo apt upgrade
[update only synchronizes the repositories]

They go hand and hand:
sudo apt update
sudo apt upgrade

Yea, I always do that. sudo apt upgrade says 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

OpenSSL version 1.0.2 is up to update “w”
That’s 16 updates since “g”
See: https://www.openssl.org/news/vulnerabilities-1.0.2.html
And decide if you are OK with using that version.

Well at least that is GOOD NEWS!

1 Like

Wouldn’t hurt to use a new version of Openssl.

Now you need to test that it works. https://…
And ensure it renews automatically.

Yea, morocotagold.gq opens fine with https.

Agreed but you may have to download/compile it yourself.
Not sure… maybe they have a snaps installer - LOL

then check it with SSL Labs:

Rated a big, green A :slight_smile: