Unauthorized response no matter what ... =|

My domain is:
www.maytelohace.ml

I ran this command:
(I’ve tried this several ways - using this guide: https://gist.github.com/cecilemuller/a26737699a7e70a7093d4dc115915de8)

certbot certonly --webroot --agree-tos --no-eff-email --email YOUR@EMAIL.COM -w /var/www/letsencrypt -d www.domain.com -d domain.com

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.maytelohace.ml
http-01 challenge for maytelohace.ml
Using the webroot path /var/www/letsencrypt for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. maytelohace.ml (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://maytelohace.ml/.well-known/acme-challenge/AicOnG01AA65XyZyJztmaISktfZNMQDOY_nUnJZuP34: "

404 Not Found

Not Found

<p", www.maytelohace.ml (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.maytelohace.ml/.well-known/acme-challenge/ryhpcPuPyvzmtPJXo7el9UUvEuHwCqj9R2FCmkN-Sg0: " 404 Not Found

Not Found

<p"

IMPORTANT NOTES:

My web server is (include version):

nginx - 1.12.1-0ubuntu2

The operating system my web server runs on is (include version):

Distributor ID: Ubuntu
Description: Ubuntu 17.10
Release: 17.10
Codename: artful

My hosting provider, if applicable, is:

Myself - DDNS

I can login to a root shell on my machine (yes or no, or I don’t know):

Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

No - it’s basically a fresh server install

Nginx server blocks: (after following guide mentioned perfectly)

server {
    listen 80;
    listen [::]:80;
    #listen 443 ssl http2;
    #listen [::]:443 ssl http2;

    server_name maytelohace.ml www.maytelohace.ml;

    include /etc/nginx/snippets/ssl.conf/certbot.conf;

    root /var/www/maytelohace.ml;

    # Add index.php to the list if you are using PHP
    index index.php index.html index.htm index.nginx-debian.html;


    location / {
            # First attempt to serve request as file, then
            # as directory, then fall back to displaying a 404.
            try_files $uri $uri/ =404;
    }

    # pass PHP scripts to FastCGI server
    #
    location ~ \.php$ {
            include snippets/fastcgi-php.conf;
    #
    #       # With php-fpm (or other unix sockets):
            fastcgi_pass unix:/var/run/php/php7.1-fpm.sock;
    #       # With php-cgi (or other tcp sockets):
            # fastcgi_pass 127.0.0.1:9000;
    }

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    #location ~ /\.ht {
    #       deny all;
    #}

    location ~ /.well-known {
            allow all;
    }

}

Can you put a test file inside /var/www/maytelohace.ml/.well-known/acme-challenge/ and access it?

Yes, even though the guide I followed instructed me to mkdir /var/www/letsencrypt/.well-known/acme-challenge - I can access the file over the web. It seems like no matter what I do I keep getting the “unauthorized” 404 response from certbot 0.19.0 when I run certbot. I can’t access the .well-known folder from the web; I get a 403 again.

My folder permissions look like this: (recursively)

(/var/www)
drwxr-xr-x 4 www-data www-data 4.0K Feb 3 10:47 letsencrypt
drwxr-xr-x 3 www-data www-data 4.0K Feb 2 20:31 maytelohace.ml

It seems like no matter what I do I keep getting the “unauthorized” response from certbot.

What am I missing here… DNS records are correct and I can access the site from outside of my network …

Help. (thank you).

What’s the contents of /etc/nginx/snippets/ssl.conf/certbot.conf?

location ^~ /.well-known/acme-challenge/ {
    default_type "text/plain";
    root /var/www/letsencrypt;
}

Could it be this part "bites" with the location directive of certbot.conf? What if you combine both?

I just noticed that I left that part in there. I have been moving things around trying to find anything that will work. I’ve changed folder permissions to 777 thinking I could do that just to obtain the cert, but again, “unauthorized” response from certbot.

I can remove that location directive in the conf file, but I don’t think it’s going to help … (will try really quick)

Yeah, same thing.

I took out the “root” declaration in certbot.conf , then removed the location declaration in the server block like you suggested … then restarted nginx, I ran this command and got the same output …

tvpc@Samsung3DTV:/etc/nginx/snippets/ssl.conf$ cd /
tvpc@Samsung3DTV:/$ sudo certbot certonly --webroot --agree-tos --no-eff-email --email (my email) -w /var/www/maytelohace.ml -d www.maytelohace.ml -d maytelohace.ml
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.maytelohace.ml
http-01 challenge for maytelohace.ml
Using the webroot path /var/www/maytelohace.ml for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. maytelohace.ml (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://maytelohace.ml/.well-known/acme-challenge/MG-SCC2gO4GObijXzNOIiEhb7uo4LZcf4Tzl_lhUQm8:

Hm, I can’t figure it out. =|

There’s no firewall restrictions at any level.

I’m guessing by the lack of response here no one else can figure it out either.

I’m about to just reload the entire OS and start from scratch … =|

It’s weird, I’ve done this before and didn’t have any issues before. It was really easy (or so I thought).

It's Saturday evening in a large part of the world... :wink:

Most of the time, webservers mention the path they were searching for when a file wasn't found in their error logs. Check your nginx error logs and if they don't mention anything useful, up the verbosity of the error logs and try again.

True. Thanks for your help man I’ll check the server logs and certbot log and just keep at it. It’s frustrating when you feel like you’ve checked everything several times over. I’m sure you’ve been here before. =|

I want to get the SSL in place before I drop the site in, you know?

I feel like it’s a permissions issue somewhere but even after chmod 777 on the folders and it still doesn’t go, I’m not sure I feel like that anymore.

I’m sure I’ll find out it’s something really simple, really stupid.

Thanks again.

http://maytelohace.ml/ and http://www.maytelohace.ml/ return different websites over IPv4 and IPv6.

IPv6 is an Apache Windows phpinfo page.

IPv4 is Nginx on Linux and says “Mayte Lo Hace!”.

3 Likes
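Added example, not part of the original thread: a Python check for the mismatch identified above, which requests the same path from every A and AAAA address of a name and reports addresses that answer differently. The function names, the script name and the sample data in the comments are assumptions made for illustration.

```python
"""Probe every A/AAAA address of a host for one path (added example)."""
import http.client
import socket
import sys


def addresses(host, port=80):
    """Return [(family_name, ip)] for each distinct address the name resolves to."""
    seen = []
    for family, _, _, _, sockaddr in socket.getaddrinfo(host, port, type=socket.SOCK_STREAM):
        entry = ("IPv6" if family == socket.AF_INET6 else "IPv4", sockaddr[0])
        if entry not in seen:
            seen.append(entry)
    return seen


def probe(ip, host, path, timeout=5):
    """GET path from one specific IP, sending the real Host header."""
    conn = http.client.HTTPConnection(ip, 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Server", "unknown")
    except (OSError, http.client.HTTPException) as exc:
        return None, f"error: {exc}"
    finally:
        conn.close()


def diagnose(results):
    """results: [(family, ip, status, server)]. Empty list = all addresses agree."""
    findings = [f"{fam} {ip}: status {status} ({server})"
                for fam, ip, status, server in results if status != 200]
    products = {server.split("/")[0].lower() for _, _, _, server in results}
    if len(products) > 1:
        findings.append("different server software per address: " + ", ".join(sorted(products)))
    return findings


def check(host, path):
    """Resolve host, probe each address, and return the findings."""
    results = [(fam, ip) + probe(ip, host, path) for fam, ip in addresses(host)]
    return diagnose(results)


if __name__ == "__main__":
    # Usage (hypothetical script name): python3 probe.py example.org /.well-known/acme-challenge/test.txt
    for line in check(sys.argv[1], sys.argv[2]) or ["all addresses serve the file"]:
        print(line)
```

Run it against a test file placed in the webroot before invoking certbot; any finding means at least one published address does not reach the server that holds the challenge files.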

No crap … REALLY … wtf … … I have an apache instance on another machine… I think you figured it out.

Dude, THANK YOU!

That WAS the problem. Awesome. Thank you again for the extra set of eyes.
