Unauthorized when renewing

I'm using React and Nginx

My domain is: oraj.bjmp.gov.ph

I ran this command: sudo certbot --nginx -v -d oraj.bjmp.gov.ph --debug-challenges

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Certificate is due for renewal, auto-renewing...
Renewing an existing certificate for oraj.bjmp.gov.ph
Performing the following challenges:
http-01 challenge for oraj.bjmp.gov.ph


Challenges loaded. Press continue to submit to CA. Pass "-v" for more info about
challenges.


Press Enter to Continue
Waiting for verification...
Challenge failed for domain oraj.bjmp.gov.ph
http-01 challenge for oraj.bjmp.gov.ph

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: oraj.bjmp.gov.ph
Type: unauthorized
Detail: 202.90.133.189: Invalid response from http://oraj.bjmp.gov.ph/.well-known/acme-challenge/CE14KPqHdW2ZuvjnmyKzDNAqMC78x0yVtge2_TQupS0: 404

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Cleaning up challenges
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): nginx/1.18.0 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 22.04.2 LTS

My hosting provider, if applicable, is: I'm on-premises

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No, using SSH client only

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.21.0

I tested the site on letsdebug.net and it is All OK

This is the site config file:

upstream backend {
  server localhost:3000;   # the React app running as a service
}

server {
    server_name oraj.bjmp.gov.ph;

    location / {
        proxy_pass http://backend/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;

        proxy_set_header X-Real-IP $remote_addr;
        # Standard header names are X-Forwarded-*; $scheme reports "https" on this
        # 443 block instead of the hard-coded "http" the original config sent.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Nginx-Proxy true;

        proxy_redirect off;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/oraj.bjmp.gov.ph/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/oraj.bjmp.gov.ph/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}


server {
    if ($host = oraj.bjmp.gov.ph) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    listen 80;
    server_name oraj.bjmp.gov.ph;
    return 404; # managed by Certbot


}

Hi @rollercaster, and welcome to the LE community forum :slight_smile:

I see an Apache server [and it isn't redirecting to HTTPS]:

curl -Ii oraj.bjmp.gov.ph
HTTP/1.1 200 OK
Date: Mon, 18 Nov 2024 12:41:34 GMT
Server: Apache/2.4.18 (Ubuntu)
Last-Modified: Tue, 29 Jun 2021 16:43:42 GMT
ETag: "2c39-5c5ea4f071278"
Accept-Ranges: bytes
Content-Length: 11321
Vary: Accept-Encoding
Content-Type: text/html
2 Likes

Hey @rg305,

I am not using apache2. I am using nginx.

I checked it using 'sudo systemctl status apache2'

it responded 'Unit apache2.service could not be found.'

And yet, the Internet sees Apache.

Are you at the right IP?
Is there some other web service/proxy in front of your server?

2 Likes

Yes, it is the correct IP. I'm running a React app as a service on port 3000. The weird thing is it was working fine for about 6 months and now has this problem. The certificate will expire in 17 days.

Can I just delete the certificate and install it again?

That would not help at all. A renewal is just a brand new certificate, but with the same hostnames. This renewal fails. If you delete it and try again, that new attempt will fail also.

By the way, the correct command to renew is sudo certbot renew.

And I can confirm Rudy's findings: I too see an Apache webserver. At least, a webserver claiming to be Apache. Not nginx, not "React", whatever that may be.

1 Like

Thanks @Osiris and @rg305 for the info. It may be that there is another server running on the same port 80 on the IP. Right?

1 Like

Yes.
Can you confirm the IP?
curl ifconfig.io

2 Likes
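The two questions asked above (is the public name pointing at the IP you expect, and is the thing answering port 80 there actually this nginx?) can be scripted as a pre-flight before running certbot. This is an added example, not code from the thread or from Certbot; DOMAIN and EXPECTED_IP default to the values posted in the thread, the probe path under /.well-known/acme-challenge/, the 10-second curl timeouts and the use of getent for DNS are assumptions, and ifconfig.io is the same service suggested in the post above.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight for an http-01 renewal behind
# a port forward. It checks whether the public DNS name reaches the IP you
# expect, and whether the server answering port 80 there is this nginx or some
# other host. DOMAIN and EXPECTED_IP default to the values from the thread; the
# probe path and the curl timeouts are assumptions.
DOMAIN="${DOMAIN:-oraj.bjmp.gov.ph}"
EXPECTED_IP="${EXPECTED_IP:-202.90.133.189}"

# Print the Server: banner from a raw HTTP response-header block on stdin.
server_banner() {
    tr -d '\r' | awk 'tolower($1) == "server:" { sub(/^[^:]*: */, ""); print; exit }'
}

# Decide what the CA hit. $1 = IP public DNS gives for DOMAIN,
# $2 = Server banner returned on port 80 at that IP with Host: DOMAIN,
# $3 = Server banner this nginx returns on 127.0.0.1:80 with Host: DOMAIN.
# Prints one diagnosis line; returns 0 only when the challenge would reach this nginx.
diagnose() {
    if [ "$1" != "$EXPECTED_IP" ]; then
        echo "DNS resolves $DOMAIN to '$1', not $EXPECTED_IP: fix the A record or the port forward"
        return 1
    fi
    if [ -z "$2" ]; then
        echo "nothing answered http://$DOMAIN/ at $1: port 80 is not forwarded or is firewalled"
        return 1
    fi
    if [ "$2" != "$3" ]; then
        echo "port 80 at $1 answers as '$2' but local nginx is '$3': another host owns the forward"
        return 1
    fi
    echo "port 80 at $1 reaches this nginx ('$3'); http-01 should work"
    return 0
}

# Live run (network required): ./preflight.sh --run
if [ "${1:-}" = "--run" ]; then
    dns_ip=$(getent ahostsv4 "$DOMAIN" | awk 'NR == 1 { print $1 }')
    [ -n "$dns_ip" ] || { echo "no A record for $DOMAIN"; exit 1; }
    path="/.well-known/acme-challenge/preflight"
    # --resolve pins curl to the DNS answer, which is the path the CA's validator takes
    public_banner=$(curl -sI --max-time 10 --resolve "$DOMAIN:80:$dns_ip" "http://$DOMAIN$path" | server_banner)
    # Same request straight at the local nginx, bypassing the NAT entirely
    local_banner=$(curl -sI --max-time 10 -H "Host: $DOMAIN" "http://127.0.0.1$path" | server_banner)
    echo "egress IP seen from outside: $(curl -s4 --max-time 10 https://ifconfig.io) (may legitimately differ from $EXPECTED_IP behind NAT)"
    diagnose "$dns_ip" "$public_banner" "$local_banner"
fi
```

On the setup in this thread the public probe returns an Apache banner while the local one returns nginx, so diagnose points at the port forward rather than at certbot or the nginx config. The banner comparison is only a heuristic: a second nginx host with the same version string would look identical, and a 404 for the probe path is expected from both sides because certbot only injects the challenge location while it is running.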

It is giving a different IP: 202.57.53.147

But what I know is that this server's port 80 is forwarded to 202.90.133.189

Then the DNS zone for your domain should reflect that if you want the public internet to connect directly to that server.

What does that mean?

1 Like

My server/VM is on a LAN. I'm just port-forwarding it to one of our external IPs.

It looks like the problem is that another VM with Apache is also using port 80. I already stopped nginx but am still getting that Apache page. I need to contact my network admin.

You guys are awesome! I will get you updated on this.

1 Like

How does that work? I'm only familiar with port forwarding in a NAT device, which has the public IP, to an internal IP address. Not to an external one?

If you want to have multiple webservers behind a single IP address/port combination (notice port 443 for HTTPS is probably going to be "shared" too), one usually uses virtual hosts in combination with a reverse proxy.

1 Like
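The "virtual hosts plus a reverse proxy" arrangement suggested above, as an added example that is not part of the thread: one front proxy owns the public port 80 and 443 forward and dispatches by hostname, so each VM keeps running its own certbot and the http-01 token request for oraj.bjmp.gov.ph lands on the VM whose certbot placed it. The backend addresses 10.0.0.10 (the nginx/React VM from this thread) and 10.0.0.20 (the Apache VM that currently answers instead), the second hostname other.example, and the use of the stream module's ssl_preread for 443 are all assumptions.

```nginx
# Added example, not from the thread: front proxy for a single public IP shared
# by two web servers. 10.0.0.10 is assumed to be the nginx/React VM from this
# thread, 10.0.0.20 the Apache VM; both addresses and other.example are hypothetical.

http {
    # Port 80: route by Host header. The CA's validator sends Host: oraj.bjmp.gov.ph,
    # so server_name is what decides which VM receives the acme-challenge request.
    server {
        listen 80;
        server_name oraj.bjmp.gov.ph;
        location / {
            proxy_pass http://10.0.0.10:80;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }

    server {
        listen 80;
        server_name other.example;
        location / {
            proxy_pass http://10.0.0.20:80;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }

    # Explicit default: without it nginx silently uses the first server block
    # above for any unknown Host, which is how an unrelated site ends up
    # answering for a name it was never meant to serve. 444 drops the connection.
    server {
        listen 80 default_server;
        server_name _;
        return 444;
    }
}

# Port 443: pass TLS through untouched, choosing the backend from the SNI name
# so each VM keeps its own Let's Encrypt certificate and private key. Needs the
# stream module with ssl_preread (libnginx-mod-stream on Ubuntu).
stream {
    map $ssl_preread_server_name $tls_backend {
        oraj.bjmp.gov.ph   10.0.0.10:443;
        other.example      10.0.0.20:443;
        default            10.0.0.20:443;
    }

    server {
        listen 443;
        ssl_preread on;
        proxy_pass $tls_backend;
    }
}
```

With this in place the NAT forwards 202.90.133.189:80 and :443 to the proxy only, and `nginx -t` on the proxy is the check to run after each edit. The backends then see the proxy's address as the client, which is why X-Real-IP and X-Forwarded-For are set on the port 80 path; on the 443 path the proxy never terminates TLS, so the backend's own access logs will show the proxy address unless the PROXY protocol is added on both sides.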

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.