Unexpected error

Help
1

My domain is:
rinatrix.com

I ran this command:
I'm following a tutorial to create a dockerized django-react-postgres-nginx program and putting it on an AWS EC2 instance (Docker-Compose for Django and React with Nginx reverse-proxy and Let’s encrypt certificate | React and Django Tutorial). The instance works and the app works. I am trying to get a certificate with

sudo ./init-letsencrypt.sh

Before all the outputs... I tried a bunch of other people suggestions from this website, including enabeling IPv6 on AWS (didn't help).

It produced this output:

###Downloading recommended TLS parameters ...

###Creating dummy certificate for rinatrix.com ...
/snap/docker/2343/lib/python3.6/site-packages/paramiko/transport.py:33: CryptographyDeprecationWarning: Python 3.6 is no longer supported by the Python core team. Therefore, support for it is deprecated in cryptography and will be removed in a future release.
from cryptography.hazmat.backends import default_backend
Creating app_certbot_run ... done
Generating a RSA private key
.........................+++++
...+++++
writing new private key to '/etc/letsencrypt/live/rinatrix.com/privkey.pem'

###Starting nginx ...
/snap/docker/2343/lib/python3.6/site-packages/paramiko/transport.py:33: CryptographyDeprecationWarning: Python 3.6 is no longer supported by the Python core team. Therefore, support for it is deprecated in cryptography and will be removed in a future release.
from cryptography.hazmat.backends import default_backend
Recreating app_db_1 ... done
Recreating app_backend_1 ... done
Recreating app_nginx_1 ... done

###Deleting dummy certificate for rinatrix.com ...
/snap/docker/2343/lib/python3.6/site-packages/paramiko/transport.py:33: CryptographyDeprecationWarning: Python 3.6 is no longer supported by the Python core team. Therefore, support for it is deprecated in cryptography and will be removed in a future release.
from cryptography.hazmat.backends import default_backend
Creating app_certbot_run ... done

###Requesting Let's Encrypt certificate for rinatrix.com ...
/snap/docker/2343/lib/python3.6/site-packages/paramiko/transport.py:33: CryptographyDeprecationWarning: Python 3.6 is no longer supported by the Python core team. Therefore, support for it is deprecated in cryptography and will be removed in a future release.
from cryptography.hazmat.backends import default_backend
Creating app_certbot_run ... done
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
An unexpected error occurred:
requests.exceptions.ConnectTimeout: HTTPSConnectionPool(host='acme-staging-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by ConnectTimeoutError(<urllib3.connection.HTTPSConnection object at 0x7f3a35fcb910>, 'Connection to acme-staging-v02.api.letsencrypt.org timed out. (connect timeout=45)'))
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
ERROR: 1

###Reloading nginx ...
/snap/docker/2343/lib/python3.6/site-packages/paramiko/transport.py:33: CryptographyDeprecationWarning: Python 3.6 is no longer supported by the Python core team. Therefore, support for it is deprecated in cryptography and will be removed in a future release.
from cryptography.hazmat.backends import default_backend
2023/03/01 03:53:42 [emerg] 30#30: cannot load certificate "/etc/letsencrypt/live/rinatrix.com/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/rinatrix.com/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)
nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/rinatrix.com/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/rinatrix.com/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)

/var/log/letsencrypt/letsencrypt.log

023-03-01 03:28:14,944:DEBUG:urllib3.connectionpool:http://localhost:None "GET /v2/connections?sna>
2023-03-01 03:28:15,194:DEBUG:certbot._internal.main:certbot version: 2.3.0
2023-03-01 03:28:15,194:DEBUG:certbot._internal.main:Location of certbot entry point: /snap/certbot>
2023-03-01 03:28:15,194:DEBUG:certbot._internal.main:Arguments: ['--preconfigured-renewal']
2023-03-01 03:28:15,194:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntr>
2023-03-01 03:28:15,209:DEBUG:certbot._internal.log:Root logging level set at 30
2023-03-01 03:28:15,211:DEBUG:certbot._internal.display.obj:Notifying user: No certificates found.

nginx settings (default.conf)

server {
    listen 80;
    server_name rinatrix.com;
    server_tokens off;

    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name rinatrix.com;
    server_tokens off;

    ssl_certificate /etc/letsencrypt/live/rinatrix.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/rinatrix.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    client_max_body_size 20M;

    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
        try_files $uri $uri/ /index.html;
    }

    location /api {
        try_files $uri @proxy_api;
    }

    location /djangoadmin {
        try_files $uri @proxy_api;
    }

    location /rest-auth {
        try_files $uri @proxy_api;
    }
    location /api-auth {
        try_files $uri @proxy_api;
    }
#     location /admin {
#         try_files $uri @proxy_api;
#     }

    location @proxy_api {
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Url-Scheme $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_redirect off;
        proxy_pass   http://backend:8000;
    }

    location /django_static/ {
        autoindex on;
        alias /app/backend/nabuconnect/django_static/;
    }
}

My web server is (include version):

AWS

The operating system my web server runs on is (include version):

Ubuntu 22.04.1 LTS (GNU/Linux 5.15.0-1028-aws x86_64)

My hosting provider, if applicable, is:
This might be what I put above. Apologies.

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 2.3.0

a call that someone else had asked someone for before

echo | openssl s_client -connect acme-v02.api.letsencrypt.org:443 -servername acme-v02.api.letsencrypt.org | head
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = acme-v02.api.letsencrypt.org
verify return:1
CONNECTED(00000003)

Certificate chain
0 s:CN = acme-v02.api.letsencrypt.org
i:C = US, O = Let's Encrypt, CN = R3
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Dec 31 18:46:12 2022 GMT; NotAfter: Mar 31 18:46:11 2023 GMT
1 s:C = US, O = Let's Encrypt, CN = R3
i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
DONE

ANother one someone asked for

curl -I https://acme-staging-v02.api.letsencrypt.org/directory 1
HTTP/2 200
server: nginx
date: Wed, 01 Mar 2023 02:51:29 GMT
content-type: application/json
content-length: 830
cache-control: public, max-age=0, no-cache
replay-nonce: 8F05dUwO77RKfWonpF1v2XMGIUEXo-yk3aJgVhFc1GK7g24
x-frame-options: DENY
strict-transport-security: max-age=604800

curl -LIv4

curl -LIv4 https://acme-v02.api.letsencrypt.org/

  • Trying 172.65.32.248:443...
  • Connected to acme-v02.api.letsencrypt.org (172.65.32.248) port 443 (#0)
  • ALPN, offering h2
  • ALPN, offering http/1.1
  • CAfile: /etc/ssl/certs/ca-certificates.crt
  • CApath: /etc/ssl/certs
  • TLSv1.0 (OUT), TLS header, Certificate Status (22):
  • TLSv1.3 (OUT), TLS handshake, Client hello (1):
  • TLSv1.2 (IN), TLS header, Certificate Status (22):
  • TLSv1.3 (IN), TLS handshake, Server hello (2):
  • TLSv1.2 (IN), TLS header, Finished (20):
  • TLSv1.2 (IN), TLS header, Supplemental data (23):
  • TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
  • TLSv1.2 (IN), TLS header, Supplemental data (23):
  • TLSv1.3 (IN), TLS handshake, Certificate (11):
  • TLSv1.2 (IN), TLS header, Supplemental data (23):
  • TLSv1.3 (IN), TLS handshake, CERT verify (15):
  • TLSv1.2 (IN), TLS header, Supplemental data (23):
  • TLSv1.3 (IN), TLS handshake, Finished (20):
  • TLSv1.2 (OUT), TLS header, Finished (20):
  • TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
  • TLSv1.2 (OUT), TLS header, Supplemental data (23):
  • TLSv1.3 (OUT), TLS handshake, Finished (20):
  • SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
  • ALPN, server accepted to use h2
  • Server certificate:
  • subject: CN=acme-v02.api.letsencrypt.org
  • start date: Feb 28 22:32:51 2023 GMT
  • expire date: May 29 22:32:50 2023 GMT
  • subjectAltName: host "acme-v02.api.letsencrypt.org" matched cert's "acme-v02.api.letsencrypt.org"
  • issuer: C=US; O=Let's Encrypt; CN=R3
  • SSL certificate verify ok.
  • Using HTTP2, server supports multiplexing
  • Connection state changed (HTTP/2 confirmed)
  • Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
  • TLSv1.2 (OUT), TLS header, Supplemental data (23):
  • TLSv1.2 (OUT), TLS header, Supplemental data (23):
  • TLSv1.2 (OUT), TLS header, Supplemental data (23):
  • Using Stream ID: 1 (easy handle 0x559d8434c550)
  • TLSv1.2 (OUT), TLS header, Supplemental data (23):

HEAD / HTTP/2
Host: acme-v02.api.letsencrypt.org
user-agent: curl/7.81.0
accept: /

  • TLSv1.2 (IN), TLS header, Supplemental data (23):
  • TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
  • TLSv1.2 (IN), TLS header, Supplemental data (23):
  • TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
  • old SSL session ID is stale, removing
  • TLSv1.2 (IN), TLS header, Supplemental data (23):
  • Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
  • TLSv1.2 (OUT), TLS header, Supplemental data (23):
  • TLSv1.2 (IN), TLS header, Supplemental data (23):
  • TLSv1.2 (IN), TLS header, Supplemental data (23):
    < HTTP/2 200
    HTTP/2 200
    < server: nginx
    server: nginx
    < date: Wed, 01 Mar 2023 04:47:28 GMT
    date: Wed, 01 Mar 2023 04:47:28 GMT
    < content-type: text/html
    content-type: text/html
    < content-length: 1540
    content-length: 1540
    < last-modified: Thu, 23 Jun 2022 21:25:45 GMT
    last-modified: Thu, 23 Jun 2022 21:25:45 GMT
    < etag: "62b4da59-604"
    etag: "62b4da59-604"
    < x-frame-options: DENY
    x-frame-options: DENY
    < strict-transport-security: max-age=604800
    strict-transport-security: max-age=604800

<

curl curl -LIv6

curl -LIv6 https://acme-v02.api.letsencrypt.org/

  • Trying 2606:4700:60:0:f53d:5624:85c7:3a2c:443...
  • connect to 2606:4700:60:0:f53d:5624:85c7:3a2c port 443 failed: Connection timed out
  • Failed to connect to acme-v02.api.letsencrypt.org port 443 after 130939 ms: Connection timed out
  • Closing connection 0
    curl: (28) Failed to connect to acme-v02.api.letsencrypt.org port 443 after 130939 ms: Connection timed out
2

Hi @natrix, and welcome to the LE community forum :slight_smile:

Why is that in your config?:

Are you in the right container?
What shows?:
certbot certificates

I'm starting to doubt:

You must have a working HTTP site before you can use HTTP-01 authentication to obtain a cert for it.

3 Likes
3

certbot certificats says there are no certificates.

I included those .pem because they were in the tutorial.

You're right about the working. I realized it was on my host that it worked without an issue but not AWS. I changed it to development, removed the certbot service, and now if I curlt localhost --> it gives the homepage httml although it doesn't work in a web browser. I installed nginx outside of the contianer and it put up the nginx welcome page for rinatrix.com so the DNS appears to be ok.

I guess I got to get this working. Any idea what might be causing this issue where it works locally on AWS but not thogh a browser?

4

I see none of it working:

curl -Ii http://rinatrix.com/
curl: (56) Recv failure: Connection reset by peer

curl -Ii http://www.rinatrix.com/
curl: (6) Could not resolve host: www.rinatrix.com
3 Likes
5

FYI - Only Port 80 is open

Presently I am seeing this:

$ nmap -Pn rinatrix.com
Starting Nmap 7.80 ( https://nmap.org ) at 2023-03-01 22:04 UTC
Nmap scan report for rinatrix.com (3.138.94.177)
Host is up (0.082s latency).
rDNS record for 3.138.94.177: ec2-3-138-94-177.us-east-2.compute.amazonaws.com
Not shown: 997 filtered ports
PORT     STATE  SERVICE
80/tcp   open   http
443/tcp  closed https
8000/tcp closed http-alt

Nmap done: 1 IP address (1 host up) scanned in 9.36 seconds

$ nmap -Pn www.rinatrix.com
Starting Nmap 7.80 ( https://nmap.org ) at 2023-03-01 22:04 UTC
Nmap scan report for www.rinatrix.com (3.138.94.177)
Host is up (0.054s latency).
rDNS record for 3.138.94.177: ec2-3-138-94-177.us-east-2.compute.amazonaws.com
Not shown: 997 filtered ports
PORT     STATE  SERVICE
80/tcp   open   http
443/tcp  closed https
8000/tcp closed http-alt

Nmap done: 1 IP address (1 host up) scanned in 8.00 seconds

$ curl -Ii http://rinatrix.com/.well-known/acme-challenge/sometestfile                                               HTTP/1.1 200 OK
Server: nginx
Date: Wed, 01 Mar 2023 22:08:23 GMT
Content-Type: text/html
Content-Length: 2289
Last-Modified: Wed, 01 Mar 2023 22:03:42 GMT
Connection: keep-alive
ETag: "63ffcbbe-8f1"
Accept-Ranges: bytes

$ curl -Ii http://www.rinatrix.com/.well-known/acme-challenge/sometestfile                                           HTTP/1.1 200 OK
Server: nginx
Date: Wed, 01 Mar 2023 22:08:28 GMT
Content-Type: text/html
Content-Length: 2289
Last-Modified: Wed, 01 Mar 2023 22:03:42 GMT
Connection: keep-alive
ETag: "63ffcbbe-8f1"
Accept-Ranges: bytes
6

Ok so now the HTTP works. The problem now is when I try to get my staging certificates, I get an error.

My new nginx default.conf is as follows (I commented out the .pem lines as seen in a different forum here).


server {
    listen 80;
    # listen [::]:80;
    server_name rinatrix.com www.rinatrix.com;
    server_tokens off;

    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    # listen [::]:443 ssl http2;
    server_name rinatrix.com www.rinatrix.com;
    server_tokens off;

    # ssl_certificate /etc/letsencrypt/live/rinatrix.com/fullchain.pem;
    # ssl_certificate_key /etc/letsencrypt/live/rinatrix.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    client_max_body_size 20M;

    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
        try_files $uri $uri/ /index.html;
    }

    location /api {
        try_files $uri @proxy_api;
    }

    location /djangoadmin {
        try_files $uri @proxy_api;
        rewrite ^([^.]*[^/])$ $1/ permanent;
    }

    location /rest-auth {
        try_files $uri @proxy_api;
    }
    location /api-auth {
        try_files $uri @proxy_api;
    }
#     location /admin {
#         try_files $uri @proxy_api;
#     }

    location @proxy_api {
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Url-Scheme $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_redirect off;
        proxy_pass   http://backend:8000;
    }

    location /django_static/ {
        autoindex on;
        alias /app/backend/nabuconnect/django_static/;
    }
}

When I run sudo ./init-letsencrypt.sh I get:

Existing data found for rinatrix.com. Continue and replace existing certificate? (y/N) y
### Creating dummy certificate for rinatrix.com ...
Creating app_certbot_run ... done
Generating a RSA private key
....+++++
.................................................................................+++++
writing new private key to '/etc/letsencrypt/live/rinatrix.com/privkey.pem'
-----

### Starting nginx ...
Recreating app_db_1 ... done
Recreating app_backend_1 ... done
Recreating app_nginx_1   ... done

### Deleting dummy certificate for rinatrix.com ...
Creating app_certbot_run ... done

### Requesting Let's Encrypt certificate for rinatrix.com ...
Creating app_certbot_run ... done
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Requesting a certificate for rinatrix.com and www.rinatrix.com
Performing the following challenges:
http-01 challenge for rinatrix.com
http-01 challenge for www.rinatrix.com
Using the webroot path /var/www/certbot for all unmatched domains.
Waiting for verification...
Challenge failed for domain rinatrix.com
Challenge failed for domain www.rinatrix.com
http-01 challenge for rinatrix.com
http-01 challenge for www.rinatrix.com

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: rinatrix.com
  Type:   unauthorized
  Detail: 3.138.94.177: Invalid response from http://rinatrix.com/.well-known/acme-challenge/6N1oPwiDwUaIYQkVNj9lT8OelXfeBv8VwJ-Nk6TzUFk: "<!doctype html><html lang=\"en\"><head><meta charset=\"utf-8\"/><link rel=\"icon\" href=\"/nabu_short.png\"/><meta name=\"viewport\" conte"

  Domain: www.rinatrix.com
  Type:   unauthorized
  Detail: 3.138.94.177: Invalid response from http://www.rinatrix.com/.well-known/acme-challenge/rxSPnWiZaMDPNbiv8Sr09mfitA8b7Qhip5fjEgqTmD8: "<!doctype html><html lang=\"en\"><head><meta charset=\"utf-8\"/><link rel=\"icon\" href=\"/nabu_short.png\"/><meta name=\"viewport\" conte"

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Cleaning up challenges
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
ERROR: 1

### Reloading nginx ...
2023/03/02 22:31:01 [notice] 29#29: signal process started

The nginx log:

nginx_1    | 18.217.136.52 - - [02/Mar/2023:22:30:58 +0000] "GET /.well-known/acme-challenge/6N1oPwiDwUaIYQkVNj9lT8OelXfeBv8VwJ-Nk6TzUFk HTTP/1.1" 200 2289 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "-"
nginx_1    | 18.217.136.52 - - [02/Mar/2023:22:30:58 +0000] "GET /.well-known/acme-challenge/rxSPnWiZaMDPNbiv8Sr09mfitA8b7Qhip5fjEgqTmD8 HTTP/1.1" 200 2289 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "-"
nginx_1    | 34.221.246.20 - - [02/Mar/2023:22:30:58 +0000] "GET /.well-known/acme-challenge/6N1oPwiDwUaIYQkVNj9lT8OelXfeBv8VwJ-Nk6TzUFk HTTP/1.1" 200 2289 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "-"
nginx_1    | 23.178.112.106 - - [02/Mar/2023:22:30:58 +0000] "GET /.well-known/acme-challenge/6N1oPwiDwUaIYQkVNj9lT8OelXfeBv8VwJ-Nk6TzUFk HTTP/1.1" 200 2289 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "-"
nginx_1    | 23.178.112.107 - - [02/Mar/2023:22:30:58 +0000] "GET /.well-known/acme-challenge/rxSPnWiZaMDPNbiv8Sr09mfitA8b7Qhip5fjEgqTmD8 HTTP/1.1" 200 2289 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "-"
nginx_1    | 34.221.246.20 - - [02/Mar/2023:22:30:58 +0000] "GET /.well-known/acme-challenge/rxSPnWiZaMDPNbiv8Sr09mfitA8b7Qhip5fjEgqTmD8 HTTP/1.1" 200 2289 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "-"
nginx_1    | 2023/03/02 22:31:02 [notice] 1#1: signal 1 (SIGHUP) received from 29, reconfiguring
nginx_1    | 2023/03/02 22:31:02 [notice] 1#1: reconfiguring
nginx_1    | 2023/03/02 22:31:02 [notice] 1#1: using the "epoll" event method
nginx_1    | 2023/03/02 22:31:02 [notice] 1#1: start worker processes
nginx_1    | 2023/03/02 22:31:02 [notice] 1#1: start worker process 35
nginx_1    | 2023/03/02 22:31:02 [notice] 28#28: gracefully shutting down
nginx_1    | 2023/03/02 22:31:02 [notice] 28#28: exiting
nginx_1    | 2023/03/02 22:31:02 [notice] 28#28: exit
nginx_1    | 2023/03/02 22:31:02 [notice] 1#1: signal 17 (SIGCHLD) received from 28
nginx_1    | 2023/03/02 22:31:02 [notice] 1#1: worker process 28 exited with code 0
nginx_1    | 2023/03/02 22:31:02 [notice] 1#1: signal 29 (SIGIO) received

/var/log/letsencrypt/letsencrypt.log is empty.

I put 'Test-File' in the container at /var/www/certbot/

http://rinatrix.com/.well-known/acme-challenge/Test-File

When I go to it it just shows my javascrip site.

I have the site up in detached mode so you all can see.

7

Here is what I see with curl

$ curl -Ii http://rinatrix.com/.well-known/acme-challenge/Test-File
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 02 Mar 2023 22:46:30 GMT
Content-Type: text/html
Content-Length: 2289
Last-Modified: Wed, 01 Mar 2023 22:03:42 GMT
Connection: keep-alive
ETag: "63ffcbbe-8f1"
Accept-Ranges: bytes
1 Like
8

Any thought then why certbot is failing?

9

This nginx configuration is not the one that is actually running.

If it was, then visiting the domain should result in a 301 redirect, right?

Instead, we see your website:

$ curl -i rinatrix.com
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 02 Mar 2023 23:42:42 GMT
Content-Type: text/html
Content-Length: 2289
Last-Modified: Wed, 01 Mar 2023 22:03:42 GMT
Connection: keep-alive
ETag: "63ffcbbe-8f1"
Accept-Ranges: bytes

<!doctype html><html lang="en">...snip...

So the effective nginx configuration is different to the one you've posted.

3 Likes
10

So I see what my issue was, I was loading the wrong folder. Now it's set to use those nginx settings.

Currently what I get is:

ubuntu@ip-172-31-38-5:~/app$ sudo ./init-letsencrypt.sh 
Existing data found for rinatrix.com. Continue and replace existing certificate? (y/N) y
### Creating dummy certificate for rinatrix.com ...
Creating app_certbot_run ... done
Generating a RSA private key
.............+++++
...................................+++++
writing new private key to '/etc/letsencrypt/live/rinatrix.com/privkey.pem'
-----

### Starting nginx ...
Recreating app_db_1 ... done
Recreating app_backend_1 ... done
Recreating app_nginx_1   ... done

### Deleting dummy certificate for rinatrix.com ...
Creating app_certbot_run ... done

### Requesting Let's Encrypt certificate for rinatrix.com ...
Creating app_certbot_run ... done
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Requesting a certificate for rinatrix.com and www.rinatrix.com
Performing the following challenges:
http-01 challenge for rinatrix.com
http-01 challenge for www.rinatrix.com
Using the webroot path /var/www/certbot for all unmatched domains.
Waiting for verification...
Challenge failed for domain rinatrix.com
Challenge failed for domain www.rinatrix.com
http-01 challenge for rinatrix.com
http-01 challenge for www.rinatrix.com

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: rinatrix.com
  Type:   connection
  Detail: 3.138.94.177: Fetching http://rinatrix.com/.well-known/acme-challenge/UDa0ndOx0wD4DACuhn4ClBoxQi6cSMMgD7Qy1Ww44-I: Connection refused

  Domain: www.rinatrix.com
  Type:   connection
  Detail: 3.138.94.177: Fetching http://www.rinatrix.com/.well-known/acme-challenge/ggfpMVMcIFuITfPTIC3KkaEe1Lrqy_3tZ9cVR9foSYg: Connection refused

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Cleaning up challenges
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
ERROR: 1

### Reloading nginx ...

and

nginx_1    | /docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
nginx_1    | /docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
nginx_1    | /docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
nginx_1    | 10-listen-on-ipv6-by-default.sh: info: Getting the checksum of /etc/nginx/conf.d/default.conf
nginx_1    | 10-listen-on-ipv6-by-default.sh: info: /etc/nginx/conf.d/default.conf differs from the packaged version
nginx_1    | /docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
nginx_1    | /docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
nginx_1    | /docker-entrypoint.sh: Configuration complete; ready for start up
nginx_1    | 2023/03/03 02:17:40 [emerg] 1#1: no "ssl_certificate" is defined for the "listen ... ssl" directive in /etc/nginx/conf.d/default.conf:16
nginx_1    | nginx: [emerg] no "ssl_certificate" is defined for the "listen ... ssl" directive in /etc/nginx/conf.d/default.conf:16
app_nginx_1 exited with code 1

/var/log/letsencrypt/letsencrypt.log doesn't exist

certbot certificates

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
No certificates found.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Now nginx just keeps restarting becasue what appears to me, it cannot find a certificate. I honestly don't know what to do to try to fix this.

I did just try commenting out the 443 server part and I get.

ubuntu@ip-172-31-38-5:~/app$ curl -i rinatrix.com
HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Fri, 03 Mar 2023 02:30:37 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
Location: https://rinatrix.com/

<html>
<head><title>301 Moved Permanently</title></head>
<body>
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx</center>
</body>
</html>

I don't know if it helps but hopefully it can help give some pointers.

11

These can't be commented out, otherwise the nginx configuration becomes invalid.

It looks like the script generates a self-signed certificate in order to get around this:

So maybe try uncommenting those lines.

3 Likes
12

current settings:

server {
    listen 80;
    # listen [::]:80;
    server_name rinatrix.com www.rinatrix.com;
    server_tokens off;

    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    # listen [::]:443 ssl http2;
    server_name rinatrix.com www.rinatrix.com;
    server_tokens off;

    ssl_certificate /etc/letsencrypt/live/rinatrix.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/rinatrix.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    client_max_body_size 20M;

    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
        try_files $uri $uri/ /index.html;
    }

    location /api {
        try_files $uri @proxy_api;
    }

    location /djangoadmin {
        try_files $uri @proxy_api;
        rewrite ^([^.]*[^/])$ $1/ permanent;
    }

    location /rest-auth {
        try_files $uri @proxy_api;
    }
    location /api-auth {
        try_files $uri @proxy_api;
    }
#     location /admin {
#         try_files $uri @proxy_api;
#     }

    location @proxy_api {
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Url-Scheme $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_redirect off;
        proxy_pass   http://backend:8000;
    }

    location /django_static/ {
        autoindex on;
        alias /app/backend/nabuconnect/django_static/;
    }
}

Output from sudo ./init-letsencrypt.sh

ubuntu@ip-172-31-38-5:~/app$ sudo ./init-letsencrypt.sh 
Existing data found for rinatrix.com. Continue and replace existing certificate? (y/N) y
### Creating dummy certificate for rinatrix.com ...
Creating app_certbot_run ... done
Generating a RSA private key
..+++++
.........................+++++
writing new private key to '/etc/letsencrypt/live/rinatrix.com/privkey.pem'
-----

### Starting nginx ...
Recreating app_db_1 ... done
Recreating app_backend_1 ... done
Recreating app_nginx_1   ... done

### Deleting dummy certificate for rinatrix.com ...
Creating app_certbot_run ... done

### Requesting Let's Encrypt certificate for rinatrix.com ...
Creating app_certbot_run ... done
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Requesting a certificate for rinatrix.com and www.rinatrix.com
Performing the following challenges:
http-01 challenge for rinatrix.com
http-01 challenge for www.rinatrix.com
Using the webroot path /var/www/certbot for all unmatched domains.
Waiting for verification...
Challenge failed for domain rinatrix.com
Challenge failed for domain www.rinatrix.com
http-01 challenge for rinatrix.com
http-01 challenge for www.rinatrix.com

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: rinatrix.com
  Type:   connection
  Detail: 3.138.94.177: Fetching http://rinatrix.com/.well-known/acme-challenge/vcvRRZazjfStfJtJHfZINpW9uHcvEyWVE3A2MkBVRis: Connection refused

  Domain: www.rinatrix.com
  Type:   connection
  Detail: 3.138.94.177: Fetching http://www.rinatrix.com/.well-known/acme-challenge/xT9k4h4cSqd2iX8EAHtxmR9BlsfJzRHuJcI5iJJ8I1M: Connection refused

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Cleaning up challenges
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
ERROR: 1

### Reloading nginx ...

nginx output

nginx_1    | /docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
nginx_1    | /docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
nginx_1    | /docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
nginx_1    | 10-listen-on-ipv6-by-default.sh: info: Getting the checksum of /etc/nginx/conf.d/default.conf
nginx_1    | 10-listen-on-ipv6-by-default.sh: info: /etc/nginx/conf.d/default.conf differs from the packaged version
nginx_1    | /docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
nginx_1    | /docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
nginx_1    | /docker-entrypoint.sh: Configuration complete; ready for start up
nginx_1    | 2023/03/03 02:41:18 [emerg] 1#1: open() "/etc/letsencrypt/options-ssl-nginx.conf" failed (2: No such file or directory) in /etc/nginx/conf.d/default.conf:24
nginx_1    | nginx: [emerg] open() "/etc/letsencrypt/options-ssl-nginx.conf" failed (2: No such file or directory) in /etc/nginx/conf.d/default.conf:24
app_nginx_1 exited with code 1
13

Getting closer .. I guess.

Try comment these two, temporarily.

3 Likes
14

Nada... with those commented

server {
    listen 80;
    # listen [::]:80;
    server_name rinatrix.com www.rinatrix.com;
    server_tokens off;

    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    # listen [::]:443 ssl http2;
    server_name rinatrix.com www.rinatrix.com;
    server_tokens off;

    ssl_certificate /etc/letsencrypt/live/rinatrix.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/rinatrix.com/privkey.pem;
    # include /etc/letsencrypt/options-ssl-nginx.conf;
    # ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    client_max_body_size 20M;

    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
        try_files $uri $uri/ /index.html;
    }

    location /api {
        try_files $uri @proxy_api;
    }

    location /djangoadmin {
        try_files $uri @proxy_api;
        rewrite ^([^.]*[^/])$ $1/ permanent;
    }

    location /rest-auth {
        try_files $uri @proxy_api;
    }
    location /api-auth {
        try_files $uri @proxy_api;
    }
#     location /admin {
#         try_files $uri @proxy_api;
#     }

    location @proxy_api {
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Url-Scheme $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_redirect off;
        proxy_pass   http://backend:8000;
    }

    location /django_static/ {
        autoindex on;
        alias /app/backend/nabuconnect/django_static/;
    }
}

nginx_1    | 10-listen-on-ipv6-by-default.sh: info: /etc/nginx/conf.d/default.conf differs from the packaged version
nginx_1    | /docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
nginx_1    | /docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
nginx_1    | /docker-entrypoint.sh: Configuration complete; ready for start up
nginx_1    | 2023/03/03 02:47:44 [emerg] 1#1: cannot load certificate "/etc/letsencrypt/live/rinatrix.com/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/rinatrix.com/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)
nginx_1    | nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/rinatrix.com/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/rinatrix.com/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)
app_nginx_1 exited with code 1

ubuntu@ip-172-31-38-5:~/app$ sudo ./init-letsencrypt.sh 
Existing data found for rinatrix.com. Continue and replace existing certificate? (y/N) y
### Creating dummy certificate for rinatrix.com ...
Creating app_certbot_run ... done
Generating a RSA private key
..+++++
.............+++++
writing new private key to '/etc/letsencrypt/live/rinatrix.com/privkey.pem'
-----

### Starting nginx ...
Recreating app_db_1 ... done
Recreating app_backend_1 ... done
Recreating app_nginx_1   ... done

### Deleting dummy certificate for rinatrix.com ...
Creating app_certbot_run ... done

### Requesting Let's Encrypt certificate for rinatrix.com ...
Creating app_certbot_run ... done
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Requesting a certificate for rinatrix.com and www.rinatrix.com
Performing the following challenges:
http-01 challenge for rinatrix.com
http-01 challenge for www.rinatrix.com
Using the webroot path /var/www/certbot for all unmatched domains.
Waiting for verification...
Challenge failed for domain rinatrix.com
Challenge failed for domain www.rinatrix.com
http-01 challenge for rinatrix.com
http-01 challenge for www.rinatrix.com

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: rinatrix.com
  Type:   connection
  Detail: 3.138.94.177: Fetching http://rinatrix.com/.well-known/acme-challenge/Xdz0PJ8YzAMOBABDEgG6g7YRmfPeSSEag8IIUZHDxrw: Connection refused

  Domain: www.rinatrix.com
  Type:   connection
  Detail: 3.138.94.177: Fetching http://www.rinatrix.com/.well-known/acme-challenge/_WTbBQdNE_ckLo2h9uab9iNvVQaufVC_dGHAG48c4tc: Connection refused

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Cleaning up challenges
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
ERROR: 1

### Reloading nginx ...
OCI runtime exec failed: exec failed: cannot exec in a stopped container: unknown
15

So I just figured out how to get into the contianer and run the command to request the certificate in staging... it failed. But now I checked the log in the container and this is what I found. Hopefully it will make sense to you.

/opt/certbot # cat /var/log/letsencrypt/letsencrypt.log
2023-03-03 04:24:20,465:DEBUG:certbot._internal.main:certbot version: 2.3.0
2023-03-03 04:24:20,466:DEBUG:certbot._internal.main:Location of certbot entry point: /usr/local/bin/certbot
2023-03-03 04:24:20,466:DEBUG:certbot._internal.main:Arguments: ['--webroot', '-w', '/var/www/certbot', '--email', 'EMAIL@gmail.com', '--agree-tos', '--no-eff-email', '--staging', '-d', 'rinatrix.com', '-d', 'www.rinatrix.com']
2023-03-03 04:24:20,466:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2023-03-03 04:24:20,482:DEBUG:certbot._internal.log:Root logging level set at 30
2023-03-03 04:24:20,485:DEBUG:certbot._internal.plugins.selection:Requested authenticator webroot and installer None
2023-03-03 04:24:20,488:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * webroot
Description: Saves the necessary validation files to a .well-known/acme-challenge/ directory within the nominated webroot path. A seperate HTTP server must be running and serving files from the webroot path. HTTP challenge only (wildcards not supported).
Interfaces: Authenticator, Plugin
Entry point: webroot = certbot._internal.plugins.webroot:Authenticator
Initialized: <certbot._internal.plugins.webroot.Authenticator object at 0x7fb6f2d63e20>
Prep: True
2023-03-03 04:24:20,488:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot._internal.plugins.webroot.Authenticator object at 0x7fb6f2d63e20> and installer None
2023-03-03 04:24:20,488:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator webroot, Installer None
2023-03-03 04:24:21,036:DEBUG:certbot._internal.main:Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-staging-v02.api.letsencrypt.org/acme/acct/91062074', new_authzr_uri=None, terms_of_service=None), 03d4e5e03e377ee84364ff6182129902, Meta(creation_dt=datetime.datetime(2023, 3, 2, 21, 51, 58, tzinfo=<UTC>), creation_host='f0c13cf0ee90', register_to_eff=None))>
2023-03-03 04:24:21,037:DEBUG:acme.client:Sending GET request to https://acme-staging-v02.api.letsencrypt.org/directory.
2023-03-03 04:24:21,042:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org:443
2023-03-03 04:24:21,260:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 830
2023-03-03 04:24:21,260:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Fri, 03 Mar 2023 04:24:21 GMT
Content-Type: application/json
Content-Length: 830
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "keyChange": "https://acme-staging-v02.api.letsencrypt.org/acme/key-change",
  "kq-NvzVz3yo": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf",
    "website": "https://letsencrypt.org/docs/staging-environment/"
  },
  "newAccount": "https://acme-staging-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-staging-v02.api.letsencrypt.org/acme/new-order",
  "renewalInfo": "https://acme-staging-v02.api.letsencrypt.org/get/draft-ietf-acme-ari-00/renewalInfo/",
  "revokeCert": "https://acme-staging-v02.api.letsencrypt.org/acme/revoke-cert"
}
2023-03-03 04:24:21,261:DEBUG:certbot._internal.display.obj:Notifying user: Requesting a certificate for rinatrix.com and www.rinatrix.com
2023-03-03 04:24:21,283:DEBUG:acme.client:Requesting fresh nonce
2023-03-03 04:24:21,283:DEBUG:acme.client:Sending HEAD request to https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce.
2023-03-03 04:24:21,328:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0
2023-03-03 04:24:21,329:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Fri, 03 Mar 2023 04:24:21 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: A272PvMWRNGZAi54aMYSzk-74tzJhnCudZy2GeBBFVYq-_g
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800


2023-03-03 04:24:21,329:DEBUG:acme.client:Storing nonce: A272PvMWRNGZAi54aMYSzk-74tzJhnCudZy2GeBBFVYq-_g
2023-03-03 04:24:21,329:DEBUG:acme.client:JWS payload:
b'{\n  "identifiers": [\n    {\n      "type": "dns",\n      "value": "rinatrix.com"\n    },\n    {\n      "type": "dns",\n      "value": "www.rinatrix.com"\n    }\n  ]\n}'
2023-03-03 04:24:21,344:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/new-order:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC85MTA2MjA3NCIsICJub25jZSI6ICJBMjcyUHZNV1JOR1pBaTU0YU1ZU3prLTc0dHpKaG5DdWRaeTJHZUJCRlZZcS1fZyIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9uZXctb3JkZXIifQ",
  "signature": "YXPgJxSroLOwnnhvcXFKOH3Q7G7qNYeAU5qlvnwKBGN29jYkLEZt4nMwQp9hN5uUEJMM0lTVTedE4XoF_4R_XpW6L3YklVX0wUe7xPY-DeqD_4SM9yI9jX3WlT60KcgZnozK9hWusWeaw8NVzaytmbF9GChD9N2cjy9Tu4G12tLtrn4hwqexlgJaFfSCbUdIcT-25_OtZ1KXGUFMA9BtAytUlsNHQDhMp-gR3rkpO-HQj4Yj4r3qH_S7k1odSQZeA033wlW3Jlr3U8zGweXIQ_iNflh3VYHewt_80B1DGslRgL3PEWUz8YqjdZ-V1cc53vETrehYe2EDUOskdF0pmuGaR0rgC6lfoh6rOiHmU19f-i8y2jl1yH4vWZ6sjyCawoFJJN_pq4qzSh-lNARfuLSgL_JnGKgZqLwTsnY6ZpG_Vr5NELQO0ZAErYInyEGf9yRdBxLUFaRtX0KmPZLuF5nQkpa-nVMHxC3r60sDxiWOMxYap8I3Epet62RGJIGxpydGtfsF-cXwX0d2vuC8N1NzD12UCAgGAr_FVx7tdnmdOzAwpVeSJ2eJEese131WKk3INvQ2nE5GcAy6Rga3sYp4ZpNNae9fn456Apvg-Y1q9Vop-V-z4dYjCto4MGaR4iOVUpMwjc8o7PRQbTx9qyiznO0UB7glbfFXqDEB3no",
  "payload": "ewogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwKICAgICAgInZhbHVlIjogInJpbmF0cml4LmNvbSIKICAgIH0sCiAgICB7CiAgICAgICJ0eXBlIjogImRucyIsCiAgICAgICJ2YWx1ZSI6ICJ3d3cucmluYXRyaXguY29tIgogICAgfQogIF0KfQ"
}
2023-03-03 04:24:21,419:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 493
2023-03-03 04:24:21,420:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Date: Fri, 03 Mar 2023 04:24:21 GMT
Content-Type: application/json
Content-Length: 493
Connection: keep-alive
Boulder-Requester: 91062074
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Location: https://acme-staging-v02.api.letsencrypt.org/acme/order/91062074/7527152074
Replay-Nonce: B37ChrFMXV9zxLNA8_-eYQ0r-sCHab584DOz2gWwOaXP5VA
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "status": "pending",
  "expires": "2023-03-10T04:24:21Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "rinatrix.com"
    },
    {
      "type": "dns",
      "value": "www.rinatrix.com"
    }
  ],
  "authorizations": [
    "https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/5578342814",
    "https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/5578342824"
  ],
  "finalize": "https://acme-staging-v02.api.letsencrypt.org/acme/finalize/91062074/7527152074"
}
2023-03-03 04:24:21,420:DEBUG:acme.client:Storing nonce: B37ChrFMXV9zxLNA8_-eYQ0r-sCHab584DOz2gWwOaXP5VA
2023-03-03 04:24:21,420:DEBUG:acme.client:JWS payload:
b''
2023-03-03 04:24:21,430:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/5578342814:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC85MTA2MjA3NCIsICJub25jZSI6ICJCMzdDaHJGTVhWOXp4TE5BOF8tZVlRMHItc0NIYWI1ODRET3oyZ1d3T2FYUDVWQSIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My81NTc4MzQyODE0In0",
  "signature": "sTb28AqRSqP2LGVVUq9PbaMz5IOoWlJAMdwx7fms0E-Q8JKmRPqyniL0Faz1Lt_zUgImKS2J2WWYDZJB4-MN8PK2HbC3gAIsUvgUdSBP4ow5PqFkgkOF45hltBotOnrWzpD22i2ZcBYETjX37mL-6YrX0DXggJUBrg0PnXlSAU1Nnfeo7t0pURV7_U4sMvGU9KsL_iSc4gq6L6JXwUUkeTFipah54hFQ9B2FN5hNLBAfuukVOpjNCwfDl7Zlhn9z4LqfgVSwLeM9yr4OuHy7HYNOpnC2NCSA6jqtkrijN9zI93VICGAx2gZgQvhvetujFsauwBsHEfjPCh_nkTW57Q-axYYFWocZniUNuzEfdGDgjBGayaP85lcX1xJHRvSraiZFmt4zAY1-EN8hSoqJ-l1qyf-9A-ORZ8LnUPaVehYkYlPaUF_4wfn4ELJnK3cBq2m9lXIo8epcGUsxfA_1W03S70uSXqPgBLdHxRfDWZW0Rl8DK2jTYUVHA9jU9DBg8Ejr39ra_ftRUDNHuJCmxctbQVtbCw1p4VcAGdPCheIguR2KqJKmr5lFH7vCe6XXw1O-RGDJhW7ncDWq2zQIqndDpkvN3IikCS-jQivNU9dzbtrppHelzjBGw8UOdulVM408LEKSSyj_oU6FWRSdhKIZSVMca2iUNHo7GcSfJHk",
  "payload": ""
}
2023-03-03 04:24:21,478:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/5578342814 HTTP/1.1" 200 814
2023-03-03 04:24:21,478:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Fri, 03 Mar 2023 04:24:21 GMT
Content-Type: application/json
Content-Length: 814
Connection: keep-alive
Boulder-Requester: 91062074
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 8F05KrLzi90ee3TXHQbWz6NQ0wl-UcRB1VbNkPWrV1Ad9VQ
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "rinatrix.com"
  },
  "status": "pending",
  "expires": "2023-03-10T04:24:21Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/5578342814/mO1tCg",
      "token": "PLfQ2ztOc3fU--PtM_Nrus-KMoRxEcmZgr0ql_7bzP0"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/5578342814/PZPJ5A",
      "token": "PLfQ2ztOc3fU--PtM_Nrus-KMoRxEcmZgr0ql_7bzP0"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/5578342814/_dfB9g",
      "token": "PLfQ2ztOc3fU--PtM_Nrus-KMoRxEcmZgr0ql_7bzP0"
    }
  ]
}
2023-03-03 04:24:21,479:DEBUG:acme.client:Storing nonce: 8F05KrLzi90ee3TXHQbWz6NQ0wl-UcRB1VbNkPWrV1Ad9VQ
2023-03-03 04:24:21,479:DEBUG:acme.client:JWS payload:
b''
2023-03-03 04:24:21,489:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/5578342824:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC85MTA2MjA3NCIsICJub25jZSI6ICI4RjA1S3JMemk5MGVlM1RYSFFiV3o2TlEwd2wtVWNSQjFWYk5rUFdyVjFBZDlWUSIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My81NTc4MzQyODI0In0",
  "signature": "Oy_sxqugX_32ngVujsJxDRavZBZuZPia7kL3HGfThPv66CcaJViNp13cj3F5X4VNiPe2gEvlPzbmTnd0UZ0DsfeDLOorpd381HPvueM3XshmB25btwnNpBblzJwAW0ETXBXdGN6Hpe3YS4Ch2b6Y8yL2Xuy3M7f7uo90KioJrV3j_aXgU3fEyEOhPID4Eyua3DxgJgVXuLQAoZ2LZ2fC9ZwsdaIDItGT7-rU46VJ0hBe7-5Mmmoh_os6kn8bLGE7IulVR8yYjkTfKCe1x8e9wCOPMtlrW6bP8TnAyYTO4n61DPfRJN_q6fGuYykHkge3cdhKMxd3Mlk_PjuaXY_WoWVYMOnhjhKU_eI3Ah9ig5rExqks4D30eW6jHc-chaHvxXsac1PXZVo-VRPwXUpt1hTh3pcDyZTtyOCKxYKbfGuJmZxTCTnEVOGzdE6JmuX0nJms7XPbelXuNWRbSHD6-LjreMfTv2P-ReQMPrlIJUwRRMhun0Oks__ZIdXDDYJzcX9enE6k5PBf7yjpSLomgQNBXarvLYHy6bmdeqlOhZdgeuajeV_deQgohz6mGRAufsBNyw7b9lmEULBY8cSyZV1RsF9cXGlZ9RlbO40w9O_k_258pyczo6gCOWmhjyYI2Q8To4Y3xF3v8GkaGzKU11MthDYLCHJdE-vS6_8hQNI",
  "payload": ""
}
2023-03-03 04:24:21,538:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/5578342824 HTTP/1.1" 200 818
2023-03-03 04:24:21,538:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Fri, 03 Mar 2023 04:24:21 GMT
Content-Type: application/json
Content-Length: 818
Connection: keep-alive
Boulder-Requester: 91062074
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 49942Mld3TNqE40tocC6X8QoHzDCZLyJTs6OWW1UyZSLwcs
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "www.rinatrix.com"
  },
  "status": "pending",
  "expires": "2023-03-10T04:24:21Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/5578342824/tj2LVQ",
      "token": "FENLUtlip_H6iGf4sNKvWQqL4UUcHnAy81toIj-yJeA"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/5578342824/OPLb2w",
      "token": "FENLUtlip_H6iGf4sNKvWQqL4UUcHnAy81toIj-yJeA"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/5578342824/0Mfl-Q",
      "token": "FENLUtlip_H6iGf4sNKvWQqL4UUcHnAy81toIj-yJeA"
    }
  ]
}
2023-03-03 04:24:21,539:DEBUG:acme.client:Storing nonce: 49942Mld3TNqE40tocC6X8QoHzDCZLyJTs6OWW1UyZSLwcs
2023-03-03 04:24:21,539:INFO:certbot._internal.auth_handler:Performing the following challenges:
2023-03-03 04:24:21,539:INFO:certbot._internal.auth_handler:http-01 challenge for rinatrix.com
2023-03-03 04:24:21,539:INFO:certbot._internal.auth_handler:http-01 challenge for www.rinatrix.com
2023-03-03 04:24:21,540:INFO:certbot._internal.plugins.webroot:Using the webroot path /var/www/certbot for all unmatched domains.
2023-03-03 04:24:21,540:DEBUG:certbot._internal.plugins.webroot:Creating root challenges validation dir at /var/www/certbot/.well-known/acme-challenge
2023-03-03 04:24:21,541:DEBUG:certbot._internal.plugins.webroot:Creating root challenges validation dir at /var/www/certbot/.well-known/acme-challenge
2023-03-03 04:24:21,542:DEBUG:certbot._internal.plugins.webroot:Attempting to save validation to /var/www/certbot/.well-known/acme-challenge/PLfQ2ztOc3fU--PtM_Nrus-KMoRxEcmZgr0ql_7bzP0
2023-03-03 04:24:21,543:DEBUG:certbot._internal.plugins.webroot:Attempting to save validation to /var/www/certbot/.well-known/acme-challenge/FENLUtlip_H6iGf4sNKvWQqL4UUcHnAy81toIj-yJeA
2023-03-03 04:24:21,543:DEBUG:acme.client:JWS payload:
b'{}'
2023-03-03 04:24:21,552:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/5578342814/mO1tCg:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC85MTA2MjA3NCIsICJub25jZSI6ICI0OTk0Mk1sZDNUTnFFNDB0b2NDNlg4UW9IekRDWkx5SlRzNk9XVzFVeVpTTHdjcyIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9jaGFsbC12My81NTc4MzQyODE0L21PMXRDZyJ9",
  "signature": "SjEuvxH_gOsvHMKO_Is1T6-nBMTcthH8-q5M09hpB3bNMuhBMqbSkxOna7bIP8gkkwGjjSDUEMeyRWoNWLygMUjnC17D9RY6aeAbiC0H5YZ65iJ7X2ItktgPIUYmhmD2_UuK35JSyYkZSMCHBBs5o7-9pBWgqFR5K0t4TD0Pqo7pwRDfSZM_U-nS9GOmQ7UbgsKBCw0I0VIcm2NO2Ev4Cs4xJoiYMIcLtUpxWyCRjnNWVZGksILeoHjWSi2BLsbNvWl1XELLx6RRYJzCLyPRTd7TQrkSmOCTDSv4Vy6lnoVCQEMi19ROYUpBj4yd03HnKJ3sYmvADVWBr4tnmA2a2hD-9JdwDRRE6Z1OiEkTLT4CyMY6PBI-uVbgoIAkwhPzlpVDeG2eNCNx-cP7CQzk46rVBATAGAtlgCFiZfBANwz_1qqqegu9nI5na54ILBcItd4NW5Za0yETMkoIXuaSJLe53fD3TwzuU6G7RkxOgW9sU-nLM1mDmXb0Fdd6SZG1UcCU9Bx0slL7qHolb0JdhufBB9jafDsUwjdRBHjH3wzpoghPBrwDVZjvfPnlpx56ukYk7_Jth4fc0SfJLv2dfDRMFn8XgsPCSGeJUnPcxdfsMhOcGJ8_wjG2v4mLej_WazcTVbwsYp5lNs0ag11Y6ZuJbyXfhPXxbq1SlMpX8jw",
  "payload": "e30"
}
2023-03-03 04:24:21,603:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/chall-v3/5578342814/mO1tCg HTTP/1.1" 200 193
2023-03-03 04:24:21,604:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Fri, 03 Mar 2023 04:24:21 GMT
Content-Type: application/json
Content-Length: 193
Connection: keep-alive
Boulder-Requester: 91062074
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index", <https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/5578342814>;rel="up"
Location: https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/5578342814/mO1tCg
Replay-Nonce: B37CcV7xyfPyHRF8kEHf0JbSarzQCJqzaEeNzHyCfVrDSK8
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "type": "http-01",
  "status": "pending",
  "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/5578342814/mO1tCg",
  "token": "PLfQ2ztOc3fU--PtM_Nrus-KMoRxEcmZgr0ql_7bzP0"
}
2023-03-03 04:24:21,604:DEBUG:acme.client:Storing nonce: B37CcV7xyfPyHRF8kEHf0JbSarzQCJqzaEeNzHyCfVrDSK8
2023-03-03 04:24:21,604:DEBUG:acme.client:JWS payload:
b'{}'
2023-03-03 04:24:21,613:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/5578342824/tj2LVQ:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC85MTA2MjA3NCIsICJub25jZSI6ICJCMzdDY1Y3eHlmUHlIUkY4a0VIZjBKYlNhcnpRQ0pxemFFZU56SHlDZlZyRFNLOCIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9jaGFsbC12My81NTc4MzQyODI0L3RqMkxWUSJ9",
  "signature": "D98jge0h7j5xMsmgSnT8tNeMHt69nAOnrQf8vyV9lzZN9hWKrWC-noDcxm8qx-lCEjGb-iVArTZAdO5-fnBd5kkOMTzhRVL8hASL_EQ-9Ns7SjsTrNajhqY5YX54WgXnynXSmsmlVdJFAkNY8FLNa2h2KzRaAN9mGyVVUPltFqpQtAVpZqGVlGq7yLGo6aLxj4GFulvwl3kIcXYoIklEk-aFB-Y9b1apy6wjbB0i-jUOn-0dCPS8oocQpnhHVRqlxoX0EgSyTudLKS0cqjHyxTuu31botLcFuWZwynjPinwtlGfYf6QjwOcOQAe9GDjZwBL8Ct53qYBcvdylwYzRh3uRwgZtuBwh93iU456LDEEhZHUZVy67ZpIfvm_0mpA35bAm5LtM9dmtFfCv0fgTu-8cBwBmByXXMmWb2JmcxTITIBpOZ5vmFuTpkBkA_Ugd3eXiYVlZ2tFGNSuB_N25PgCMPpA6Lkiyw_HuPJd90jh4BzBygz6mWaYbE285bjvUPHrKnnO2kZv-4gllikVEIN4ibIF26RZp1z8ST7vT7aIGc3YmCZ4iNt0dIbxfyszXJsq_RNRAouMk_WdaE4V73NJcuHCNUc0O030if8u--2ZlvbLinhhcHeTM6kfFwSmIJ5OPcRqP9ytp4k0EImHvqsZHIW8tfy6l9s75NgUJZ8w",
  "payload": "e30"
}
2023-03-03 04:24:21,663:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/chall-v3/5578342824/tj2LVQ HTTP/1.1" 200 193
2023-03-03 04:24:21,663:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Fri, 03 Mar 2023 04:24:21 GMT
Content-Type: application/json
Content-Length: 193
Connection: keep-alive
Boulder-Requester: 91062074
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index", <https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/5578342824>;rel="up"
Location: https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/5578342824/tj2LVQ
Replay-Nonce: 8F0588vbl7UZRJETdxQCZ7m6EWBVR4Ad1mOSKXO6HA3PMNs
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "type": "http-01",
  "status": "pending",
  "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/5578342824/tj2LVQ",
  "token": "FENLUtlip_H6iGf4sNKvWQqL4UUcHnAy81toIj-yJeA"
}
2023-03-03 04:24:21,664:DEBUG:acme.client:Storing nonce: 8F0588vbl7UZRJETdxQCZ7m6EWBVR4Ad1mOSKXO6HA3PMNs
2023-03-03 04:24:21,664:INFO:certbot._internal.auth_handler:Waiting for verification...
2023-03-03 04:24:22,664:DEBUG:acme.client:JWS payload:
b''
2023-03-03 04:24:22,674:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/5578342814:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC85MTA2MjA3NCIsICJub25jZSI6ICI4RjA1ODh2Ymw3VVpSSkVUZHhRQ1o3bTZFV0JWUjRBZDFtT1NLWE82SEEzUE1OcyIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My81NTc4MzQyODE0In0",
  "signature": "R47GzGPcC6Y7Frwa3dUo3eXj48UHn56PGkyfT6NishOKyqFugyY4MHZRiwtNFFL4vlq459e17LKD_HyEBayzM39c8hDzKu9T9PSsB1souHG4k6FnOnee-3zfZkIyw3l6_6sXEwAkQDwue-G2AsJ-Js7gmoYb6FcyxymjLyNguiz2sSG7kWWOZSZXF10j7zFLVXNfDNYnkpumj872K4YiwgG1NgFahisTWc1a2OIaS4mtToDwab6iJv3IyfXMCsxG5VptWBtmqD2vIqF0OVSDZHum7wNDSyh27MSZ-reZ6rx6hnf03p07OvvijkO49ZzyeJJhnD1TZg2HQbD8B0uZjj8B74yxywXzP6WKpgeGFSDpYd9y4uQPy4RJsKRxx3umY7_X9zJN9qLNdaETpYh8OVixe24KuZaej5SQuPsWRDksygtXCtOiOgZ0J8rs1dIoH0aKGhggsa9_qvgx-RQlyUaikuYbOiJivVGyoUyGxuW8pmczFzmXBla4HlLDFL-DreYU_HoNe_acwtvpKpioXiHGMAaUzovdCV5kgw_sG4PFDL1h3Je9A6jaWpgwm7T_Ic_Nlwd3IBYvKSQTNwK7CYxX7OJr80npmi_FMWJdSy1UZKlLYBEYWTVAsV8UgbPTe4eK9WPjToSR8DJ37VnEtCSqg5dqncFJFD5x25Y-yuE",
  "payload": ""
}
2023-03-03 04:24:22,725:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/5578342814 HTTP/1.1" 200 1019
2023-03-03 04:24:22,726:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Fri, 03 Mar 2023 04:24:22 GMT
Content-Type: application/json
Content-Length: 1019
Connection: keep-alive
Boulder-Requester: 91062074
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 4994djjdvmQqAx-c0MMwmciQ1P4VoJeUb5XVVMdWUOXSMss
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "rinatrix.com"
  },
  "status": "invalid",
  "expires": "2023-03-10T04:24:21Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "3.138.94.177: Invalid response from http://rinatrix.com/.well-known/acme-challenge/PLfQ2ztOc3fU--PtM_Nrus-KMoRxEcmZgr0ql_7bzP0: 404",
        "status": 403
      },
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/5578342814/mO1tCg",
      "token": "PLfQ2ztOc3fU--PtM_Nrus-KMoRxEcmZgr0ql_7bzP0",
      "validationRecord": [
        {
          "url": "http://rinatrix.com/.well-known/acme-challenge/PLfQ2ztOc3fU--PtM_Nrus-KMoRxEcmZgr0ql_7bzP0",
          "hostname": "rinatrix.com",
          "port": "80",
          "addressesResolved": [
            "3.138.94.177"
          ],
          "addressUsed": "3.138.94.177"
        }
      ],
      "validated": "2023-03-03T04:24:21Z"
    }
  ]
}
2023-03-03 04:24:22,726:DEBUG:acme.client:Storing nonce: 4994djjdvmQqAx-c0MMwmciQ1P4VoJeUb5XVVMdWUOXSMss
2023-03-03 04:24:22,726:DEBUG:acme.client:JWS payload:
b''
2023-03-03 04:24:22,735:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/5578342824:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC85MTA2MjA3NCIsICJub25jZSI6ICI0OTk0ZGpqZHZtUXFBeC1jME1Nd21jaVExUDRWb0plVWI1WFZWTWRXVU9YU01zcyIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My81NTc4MzQyODI0In0",
  "signature": "soODHEDr3F_o5-Eim7IxnrBM4cUJJPTVkapOMzujCRBuduyQAYNKoOdI5GtnjEMQhFsEqx3eZPSy0FdYB1P454qwxDtCalXBZP4jfZRyrlm3OLwqsE9cYtvyhubzNPG-C4CSrkVWT0oadtI8_gmGONmpQ7tXjXikNT9NTL9xaAimTzCr0C4kZj-elIrkTuG3bNY4Xz4nhIiLlyyrVNnuhh_hvDbnDZGOWy_EOXzGBJY-niN_6OQmxlqXVgbRW2chWfgLBZEyqOTKNJl5B59jYzUpRBvV9REIS4PDEe-M0O9nMOT8OLp5MsjrnB1_fi9LW2qSBkhZhTrRkYC1f7byUnUv8w8zaDZ1DK94anP90Nf1VQegR74AQ1dcduIm-hpVxbc6YcAFLqXsj4qcmfizDnAbN8dcQ7YJ8oDvueEY9eUCjroCLf-GfGI0EhC1777nmWBFH_fCjtLh9tgdMBhmNG6RQq0DAe8DXOjmtEB3up9opApMWxRJ3zE65LPIU3b8ySftPN6JzaOowF66v_VDPXr3SX0uBDRWGnTWFAOVnwJ2-T2IahC-y4G-tKjcsKmUn-FoMLOGMZvWy39mvoK153UsT3bKp2Y57lns3K21cKIt8jGHYRpuJVrSehB9WlWGMdD427vW1fG5eOdfHH-aV5IxiIzx-s9qR9exn0yRpYU",
  "payload": ""
}
2023-03-03 04:24:22,794:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/5578342824 HTTP/1.1" 200 1035
2023-03-03 04:24:22,794:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Fri, 03 Mar 2023 04:24:22 GMT
Content-Type: application/json
Content-Length: 1035
Connection: keep-alive
Boulder-Requester: 91062074
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: A272wzSmOsA29gD9CUo-oVAcR_D9cZzZqHZYRYBAVeVaQYs
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "www.rinatrix.com"
  },
  "status": "invalid",
  "expires": "2023-03-10T04:24:21Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "3.138.94.177: Invalid response from http://www.rinatrix.com/.well-known/acme-challenge/FENLUtlip_H6iGf4sNKvWQqL4UUcHnAy81toIj-yJeA: 404",
        "status": 403
      },
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/5578342824/tj2LVQ",
      "token": "FENLUtlip_H6iGf4sNKvWQqL4UUcHnAy81toIj-yJeA",
      "validationRecord": [
        {
          "url": "http://www.rinatrix.com/.well-known/acme-challenge/FENLUtlip_H6iGf4sNKvWQqL4UUcHnAy81toIj-yJeA",
          "hostname": "www.rinatrix.com",
          "port": "80",
          "addressesResolved": [
            "3.138.94.177"
          ],
          "addressUsed": "3.138.94.177"
        }
      ],
      "validated": "2023-03-03T04:24:21Z"
    }
  ]
}
2023-03-03 04:24:22,794:DEBUG:acme.client:Storing nonce: A272wzSmOsA29gD9CUo-oVAcR_D9cZzZqHZYRYBAVeVaQYs
2023-03-03 04:24:22,795:INFO:certbot._internal.auth_handler:Challenge failed for domain rinatrix.com
2023-03-03 04:24:22,795:INFO:certbot._internal.auth_handler:Challenge failed for domain www.rinatrix.com
2023-03-03 04:24:22,795:INFO:certbot._internal.auth_handler:http-01 challenge for rinatrix.com
2023-03-03 04:24:22,795:INFO:certbot._internal.auth_handler:http-01 challenge for www.rinatrix.com
2023-03-03 04:24:22,795:DEBUG:certbot._internal.display.obj:Notifying user: 
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: rinatrix.com
  Type:   unauthorized
  Detail: 3.138.94.177: Invalid response from http://rinatrix.com/.well-known/acme-challenge/PLfQ2ztOc3fU--PtM_Nrus-KMoRxEcmZgr0ql_7bzP0: 404

  Domain: www.rinatrix.com
  Type:   unauthorized
  Detail: 3.138.94.177: Invalid response from http://www.rinatrix.com/.well-known/acme-challenge/FENLUtlip_H6iGf4sNKvWQqL4UUcHnAy81toIj-yJeA: 404

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

2023-03-03 04:24:22,801:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/opt/certbot/src/certbot/certbot/_internal/auth_handler.py", line 108, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
  File "/opt/certbot/src/certbot/certbot/_internal/auth_handler.py", line 212, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2023-03-03 04:24:22,801:DEBUG:certbot._internal.error_handler:Calling registered functions
2023-03-03 04:24:22,801:INFO:certbot._internal.auth_handler:Cleaning up challenges
2023-03-03 04:24:22,801:DEBUG:certbot._internal.plugins.webroot:Removing /var/www/certbot/.well-known/acme-challenge/PLfQ2ztOc3fU--PtM_Nrus-KMoRxEcmZgr0ql_7bzP0
2023-03-03 04:24:22,802:DEBUG:certbot._internal.plugins.webroot:Removing /var/www/certbot/.well-known/acme-challenge/FENLUtlip_H6iGf4sNKvWQqL4UUcHnAy81toIj-yJeA
2023-03-03 04:24:22,809:DEBUG:certbot._internal.plugins.webroot:All challenges cleaned up
2023-03-03 04:24:22,809:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/local/bin/certbot", line 33, in <module>
    sys.exit(load_entry_point('certbot', 'console_scripts', 'certbot')())
  File "/opt/certbot/src/certbot/certbot/main.py", line 19, in main
    return internal_main.main(cli_args)
  File "/opt/certbot/src/certbot/certbot/_internal/main.py", line 1862, in main
    return config.func(config, plugins)
  File "/opt/certbot/src/certbot/certbot/_internal/main.py", line 1595, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/opt/certbot/src/certbot/certbot/_internal/main.py", line 140, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/opt/certbot/src/certbot/certbot/_internal/client.py", line 516, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/opt/certbot/src/certbot/certbot/_internal/client.py", line 428, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/opt/certbot/src/certbot/certbot/_internal/client.py", line 496, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
  File "/opt/certbot/src/certbot/certbot/_internal/auth_handler.py", line 108, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
  File "/opt/certbot/src/certbot/certbot/_internal/auth_handler.py", line 212, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
2023-03-03 04:24:22,814:ERROR:certbot._internal.log:Some challenges have failed.
16

furthermore, I checked the permissions of "certbot" directory, which is 777. I do see it create the file in VSCode so I don't think that's an issue, but I could be wrong.

17

your server 404ed at certificate request, certbot ordered to put token /var/www/certbot and server should be configed to pick those path: but your docker failed to run becaseu there was no cert file:
this sound some kind of catch-22

3 Likes
18

from init-letsencrypt.sh though it seems it makes a dummy certificate then restarts the system before requesting a certificate.

echo "### Creating dummy certificate for $domains ..."
path="/etc/letsencrypt/live/$domains"
mkdir -p "$data_path/conf/live/$domains"
docker-compose run --rm --entrypoint "\
  openssl req -x509 -nodes -newkey rsa:1024 -days 1\
    -keyout '$path/privkey.pem' \
    -out '$path/fullchain.pem' \
    -subj '/CN=localhost'" certbot
echo
19

well looks like you turned the docker off so lets get a certificate with standlone auth
does your service accepts ecdsa key?

3 Likes
20

So.... I got it to work (at least in staging). I'm going to be honest, horribly rookie mistake... I didn't give nginx access to the certbot volume.

3 Likes