.well-known/acme-challenge path access 404

Hey Karan Shah,

My website was also running without any issues for the past 1 year. Suddenly, after 28th Dec 2021, the cert expired and I am facing the same issue as you.
I found that nginx released an update on 29th Dec 2021.
I also found that /.well-known/acme-challenge/ is not accessible,
so I suspect the below has changed/stopped working with the latest nginx:
location ^~ /.well-known/acme-challenge/ {
    allow all;
    root /var/www/certbot;
}
I tried placing test.html inside the /var/www/certbot location, and when hitting the path we only get 404.

You can only set up the HTTPS part again after you get a certificate, and only then do you need to enable the redirect again.

Hi @VishalCB and welcome to the LE community forum :slight_smile:

Please show the complete config, with:
nginx -T

3 Likes

Hi @rg305 :slight_smile:

My nginx config as below,

server {

  listen 80;
  server_name sanyoeng.com www.sanyoeng.com;
  server_tokens off;

  location /.well-known/acme-challenge/ {
      root /var/www/certbot;
  }

  location / {
    return 301 https://$host$request_uri;
  }
}

server {
    listen 443 ssl;
    server_name sanyoeng.com;
    server_tokens off;

    ssl_certificate /etc/letsencrypt/live/sanyoeng.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/sanyoeng.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

  location /api/ {
    proxy_pass http://backend:5000;
  }

    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
        try_files $uri $uri/ /index.html;
    }

    error_page   500 502 503 504  /50x.html;

  location = /50x.html {
    root   /usr/share/nginx/html;
  }
}

My certificate was working fine till 29th December 2021, and the certificate cannot be renewed since that date.

I tried the below with the nginx config:

  • Stopped the https redirect
  • Placed a test.html file inside the root path /var/www/certbot/ of location /.well-known/acme-challenge/
  • Couldn't access it (Error 404)
  • Tried placing the same test.html file in the root /usr/share/nginx/html of location /
  • Can access it without any issue
  • Tried giving /.well-known/acme-challenge/ the same root path as location / (/usr/share/nginx/html)
  • Couldn't access it (Error 404)
  • The same file in the same path can be accessed from location / but not from /.well-known/acme-challenge/

I'm sure there is a lot more to the config that you haven't shown.

Try this:
mkdir -p /var/www/certbot/.well-known/acme-challenge/
echo "Test_File-1234" > /var/www/certbot/.well-known/acme-challenge/Test_File-1234

Then (from the Internet):
http://sanyoeng.com/.well-known/acme-challenge/Test_File-1234

2 Likes

Hi @rg305 ,

Tried creating the folders and files as you suggested.
I can access it via

But it's not accessible via
http://www.sanyoeng.com/.well-known/acme-challenge/Test_File-1234
Not sure why nginx is not serving www.sanyoeng.com.

When renewing certs, it fails for www.sanyoeng.com.

I see you got a new cert for your apex domain although your www domain is not working.

The www.sanyoeng.com DNS points to a different IP group than your apex name. These are related to AWS Global Accelerator. I do not know which one is correct for your setup but they should be consistent. If I had to guess I think your www DNS should be just the one IP that your apex domain uses.

Name:   sanyoeng.com
Address: 52.77.227.176
Name:   www.sanyoeng.com
Address: 3.33.152.147
Name:   www.sanyoeng.com
Address: 15.197.142.173

The responses to the www domain requests were also inconsistent:

curl -i http://www.sanyoeng.com/.well-known/acme-challenge/Test_File-1234
(Note: EC2 related Server header)

HTTP/1.1 404 Not Found
Date: Wed, 05 Jan 2022 02:50:25 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 48
Connection: keep-alive
Server: ip-10-123-122-241.ec2.internal
X-Request-Id: d51895d7-315f-48fa-9cab-d9e981aab459

curl -i https://www.sanyoeng.com/.well-known/acme-challenge/Test_File-1234
(No response - timed out)
4 Likes
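A scripted version of the checks walked through in this thread (resolve apex and www, compare the answers, then fetch the test file on each name over port 80), added here as an example and not part of any post above. It assumes dig and curl are installed and that the test file's content equals its name, as in the echo command suggested earlier; the default hostname and token are the ones from this thread.

```shell
#!/bin/sh
# Pre-renewal check for the failure in this thread: resolve the apex and www
# names, compare the answers as sets, then fetch a test file from
# /.well-known/acme-challenge/ on each name over plain HTTP. Assumes dig and
# curl are installed; the default hostname and token are the ones used above.

# Normalise a whitespace-separated IPv4 list to one sorted, deduplicated line
# so two DNS answers compare as sets (CNAME targets from dig +short are dropped).
ip_set() {
  printf '%s\n' "$1" | tr ' ' '\n' | grep -E '^[0-9.]+$' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Succeeds only if both names resolve to the same non-empty address set.
ips_consistent() {
  a=$(ip_set "$1"); b=$(ip_set "$2")
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# Succeeds only for HTTP 200 with a body identical to the expected content.
challenge_ok() {
  [ "$1" = "200" ] && [ "$2" = "$3" ]
}

resolve() { dig +short A "$1" | tr '\n' ' '; }

# Fetch http://HOST/.well-known/acme-challenge/TOKEN; curl appends the status
# code on its own line so body and status can be split afterwards.
check_host() {
  url="http://$1/.well-known/acme-challenge/$2"
  reply=$(curl -s --max-time 10 -w '\n%{http_code}' "$url") \
    || { echo "$1: no response (timeout or connection refused)"; return 1; }
  status=$(printf '%s\n' "$reply" | tail -n 1)
  body=$(printf '%s\n' "$reply" | sed '$d')
  if challenge_ok "$status" "$body" "$2"; then echo "$1: OK"; return 0; fi
  echo "$1: FAIL (HTTP $status, body: $body)"; return 1
}

main() {
  apex=${1:-sanyoeng.com}; token=${2:-Test_File-1234}; www="www.$apex"
  apex_ips=$(resolve "$apex"); www_ips=$(resolve "$www")
  echo "$apex -> $apex_ips"; echo "$www -> $www_ips"
  if ips_consistent "$apex_ips" "$www_ips"; then echo "DNS: consistent"
  else echo "DNS: MISMATCH, fix the records before retrying renewal"; fi
  check_host "$apex" "$token"; check_host "$www" "$token"
}

# Live checks only when requested: ACME_CHECK=1 sh acme-check.sh example.com Test_File-1234
if [ "${ACME_CHECK:-0}" = 1 ]; then main "$@"; fi
```

With the addresses shown in the nslookup output above, the DNS step reports a mismatch, which is the condition that made the www name fail validation while the apex succeeded.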

Thanks @MikeMcQ!

My DNS had a subdomain redirect which resulted in inconsistent IP addresses.
I have managed to get both sanyoeng.com and www.sanyoeng.com to point to the same IP.

Now both of the below can be accessed:
http://sanyoeng.com/.well-known/acme-challenge/Test_File-1234
http://www.sanyoeng.com/.well-known/acme-challenge/Test_File-1234

Now I am able to renew my cacerts with letsencrypt!!

2 Likes
