Well-known/acme-challenge/test gives 404

Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 2
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://example.com/.well-known/acme-challenge/zh6KGGNQ43IkdCyrlv3Y3ucauVdt4-EDVfpMGPU8y30: "\n<html xmlns=“http:”

IMPORTANT NOTES:

curl -X GET -I http://example.com/.well-known/acme-challenge/test.txt
HTTP/1.1 404 Not Found
Server: nginx/1.14.1
Date: Mon, 28 Jan 2019 07:39:37 GMT
Content-Type: text/html
Content-Length: 11812
Connection: keep-alive
Last-Modified: Mon, 18 Nov 2013 21:26:36 GMT
Accept-Ranges: bytes

Hi @awsdevopro

if you have trouble to use http-01 - validation, a lot of domain + command - specific errors are possible.

So please answer the following questions of the #help - category:


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):


Moved to “Help”.

certbot --version
certbot 0.26.1

I ran the following command
sudo certbot certonly -d klock-in.com -d www.klock-in.com
[sudo] password for reza:
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?


1: Nginx Web Server plugin - Alpha (nginx)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)


Select the appropriate number [1-3] then [enter] (press ‘c’ to cancel): 3
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.klock-in.com
http-01 challenge for klock-in.com
Input the webroot for www.klock-in.com: (Enter ‘c’ to cancel): /itconquest/smallsites/sites-src/klock-in.com/app-landing

Select the webroot for klock-in.com:


1: Enter a new webroot
2: /itconquest/smallsites/sites-src/klock-in.com/app-landing


Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 2
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. klock-in.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://klock-in.com/.well-known/acme-challenge/HIiosp7RzLandqokbDFi1INMrbaOorSYTu7tvqLJ-iw: "\n<html xmlns=“http:”

IMPORTANT NOTES:


curl -X GET -I http://klock-in.com/.well-known/acme-challenge/test
HTTP/1.1 404 Not Found
Server: nginx/1.14.1
Date: Mon, 28 Jan 2019 09:52:28 GMT
Content-Type: text/html
Content-Length: 11812
Connection: keep-alive
Last-Modified: Mon, 18 Nov 2013 21:26:36 GMT
Accept-Ranges: bytes

Using nginx as a reverse proxy

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.

Server:
Server:
ubuntu/xenial 16.04
Hosting provider:
hostgator
Root login
Yes
I have both whm/cPanel
certbot version: certbot 0.26.1

There are two different nginx running ( https://check-your-website.server-daten.de/?q=klock-in.com ):


Domainname Http-Status redirect Sec. G
http://klock-in.com/
192.185.191.5 301 http://www.klock-in.com/ 0.260 D
Server: nginx/1.14.1
Date: Mon, 28 Jan 2019 10:40:22 GMT
Content-Type: text/html; charset=iso-8859-1
Content-Length: 294
Connection: close
Location: http://www.klock-in.com/
http://www.klock-in.com/
76.68.78.122 301 https://www.klock-in.com/ 0.273 A
Server: nginx/1.11.10
Date: Mon, 28 Jan 2019 10:40:23 GMT
Content-Type: text/html
Content-Length: 186
Connection: close
Location: https://www.klock-in.com/
https://klock-in.com/
192.185.191.5 301 http://www.klock-in.com/ 2.590 F
Server: nginx/1.14.1
Date: Mon, 28 Jan 2019 10:40:23 GMT
Content-Type: text/html; charset=iso-8859-1
Content-Length: 295
Connection: close
Location: http://www.klock-in.com/
https://www.klock-in.com/
76.68.78.122 200 2.647 N
Certificate error: RemoteCertificateNameMismatch, RemoteCertificateChainErrors
Server: nginx/1.11.10
Date: Mon, 28 Jan 2019 10:40:26 GMT
Content-Type: text/html
Content-Length: 11048
Connection: close
Last-Modified: Mon, 07 Jan 2019 11:29:54 GMT
ETag: "2b28-57edc8c425af2"
Accept-Ranges: bytes
Vary: Accept-Encoding
Strict-Transport-Security: max-age=31536000
http://www.klock-in.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
76.68.78.122 301 https://www.klock-in.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 0.277 A
Server: nginx/1.11.10
Date: Mon, 28 Jan 2019 10:40:29 GMT
Content-Type: text/html
Content-Length: 186
Connection: close
Location: https://www.klock-in.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
http://klock-in.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
192.185.191.5 404 0.290 A
Not Found
Server: nginx/1.14.1
Date: Mon, 28 Jan 2019 10:40:28 GMT
Content-Type: text/html
Content-Length: 11812
Connection: close
Last-Modified: Mon, 18 Nov 2013 21:26:36 GMT
Accept-Ranges: bytes
https://www.klock-in.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 404 6.140 N
Not Found
Certificate error: RemoteCertificateNameMismatch, RemoteCertificateChainErrors
Server: nginx/1.11.10
Date: Mon, 28 Jan 2019 10:40:29 GMT
Content-Type: text/html; charset=iso-8859-1
Content-Length: 349
Connection: close

Your non www sends http, your www is redirected to https. The wrong certificate isn't a problem, Letsencrypt ignores that.

But is your webroot really correct with this setting?

Perhaps remove the redirect http -> https of your www version (directory /.well-known), so both requests (www + non-www) are answered from the same server.

Changed and this is my rest configs. It’s my docker-container configs. All other websites are working fine with the same configs, but this one isn’t working.

in my vhost:

klock-in.com.conf

<VirtualHost *:80>
ServerName klock-in.com
Redirect permanent / http://www.klock-in.com

and

www.klock-in.com.conf

<VirtualHost *:80>
ServerName www.klock-in.com
DocumentRoot /var/www/klock-in.com

and getting the following error

sudo certbot certonly -d klock-in.com -d www.klock-in.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?


1: Nginx Web Server plugin - Alpha (nginx)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)


Select the appropriate number [1-3] then [enter] (press ‘c’ to cancel): 3
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.klock-in.com
http-01 challenge for klock-in.com
Input the webroot for www.klock-in.com: (Enter ‘c’ to cancel): /itconquest/smallsites/sites-src/klock-in.com/app-landing

Select the webroot for klock-in.com:


1: Enter a new webroot
2: /itconquest/smallsites/sites-src/klock-in.com/app-landing


Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 2
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. klock-in.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://klock-in.com/.well-known/acme-challenge/OdEnty1OtZvpgzLmrM3spVnKbwyPnTtNptAySB_b988: "\n<html xmlns=“http:”

IMPORTANT NOTES:

There is again a mixed configuration:

Domainname (3751) Http-Status redirect Sec. G
(24318) • http://klock-in.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
192.185.191.5 404 0.250 A
Not Found
Server: nginx/1.14.1
Date: Mon, 28 Jan 2019 11:16:52 GMT
Content-Type: text/html
Content-Length: 11812
Connection: close
Last-Modified: Mon, 18 Nov 2013 21:26:36 GMT
Accept-Ranges: bytes
(24320) • https://www.klock-in.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 404 6.130 N
Not Found
Certificate error: RemoteCertificateNameMismatch, RemoteCertificateChainErrors
Server: nginx/1.11.10
Date: Mon, 28 Jan 2019 11:16:53 GMT
Content-Type: text/html; charset=iso-8859-1
Content-Length: 349
Connection: close

Two different servers answer, nginx/1.14.1 and nginx/1.11.10.

I don’t think they use the same webroot.

Now changed and only kept the following

<VirtualHost *:80>
ServerName klock-in.com
ServerAlias www.klock-in.com
DocumentRoot /var/www/klock-in.com

Now you have created a loop. Check your domain https://check-your-website.server-daten.de/?q=klock-in.com - my tool is online and free.

Loop - it's impossible to use this site

Looks like your non-www has a cPanel-certificate:

CN=mail.klock-in.com
	04.12.2018
	04.03.2019
	autodiscover.klock-in.com, cpanel.klock-in.com, 
klock-in.com, klock-in.sandbox3000.com, mail.klock-in.com, 
webdisk.klock-in.com, webmail.klock-in.com, whm.klock-in.com, 
www.klock-in.sandbox3000.com - 9 entries

Your www-version uses the wrong certificate:

CN=klock-in.com
	16.10.2018
	14.01.2019
expired	klock-in.com - 1 entry

Perhaps you should only create a certificate with the www-domain name.

It does work. Thank you.

2 Likes

Yep, now your www certificate

CN=www.klock-in.com
	28.01.2019
	28.04.2019
	www.klock-in.com - 1 entry

is new.

If you use cPanel (with your non-www), it’s always the best to use the integrated cPanel-solution.

How can I do klock-in.com new certificate if I want to?

2 posts were split to a new topic: 404 from .well-known/challenge

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.