Well-known/acme-challenge/test gives 404

Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 2
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://example.com/.well-known/acme-challenge/zh6KGGNQ43IkdCyrlv3Y3ucauVdt4-EDVfpMGPU8y30: "\n<html xmlns=“http:”

IMPORTANT NOTES:

• The following errors were reported by the server:

  Domain: example.com
  Type: unauthorized
  Detail: Invalid response from
  http://example.com/.well-known/acme-challenge/zh6KGGNQ43IkdCyrlv3Y3ucauVdt4-EDVfpMGPU8y30:
  "\n<html
  xmlns=“http:”

  To fix these errors, please make sure that your domain name was
  entered correctly and the DNS A/AAAA record(s) for that domain
  contain(s) the right IP address.

curl -X GET -I http://example.com/.well-known/acme-challenge/test.txt
HTTP/1.1 404 Not Found
Server: nginx/1.14.1
Date: Mon, 28 Jan 2019 07:39:37 GMT
Content-Type: text/html
Content-Length: 11812
Connection: keep-alive
Last-Modified: Mon, 18 Nov 2013 21:26:36 GMT
Accept-Ranges: bytes

Hi @awsdevopro

if you have trouble to use http-01 - validation, a lot of domain + command - specific errors are possible.

So please answer the following questions of the #help - category:

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

Moved to “Help”.

certbot --version
certbot 0.26.1

I ran the following command
sudo certbot certonly -d klock-in.com -d www.klock-in.com
[sudo] password for reza:
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?

1: Nginx Web Server plugin - Alpha (nginx)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)

Select the appropriate number [1-3] then [enter] (press ‘c’ to cancel): 3
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.klock-in.com
http-01 challenge for klock-in.com
Input the webroot for www.klock-in.com: (Enter ‘c’ to cancel): /itconquest/smallsites/sites-src/klock-in.com/app-landing

Select the webroot for klock-in.com:

1: Enter a new webroot
2: /itconquest/smallsites/sites-src/klock-in.com/app-landing

Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 2
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. klock-in.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://klock-in.com/.well-known/acme-challenge/HIiosp7RzLandqokbDFi1INMrbaOorSYTu7tvqLJ-iw: "\n<html xmlns=“http:”

IMPORTANT NOTES:

• The following errors were reported by the server:

  Domain: klock-in.com
  Type: unauthorized
  Detail: Invalid response from
  http://klock-in.com/.well-known/acme-challenge/HIiosp7RzLandqokbDFi1INMrbaOorSYTu7tvqLJ-iw:
  "\n<html
  xmlns=“http:”

curl -X GET -I http://klock-in.com/.well-known/acme-challenge/test
HTTP/1.1 404 Not Found
Server: nginx/1.14.1
Date: Mon, 28 Jan 2019 09:52:28 GMT
Content-Type: text/html
Content-Length: 11812
Connection: keep-alive
Last-Modified: Mon, 18 Nov 2013 21:26:36 GMT
Accept-Ranges: bytes

Using nginx as a reverse proxy

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.

Server:
Server:
ubuntu/xenial 16.04
Hosting provider:
hostgator
Root login
Yes
I have both whm/cPanel
certbot version: certbot 0.26.1

There are two different nginx running ( https://check-your-website.server-daten.de/?q=klock-in.com ):

Your non www sends http, your www is redirected to https. The wrong certificate isn't a problem, Letsencrypt ignores that.

But is your webroot really correct with this setting?

Perhaps remove the redirect http -> https of your www version (directory /.well-known), so both requests (www + non-www) are answered from the same server.

Changed and this is my rest configs. It’s my docker-container configs. All other websites are working fine with the same configs, but this one isn’t working.

in my vhost:

klock-in.com.conf

<VirtualHost *:80>
ServerName klock-in.com
Redirect permanent / http://www.klock-in.com

and

www.klock-in.com.conf

<VirtualHost *:80>
ServerName www.klock-in.com
DocumentRoot /var/www/klock-in.com

and getting the following error

sudo certbot certonly -d klock-in.com -d www.klock-in.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?

1: Nginx Web Server plugin - Alpha (nginx)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)

Select the appropriate number [1-3] then [enter] (press ‘c’ to cancel): 3
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.klock-in.com
http-01 challenge for klock-in.com
Input the webroot for www.klock-in.com: (Enter ‘c’ to cancel): /itconquest/smallsites/sites-src/klock-in.com/app-landing

Select the webroot for klock-in.com:

1: Enter a new webroot
2: /itconquest/smallsites/sites-src/klock-in.com/app-landing

Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 2
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. klock-in.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://klock-in.com/.well-known/acme-challenge/OdEnty1OtZvpgzLmrM3spVnKbwyPnTtNptAySB_b988: "\n<html xmlns=“http:”

IMPORTANT NOTES:

• The following errors were reported by the server:

  Domain: klock-in.com
  Type: unauthorized
  Detail: Invalid response from
  http://klock-in.com/.well-known/acme-challenge/OdEnty1OtZvpgzLmrM3spVnKbwyPnTtNptAySB_b988:
  "\n<html
  xmlns=“http:”

  To fix these errors, please make sure that your domain name was
  entered correctly and the DNS A/AAAA record(s) for that domain
  contain(s) the right IP address.

There is again a mixed configuration:

Two different servers answer, nginx/1.14.1 and nginx/1.11.10.

I don’t think they use the same webroot.

Now changed and only kept the following

<VirtualHost *:80>
ServerName klock-in.com
ServerAlias www.klock-in.com
DocumentRoot /var/www/klock-in.com

Now you have created a loop. Check your domain https://check-your-website.server-daten.de/?q=klock-in.com - my tool is online and free.

Loop - it's impossible to use this site

Looks like your non-www has a cPanel-certificate:

CN=mail.klock-in.com
	04.12.2018
	04.03.2019
	autodiscover.klock-in.com, cpanel.klock-in.com, 
klock-in.com, klock-in.sandbox3000.com, mail.klock-in.com, 
webdisk.klock-in.com, webmail.klock-in.com, whm.klock-in.com, 
www.klock-in.sandbox3000.com - 9 entries

Your www-version uses the wrong certificate:

CN=klock-in.com
	16.10.2018
	14.01.2019
expired	klock-in.com - 1 entry

Perhaps you should only create a certificate with the www-domain name.

It does work. Thank you.

Yep, now your www certificate

CN=www.klock-in.com
	28.01.2019
	28.04.2019
	www.klock-in.com - 1 entry

is new.

If you use cPanel (with your non-www), it’s always the best to use the integrated cPanel-solution.

How can I do klock-in.com new certificate if I want to?

2 posts were split to a new topic: 404 from .well-known/challenge

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.