While creating a domain SSL I'm getting such error: Invalid response from http://mis.veedhyapeeth.com/.well-known/acme-challenge/qqCRu4_lGEw9A-8swkzcqTA88ZiERJsG6__lDJMQVM: 404

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: admin.veedhyapeeth.com

I ran this command: certonly --webroot -w /var/www/certbot --email narendrathapa224@gmail.com -d admin.veedhyapeeth.com -d mis.veedhyapeeth.com --agree-tos

It produced this output:

```text
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
certbot | Domain: admin.veedhyapeeth.com
certbot | Type: unauthorized
certbot | Detail: 139.59.125.7: Invalid response from http://admin.veedhyapeeth.com/.well-known/acme-challenge/nDEUnWWMozJTk3jH7GnCF1EMqNrZrMlfLPzn7DGWmYQ: 404
```

My web server is (include version): nginx:1.22-alpine3.17

The operating system my web server runs on is (include version): docker alpine

My hosting provider, if applicable, is: digitalocean

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot-auto --version

Welcome @narendra

The 404 means that Certbot placed the challenge token in the webroot path (your /var/www/certbot). But, your nginx server did not return that token to Let's Encrypt when it queried your domain. The LE Server makes this query to prove you control the domain.

Given you mention docker this is likely because the folder that Certbot used isn't shared with the same folder as nginx. Review your docker volume config.

This can also happen with a mis-configured nginx. For example, the nginx root folder in the server block for this domain must be the same as the Certbot webroot path. If it is not then nginx won't find the token to return it to Let's Encrypt (and so gives a 404 Not Found).

If you need help with the nginx config please show output of

```text
sudo nginx -T
```

a capital T is necessary and the output will be very long
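
The check this diagnosis implies, as an added example (not part of the original post and not Certbot's own code): write a probe file where Certbot's `-w` webroot would put a token, then fetch it over HTTP the way the CA does. The function names, the probe file name and the local test server in `demo()` are assumptions made for illustration.

```python
import functools, secrets, threading, urllib.error, urllib.request
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer
from pathlib import Path
from tempfile import TemporaryDirectory

CHALLENGE_DIR = ".well-known/acme-challenge"   # path fixed by ACME HTTP-01


def probe_webroot(webroot, base_url, timeout=5.0):
    """Write a random probe file where Certbot would put a token, fetch it over
    HTTP like the CA does, and return (verdict, http_status)."""
    name = "preflight-" + secrets.token_urlsafe(12)   # assumed probe file name
    body = secrets.token_urlsafe(32)
    probe = Path(webroot) / CHALLENGE_DIR / name
    probe.parent.mkdir(parents=True, exist_ok=True)
    probe.write_text(body)
    try:
        url = f"{base_url.rstrip('/')}/{CHALLENGE_DIR}/{name}"
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            status, got = resp.status, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as exc:
        status, got = exc.code, ""
    except OSError:                      # DNS failure, refused connection, timeout
        return "unreachable", None
    finally:
        probe.unlink(missing_ok=True)    # never leave probe files behind
    if status == 404:
        return "not-served", status      # server root is not the Certbot webroot
    if status == 200 and got.strip() == body:
        return "ok", status
    return "wrong-content", status       # e.g. a catch-all page answered instead


def demo():
    """Constructed stand-in for nginx: a local server rooted at `served`."""
    with TemporaryDirectory() as served, TemporaryDirectory() as other:
        handler = functools.partial(SimpleHTTPRequestHandler, directory=served)
        httpd = ThreadingHTTPServer(("127.0.0.1", 0), handler)
        threading.Thread(target=httpd.serve_forever, daemon=True).start()
        base = f"http://127.0.0.1:{httpd.server_address[1]}"
        try:
            return probe_webroot(served, base), probe_webroot(other, base)
        finally:
            httpd.shutdown()
            httpd.server_close()


if __name__ == "__main__":
    print(demo())
```

For a real check, pass the host directory that is mounted into the Certbot container as `webroot` (`./certbot/www` in this thread) and `http://<your-domain>` as `base_url`; a `not-served` verdict is the same condition the CA reports as a 404.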

```nginx
server_tokens off;
access_log                /var/log/nginx/admin-veedhya.access.log;
error_log                 /var/log/nginx/admin-veedhya.error.log;
server {
    listen       80;
    listen [::]:80;
    server_name  admin.veedhyapeeth.com www.admin.veedhyapeeth.com;
    client_max_body_size 15M;

    location ~ /.well-known/acme-challenge/ {
        allow all;
        root /var/www/certbot;
    }

    # location / {
    #     return 301 https://$host$request_uri;
    # }
    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
        try_files $uri /index.html;
    }
}

# server {
#     listen 443 default_server ssl http2;
#     listen [::]:443 ssl http2;
#     client_max_body_size 15M;

#     server_name  admin.veedhyapeeth.com www.admin.veedhyapeeth.com;

#     ssl_certificate /etc/nginx/ssl/live/admin.veedhyapeeth.com/fullchain.pem;
#     ssl_certificate_key /etc/nginx/ssl/live/admin.veedhyapeeth.com/privkey.pem;

#     location / {
#         root   /usr/share/nginx/html;
#         index  index.html index.htm;
#         try_files $uri /index.html;
#     }

# }

server {
    listen       80;
    listen [::]:80;
    # server_name  admin.veedhyapeeth.com www.admin.veedhyapeeth.com;
    # client_max_body_size 15M;
    server_name mis.veedhyapeeth.com www.mis.veedhyapeeth.com;

    location ~ /.well-known/acme-challenge/ {
        allow all;
        root /var/www/certbot;
    }

    # location / {
    #     return 301 https://$host$request_uri;
    # }

    location / {
        proxy_pass http://mis.veedhyapeeth.com:8000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# server {
#     listen       443 ssl;
#     listen [::]:443 ssl;
#     server_name  mis.veedhyapeeth.com www.mis.veedhyapeeth.com;
#     client_max_body_size 15M;
#     # server_tokens off;  # Disable server token response

#     ssl_certificate /etc/nginx/ssl/live/mis.veedhyapeeth.com/fullchain.pem;
#     ssl_certificate_key /etc/nginx/ssl/live/mis.veedhyapeeth.com/privkey.pem;

#     location / {
#         proxy_pass http://mis.veedhyapeeth.com:8000;
#         proxy_set_header Host $host;
#         proxy_set_header X-Real-IP $remote_addr;
#         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#         proxy_set_header X-Forwarded-Proto $scheme;
#     }
# }
```

Here is some commented code that I tried, and it's a little bit rough.


Hmm. The nginx config looks okay.

Are you using docker containers? Have you checked the volume sharing between Certbot and nginx?

```yaml
  frontend:
    build:
      context: ./admin-frontend/admin-dashboard
      dockerfile: Dockerfile.prod
    container_name: admin_frontend
    restart: unless-stopped
    ports:
      - 80:80
    environment:
      # - ./nginx/nginx.conf:/etc/nginx/nginx.conf
      - ./certbot/www:/var/www/certbot/:ro
      - ./certbot/conf/:/etc/nginx/ssl/:ro
  certbot:
    image: certbot/certbot
    container_name: certbot
    volumes:
      - ./certbot/conf:/etc/letsencrypt/:rw
      - ./certbot/www:/var/www/certbot/:rw
```

Here is the volume shared between them.

Are these expected?:

  1. The environments point to two different paths
  2. The first one has a slash before the colon - none of the others have that slash

Okay, that was my mistake: instead of volumes I was writing environment in docker compose. But I requested a certificate for two domains and got it only for one, admin.veedhyapeeth.com:

```text
✔ Container certbot Created 0.0s
Attaching to certbot
certbot | Saving debug log to /var/log/letsencrypt/letsencrypt.log
certbot | Requesting a certificate for admin.veedhyapeeth.com and mis.veedhyapeeth.com
certbot |
certbot | Successfully received certificate.
certbot | Certificate is saved at: /etc/letsencrypt/live/admin.veedhyapeeth.com/fullchain.pem
certbot | Key is saved at: /etc/letsencrypt/live/admin.veedhyapeeth.com/privkey.pem
certbot | This certificate expires on 2024-05-23.
certbot | These files will be updated when the certificate renews.
certbot | NEXT STEPS:
certbot | - The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See User Guide — Certbot 2.10.0.dev0 documentation for instructions.
certbot |
certbot | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
certbot | If you like Certbot, please consider supporting our work by:
certbot | * Donating to ISRG / Let's Encrypt: Donate - Let's Encrypt
certbot | * Donating to EFF: Support EFF's Work on Let's Encrypt | Electronic Frontier Foundation
```

What mistake am I making here?


Please show the complete request.

```yaml
certbot:
    image: certbot/certbot
    container_name: certbot
    volumes:
      - ./certbot/conf:/etc/letsencrypt/:rw
      - ./certbot/www:/var/www/certbot/:rw
    command: certonly --webroot -w /var/www/certbot --email narendrathapa224@gmail.com -d admin.veedhyapeeth.com -d mis.veedhyapeeth.com --agree-tos
```

Try that as:

```yaml
command: certonly --webroot -w /var/www/certbot -d mis.veedhyapeeth.com -d admin.veedhyapeeth.com --agree-tos --email narendrathapa224@gmail.com
```


Do I have to manually remove the certificate before running the command? Otherwise it's giving:

```text
Saving debug log to /var/log/letsencrypt/letsencrypt.log
certbot | Certificate not yet due for renewal
certbot |
certbot | You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
certbot | (ref: /etc/letsencrypt/renewal/admin.veedhyapeeth.com.conf)
certbot |
certbot | What would you like to do?
certbot | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
certbot | 1: Keep the existing certificate for now
certbot | 2: Renew & replace the certificate (may be subject to CA rate limits)
certbot | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
certbot | An unexpected error occurred:
certbot | EOFError
```

There was no mistake. Your certificate includes both domain names. You can see this by running the below command in that container. Or view the certificate that your server is using now in a browser or other tool.

```text
certbot certificates
```


@MikeMcQ, @rg305 Thank you for your help, the problem has been resolved :slight_smile:
