Why does the Certificate Authority always fail the temporary challenge file created by Certbot?

My domain is:
autocensor.ru

I'm using the jonasal/nginx-certbot image to generate Let's Encrypt certificates.
docker-compose.yml:

version: '3'
services:
  nginx:
    image: jonasal/nginx-certbot:latest
    restart: unless-stopped
    environment:
      - CERTBOT_EMAIL=your@email.org
    env_file:
      - ./nginx-certbot.env
    ports:
      - 80:80
      - 443:443
    volumes:
      - nginx_secrets:/etc/letsencrypt
      - ./user_conf.d:/etc/nginx/user_conf.d

volumes:
  nginx_secrets:

nginx-certbot.env:

# Required
CERTBOT_EMAIL=your@email.org

# Optional (Defaults)
STAGING=0
DHPARAM_SIZE=2048
RSA_KEY_SIZE=2048
ELLIPTIC_CURVE=secp256r1
USE_ECDSA=0
RENEWAL_INTERVAL=8d

# Advanced (Defaults)
DEBUG=0
USE_LOCAL_CA=0

example_server.conf:

server {
    # Listen to port 443 on both IPv4 and IPv6.
    listen 443 ssl default_server reuseport;
    listen [::]:443 ssl default_server reuseport;

    # Domain names this server should respond to.
    server_name autocensor.ru www.autocensor.ru;

    # Load the certificate files.
    ssl_certificate         /etc/letsencrypt/live/autocensor.ru/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/autocensor.ru/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/autocensor.ru/chain.pem;

    # Load the Diffie-Hellman parameter.
    ssl_dhparam /etc/letsencrypt/dhparams/dhparam.pem;

    return 200 'Let\'s Encrypt certificate successfully installed!';
    add_header Content-Type text/plain;
}

and when running docker-compose up I get this error:

Requesting a certificate for autocensor.ru and www.autocensor.ru
nginx_1 |
nginx_1 | Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
nginx_1 |   Domain: autocensor.ru
nginx_1 |   Type:   unauthorized
nginx_1 |   Detail: The key authorization file from the server did not match this challenge "pp6XaPNCuZawYdO3O7FNKHfeWtpf1bQzcoIyXVGNOzM.kTA13USq2rwk6zJAuXHkRl6UF3hcK_tiHGRBYu100gU" != "pp6XaPNCuZawYdO3O7FNKHfeWtpf1bQzcoIyXVGNOzM"

However, https://autocensor.ru/.well-known/acme-challenge/pp6XaPNCuZawYdO3O7FNKHfeWtpf1bQzcoIyXVGNOzM.kTA13USq2rwk6zJAuXHkRl6UF3hcK_tiHGRBYu100gU shows the full hash, and it does not seem that certbot cut it off for some reason.

I tried to do that using the original phusion/baseimage image. The result is the same. What am I doing wrong?

Maybe I have to output only part of the hash? I tried to print other content and it showed me something like this:

"pp6XaPNCuZawYdO3O7FNKHfeWtpf1bQzcoIyXVGNOzM.kTA13USq2rwk6zJAuXHkRl6UF3hcK_tiHGRBYu100gU" != "content"

It means that the output content is shown on the right side.

I also ran this command just using plain certbot:

certbot certonly --webroot -w /var/www/certbot \
    --email test@email.org \
    -d autocensor.ru \
    --rsa-key-size 4096 \
    --agree-tos \
    --force-renewal

and it produced the same output.

My web server is (include version): jonasal/nginx-certbot:latest

The operating system my web server runs on is (include version): Debian 8 or MacOS 11.4

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.18.0

There are lots of similar posts, but everywhere the problem is with access to the token. In my case the token works properly.

File requested:

"pp6XaPNCuZawYdO3O7FNKHfeWtpf1bQzcoIyXVGNOzM.kTA13USq2rwk6zJAuXHkRl6UF3hcK_tiHGRBYu100gU"

!=
[not equal to the contents returned]

"pp6XaPNCuZawYdO3O7FNKHfeWtpf1bQzcoIyXVGNOzM"

Who/what created that file?

Also, please refrain from using:

I also don't get why you show the secured vhost config and the https:// file request, when LE requests on HTTP.

Thank you for your reply. Well, I'll remove it.

Regarding your comment: actually, that was the question. As you can see, https://autocensor.ru/.well-known/acme-challenge/pp6XaPNCuZawYdO3O7FNKHfeWtpf1bQzcoIyXVGNOzM.kTA13USq2rwk6zJAuXHkRl6UF3hcK_tiHGRBYu100gU returns the correct result, not cropped.

I also don't get why you show the secured vhost config and the https:// file request, when LE requests on HTTP.

This is a good point. I'll try. Thanks.

I see that.
But LE doesn't make requests on HTTPS (unless redirected).
And you fail to show the insecure vhost config, so I can't assume redirection will take place.

Now back to my main concern:

I beg to differ.
The expected result is only 43 bytes long.
The returned result is 87 bytes long.

Please answer this one simple question:
Who/what created that file?

Might it have something to do with this:

return 200 'Let\'s Encrypt certificate successfully installed!';
add_header Content-Type text/plain;

You should be returning the contents of the file the client placed in the server location - not a fixed response of '200'.

@MikeMcQ, that return is within the secure vhost config which a) shouldn't be hit by LE; as it challenges via HTTP and b) isn't even seen anywhere in the HTTPS response:

curl -k https://autocensor.ru/.well-known/acme-challenge/pp6XaPNCuZawYdO3O7FNKHfeWtpf1bQzcoIyXVGNOzM.kTA13USq2rwk6zJAuXHkRl6UF3hcK_tiHGRBYu100gU

pp6XaPNCuZawYdO3O7FNKHfeWtpf1bQzcoIyXVGNOzM.kTA13USq2rwk6zJAuXHkRl6UF3hcK_tiHGRBYu100gU

Which makes me wonder if that is even the vhost config being used (likely NOT)...

@rg305 Yeah, but we were clearly working with, um, imperfect info so thought worth mentioning it. I was mostly struck by the 'mis-matched data' response and the response length almost exactly matching the fixed string in their sample.

I'll leave you to it :slight_smile:

Going forward, it's definitely

But you're on Step #3
We are still trying to fix Step #1
LOL

@rg305 Fair enough!

Sorry, you are right, I copied the wrong file.
The original file is:

server {

    listen 80;
    listen [::]:80;

    ssl_certificate /etc/letsencrypt/live/autocensor.ru/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/autocensor.ru/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/autocensor.ru/chain.pem;

    include /etc/letsencrypt/conf/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;

    # For https
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name autocensor.ru www.autocensor.ru;

    root /var/www/smclient.ru/www/public;
    index index.php index.html index.htm;

    location ~ "^/\.well-known/acme-challenge/(.*)$" {
        default_type text/plain;
        return 200 "$1";
    }

    location / {
         try_files $uri $uri/ /index.php$is_args$args;
    }

    location ~ \.php$ {
        try_files $uri /index.php =404;
        fastcgi_pass php-upstream;
        fastcgi_index index.php;
        fastcgi_buffers 16 16k;
        fastcgi_buffer_size 32k;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        #fixes timeouts
        fastcgi_read_timeout 600;
        include fastcgi_params;
    }

    location ~ /\.ht {
        deny all;
    }
}

and port 80 is open.

and this config creates the response. If it's not the expected answer, sorry, can you clarify what you are expecting to see as an answer?
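What the `return 200 "$1"` block in the config above actually hands back, as an added example (not code from this thread or from the jonasal/nginx-certbot project): it builds the HTTP-01 key authorization the CA expects (RFC 8555 section 8.1, RFC 7638 thumbprint), simulates the echoing location block, and classifies the mismatch from the certbot error. The account JWK is a constructed sample; EXPECTED and TOKEN are the two strings quoted in the error.

```python
import base64
import hashlib
import json

# Values quoted in the certbot error in this thread: what the CA expected
# versus what the server actually answered.
EXPECTED = "pp6XaPNCuZawYdO3O7FNKHfeWtpf1bQzcoIyXVGNOzM.kTA13USq2rwk6zJAuXHkRl6UF3hcK_tiHGRBYu100gU"
TOKEN = "pp6XaPNCuZawYdO3O7FNKHfeWtpf1bQzcoIyXVGNOzM"
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"

def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME (RFC 8555) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over only the required public members,
    serialised as JSON with members in lexicographic order and no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def key_authorization(token: str, account_jwk: dict) -> str:
    """Body the CA expects at <prefix><token>: token + "." + thumbprint (RFC 8555 s8.1)."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"

def echo_location_response(path: str) -> str:
    """Mimics the thread's nginx block `return 200 "$1"`: it echoes whatever follows
    the challenge prefix and never reads the file certbot wrote to the webroot."""
    return path[len(CHALLENGE_PREFIX):] if path.startswith(CHALLENGE_PREFIX) else ""

def diagnose(expected: str, served: str) -> str:
    """Classify a 'key authorization file did not match this challenge' failure."""
    if served == expected:
        return "ok"
    if served == expected.split(".", 1)[0]:
        return "token_echoed"  # server returned the URL's token, not the file contents
    if served.strip() == expected:
        return "trailing_whitespace"
    return "wrong_content"

# Constructed account key: not a real key, only its JWK members feed the thumbprint.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": b64url(b"\x01" * 32), "y": b64url(b"\x02" * 32)}

if __name__ == "__main__":
    # The CA fetches the token URL, so the echo block hands back only the 43-byte token...
    print(diagnose(EXPECTED, echo_location_response(CHALLENGE_PREFIX + TOKEN)))     # token_echoed
    # ...while a manual curl of the 87-byte key-authorization URL echoes it back and looks fine.
    print(diagnose(EXPECTED, echo_location_response(CHALLENGE_PREFIX + EXPECTED)))  # ok
    print(key_authorization(TOKEN, SAMPLE_JWK))
```

The fix is for the challenge location to serve the file certbot placed in the webroot (for example with `root`/`alias` pointing at the webroot directory) rather than echoing the request path.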

Interesting code.
Not sure why you removed it...

None-the-less, the issue is within the HTTP vhost config (not the HTTPS vhost config).
A config which you have yet to show us.

It works now using jonasal/nginx-certbot. I changed nothing. The only thing I did wrong is that I ran it from my local machine at a time when the domain was pointed to the real one. I wanted to grab the local certificates and place them on the server. But it does not work, as the certificate is tied to the server IP.

jonasal/nginx-certbot generates the port 80 config file on the fly, so I do not have to write it in the configuration explicitly.

Anyway, thank you for your participation! Without you, I would not have come to these reflections.
