nginxconfig.io
Cannot get SSL certificate.
I've followed the setup instructions step by step. However, when I execute:
sudo certbot certonly --webroot -d domain.com --email [email protected] -w /var/www/_letsencrypt -n --agree-tos --force-renewal
The following error message appears:
Failed authorization procedure. domain.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://domain.com/.well-known/acme-challenge/V8Gz5gpzI0B6C7iyQ5N6W4MhmYD6Cn6Mh5Pb755s03Y [MY IP]: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>"
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: domain.com
Type: unauthorized
Detail: Invalid response from
http://domain.com/.well-known/acme-challenge/V8Gz5gpzI0B6C7iyQ5N6W4MhmYD6Cn6Mh5Pb755s03Y
[MY IP]: "<html>\r\n<head><title>404 Not
Found</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>404
Not Found</h1></center>\r\n<hr><center>"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
I'm sure the web server is reachable from the internet. I'm trying to configure the webserver on a Raspberry Pi 4B with Nginx 1.14.2 and Certbot 0.31.0-1.
I substituted my domain with domain.com in the previous message.
Anyway, I got the certificate for my website using certbot certonly --nginx.
Hi, this looks like a misconfig of nginx. For some reason, resolving of location ^~ /.well-known/acme-challenge/ could not work. For my clean installation of nginx v1.18.0 and certbot I did the following things:
- Ensure there is symlink to your host config in /etc/nginx/sites-available/, e.g. ln -s /etc/nginx/sites-available/example.com.conf /etc/nginx/sites-enabled/. If you downloaded zip file, generated by a configurator, it should be unpacked as a part of directory structure from that archive.
- Optionally, ensure default configs in /etc/nginx/conf.d that could override letsencrypt.conf declarations (i.e. location ^~ /.well-known/acme-challenge/ section) are deactivated: mv /etc/nginx/conf.d/default.conf /etc/nginx/conf.d/default.conf.old.
If location ^~ /.well-known/acme-challenge/ resolves, the command
sudo certbot certonly --webroot -d domain.com --email [email protected] -w /var/www/_letsencrypt -n --agree-tos --force-renewal
should execute without errors and the steps from NGINXconfig Setup work well. Anyway, you can try the certbot command with the --dry-run flag and test for success without actual ACME server requests, not being limited by rate limits.
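The checks from the reply above, collected into one shell function. This is an added example, not part of the thread or of nginxconfig.io: the function name `acme_preflight` and its finding labels are made up here, and the default paths are the ones quoted in the thread.

```shell
#!/bin/sh
# Pre-flight checks before running certbot --webroot behind nginx.
# Hypothetical helper; the defaults are the paths quoted in the thread.

# Prints one finding per line; returns 0 only when there are none.
acme_preflight() {
    nginx_dir=${1:-/etc/nginx}
    webroot=${2:-/var/www/_letsencrypt}
    findings=0
    enabled=0

    # 1. Every entry in sites-enabled must resolve to a real file.
    for link in "$nginx_dir"/sites-enabled/*; do
        [ -e "$link" ] || [ -L "$link" ] || continue   # glob matched nothing
        if [ ! -e "$link" ]; then
            echo "DANGLING: $link"; findings=$((findings + 1))
        else
            enabled=$((enabled + 1))
        fi
    done
    if [ "$enabled" -eq 0 ]; then
        echo "NO_SITE_ENABLED: $nginx_dir/sites-enabled"; findings=$((findings + 1))
    fi

    # 2. Some config file must declare the challenge location.
    #    Coarse check: it does not prove the file is actually included.
    if ! grep -rqsF 'location ^~ /.well-known/acme-challenge/' "$nginx_dir"; then
        echo "NO_CHALLENGE_LOCATION: $nginx_dir"; findings=$((findings + 1))
    fi

    # 3. The reply suggests deactivating a default config in conf.d.
    if [ -f "$nginx_dir/conf.d/default.conf" ]; then
        echo "DEFAULT_CONF_ACTIVE: $nginx_dir/conf.d/default.conf"; findings=$((findings + 1))
    fi

    # 4. The directory passed to certbot -w must exist.
    if [ ! -d "$webroot" ]; then
        echo "WEBROOT_MISSING: $webroot"; findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}
```

Source the file and call `acme_preflight` with no arguments to check /etc/nginx and /var/www/_letsencrypt, then run the certbot command with --dry-run as the reply recommends.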
In my case this was caused by SELinux. Reading this blog post I found a solution: https://www.nginx.com/blog/using-nginx-plus-with-selinux/
CentOS Linux release 8.2.2004 (Core) nginx/1.14.1