invalid response 404 acme challenge certbot

September 22, 2019 561 views
Let's Encrypt Nginx

Hi,

I have an nginx Docker container that I use as a reverse proxy. I have been trying to auto-renew my certs lately and followed this blog to do so. I had my certs working before, but now they are not working.

My domain is:
1040nra.com

I ran this command:
certbot certonly --webroot -w /var/www/certbot -d 1040nra.com

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for 1040nra.com
http-01 challenge for www.1040nra.com
Using the webroot path /var/www/certbot for all unmatched domains.
Waiting for verification...
Challenge failed for domain 1040nra.com
Challenge failed for domain www.1040nra.com
http-01 challenge for 1040nra.com
http-01 challenge for www.1040nra.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

The following errors were reported by the server:

Domain: 1040nra.com
Type: unauthorized
Detail: Invalid response from
http://1040nra.com/.well-known/acme-challenge/NX6nmGvCUpg5L_c_hGePFu6ffuu2wn6MJ2CWHsg3PSw
[167.99.107.175]: "\r\n404 Not Found\r\n\r\n\r\n404 Not Found\r\n\r\nnginx/1.15.12"

Domain: www.1040nra.com
Type: unauthorized
Detail: Invalid response from
http://www.1040nra.com/.well-known/acme-challenge/UFJgtKNI2FZtJne5GGnEFeuYfMS8qVF_UlPTJpBOb9s
[167.99.107.175]: "\r\n404 Not Found\r\n\r\n\r\n404 Not Found\r\n\r\nnginx/1.15.12"

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.

My web server is (include version): spring boot [tomcat]

The operating system my web server runs on is (include version): ubuntu 18.04

My hosting provider, if applicable, is: digital ocean

I can login to a root shell on my machine (yes or no, or I don't know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Nginx.conf

server {
    listen 80;
    server_name 1040nra.com;
    server_tokens off;

    # Serve certbot's http-01 challenge files from the webroot that the
    # compose file mounts at /var/www/certbot.
    location /.well-known/acme-challenge/ {
        allow all;
        root /var/www/certbot;
    }

    # Keep the redirect inside a location: a server-level "return" runs in
    # the server rewrite phase, before location matching, and would redirect
    # the challenge URL as well.
    location / {
        return 301 https://www.1040nra.com$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name 1040nra.com;
    ssl_certificate /etc/letsencrypt/live/1040nra.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/1040nra.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    location / {
        proxy_pass http://1040nra.com;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

Docker compose

nginx:
  image: nginx:1.15-alpine
  volumes:
    - ./data/certbot/conf:/etc/letsencrypt
    - ./data/certbot/www:/var/www/certbot
  ports:
    - 80:80
    - 443:443
  depends_on:
    - keycloak
    - dt-app
  links:
    - keycloak
    - dt-app
  # Reload nginx every 6 h so renewed certificates are picked up.
  command: "/bin/sh -c 'while :; do sleep 6h & wait $${!}; nginx -s reload; done & nginx -g \"daemon off;\"'"
certbot:
  image: certbot/certbot
  restart: unless-stopped
  volumes:
    - ./data/certbot/conf:/etc/letsencrypt
    - ./data/certbot/www:/var/www/certbot
  # Try a renewal every 12 h; certbot only renews when the cert is near expiry.
  entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"
1 Answer

Hello,

I think that you are experiencing the problem because you don’t have your www version added in your server_name list. I would recommend trying to add it and then test again. It should look something like this for both your http and https server blocks:

server_name 1040nra.com www.1040nra.com;

Then run a config test with nginx -t and if you get Syntax OK run a quick restart and then try again.

Hope that this helps!
Regards,
Bobby
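Whatever the root cause turns out to be (a name that no server block matches, a redirect that fires before the challenge location, or a webroot on the host that is not the directory the container serves), the same check settles it before you spend another rate-limited attempt: drop a file into the webroot and fetch it over plain HTTP for every name you pass to certbot, the way Let's Encrypt will. The script below is an added example, not part of the original post or of certbot. It assumes the compose layout above (host ./data/certbot/www bind-mounted at /var/www/certbot in the nginx container); the token format, the ACME_IP and ACME_FETCH variables and the function names are the script's own.

```shell
#!/bin/sh
# Added preflight for certbot's http-01 webroot challenge through the
# dockerised nginx above. Example code, not part of the original post.
# Assumed: the host directory ./data/certbot/www is bind-mounted at
# /var/www/certbot in the nginx container (as in the compose file), so a file
# written there must come back verbatim from
# http://<name>/.well-known/acme-challenge/<token> for every name given to
# certbot -d. Token format, variable and function names are this script's own.
set -u

WEBROOT="${WEBROOT:-./data/certbot/www}"

# A random URL-safe token in the spirit of the ones Let's Encrypt issues.
# (Real challenge files contain "<token>.<account thumbprint>"; serving our
# own token verbatim is enough to prove the path is reachable.)
make_token() {
    head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# fetch_challenge NAME TOKEN: print the body Let's Encrypt would see.
# -L follows redirects the way the CA does; when ACME_IP is set the name is
# pinned to that address so a stale /etc/hosts entry cannot mask a DNS problem.
fetch_challenge() {
    url="http://$1/.well-known/acme-challenge/$2"
    if [ -n "${ACME_IP:-}" ]; then
        curl -sS -L --max-redirs 10 \
            --resolve "$1:80:$ACME_IP" --resolve "$1:443:$ACME_IP" "$url"
    else
        curl -sS -L --max-redirs 10 "$url"
    fi
}

# check_name NAME TOKEN: 0 if the token comes back byte-for-byte, else 1 plus
# a one-line hint (the start of whatever was served instead: an nginx 404
# page, the proxied app, a TLS error...). ACME_FETCH may name another fetcher,
# which is how the logic is exercised offline.
check_name() {
    body=$("${ACME_FETCH:-fetch_challenge}" "$1" "$2" 2>&1) || body="fetch failed: $body"
    if [ "$body" = "$2" ]; then
        echo "ok    $1"
        return 0
    fi
    echo "FAIL  $1 -> $(printf '%s' "$body" | head -n 1 | cut -c1-60)"
    return 1
}

# preflight NAME...: write one token, check every name, remove the token.
# Returns the number of names that failed, so 0 means certbot should pass.
preflight() {
    dir="$WEBROOT/.well-known/acme-challenge"
    mkdir -p "$dir"
    token=$(make_token)
    printf '%s' "$token" > "$dir/$token"
    failed=0
    for name in "$@"; do
        check_name "$name" "$token" || failed=$((failed + 1))
    done
    rm -f "$dir/$token"
    return "$failed"
}

# Usage (from the compose directory, with the nginx service running):
#   ACME_IP=167.99.107.175 sh preflight.sh 1040nra.com www.1040nra.com
[ $# -eq 0 ] || preflight "$@"
```

Run it from the directory that holds docker-compose.yml so WEBROOT is the host side of the bind mount, and pin ACME_IP to the droplet's address so the test goes where the A record should point. A FAIL line whose hint starts with the nginx 404 page means the request reached nginx but not the file (wrong webroot path, or a server block other than the one with the challenge location answered); a hint that looks like the application's own page means the request was proxied rather than served from the webroot. Once every name prints ok, rerun the certbot command above.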
