Letsencrypt client failed authorization

July 5, 2017 4.1k views
Nginx Let's Encrypt Python Frameworks Deployment Security Ubuntu 16.04
sahopkins93
By:
sahopkins93

I am trying to add a SSL certificate for the domains www.gramgrown.com and gramgrown.com both served on flask using gunicorn. Both resolve over http. I get the following error when running sudo certbot certonly --webroot --webroot-path=/var/www/html -d gramgrown.com -d www.gramgrown.com

I am also using this tutorial https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-16-04

 Domain: gramgrown.com
   Type:   unauthorized
   Detail: Invalid response from
   http://gramgrown.com/.well-known/acme-challenge/9KacDy572kVqLZnVsqLlqM5cVR9x5ijs8zMR0d2Enxo:
   "<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
   <title>404 Not Found</title>
   <h1>Not Found</h1>
   <p>The requested URL was"

   Domain: www.gramgrown.com
   Type:   unauthorized
   Detail: Invalid response from
   http://www.gramgrown.com/.well-known/acme-challenge/XjPLlJk_8MNoFyohKuZv8lulSRtrMu-PtKoIR5XE0-w:
   "<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
   <title>404 Not Found</title>
   <h1>Not Found</h1>
   <p>The requested URL was"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.
Log In to Comment
4 Answers
hansen July 5, 2017

Hi @sahopkins93

Can you post your Nginx server-block for that domain - located somewhere in /etc/nginx/sites-enabled/

Reply
  • sahopkins93 July 5, 2017

    This is for the domain
    ```server {
    listen 80;
    server_name gramgrown.com www.gramgrown.com;

    location / {
    include proxy_params;
    proxy_pass http://unix:/root/Solytics/SolyticsScript/SolyticsAPI/solytics_api.sock;

}

    }```

    This is the block for default

    server {
        listen 80 default_server;
        listen [::]:80 default_server;

        # SSL configuration
        #
        # listen 443 ssl default_server;
        # listen [::]:443 ssl default_server;
        #
        # Note: You should disable gzip for SSL traffic.
        # See: https://bugs.debian.org/773332
        #
        # Read up on ssl_ciphers to ensure a secure configuration.
        # See: https://bugs.debian.org/765782
        #
        # Self signed certs generated by the ssl-cert package
        # Don't use them in a production server!
        #
        # include snippets/snakeoil.conf;

        root /var/www/html;

        # Add index.php to the list if you are using PHP
        index index.html index.htm index.nginx-debian.html;

        server_name _;

        location / {
                # First attempt to serve request as file, then
                # as directory, then fall back to displaying a 404.
                try_files $uri $uri/ =404;
        }

        location ~ /.well-known {
                allow all;
        }
}
hansen July 5, 2017

@sahopkins93
Then your configuration files are off.
http://gramgrown.com/index.html = 404 Not Found
Do you have other files in /etc/nginx/sites-enabled/ ?
Do you have any server { ... } block sections in /etc/nginx/nginx.conf ?

Reply
sahopkins93 July 5, 2017

I have default and solytics_api which is the domain

There is no server block in /etc/nginx/nginx.conf it is commented out.

Reply
  • hansen July 5, 2017

    @sahopkins93
    Okay, then post solytics_api, since that's actually your domain and the configuration we want to see.

    • sahopkins93 July 5, 2017 
      server {
    listen 80;
    server_name gramgrown.com www.gramgrown.com;


    location / {
        include proxy_params;
        proxy_pass http://unix:/root/Solytics/SolyticsScript/SolyticsAPI/solytics_api.sock;

    }
}
      • hansen July 5, 2017

        @sahopkins93 Try this and restart Nginx.

        server {
    listen 80;
    server_name gramgrown.com www.gramgrown.com;

    location / {
        include proxy_params;
        proxy_pass http://unix:/root/Solytics/SolyticsScript/SolyticsAPI/solytics_api.sock;
    }

    location ~ /.well-known {
        allow all;
    }
}
sahopkins93 July 5, 2017

Same error. I can't access www.gramgrown.com/index.html either.

I changed the nameservers for this domain this morning at about 9:00am PST by the way, not sure if that has any implication.

Reply
  • hansen July 5, 2017

    Try this, since your root wasn't defined before.

    server {
    listen 80;
    server_name gramgrown.com www.gramgrown.com;

    location / {
        include proxy_params;
        proxy_pass http://unix:/root/Solytics/SolyticsScript/SolyticsAPI/solytics_api.sock;
    }

    location ~ /.well-known {
        root /var/www/html;
        allow all;
    }
}
    • sahopkins93 July 5, 2017

      Done. still cant see www.gramgrown.com/index.html

      • hansen July 5, 2017

        @sahopkins93 Delete that file, since now we know it was the wrong configuration you pasted to begin with.
        Have you tried to get the certificate?

        • sahopkins93 July 5, 2017

          I just tried to get the certificate and it worked. Thank you!

          • hansen July 5, 2017

            @sahopkins93
            Yep, I can see that.
            May I recommend that you go through the Python/Gunicorn tutorial again, since you're running your application as root, which means if there's just a tiny flaw in your code, then someone could take over your server.
            Applications should never-ever run as root or even a user with sudo privileges - actually the user shouldn't even be able to get shell.
            All the tutorials posted here on DigitalOcean always tries to focus on security, so they will recommend creating a dedicated user with no shell that runs services like that.

Have another answer? Share your knowledge.

Related Questions