Share

Question

I am trying to add a SSL certificate for the domains www.gramgrown.com and gramgrown.com both served on flask using gunicorn. Both resolve over http. I get the following error when running sudo certbot certonly --webroot --webroot-path=/var/www/html -d gramgrown.com -d www.gramgrown.com

I am also using this tutorial https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-16-04

 Domain: gramgrown.com
   Type:   unauthorized
   Detail: Invalid response from
   http://gramgrown.com/.well-known/acme-challenge/9KacDy572kVqLZnVsqLlqM5cVR9x5ijs8zMR0d2Enxo:
   "<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
   <title>404 Not Found</title>
   <h1>Not Found</h1>
   <p>The requested URL was"

   Domain: www.gramgrown.com
   Type:   unauthorized
   Detail: Invalid response from
   http://www.gramgrown.com/.well-known/acme-challenge/XjPLlJk_8MNoFyohKuZv8lulSRtrMu-PtKoIR5XE0-w:
   "<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
   <title>404 Not Found</title>
   <h1>Not Found</h1>
   <p>The requested URL was"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.

Answer 1

hansen July 5, 2017

Hi @sahopkins93

Can you post your Nginx server-block for that domain - located somewhere in /etc/nginx/sites-enabled/

Reply

sahopkins93 July 5, 2017

This is for the domain
```server {
listen 80;
server_name gramgrown.com www.gramgrown.com;

location / {
    include proxy_params;
    proxy_pass http://unix:/root/Solytics/SolyticsScript/SolyticsAPI/solytics_api.sock;

}

}```

This is the block for default

server {
        listen 80 default_server;
        listen [::]:80 default_server;

        # SSL configuration
        #
        # listen 443 ssl default_server;
        # listen [::]:443 ssl default_server;
        #
        # Note: You should disable gzip for SSL traffic.
        # See: https://bugs.debian.org/773332
        #
        # Read up on ssl_ciphers to ensure a secure configuration.
        # See: https://bugs.debian.org/765782
        #
        # Self signed certs generated by the ssl-cert package
        # Don't use them in a production server!
        #
        # include snippets/snakeoil.conf;

        root /var/www/html;

        # Add index.php to the list if you are using PHP
        index index.html index.htm index.nginx-debian.html;

        server_name _;

        location / {
                # First attempt to serve request as file, then
                # as directory, then fall back to displaying a 404.
                try_files $uri $uri/ =404;
        }

        location ~ /.well-known {
                allow all;
        }
}

hansen July 5, 2017

@sahopkins93 So Nginx is currently not setup to host the website via Gunicorn?
- sahopkins93 July 5, 2017
  
  I followed this tutorial https://www.digitalocean.com/community/tutorials/how-to-serve-flask-applications-with-gunicorn-and-nginx-on-ubuntu-16-04
  
  so my "/etc/systemd/system/myproject.service" ExecStart argument looks like
  
  ExecStart=/root/Solytics/SolyticsScript/SolyticsAPI/solytics_api_env/bin/gunicorn --workers 3 --bind unix:solytics_api.sock -m 007 wsgi:application
  
  How To Serve Flask Applications with Gunicorn and Nginx on Ubuntu 16.04
  by Justin Ellingwood
  In this guide, we will be setting up a simple Python application using the Flask micro-framework on Ubuntu 16.04. The bulk of this article will be about how to set up the Gunicorn application server to launch the application and Nginx to act as a front end reverse...
  
  hansen July 5, 2017
  
  @sahopkins93 But what I mean is, you haven't even created the reverse proxy setup yet?
  I'm seeing a Content-Type: application/json when I visit gramgrown.com with the following content:
  
  { "success": "dyno awake" }
  
  Can you just leave an index.html in /var/www/html/ where you write hello world just to make sure everything is setup correctly, because your configuration looks perfect and should work with Let's Encrypt, but it will never work as a reverse proxy until the configuration is changed.
  
  sahopkins93 July 5, 2017
  
  Just wrote it and restarted nginx

Answer 2

sahopkins93 July 5, 2017

This is for the domain
```server {
listen 80;
server_name gramgrown.com www.gramgrown.com;

location / {
    include proxy_params;
    proxy_pass http://unix:/root/Solytics/SolyticsScript/SolyticsAPI/solytics_api.sock;

}

}```

This is the block for default

server {
        listen 80 default_server;
        listen [::]:80 default_server;

        # SSL configuration
        #
        # listen 443 ssl default_server;
        # listen [::]:443 ssl default_server;
        #
        # Note: You should disable gzip for SSL traffic.
        # See: https://bugs.debian.org/773332
        #
        # Read up on ssl_ciphers to ensure a secure configuration.
        # See: https://bugs.debian.org/765782
        #
        # Self signed certs generated by the ssl-cert package
        # Don't use them in a production server!
        #
        # include snippets/snakeoil.conf;

        root /var/www/html;

        # Add index.php to the list if you are using PHP
        index index.html index.htm index.nginx-debian.html;

        server_name _;

        location / {
                # First attempt to serve request as file, then
                # as directory, then fall back to displaying a 404.
                try_files $uri $uri/ =404;
        }

        location ~ /.well-known {
                allow all;
        }
}

hansen July 5, 2017

@sahopkins93 So Nginx is currently not setup to host the website via Gunicorn?
- sahopkins93 July 5, 2017
  
  I followed this tutorial https://www.digitalocean.com/community/tutorials/how-to-serve-flask-applications-with-gunicorn-and-nginx-on-ubuntu-16-04
  
  so my "/etc/systemd/system/myproject.service" ExecStart argument looks like
  
  ExecStart=/root/Solytics/SolyticsScript/SolyticsAPI/solytics_api_env/bin/gunicorn --workers 3 --bind unix:solytics_api.sock -m 007 wsgi:application
  
  How To Serve Flask Applications with Gunicorn and Nginx on Ubuntu 16.04
  by Justin Ellingwood
  In this guide, we will be setting up a simple Python application using the Flask micro-framework on Ubuntu 16.04. The bulk of this article will be about how to set up the Gunicorn application server to launch the application and Nginx to act as a front end reverse...
  
  hansen July 5, 2017
  
  @sahopkins93 But what I mean is, you haven't even created the reverse proxy setup yet?
  I'm seeing a Content-Type: application/json when I visit gramgrown.com with the following content:
  
  { "success": "dyno awake" }
  
  Can you just leave an index.html in /var/www/html/ where you write hello world just to make sure everything is setup correctly, because your configuration looks perfect and should work with Let's Encrypt, but it will never work as a reverse proxy until the configuration is changed.
  
  sahopkins93 July 5, 2017
  
  Just wrote it and restarted nginx

Answer 3

hansen July 5, 2017

@sahopkins93
Then your configuration files are off.
http://gramgrown.com/index.html = 404 Not Found
Do you have other files in /etc/nginx/sites-enabled/ ?
Do you have any server { ... } block sections in /etc/nginx/nginx.conf ?

Reply

Answer 4

sahopkins93 July 5, 2017

I have default and solytics_api which is the domain

There is no server block in /etc/nginx/nginx.conf it is commented out.

Reply

hansen July 5, 2017

@sahopkins93
Okay, then post solytics_api, since that's actually your domain and the configuration we want to see.

sahopkins93 July 5, 2017

server {
    listen 80;
    server_name gramgrown.com www.gramgrown.com;


    location / {
        include proxy_params;
        proxy_pass http://unix:/root/Solytics/SolyticsScript/SolyticsAPI/solytics_api.sock;

    }
}

hansen July 5, 2017

@sahopkins93 Try this and restart Nginx.

server {
    listen 80;
    server_name gramgrown.com www.gramgrown.com;

    location / {
        include proxy_params;
        proxy_pass http://unix:/root/Solytics/SolyticsScript/SolyticsAPI/solytics_api.sock;
    }

    location ~ /.well-known {
        allow all;
    }
}

sahopkins93 July 5, 2017

done
- hansen July 5, 2017
  
  @sahopkins93 Then run sudo certbot certonly --webroot --webroot-path=/var/www/html -d gramgrown.com -d www.gramgrown.com

Answer 5

hansen July 5, 2017

@sahopkins93
Okay, then post solytics_api, since that's actually your domain and the configuration we want to see.

sahopkins93 July 5, 2017

server {
    listen 80;
    server_name gramgrown.com www.gramgrown.com;


    location / {
        include proxy_params;
        proxy_pass http://unix:/root/Solytics/SolyticsScript/SolyticsAPI/solytics_api.sock;

    }
}

hansen July 5, 2017

@sahopkins93 Try this and restart Nginx.

server {
    listen 80;
    server_name gramgrown.com www.gramgrown.com;

    location / {
        include proxy_params;
        proxy_pass http://unix:/root/Solytics/SolyticsScript/SolyticsAPI/solytics_api.sock;
    }

    location ~ /.well-known {
        allow all;
    }
}

sahopkins93 July 5, 2017

done
- hansen July 5, 2017
  
  @sahopkins93 Then run sudo certbot certonly --webroot --webroot-path=/var/www/html -d gramgrown.com -d www.gramgrown.com

Answer 6

sahopkins93 July 5, 2017

Same error. I can't access www.gramgrown.com/index.html either.

I changed the nameservers for this domain this morning at about 9:00am PST by the way, not sure if that has any implication.

Reply

hansen July 5, 2017
Try this, since your root wasn't defined before.

server { listen 80; server_name gramgrown.com www.gramgrown.com; location / { include proxy_params; proxy_pass http://unix:/root/Solytics/SolyticsScript/SolyticsAPI/solytics_api.sock; } location ~ /.well-known { root /var/www/html; allow all; } }
- sahopkins93 July 5, 2017
  
  Done. still cant see www.gramgrown.com/index.html
  
  hansen July 5, 2017
  
  @sahopkins93 Delete that file, since now we know it was the wrong configuration you pasted to begin with.
  Have you tried to get the certificate?
  
  sahopkins93 July 5, 2017
  
  I just tried to get the certificate and it worked. Thank you!
  
  hansen July 5, 2017
  
  @sahopkins93
  Yep, I can see that.
  May I recommend that you go through the Python/Gunicorn tutorial again, since you're running your application as root, which means if there's just a tiny flaw in your code, then someone could take over your server.
  Applications should never-ever run as root or even a user with sudo privileges - actually the user shouldn't even be able to get shell.
  All the tutorials posted here on DigitalOcean always tries to focus on security, so they will recommend creating a dedicated user with no shell that runs services like that.

Answer 7

hansen July 5, 2017
Try this, since your root wasn't defined before.

server { listen 80; server_name gramgrown.com www.gramgrown.com; location / { include proxy_params; proxy_pass http://unix:/root/Solytics/SolyticsScript/SolyticsAPI/solytics_api.sock; } location ~ /.well-known { root /var/www/html; allow all; } }
- sahopkins93 July 5, 2017
  
  Done. still cant see www.gramgrown.com/index.html
  
  hansen July 5, 2017
  
  @sahopkins93 Delete that file, since now we know it was the wrong configuration you pasted to begin with.
  Have you tried to get the certificate?
  
  sahopkins93 July 5, 2017
  
  I just tried to get the certificate and it worked. Thank you!
  
  hansen July 5, 2017
  
  @sahopkins93
  Yep, I can see that.
  May I recommend that you go through the Python/Gunicorn tutorial again, since you're running your application as root, which means if there's just a tiny flaw in your code, then someone could take over your server.
  Applications should never-ever run as root or even a user with sudo privileges - actually the user shouldn't even be able to get shell.
  All the tutorials posted here on DigitalOcean always tries to focus on security, so they will recommend creating a dedicated user with no shell that runs services like that.

Letsencrypt client failed authorization

Leave a Comment

Share

Share your Question

Letsencrypt client failed authorization

Leave a Comment

Related Questions

Almost there!

Report a Bug