Letsencrypt client failed authorization

July 5, 2017
Nginx Let's Encrypt Python Frameworks Deployment Security Ubuntu 16.04

I am trying to add an SSL certificate for the domains www.gramgrown.com and gramgrown.com, both served by Flask under gunicorn. Both resolve over HTTP. I get the following error when running `sudo certbot certonly --webroot --webroot-path=/var/www/html -d gramgrown.com -d www.gramgrown.com`

I am also using this tutorial https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-16-04

   Domain: gramgrown.com
   Type:   unauthorized
   Detail: Invalid response from
   http://gramgrown.com/.well-known/acme-challenge/9KacDy572kVqLZnVsqLlqM5cVR9x5ijs8zMR0d2Enxo:
   "<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
   <title>404 Not Found</title>
   <h1>Not Found</h1>
   <p>The requested URL was"

   Domain: www.gramgrown.com
   Type:   unauthorized
   Detail: Invalid response from
   http://www.gramgrown.com/.well-known/acme-challenge/XjPLlJk_8MNoFyohKuZv8lulSRtrMu-PtKoIR5XE0-w:
   "<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
   <title>404 Not Found</title>
   <h1>Not Found</h1>
   <p>The requested URL was"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.

4 Answers

Hi @sahopkins93

Can you post your Nginx server-block for that domain - located somewhere in /etc/nginx/sites-enabled/

  • This is for the domain

    ```nginx
    server {
        listen 80;
        server_name gramgrown.com www.gramgrown.com;

        location / {
            include proxy_params;
            proxy_pass http://unix:/root/Solytics/SolyticsScript/SolyticsAPI/solytics_api.sock;
        }
    }
    ```

    This is the block for default

    server {
            listen 80 default_server;
            listen [::]:80 default_server;
    
            # SSL configuration
            #
            # listen 443 ssl default_server;
            # listen [::]:443 ssl default_server;
            #
            # Note: You should disable gzip for SSL traffic.
            # See: https://bugs.debian.org/773332
            #
            # Read up on ssl_ciphers to ensure a secure configuration.
            # See: https://bugs.debian.org/765782
            #
            # Self signed certs generated by the ssl-cert package
            # Don't use them in a production server!
            #
            # include snippets/snakeoil.conf;
    
            root /var/www/html;
    
            # Add index.php to the list if you are using PHP
            index index.html index.htm index.nginx-debian.html;
    
            server_name _;
    
            location / {
                    # First attempt to serve request as file, then
                    # as directory, then fall back to displaying a 404.
                    try_files $uri $uri/ =404;
            }
    
            location ~ /.well-known {
                    allow all;
            }
    }
    

@sahopkins93
Then your configuration files are off.
http://gramgrown.com/index.html = 404 Not Found
Do you have other files in /etc/nginx/sites-enabled/ ?
Do you have any server { ... } block sections in /etc/nginx/nginx.conf ?

I have default and solytics_api, which is the domain.

There is no server block in /etc/nginx/nginx.conf; it is commented out.

  • @sahopkins93
    Okay, then post solytics_api, since that's actually your domain and the configuration we want to see.

    • server {
          listen 80;
          server_name gramgrown.com www.gramgrown.com;
      
      
          location / {
              include proxy_params;
              proxy_pass http://unix:/root/Solytics/SolyticsScript/SolyticsAPI/solytics_api.sock;
      
          }
      }
      
      • @sahopkins93 Try this and restart Nginx.

        server {
            listen 80;
            server_name gramgrown.com www.gramgrown.com;
        
            location / {
                include proxy_params;
                proxy_pass http://unix:/root/Solytics/SolyticsScript/SolyticsAPI/solytics_api.sock;
            }
        
            location ~ /.well-known {
                allow all;
            }
        }
        

Same error. I can't access www.gramgrown.com/index.html either.

I changed the nameservers for this domain this morning at about 9:00am PST by the way, not sure if that has any implication.

  • Try this, since your root wasn't defined before.

    server {
        listen 80;
        server_name gramgrown.com www.gramgrown.com;
    
        location / {
            include proxy_params;
            proxy_pass http://unix:/root/Solytics/SolyticsScript/SolyticsAPI/solytics_api.sock;
        }
    
        location ~ /.well-known {
            root /var/www/html;
            allow all;
        }
    }
    
      • @sahopkins93 Delete that file, since now we know it was the wrong configuration you pasted to begin with.
        Have you tried to get the certificate?

        • I just tried to get the certificate and it worked. Thank you!

          • @sahopkins93
            Yep, I can see that.
            May I recommend that you go through the Python/Gunicorn tutorial again, since you're running your application as root, which means if there's just a tiny flaw in your code, then someone could take over your server.
            Applications should never-ever run as root or even a user with sudo privileges - actually the user shouldn't even be able to get shell.
            All the tutorials posted here on DigitalOcean always try to focus on security, so they will recommend creating a dedicated user with no shell that runs services like that.
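A pre-flight check for the fix that resolved this thread (a `/.well-known` location with `root /var/www/html`), written as an added example and not code from the question or any answer: it drops a probe file where certbot's `--webroot` mode would place its challenge, fetches it over plain HTTP the way Let's Encrypt does, and reports who answered. The 404 fingerprints are assumptions drawn from the error body quoted in the question (Werkzeug/Flask's default 404 page) and from nginx's own 404 page; the default webroot `/var/www/html` is taken from the question's certbot command.

```python
import os
import secrets
import urllib.request
from urllib.error import HTTPError

CHALLENGE_DIR = ".well-known/acme-challenge"

def write_probe(webroot):
    """Drop a random token file where certbot --webroot would place its
    challenge and return (token, path); creates the directory if missing."""
    token = secrets.token_urlsafe(32)
    path = os.path.join(webroot, CHALLENGE_DIR, token)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(token)
    return token, path

def classify_response(status, body, expected):
    """Heuristic diagnosis of an HTTP-01 fetch (an assumption, not certbot's
    logic). The 404 quoted in the question is Werkzeug/Flask's default page,
    i.e. nginx proxied the challenge to the app instead of serving the file."""
    if status == 200 and body.strip() == expected:
        return "ok"
    if "DTD HTML 3.2 Final" in body and "404 Not Found" in body:
        return "proxied-to-app"    # location / swallowed /.well-known
    if status == 404 and "nginx" in body:
        return "webroot-mismatch"  # served by nginx, but from the wrong root
    return "unexpected"

def probe(domain, webroot="/var/www/html"):
    """Write a probe, fetch it over plain HTTP as Let's Encrypt does,
    classify the answer and remove the probe file again. DNS or connection
    failures (URLError) are left to propagate: that is a different problem."""
    token, path = write_probe(webroot)
    url = "http://%s/%s/%s" % (domain, CHALLENGE_DIR, token)
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            status, body = resp.status, resp.read().decode(errors="replace")
    except HTTPError as err:
        status, body = err.code, err.read().decode(errors="replace")
    finally:
        os.remove(path)
    return classify_response(status, body, token)

if __name__ == "__main__":
    import sys
    for name in sys.argv[1:]:   # e.g. gramgrown.com www.gramgrown.com
        print(name, probe(name))
```

Run it as root on the server for each domain before invoking certbot; "ok" for every name means the webroot challenge will be reachable.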
