Letsencrypt client failed authorization

Question

I am trying to add a SSL certificate for the domains www.gramgrown.com and gramgrown.com both served on flask using gunicorn. Both resolve over http. I get the following error when running sudo certbot certonly --webroot --webroot-path=/var/www/html -d gramgrown.com -d www.gramgrown.com

I am also using this tutorial https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-16-04

 Domain: gramgrown.com
   Type:   unauthorized
   Detail: Invalid response from
   http://gramgrown.com/.well-known/acme-challenge/9KacDy572kVqLZnVsqLlqM5cVR9x5ijs8zMR0d2Enxo:
   "<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
   <title>404 Not Found</title>
   <h1>Not Found</h1>
   <p>The requested URL was"

   Domain: www.gramgrown.com
   Type:   unauthorized
   Detail: Invalid response from
   http://www.gramgrown.com/.well-known/acme-challenge/XjPLlJk_8MNoFyohKuZv8lulSRtrMu-PtKoIR5XE0-w:
   "<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
   <title>404 Not Found</title>
   <h1>Not Found</h1>
   <p>The requested URL was"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.

Answer 1

hansen July 5, 2017

Hi @sahopkins93

Can you post your Nginx server-block for that domain - located somewhere in /etc/nginx/sites-enabled/

Reply Report

sahopkins93 July 5, 2017
This is for the domain
“`server {
listen 80;
server_name gramgrown.com www.gramgrown.com;

location / { include proxy_params; proxy_pass http://unix:/root/Solytics/SolyticsScript/SolyticsAPI/solytics_api.sock; }

}”`

This is the block for default

server { listen 80 default_server; listen [::]:80 default_server; # SSL configuration # # listen 443 ssl default_server; # listen [::]:443 ssl default_server; # # Note: You should disable gzip for SSL traffic. # See: https://bugs.debian.org/773332 # # Read up on ssl_ciphers to ensure a secure configuration. # See: https://bugs.debian.org/765782 # # Self signed certs generated by the ssl-cert package # Don't use them in a production server! # # include snippets/snakeoil.conf; root /var/www/html; # Add index.php to the list if you are using PHP index index.html index.htm index.nginx-debian.html; server_name _; location / { # First attempt to serve request as file, then # as directory, then fall back to displaying a 404. try_files $uri $uri/ =404; } location ~ /.well-known { allow all; } }
Reply Report
- hansen July 5, 2017
  
  @sahopkins93 So Nginx is currently not setup to host the website via Gunicorn?
  
  Reply Report
  
  sahopkins93 July 5, 2017
  
  I followed this tutorial https://www.digitalocean.com/community/tutorials/how-to-serve-flask-applications-with-gunicorn-and-nginx-on-ubuntu-16-04
  
  so my “/etc/systemd/system/myproject.service” ExecStart argument looks like
  
  ExecStart=/root/Solytics/SolyticsScript/SolyticsAPI/solytics_api_env/bin/gunicorn --workers 3 --bind unix:solytics_api.sock -m 007 wsgi:application
  
  How To Serve Flask Applications with Gunicorn and Nginx on Ubuntu 16.04
  by Justin Ellingwood
  In this guide, we will be setting up a simple Python application using the Flask micro-framework on Ubuntu 16.04. The bulk of this article will be about how to set up the Gunicorn application server to launch the application and Nginx to act as a front end reverse...
  
  Reply Report
  
  hansen July 5, 2017
  
  @sahopkins93 But what I mean is, you haven’t even created the reverse proxy setup yet?
  I’m seeing a Content-Type: application/json when I visit gramgrown.com with the following content:
  
  { "success": "dyno awake" }
  
  Can you just leave an index.html in /var/www/html/ where you write hello world just to make sure everything is setup correctly, because your configuration looks perfect and should work with Let’s Encrypt, but it will never work as a reverse proxy until the configuration is changed.
  
  Reply Report
  
  sahopkins93 July 5, 2017
  
  Just wrote it and restarted nginx
  
  Reply Report

Answer 2

sahopkins93 July 5, 2017
This is for the domain
“`server {
listen 80;
server_name gramgrown.com www.gramgrown.com;

location / { include proxy_params; proxy_pass http://unix:/root/Solytics/SolyticsScript/SolyticsAPI/solytics_api.sock; }

}”`

This is the block for default

server { listen 80 default_server; listen [::]:80 default_server; # SSL configuration # # listen 443 ssl default_server; # listen [::]:443 ssl default_server; # # Note: You should disable gzip for SSL traffic. # See: https://bugs.debian.org/773332 # # Read up on ssl_ciphers to ensure a secure configuration. # See: https://bugs.debian.org/765782 # # Self signed certs generated by the ssl-cert package # Don't use them in a production server! # # include snippets/snakeoil.conf; root /var/www/html; # Add index.php to the list if you are using PHP index index.html index.htm index.nginx-debian.html; server_name _; location / { # First attempt to serve request as file, then # as directory, then fall back to displaying a 404. try_files $uri $uri/ =404; } location ~ /.well-known { allow all; } }
Reply Report
- hansen July 5, 2017
  
  @sahopkins93 So Nginx is currently not setup to host the website via Gunicorn?
  
  Reply Report
  
  sahopkins93 July 5, 2017
  
  I followed this tutorial https://www.digitalocean.com/community/tutorials/how-to-serve-flask-applications-with-gunicorn-and-nginx-on-ubuntu-16-04
  
  so my “/etc/systemd/system/myproject.service” ExecStart argument looks like
  
  ExecStart=/root/Solytics/SolyticsScript/SolyticsAPI/solytics_api_env/bin/gunicorn --workers 3 --bind unix:solytics_api.sock -m 007 wsgi:application
  
  How To Serve Flask Applications with Gunicorn and Nginx on Ubuntu 16.04
  by Justin Ellingwood
  In this guide, we will be setting up a simple Python application using the Flask micro-framework on Ubuntu 16.04. The bulk of this article will be about how to set up the Gunicorn application server to launch the application and Nginx to act as a front end reverse...
  
  Reply Report
  
  hansen July 5, 2017
  
  @sahopkins93 But what I mean is, you haven’t even created the reverse proxy setup yet?
  I’m seeing a Content-Type: application/json when I visit gramgrown.com with the following content:
  
  { "success": "dyno awake" }
  
  Can you just leave an index.html in /var/www/html/ where you write hello world just to make sure everything is setup correctly, because your configuration looks perfect and should work with Let’s Encrypt, but it will never work as a reverse proxy until the configuration is changed.
  
  Reply Report
  
  sahopkins93 July 5, 2017
  
  Just wrote it and restarted nginx
  
  Reply Report

Answer 3

hansen July 5, 2017

@sahopkins93
Then your configuration files are off.
http://gramgrown.com/index.html = 404 Not Found
Do you have other files in /etc/nginx/sites-enabled/ ?
Do you have any server { ... } block sections in /etc/nginx/nginx.conf ?

Reply Report

Answer 4

sahopkins93 July 5, 2017

I have default and solytics_api which is the domain

There is no server block in /etc/nginx/nginx.conf it is commented out.

Reply Report

hansen July 5, 2017

@sahopkins93
Okay, then post solytics_api, since that’s actually your domain and the configuration we want to see.

Reply Report

sahopkins93 July 5, 2017

server {
    listen 80;
    server_name gramgrown.com www.gramgrown.com;


    location / {
        include proxy_params;
        proxy_pass http://unix:/root/Solytics/SolyticsScript/SolyticsAPI/solytics_api.sock;

    }
}

Reply Report

hansen July 5, 2017

@sahopkins93 Try this and restart Nginx.

server {
    listen 80;
    server_name gramgrown.com www.gramgrown.com;

    location / {
        include proxy_params;
        proxy_pass http://unix:/root/Solytics/SolyticsScript/SolyticsAPI/solytics_api.sock;
    }

    location ~ /.well-known {
        allow all;
    }
}

Reply Report

sahopkins93 July 5, 2017

done
Reply Report
- hansen July 5, 2017
  
  @sahopkins93 Then run sudo certbot certonly --webroot --webroot-path=/var/www/html -d gramgrown.com -d www.gramgrown.com
  
  Reply Report

Answer 5

hansen July 5, 2017

@sahopkins93
Okay, then post solytics_api, since that’s actually your domain and the configuration we want to see.

Reply Report

sahopkins93 July 5, 2017

server {
    listen 80;
    server_name gramgrown.com www.gramgrown.com;


    location / {
        include proxy_params;
        proxy_pass http://unix:/root/Solytics/SolyticsScript/SolyticsAPI/solytics_api.sock;

    }
}

Reply Report

hansen July 5, 2017

@sahopkins93 Try this and restart Nginx.

server {
    listen 80;
    server_name gramgrown.com www.gramgrown.com;

    location / {
        include proxy_params;
        proxy_pass http://unix:/root/Solytics/SolyticsScript/SolyticsAPI/solytics_api.sock;
    }

    location ~ /.well-known {
        allow all;
    }
}

Reply Report

sahopkins93 July 5, 2017

done
Reply Report
- hansen July 5, 2017
  
  @sahopkins93 Then run sudo certbot certonly --webroot --webroot-path=/var/www/html -d gramgrown.com -d www.gramgrown.com
  
  Reply Report

Answer 6

sahopkins93 July 5, 2017

Same error. I can’t access www.gramgrown.com/index.html either.

I changed the nameservers for this domain this morning at about 9:00am PST by the way, not sure if that has any implication.

Reply Report

hansen July 5, 2017
Try this, since your root wasn’t defined before.

server { listen 80; server_name gramgrown.com www.gramgrown.com; location / { include proxy_params; proxy_pass http://unix:/root/Solytics/SolyticsScript/SolyticsAPI/solytics_api.sock; } location ~ /.well-known { root /var/www/html; allow all; } }
Reply Report
- sahopkins93 July 5, 2017
  
  Done. still cant see www.gramgrown.com/index.html
  
  Reply Report
  
  hansen July 5, 2017
  
  @sahopkins93 Delete that file, since now we know it was the wrong configuration you pasted to begin with.
  Have you tried to get the certificate?
  
  Reply Report
  
  sahopkins93 July 5, 2017
  
  I just tried to get the certificate and it worked. Thank you!
  
  Reply Report
  
  hansen July 5, 2017
  
  @sahopkins93
  Yep, I can see that.
  May I recommend that you go through the Python/Gunicorn tutorial again, since you’re running your application as root, which means if there’s just a tiny flaw in your code, then someone could take over your server.
  Applications should never-ever run as root or even a user with sudo privileges - actually the user shouldn’t even be able to get shell.
  All the tutorials posted here on DigitalOcean always tries to focus on security, so they will recommend creating a dedicated user with no shell that runs services like that.
  
  Reply Report

Answer 7

hansen July 5, 2017
Try this, since your root wasn’t defined before.

server { listen 80; server_name gramgrown.com www.gramgrown.com; location / { include proxy_params; proxy_pass http://unix:/root/Solytics/SolyticsScript/SolyticsAPI/solytics_api.sock; } location ~ /.well-known { root /var/www/html; allow all; } }
Reply Report
- sahopkins93 July 5, 2017
  
  Done. still cant see www.gramgrown.com/index.html
  
  Reply Report
  
  hansen July 5, 2017
  
  @sahopkins93 Delete that file, since now we know it was the wrong configuration you pasted to begin with.
  Have you tried to get the certificate?
  
  Reply Report
  
  sahopkins93 July 5, 2017
  
  I just tried to get the certificate and it worked. Thank you!
  
  Reply Report
  
  hansen July 5, 2017
  
  @sahopkins93
  Yep, I can see that.
  May I recommend that you go through the Python/Gunicorn tutorial again, since you’re running your application as root, which means if there’s just a tiny flaw in your code, then someone could take over your server.
  Applications should never-ever run as root or even a user with sudo privileges - actually the user shouldn’t even be able to get shell.
  All the tutorials posted here on DigitalOcean always tries to focus on security, so they will recommend creating a dedicated user with no shell that runs services like that.
  
  Reply Report

Related

Question

Letsencrypt client failed authorization

Related

Leave a comment

Looking for something else?

Sign up for our newsletter

Related

Question

Letsencrypt client failed authorization

Related

Leave a comment

Related

question

PHP Error Log: authz_core:error - For files that don't exists on my server

question

blocked ip in spam

question

Having MongoDB Startup Errors!

question

How to make web service unavailable. As I develop this application, I'd rather not be burning up CPU or access time when not logged in.

Looking for something else?