Related

Marketplace Node.js on DigitalOcean Marketplace
PHP Error Log: authz_core:error - For files that don't exists on my server Question Question
blocked ip in spam Question Question

Question

LetsEncrypt failed authorization process

Posted May 15, 2017 27k views
Node.jsLet's EncryptUbuntu 16.04

I am trying to add another domain (www.curiotech.me) to my SSL certificate, which there are currently one, curiotech.me. I get the following error when running sudo certbot certonly --webroot --webroot-path=/var/www/html -d www.curiotech.me

Failed authorization procedure. www.curiotech.me (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.curiotech.me/.well-known/acme-challenge/IB6wCaFDO8bqQt_tndM7__txPdZrahYEz-ifuLLrLQ0: "<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>"
Add a comment
parion
By:
parion
Add a comment

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

×
2 answers
hansen May 15, 2017

Hi @parion

Is your website root located in /var/www/html for both curiotech.me and www.curiotech.me ?

Reply Report
hansen May 15, 2017

@parion
Then you need to post your Nginx server block, so we can see where it might go wrong, since you’re doing proxy_passthru to Node.js, but static files should be served by Nginx.

Reply Report
  • parion May 16, 2017 
    # HTTP - redirect all requests to HTTPS:
server {
        listen 80;
        listen [::]:80 default_server ipv6only=on;
        return 301 https://$host$request_uri;
}

# HTTPS - proxy requests on to local Node.js app:
server {
        listen 443;
        server_name curiotech.me www.curiotech.me;

        ssl on;
        # Use certificate and key provided by Let's Encrypt:
        ssl_certificate /etc/letsencrypt/live/curiotech.me/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/curiotech.me/privkey.pem;
        ssl_session_timeout 5m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';

        location ~ /.well-known {
                allow all;
        }

        # Pass requests for / to localhost:5000:
        location / {
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-NginX-Proxy true;
                proxy_pass http://localhost:5000/;
                proxy_ssl_session_reuse off;
                proxy_set_header Host $http_host;
                proxy_cache_bypass $http_upgrade;
                proxy_redirect off;
        }
}
    Reply Report
    • hansen May 16, 2017

      @parion
      Can you change the first server block to this:

      server {
        listen 80;
        listen [::]:80 default_server ipv6only=on;
        root /home/gwiebel/app;
        location ~ /.well-known {
                allow all;
        }
}

      Then check the config and restart Nginx:

      sudo service nginx configtest
sudo service nginx restart

      Then run the certificate again:

      sudo certbot certonly --webroot --webroot-path=/home/gwiebel/app -d curiotech.me -d www.curiotech.me

      Then change the block to this:

      server {
        listen 80;
        listen [::]:80;
        server_name curiotech.me www.curiotech.me;
        return 301 https://$server_name$request_uri;
}

      Then check the config and restart Nginx:

      sudo service nginx configtest
sudo service nginx restart
      Reply Report
      • parion May 16, 2017

        That did it! Thanks!

        Reply Report
        • hansen May 16, 2017

          Remember to setup the cronjob, so it automatically renews every week, because LE certificates are only valid for 90 days, so by it should automatically renew on about day 60 - and you’ll start getting warnings on day 75 (or something like that).

          If you haven’t already certbot in your crontab, then follow the guide below. I’m not sure how certbot in Ubuntu 16.04 is handled, so don’t know if it is already added to the crontab.

          Run this command to ensure the path of certbot:

          /usr/bin/certbot renew

          Then run sudo crontab -e to open the crontab in your editor and add the following line to the bottom:

          23 4 * * 1 /usr/bin/certbot renew --quiet --post-hook "/usr/sbin/service nginx restart"

          This will run certbot in quiet mode, meaning it will only show errors and certbot-updates notification. And then whenever it has updated a certificate, it will restart Nginx, since Nginx doesn’t dynamically load the new certificate.
          It’s being run at 4:23am on every Monday (that’s the 1) - you can change that if you want. This is based on your servers time.

          Reply Report
Submit an Answer

Related

Looking for something else?

Ask a new question Search for more help