NGINX - Let's Encrypt Failed Authorization Error

June 25, 2017
Nginx Let's Encrypt Ubuntu 16.04

I have a Ghost (Node.js) droplet running on Ubuntu 16.04. I'm following the NGINX tutorial to add SSL to my droplet, but I have run into the following error when I run sudo certbot certonly --webroot --webroot-path=/var/www/ghost -d www.mysite.com.

Here is the full error message:

http-01 challenge for www.mysite.com
Using the webroot path /var/www/ghost for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. www.mysite.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.mysite.com/.well-known/acme-challenge/uvXxKgju-gHHZ3dsfsdfsdfsdfsdsO2ZfYsI5D8LGDbmUYH7vo9cUi5A: "<!doctype html>
<!--[if (IE 8)&!(IEMobile)]><html class="no-js lt-ie9" lang="en"><![endif]-->
<!--[if (gte IE 9)| IEMobile |!(IE"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: www.mysite.com
   Type:   unauthorized
   Detail: Invalid response from
   http://www.mysite.com/.well-known/acme-challenge/uvXxKgju-gHHZ3kSO2ZfYsI5dsfdsfsdfsdfsdD8LGDbmUYH7vo9cUi5A:
   "<!doctype html>
   <!--[if (IE 8)&!(IEMobile)]><html class="no-js lt-ie9"
   lang="en"><![endif]-->
   <!--[if (gte IE 9)| IEMobile |!(IE"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.

I followed the instructions and took a look at my Network tab. Here I have an "A" record with the non-www hostname "mysite.com" and it directs to my droplet's public IP address. I then have a "CNAME" record with the www hostname "www.mysite.com" that points to an alias of "mysite.com". Does "www.mysite.com" need to be an A record in order for this to work?

Not sure if this is helpful, but here is my server config:

server {
    listen 80;
    server_name mysite.com; # Replace with your domain

    location ~ /.well-known {
        allow all;
    }

    return 301 http://www.mysite.com$request_uri;

}

server {
    listen 80 default_server;
    listen [::]:80 default_server ipv6only=on;

    server_name www.mysite.com;

    client_max_body_size 10G;

    location / {
        proxy_pass http://127.0.0.1:2368;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_buffering off;
    }
}

1 Answer
hansen June 25, 2017
Accepted Answer

Hi @connordphillips

Having a CNAME record is perfectly fine, so don't worry about that.

Can you change your config to this and run service nginx restart:

server {
    listen 80;
    listen [::]:80; #Added IPv6 here too
    server_name mysite.com;
    #We remove any location-blocks from here, since this server-block just redirects everything
    return 301 http://www.$server_name$request_uri; #We use a variable to have less hardcoding
}

server {
    listen 80 default_server;
    listen [::]:80 default_server ipv6only=on;

    server_name www.mysite.com;

    client_max_body_size 100M; #There's no reason to have it set to 10 GigaBytes

    location ~ ^/\.well-known {
        root /var/www/ghost; #We set root, since it's not set anywhere else
        allow all;
    }

    location / {
        #Added a few extra headers to allow proper https - not sure if it will mess with plain http - otherwise just use the ones you had already
        proxy_pass http://127.0.0.1:2368;
        proxy_buffering off;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Referer "";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; #Header name is X-Forwarded-For (the posted config had a typo, X-Forward-For, which Ghost would ignore)
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_http_version 1.1;
    }
}
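The error in the question and the fix in the answer both come down to one question: when an HTTP GET for /.well-known/acme-challenge/<token> arrives at port 80 for the validated hostname, does nginx serve the file from the webroot, or does it fall through to `location /` and hand the request to Ghost (which is why certbot saw `<!doctype html>` instead of the token)? The following is an added example, not code from the question, the answer, or certbot: a pre-flight check that drops a throwaway token where certbot's `--webroot` plugin would write it, fetches it over plain HTTP the way the CA's validator does (following redirects, so the apex-to-www 301 is fine), and turns the response into a diagnosis. The hostname, webroot and port are caller assumptions; `demo()` uses Python's `http.server` as a stand-in for nginx so it runs offline, and the "misconfigured" handler is a constructed imitation of the all-paths-proxied setup from the question. A real http-01 validation fetches the key authorization (token.thumbprint), not the bare token, so treat this as a reachability smoke test, not the protocol itself.

```python
"""Pre-flight check for an ACME http-01 webroot challenge (added example).

Writes <webroot>/.well-known/acme-challenge/<token>, fetches it through
the front door, cleans up, and reports why the fetch did or did not work.
Assumed inputs: hostname, webroot directory and port are supplied by the caller.
"""
import functools
import http.server
import os
import secrets
import tempfile
import threading
import urllib.error
import urllib.request

CHALLENGE_DIR = os.path.join(".well-known", "acme-challenge")


def write_token(webroot):
    """Create a random token file under the webroot; return (token, path)."""
    token = secrets.token_urlsafe(32)          # URL- and filename-safe characters only
    directory = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(directory, exist_ok=True)
    path = os.path.join(directory, token)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(token)
    return token, path


def fetch(url, timeout=10.0):
    """GET url, following redirects; return (status, body), or (None, '') if unreachable."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:      # 4xx/5xx still carry a body worth inspecting
        return err.code, err.read().decode("utf-8", "replace")
    except urllib.error.URLError:
        return None, ""


def classify(status, body, token):
    """Map the HTTP response to a diagnosis string whose first word is the verdict."""
    if status is None:
        return "unreachable: nothing answered on port 80 (firewall, DNS, or nginx down)"
    if status == 200 and body.strip() == token:
        return "ok"
    if status == 404:
        return "not-found: path served from the wrong root, or the file was not written"
    head = body.lstrip().lower()
    if head.startswith("<!doctype html") or head.startswith("<html"):
        return ("proxied: the request reached the application, not the webroot; add a "
                ".well-known location with a root directive in the server block for this hostname")
    return f"unexpected: HTTP {status}"


def preflight(webroot, host, port=80):
    """Write a token, fetch it the way the CA would, remove it, and report."""
    token, path = write_token(webroot)
    try:
        status, body = fetch(f"http://{host}:{port}/.well-known/acme-challenge/{token}")
        return classify(status, body, token)
    finally:
        os.remove(path)


class AppHandler(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for the broken setup: every path is proxied to the app,
    which answers 200 with its HTML page instead of the challenge file."""

    def do_GET(self):
        body = b'<!doctype html>\n<html class="no-js" lang="en"><body>app</body></html>'
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):              # keep the demo quiet
        pass


def demo(misconfigured=False):
    """Run the preflight against a local server: static webroot (fixed) or app-only (broken)."""
    with tempfile.TemporaryDirectory() as webroot:
        if misconfigured:
            handler = AppHandler
        else:                                  # serves files from webroot, like the nginx location block
            handler = functools.partial(http.server.SimpleHTTPRequestHandler, directory=webroot)
        server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
        threading.Thread(target=server.serve_forever, daemon=True).start()
        try:
            return preflight(webroot, "127.0.0.1", server.server_address[1])
        finally:
            server.shutdown()
            server.server_close()


if __name__ == "__main__":
    print("webroot served :", demo())
    print("proxied to app :", demo(misconfigured=True))
```

Against a real droplet you would call `preflight("/var/www/ghost", "www.mysite.com")` from somewhere other than the server itself; a passing result locally still does not prove the CA can reach you, since Let's Encrypt validates from its own vantage points and needs port 80 open to the world, but a "proxied" or "not-found" verdict tells you the nginx configuration is wrong before certbot burns another attempt.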