I have a Ghost (Node.js) droplet running on Ubuntu 16.04. I’m following the NGINX tutorial to add SSL to my droplet, but I have run into the following error when I run `sudo certbot certonly --webroot --webroot-path=/var/www/ghost -d www.mysite.com`.
Here is the full error message:

```text
http-01 challenge for www.mysite.com
Using the webroot path /var/www/ghost for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. www.mysite.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.mysite.com/.well-known/acme-challenge/uvXxKgju-gHHZ3dsfsdfsdfsdfsdsO2ZfYsI5D8LGDbmUYH7vo9cUi5A: "<!doctype html>
<!--[if (IE 8)&!(IEMobile)]><html class="no-js lt-ie9" lang="en"><![endif]-->
<!--[if (gte IE 9)| IEMobile |!(IE"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: www.mysite.com
   Type:   unauthorized
   Detail: Invalid response from
   http://www.mysite.com/.well-known/acme-challenge/uvXxKgju-gHHZ3kSO2ZfYsI5dsfdsfsdfsdfsdD8LGDbmUYH7vo9cUi5A:
   "<!doctype html>
   <!--[if (IE 8)&!(IEMobile)]><html class="no-js lt-ie9"
   lang="en"><![endif]-->
   <!--[if (gte IE 9)| IEMobile |!(IE"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.
```
I followed the instructions and took a look at my Network tab. Here I have an “A” record with the non-www hostname “mysite.com” that directs to my droplet's public IP address. I then have a “CNAME” record with the www hostname “www.mysite.com” that points to an alias of “mysite.com”. Does “www.mysite.com” need to be an A record in order for this to work?
Not sure if this is helpful, but here is my server config:

```nginx
server {
    listen 80;
    server_name mysite.com; # Replace with your domain
    location ~ /.well-known {
        allow all;
    }
    return 301 http://www.mysite.com$request_uri;
}

server {
    listen 80 default_server;
    listen [::]:80 default_server ipv6only=on;
    server_name www.mysite.com;
    client_max_body_size 10G;
    location / {
        proxy_pass http://127.0.0.1:2368;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_buffering off;
    }
}
```
Accepted Answer
Having a CNAME record is perfectly fine, so don’t worry about that.
Can you change your config to this and run `service nginx restart`:
```nginx
server {
    listen 80;
    listen [::]:80; # Added IPv6 here too
    server_name mysite.com;
    # We remove any location blocks from here, since this server block just redirects everything
    return 301 http://www.$server_name$request_uri; # We use a variable to have less hardcoding
}

server {
    listen 80 default_server;
    listen [::]:80 default_server ipv6only=on;
    server_name www.mysite.com;
    client_max_body_size 100M; # There's no reason to have it set to 10 gigabytes

    location ~ ^/\.well-known {
        root /var/www/ghost; # We set root, since it's not set anywhere else
        allow all;
    }

    location / {
        # Added a few extra headers to allow proper https - not sure if it will mess with plain http - otherwise just use the ones you had already
        proxy_pass http://127.0.0.1:2368;
        proxy_buffering off;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Referer "";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # header name corrected from the original "X-Forward-For" typo
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_http_version 1.1;
    }
}
```
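A pre-flight check for the webroot challenge, added here as an example (it is not part of the question or the accepted answer): it drops a throw-away token under `/var/www/ghost/.well-known/acme-challenge/`, fetches it over plain HTTP with curl (assumed to be installed) and flags the failure seen in the error above, where Ghost's HTML page comes back instead of the file because the request was proxied to Ghost rather than served from the webroot. The domain and webroot are the ones from the question.

```shell
#!/bin/sh
# Pre-flight check before "certbot certonly --webroot": confirm that nginx
# serves /.well-known/acme-challenge/ from the webroot instead of proxying
# the request to Ghost, which answers with its own HTML page.
# Usage: sh acme-preflight.sh www.mysite.com /var/www/ghost

# Write a throw-away token under the webroot, exactly where certbot would.
write_token() {
  webroot="$1"; token="$2"; content="$3"
  mkdir -p "$webroot/.well-known/acme-challenge"
  printf '%s' "$content" > "$webroot/.well-known/acme-challenge/$token"
}

# Compare what the server returned with what was written.
# Returns 0 on a match, 1 when something else (e.g. Ghost's HTML) came back.
verify_response() {
  expected="$1"; got="$2"
  if [ "$got" = "$expected" ]; then
    return 0
  fi
  case "$got" in
    *"<!doctype html>"*|*"<html"*)
      echo "HTML came back: the request reached Ghost, not the webroot" >&2 ;;
    "")
      echo "Empty response: nothing listening or the URL was not reachable" >&2 ;;
    *)
      echo "Unexpected body: $got" >&2 ;;
  esac
  return 1
}

# Full check against a live host; the token is removed again afterwards.
preflight() {
  domain="$1"; webroot="$2"
  token="preflight-$$"
  content="ok-$(date +%s)"
  write_token "$webroot" "$token" "$content"
  body=$(curl -fsS "http://$domain/.well-known/acme-challenge/$token" 2>/dev/null || true)
  rm -f "$webroot/.well-known/acme-challenge/$token"
  verify_response "$content" "$body"
}

if [ "${1:-}" ]; then
  preflight "$1" "${2:-/var/www/ghost}"
fi
```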