NGINX - Let's Encrypt Failed Authorization Error
I have a Ghost (Node.js) droplet running on Ubuntu 16.04. I'm following the NGINX tutorial to add SSL to my droplet, but I have run into the following error when I run sudo certbot certonly --webroot --webroot-path=/var/www/ghost -d www.mysite.com.
Here is the full error message:
http-01 challenge for www.mysite.com
Using the webroot path /var/www/ghost for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. www.mysite.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.mysite.com/.well-known/acme-challenge/uvXxKgju-gHHZ3dsfsdfsdfsdfsdsO2ZfYsI5D8LGDbmUYH7vo9cUi5A: "<!doctype html>
<!--[if (IE 8)&!(IEMobile)]><html class="no-js lt-ie9" lang="en"><![endif]-->
<!--[if (gte IE 9)| IEMobile |!(IE"
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: www.mysite.com
Type: unauthorized
Detail: Invalid response from
http://www.mysite.com/.well-known/acme-challenge/uvXxKgju-gHHZ3kSO2ZfYsI5dsfdsfsdfsdfsdD8LGDbmUYH7vo9cUi5A:
"<!doctype html>
<!--[if (IE 8)&!(IEMobile)]><html class="no-js lt-ie9"
lang="en"><![endif]-->
<!--[if (gte IE 9)| IEMobile |!(IE"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address.
I followed the instructions and took a look at my Network tab. Here I have an "A" record with the non-www hostname "mysite.com" and it directs to my droplet's public IP address. I then have a "CNAME" record with the www hostname "www.mysite.com" that points to an alias of "mysite.com". Does the "www.mysite.com" need to be an A record in order for this to work?
Not sure if this is helpful, but here is my server config:
server {
    listen 80;
    server_name mysite.com; # Replace with your domain
    location ~ /.well-known {
        allow all;
    }
    return 301 http://www.mysite.com$request_uri;
}
server {
    listen 80 default_server;
    listen [::]:80 default_server ipv6only=on;
    server_name www.mysite.com;
    client_max_body_size 10G;
    location / {
        proxy_pass http://127.0.0.1:2368;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_buffering off;
    }
}
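An added example, not part of the original post: a small Python check that reads server blocks like the ones above and reports how each hostname would handle an http-01 challenge request. The function names and the PROBE path are hypothetical, and location selection is simplified (it ignores `=` locations and approximates nginx regexes with Python's `re`).

```python
import re

# Constructed sample: the two server blocks from the post, condensed.
CONF = """
server {
    server_name mysite.com;
    location ~ /.well-known { allow all; }
    return 301 http://www.mysite.com$request_uri;
}
server {
    server_name www.mysite.com;
    location / { proxy_pass http://127.0.0.1:2368; }
}
"""
PROBE = "/.well-known/acme-challenge/probe"  # hypothetical challenge URI

def blocks(text, keyword):
    """Yield (header, body) for each brace-matched `keyword ... { ... }` block."""
    for m in re.finditer(r"(?m)^\s*%s\b([^{;]*)\{" % keyword, text):
        depth, i = 1, m.end()
        while depth and i < len(text):
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield m.group(1).strip(), text[m.end():i - 1]

def pick_location(locs, uri):
    """Simplified nginx selection: '^~' prefix, then first regex, then longest prefix."""
    parsed = [(h.rpartition(" ")[0].strip(), h.rpartition(" ")[2], b) for h, b in locs]
    prefixes = [p for p in parsed if p[0] in ("", "^~") and uri.startswith(p[1])]
    best = max(prefixes, key=lambda p: len(p[1]), default=None)
    if best and best[0] == "^~":
        return best[2]
    for mod, pat, body in parsed:
        if mod in ("~", "~*") and re.search(pat, uri, re.I if mod == "~*" else 0):
            return body
    return best[2] if best else None

def diagnose(conf, uri=PROBE):
    """Map each server_name to how a request for `uri` is handled."""
    result = {}
    for _, body in blocks(re.sub(r"#.*", "", conf), "server"):
        name = re.search(r"server_name\s+([^;]+);", body).group(1).strip()
        top = re.sub(r"\{[^{}]*\}", "", body)  # server-level directives only
        chosen = pick_location(list(blocks(body, "location")), uri)
        if re.search(r"(?m)^\s*return\s", top):
            result[name] = "redirected"  # server-level return runs before location matching
        else:
            result[name] = "proxied" if chosen and "proxy_pass" in chosen else "static"
    return result
```

For the configuration above, `diagnose(CONF)` reports mysite.com as redirected and www.mysite.com as proxied to the upstream on port 2368, which is consistent with the HTML body quoted in the error output instead of the challenge file from /var/www/ghost.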