
I am trying to use certbot and letsencrypt on my Ubuntu 16.04 server, so I can install a mail server.

I am running certbot like this:

sudo /opt/letsencrypt/certbot-auto certonly --agree-tos --webroot -w /path/to/www/example -d example.com -d www.example.com

I get the following output from certbot (snippet shown below):

   Domain: www.example.com
   Type:   unauthorized
   Detail: Invalid response from
   http://www.example.com/.well-known/acme-challenge/QEZwFgUGOJqqXHcLmTmkr5z83dbH3QlrIUk1S3JI_cg:
   "<html>
   <head><title>404 Not Found</title></head>
   <body bgcolor="white">
   <center><h1>404 Not Found</h1></center>
   <hr><center>"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.

This is what my directory structure looks like:

root@yourbox:/path/to/www/example$ ls -la
total 12
drwxr-xr-x 3 example root    4096 Nov  1 10:17 .
drwxr-xr-x 5 root        webapps 4096 Nov  1 10:13 ..
drwxr-xr-x 2 root        root    4096 Nov  1 10:36 .well-known
root@yourbox:/path/to/www/example$ 
root@yourbox:/path/to/www/example$ cd .well-known/
root@yourbox:/path/to/www/example/.well-known$ ls -la
total 8
drwxr-xr-x 2 root        root 4096 Nov  1 10:36 .
drwxr-xr-x 3 example root 4096 Nov  1 10:17 ..
root@yourbox:/path/to/www/example/.well-known$ 

From the above, I can see that the challenge file does not exist, presumably because certbot is unable to write to the folder.

However, I first needed to check that nginx was set up correctly, and that it was serving files from folders starting with a period.

This is the configuration file for nginx for the website (/etc/nginx/sites-available/example):

server {
    # Allow access to the letsencrypt ACME Challenge
    location ~ /\.well-known\/acme-challenge {
        allow all;
    }
}

I manually created a test file (sudo touch /path/to/www/example/fake) and gave it the correct permissions:

root@yourbox:/path/to/www/example/.well-known/acme-challenge$ ls -l
total 0
-rw-r--r-- 1 example webapps 0 Nov  1 10:45 fake

I then tried to access http://www.example.com/.well-known/acme-challenge/fake from a browser - and got a 404 error.

This means I have two errors:

  1. Nginx is not correctly setup to serve files from the .well-known/acme-challenge folder
  2. The file permissions in the /path/to/www/example folder are wrong, so certbot can't write its automatically generated files to the .well-known/acme-challenge folder.

How may I fix these issues?

Homunculus Reticulli
  • You need to check the `/etc/hosts` file and make sure you have the correct records there, and also set the correct permissions, e.g. `chown -R www-data:www-data /path/to/www`; your `Nginx` and `php-FPM`/`Apache` should run under the "www-data" user, for example. –  Nov 05 '16 at 19:16

2 Answers


Your Nginx config file has no config to make your /path/to/www/example/ directory web accessible.

Here's a simple configuration which will put your site live and allow LetsEncrypt to create a valid certificate. Bear in mind port 80 will need to be accessible.

server {
    listen 80;

    server_name www.example.co.uk example.co.uk;

    root /path/to/www/example;

    access_log /var/log/nginx/example.co.uk.log;
    error_log /var/log/nginx/example.co.uk.log;

    index index.html index.htm index.php;

    location ~ /\.well-known\/acme-challenge {
        allow all;
    }

    location / {
        try_files $uri $uri/index.html $uri.html =404;
    }
}

Change your server_name accordingly, or use your /etc/hosts file to configure a local domain.

Jack Carlin
  • I'm at work at the moment. Will check your solution when I get home and award bounty before it expires. Thanks – Homunculus Reticulli Nov 10 '16 at 13:33
  • I logged in remotely to my machine and made the changes you suggested. I still get the same error messages that prompted my question. I made the following further modifications: **1.** Recursively changed ownership of `/path/to/www/example` to www-data:www-data (even though I think this introduces a security risk). **2.** Ran the letsencrypt script using `sudo -H`. The encrypt script is not creating the acme-challenge folder under the .well-known folder. When I got the same error message as before, I "touched" an empty file in .well-known/acme-challenge/abc. Got 404 in browser! – Homunculus Reticulli Nov 10 '16 at 14:12
  • I'm certain this is some form of routing issue. How are you accessing the site? Through an external domain, i.e. example.com or through localhost? – Jack Carlin Nov 11 '16 at 10:01
  • It is an external domain (i.e. world visible). It is not on localhost. I can visit the "homepage" (www.example.com) via my browser, no problem. However, as I stated earlier, even when I manually create the required folder structure (.well-known/acme-challenge), give full ownership to www-data and place a file in that folder, I can't access it through my browser. It sounds like an nginx configuration problem. – Homunculus Reticulli Nov 11 '16 at 10:10
  • Can you pastebin your directory structure of your web root folder including showing permissions/ownership? – Jack Carlin Nov 11 '16 at 10:46
  • And you **can** access files on the domain within sub folders? i.e. JPEGs etc – Jack Carlin Nov 11 '16 at 11:44

I had the same problem, which was caused by the following lines:

    location ~ /\. {
        deny all;
    }

I added the following ABOVE the lines mentioned above:

    location ~ /\.well-known\/acme-challenge {
        allow all;
    }
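Both answers come down to the same two checks: nginx must have a `root` and `server_name` for the host, and the acme-challenge location must win over any `location ~ /\.` deny rule (nginx tries regex locations in file order and uses the first match; a `^~` prefix location stops regex matching altogether, which is a sturdier way to express the exception than relying on ordering). The script below is an added example, not code from either answer, from certbot or from nginx. It renders such a snippet and then automates the manual test the question describes: write a file under `.well-known/acme-challenge/`, fetch it back over HTTP, and explain what a 404 or 403 means. The webroot, the domain and the snippet file name are assumptions, and the token is constructed, not a real ACME challenge.

```shell
#!/bin/sh
# Pre-flight check for "certbot certonly --webroot" behind nginx.
# Added example, not code from the original post, certbot or nginx.
# Assumed: WEBROOT is the directory passed to "-w", DOMAIN resolves to this
# host, and port 80 is reachable. Usage: sh acme-preflight.sh WEBROOT DOMAIN
set -eu

# nginx snippet for inclusion inside server{}: the challenge location must come
# BEFORE any "location ~ /\." deny rule, because regex locations match in file
# order, and "^~" stops regex evaluation once this prefix matches.
render_snippet() {
    webroot=$1
    cat <<EOF
# ACME http-01 tokens written by: certbot --webroot -w ${webroot}
location ^~ /.well-known/acme-challenge/ {
    root ${webroot};
    default_type "text/plain";
    try_files \$uri =404;
}

# Everything else starting with a dot (.git, .env, .htpasswd) stays hidden.
location ~ /\. {
    deny all;
}
EOF
}

# Returns 0 if, in the file given, the acme-challenge location precedes the
# dotfile deny rule.
snippet_order_ok() {
    allow_at=$(grep -nF 'location ^~ /.well-known/acme-challenge/' "$1" | head -n1 | cut -d: -f1)
    deny_at=$(grep -nF 'location ~ /\.' "$1" | head -n1 | cut -d: -f1)
    [ -n "$allow_at" ] && [ -n "$deny_at" ] && [ "$allow_at" -lt "$deny_at" ]
}

# Directory nginx must serve for /.well-known/acme-challenge/<token>.
acme_dir() { printf '%s/.well-known/acme-challenge' "$1"; }

# 32 hex chars standing in for an ACME token (constructed, not a real challenge).
make_token() { od -An -N16 -tx1 /dev/urandom | tr -d ' \n'; }

# Create the file exactly where certbot's webroot plugin would; print its path.
write_probe() {
    dir=$(acme_dir "$1")
    mkdir -p "$dir"
    printf '%s' "$2" > "$dir/$2"
    printf '%s/%s' "$dir" "$2"
}

# Compare the HTTP body with what was written; explain the common failures.
check_body() {
    expected=$1; got=$2
    if [ "$got" = "$expected" ]; then
        printf '%s\n' 'OK: challenge path is served from the webroot'
        return 0
    fi
    case "$got" in
        '') printf '%s\n' 'FAIL: no response (port 80 closed, DNS wrong, or nginx down)' ;;
        *'404 Not Found'*) printf '%s\n' 'FAIL: 404 (no root/server_name for this host, or a dotfile deny rule precedes the acme-challenge location)' ;;
        *'403 Forbidden'*) printf '%s\n' 'FAIL: 403 (deny all matched, or the nginx worker cannot read the file)' ;;
        *) printf '%s\n' "FAIL: unexpected body: $got" ;;
    esac
    return 1
}

# Write a probe token, fetch it over plain HTTP, clean up, report.
probe() {
    token=$(make_token)
    file=$(write_probe "$1" "$token")
    body=$(curl -sS "http://$2/.well-known/acme-challenge/$token" || true)
    rm -f "$file"
    check_body "$token" "$body"
}

# Only touch the network when invoked with WEBROOT and DOMAIN.
if [ $# -eq 2 ]; then
    probe "$1" "$2"
fi
```

Run it as `sh acme-preflight.sh /path/to/www/example www.example.com` (assumed values) before calling certbot; `render_snippet /path/to/www/example` prints the location pair to drop into the `server{}` block. A 404 from the probe while the homepage loads, which is the situation in the question, points at the `root` or location-ordering problem rather than at DNS, which is what certbot's generic "check your A records" hint suggests.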