5

This might be a simple error but I can't seem to use certbot to verify my domain. I am using nginx that is connected to an express application. I have commented out the configurations from the default nginx file and it only includes the configurations for my site from /etc/nginx/conf.d/mysite.info. In my configuration, the first location entry points to the root /.well-known/acme-challenge directory. Here are the settings from my nginx conf file:

server {
    listen 80;

    server_name <MYDOMAIN>.info www.<MYDOMAIN>.info;

    location '/.well-known/acme-challenge' {
            root /srv/www/<MY_ROOT_DIRECTORY>;
    }

    location / {
            proxy_pass http://localhost:4200;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection 'upgrade';
            proxy_set_header Host $host;
            proxy_cache_bypass $http_upgrade;
    }
    location /secure {
            auth_pam "Secure zone";
            auth_pam_service_name "nginx";
    }

}

To verify, I used the following certbot command:

certbot certonly --agree-tos --email <My_EMAIL>@gmail.com --webroot -w /srv/www/<ROOT_FOLDER>/ -d <DOMAIN>.info

The errors from certbot are as follows:

Performing the following challenges:
http-01 challenge for <MYDOMAIN>.info
Using the webroot path /srv/www/<ROOT_FOLDER> for all unmatched domains.
Waiting for verification...
Challenge failed for domain <MYDOMAIN>.info
http-01 challenge for <MYDOMAIN>.info
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: <MYDOMAIN>.info
   Type:   unauthorized
   Detail: Invalid response from
   http://<MYDOMAIN>.info/.well-known/acme-challenge/Yb3c1WtCn5G43YatrhVorTbT_nn3WKTLwKjr0c9dW8E
   [74.208.<...>.<...>]: "<!DOCTYPE html>\n<html
   lang=\"en\">\n<head>\n<meta
   charset=\"utf-8\">\n<title>Error</title>\n</head>\n<body>\n<pre>Cannot
   GET /.well-known/"

I am literally clueless at this point. All the directories and files have read permission for all users and groups. Any suggestions will be highly appreciated.

EDIT

Since Nginx was failing to deliver the challenge files, I modified my express server to send the files. The express app is accessible and it was easy to send the challenge files to get certbot to work. Although not the desired solution, it worked. However, I will keep the post open for a better answer.

Dherik
Abrar Hossain
    Have you tried without the quotes? `location /.well-known/acme-challenge { ... }` – Richard Smith Jan 18 '20 at 09:19
  • @RichardSmith I did in fact. It worked. I also had a few other issues and all of them summed up made it really confusing. The main problem was that I forgot to add .conf extension to my conf file. It was not being included and systemctl status was showing nginx was running. It wasn't until I probed the ports and figured out nginx was not running on 443 and 80 and realized my error. – Abrar Hossain Jan 18 '20 at 18:25
  • I came down this same path and haven't gotten it to work yet. I think what is happening is that the certbot is placing a local file, then trying to get it from the web server. What I don't understand is how to know where certbot places the file. You have it as /srv/www/; I have /srv but not directory /srv/www, where should I be expecting certbot to place the token? – Don Jul 09 '21 at 02:37
  • @Don you can create a www directory and try creating the other directories inside and place the file there. Also note that the permission for read is allowed so that the file can be accessed by the webserver. You can test by visiting your site `./.well-known/acme-challenge/` from a browser and if that works then the certbot challenge will pass successfully. Also, make sure port 443 is open. Hope that helps. – Abrar Hossain Jul 09 '21 at 09:24
  • Ah I thought certbot made the file on the fly, looks like I can run it in manual mode and get the file I need then set it up and run certbot again. I was trying to sync certbot putting the file somewhere and the nginx conf to work together. – Don Jul 09 '21 at 13:15
  • Please make sure ports 80 & 443 are opened for 0.0.0.0/0. – Santosh Garole Jul 24 '21 at 13:29
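The comments above describe two checks worth scripting before running certbot: that the config file is actually picked up by nginx (the asker's real root cause was a conf.d file without the .conf suffix) and that a file dropped into the webroot is really served at http://DOMAIN/.well-known/acme-challenge/. The script below is an added example, not code from the question or either answer; DOMAIN and WEBROOT are placeholder values to substitute, curl is assumed to be installed, and the .conf rule reflects the stock nginx.conf line `include /etc/nginx/conf.d/*.conf;`.

```shell
#!/bin/sh
# Pre-flight check for certbot's webroot (http-01) flow. Added example;
# DOMAIN and WEBROOT below are placeholders, substitute your own values.
set -u

DOMAIN="${DOMAIN:-example.invalid}"      # placeholder domain
WEBROOT="${WEBROOT:-/srv/www/mysite}"    # placeholder: the -w path passed to certbot

# Path where certbot drops the token for a given webroot and token name.
token_path() { printf '%s/.well-known/acme-challenge/%s\n' "${1%/}" "$2"; }

# URL the ACME validation server fetches: plain HTTP on port 80, not HTTPS.
challenge_url() { printf 'http://%s/.well-known/acme-challenge/%s\n' "$1" "$2"; }

# The stock nginx.conf only has "include /etc/nginx/conf.d/*.conf;", so a file
# in conf.d without the .conf suffix is silently ignored and nginx keeps running
# with no server block at all (the asker's actual root cause).
conf_is_included() {
  case "$1" in
    /etc/nginx/conf.d/*.conf) return 0 ;;
    *) return 1 ;;
  esac
}

# Serve a throw-away token through the real stack and compare what comes back,
# the same test the comments suggest doing from a browser, minus the guesswork.
preflight() {
  token="preflight-$(date +%s)-$$"
  path=$(token_path "$WEBROOT" "$token")
  mkdir -p "$(dirname "$path")" || return 1
  printf '%s' "$token" > "$path" && chmod 644 "$path"
  got=$(curl -fsS --max-time 10 "$(challenge_url "$DOMAIN" "$token")" 2>/dev/null)
  rm -f "$path"
  if [ "$got" = "$token" ]; then
    echo "OK: nginx served the token from $WEBROOT"
    return 0
  fi
  echo "FAIL: got '${got:-<nothing>}' instead of the token."
  echo "      Check: conf file name ends in .conf, 'nginx -T' shows the"
  echo "      acme-challenge location, and port 80 is reachable from outside."
  return 1
}

if [ "${1:-}" = "--run" ]; then
  preflight
fi
```

Run it as `DOMAIN=yourdomain.info WEBROOT=/srv/www/yourroot sh preflight.sh --run`; a "Cannot GET /.well-known/..." body in the FAIL line means the request reached express instead of the static location, exactly the symptom in the question.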

2 Answers

8

About:

Challenge failed for domain

This error can happen if you don't have the port 443 opened in your firewall.

I had the same problem trying to make certbot work on AWS. After some attempts, I just needed to open port 443 in the Security Group associated with the EC2 instance.

bluish
Dherik
0

I was facing this issue, but my problem was a little bit different. After doing some research I got to know that the domain on which I was trying certbot is protected by Cloudflare, and there is a WAF rule for country restriction which was blocking all the traffic from the origin server, so turning off the country restriction for a while did the job.