
I am trying to use certbot and letsencrypt on my Ubuntu 16.04 server, so I can install a mail server.

I am running certbot like this:

sudo /opt/letsencrypt/certbot-auto certonly --agree-tos --webroot -w /path/to/www/example -d example.com -d www.example.com

I get the following output from certbot (snippet shown below):

   Domain: www.example.com
   Type:   unauthorized
   Detail: Invalid response from
   http://www.example.com/.well-known/acme-challenge/QEZwFgUGOJqqXHcLmTmkr5z83dbH3QlrIUk1S3JI_cg:
   "<html>
   <head><title>404 Not Found</title></head>
   <body bgcolor="white">
   <center><h1>404 Not Found</h1></center>
   <hr><center>"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.

This is what my directory structure looks like:

root@yourbox:/path/to/www/example$ ls -la
total 12
drwxr-xr-x 3 example root    4096 Nov  1 10:17 .
drwxr-xr-x 5 root        webapps 4096 Nov  1 10:13 ..
drwxr-xr-x 2 root        root    4096 Nov  1 10:36 .well-known
root@yourbox:/path/to/www/example$ 
root@yourbox:/path/to/www/example$ cd .well-known/
root@yourbox:/path/to/www/example/.well-known$ ls -la
total 8
drwxr-xr-x 2 root        root 4096 Nov  1 10:36 .
drwxr-xr-x 3 example root 4096 Nov  1 10:17 ..
root@yourbox:/path/to/www/example/.well-known$ 

From the above I can see that the challenge file does not exist, presumably because certbot is unable to write to the folder.

However, I first needed to check that nginx was set up correctly, and that it was serving files from folders starting with a period.

This is the configuration file for nginx for the website (/etc/nginx/sites-available/example):

server {
    # Allow access to the letsencrypt ACME Challenge
    location ~ /\.well-known\/acme-challenge {
        allow all;
    }
}

I manually created a testfile (sudo touch /path/to/www/example/fake) and gave it the correct permissions:

root@yourbox:/path/to/www/example/.well-known/acme-challenge$ ls -l
total 0
-rw-r--r-- 1 example webapps 0 Nov  1 10:45 fake

I then tried to access http://www.example.com/.well-known/acme-challenge/fake from a browser - and got a 404 error.

This means I have two errors:

  1. Nginx is not correctly setup to serve files from the .well-known/acme-challenge folder
  2. The file permissions in the /path/to/www/example folder are wrong, so certbot can't write its automatically generated files to the .well-known/acme-challenge folder.

How may I fix these issues?

  • You need to check the /etc/hosts file and make sure you have the correct records there, and also set the correct permissions, e.g. chown -R www-data:www-data /path/to/www; your Nginx and php-FPM/Apache should run under the "www-data" user, for example. Commented Nov 5, 2016 at 19:16
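Before re-running certbot it helps to reproduce the validator's request yourself, because the 404 quoted above cannot by itself tell "certbot could not write the token" apart from "nginx does not serve the directory". The script below is an added example and is not part of the original question or of certbot: it writes a random token into WEBROOT/.well-known/acme-challenge, fetches it at the URL the CA would use, compares the bodies, and removes the token again. Two things are assumptions of this example rather than ACME behaviour: the file body is a random string instead of a real key authorization (token.thumbprint), and self_check() uses file:// URLs against a temporary directory so that it can run without a web server.

```python
import os
import secrets
import tempfile
import urllib.error
import urllib.request

CHALLENGE_PATH = ".well-known/acme-challenge"


def acme_preflight(webroot: str, base_url: str, timeout: float = 10.0):
    """Reproduce the HTTP-01 check locally.

    Writes a random token under <webroot>/.well-known/acme-challenge, fetches
    <base_url>/.well-known/acme-challenge/<token> and compares the bodies.
    Returns (ok, detail).  The token file is always removed afterwards; the
    directory is left in place, as certbot's --webroot plugin leaves it.
    """
    token = secrets.token_urlsafe(32)
    # Constructed stand-in for the key authorization certbot would write; any
    # unguessable value shows whether the file served is the one we wrote.
    body = secrets.token_urlsafe(32)
    challenge_dir = os.path.join(webroot, *CHALLENGE_PATH.split("/"))
    path = os.path.join(challenge_dir, token)

    # Step 1: can this user create the file at all?  The listing in the
    # question shows an empty .well-known owned by root, so rule this out first.
    try:
        os.makedirs(challenge_dir, exist_ok=True)
        with open(path, "w", encoding="ascii") as fh:
            fh.write(body)
    except OSError as exc:
        return False, f"cannot write {path}: {exc} (fix ownership/permissions, or run certbot as root)"

    # Step 2: does the web server hand the file back at the URL the CA will use?
    url = f"{base_url.rstrip('/')}/{CHALLENGE_PATH}/{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            fetched = resp.read().decode("ascii", errors="replace")
    except urllib.error.HTTPError as exc:
        # 404 here, with the file present on disk, means the server block has
        # no root for this directory or a 'location ~ /\.' deny rule shadows it.
        return False, f"{url} -> HTTP {exc.code}: server is not serving the challenge directory"
    except (urllib.error.URLError, OSError) as exc:
        return False, f"{url} -> {exc}: no HTTP response at all (DNS, firewall, port 80, or the URL)"
    finally:
        os.remove(path)

    if fetched.strip() != body:
        # Some other vhost or a catch-all page answered; the CA would reject this too.
        return False, f"{url} returned different content: another site or vhost answered"
    return True, f"{url} served the token correctly"


def self_check():
    """Run the check offline against a throwaway webroot using file:// URLs.

    'good' points the URL at the directory the token is written to (nginx's
    root matches the webroot); 'bad' points it at a different directory, the
    mismatch that produces the 404 in the question.
    """
    with tempfile.TemporaryDirectory() as webroot, tempfile.TemporaryDirectory() as other:
        good_ok, _ = acme_preflight(webroot, "file://" + webroot)
        bad_ok, bad_detail = acme_preflight(webroot, "file://" + other)
    return {"good": good_ok, "bad": bad_ok, "bad_detail": bad_detail}


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        ok, detail = acme_preflight(sys.argv[1], sys.argv[2])
        print(("OK: " if ok else "FAIL: ") + detail)
        sys.exit(0 if ok else 1)
    print(self_check())
```

Run it as the same user certbot will run as, e.g. `sudo python3 acme_preflight.py /path/to/www/example http://www.example.com`; a write failure points at ownership, an HTTP 404 with the file on disk points at the nginx server block, and a connection error points at DNS or the firewall.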

2 Answers


Your Nginx config file has no config to make your /path/to/www/example/ directory web accessible.

Here's a simple configuration which will put your site live and allow LetsEncrypt to create a valid certificate. Bear in mind port 80 will need to be accessible.

server {
    listen 80;

    server_name www.example.co.uk example.co.uk;

    root /path/to/www/example;

    access_log /var/log/nginx/example.co.uk.log;
    error_log /var/log/nginx/example.co.uk.log;

    index index.html index.htm index.php;

    location ~ /\.well-known\/acme-challenge {
        allow all;
    }

    location / {
        try_files $uri $uri/index.html $uri.html =404;
    }
}

Change your server_name accordingly, or use your /etc/hosts file to configure a local domain.


Comments

I'm at work at the moment. Will check your solution when I get home and award bounty before it expires. Thanks
I logged in remotely to my machine and made the changes you suggested. I still get the same error messages that prompted my question. I made the following further modifications: 1. Recursively changed ownership of /path/to/www/example to www-data:www-data (even though I think this introduces a security risk). 2. Ran the letsencrypt script using sudo -H. The encrypt script is not creating the acme-challenge folder under the .well-known folder. When I got the same error message as before, I "touched" an empty file in .well-known/acme-challenge/abc. Got 404 in browser!
I'm certain this is some form of routing issue. How are you accessing the site? Through an external domain, i.e. example.com or through localhost?
It is an external domain (i.e. world visible). It is not on localhost. I can visit the "homepage" (www.example.com) via my browser - no problem. However, as I stated earlier, even when I manually create the required folder structure (.well-known/acme-challenge), give full ownership to www-data and place a file in that folder, I can't access it through my browser. It sounds like an nginx configuration problem.
Can you pastebin your directory structure of your web root folder including showing permissions/ownership?

I had the same problem, which was caused by the following line:

location ~ /\. {
    deny all;
}

I added the following ABOVE the block mentioned above:

location ~ /\.well-known\/acme-challenge {
    allow all;
}
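Why the order matters in the second answer, and a form that does not depend on it. The script below is an added example, not code from either answer or from nginx: it models nginx's location-selection rule (an exact `=` match first; then the longest matching prefix, which wins outright if it was declared with `^~`; otherwise the first matching regex in file order; otherwise that longest prefix) and applies it to three variants of the configuration discussed on this page. The challenge token in the test URI and the labels standing in for block bodies are constructed. One caveat the model also makes visible, and that applies to the `allow all` block in both answers: `allow` only has an effect alongside a `deny`; what actually makes the challenge file retrievable is that the request lands in a location that serves files from the webroot (`root` is inherited from the server block, which is why the first answer's `root` directive is the part that fixes the question's 404).

```python
import re
from typing import List, Optional, Tuple

# (modifier, pattern, label): modifier is "=", "^~", "~", "~*" or "" for a
# plain prefix.  The label stands in for the block body in this model.
Location = Tuple[str, str, str]


def select_location(locations: List[Location], uri: str) -> Optional[str]:
    """Model of nginx's location selection for one request URI.

    1. an exact '=' match wins immediately;
    2. the longest matching prefix is remembered, and wins immediately if it
       was declared with '^~';
    3. otherwise regex locations are tried in file order, first match wins;
    4. otherwise the remembered prefix is used.
    """
    for mod, pat, label in locations:
        if mod == "=" and uri == pat:
            return label

    best: Optional[Location] = None
    for loc in locations:
        mod, pat, _ = loc
        if mod in ("", "^~") and uri.startswith(pat):
            if best is None or len(pat) > len(best[1]):
                best = loc
    if best is not None and best[0] == "^~":
        return best[2]

    for mod, pat, label in locations:
        if mod == "~" and re.search(pat, uri):
            return label
        if mod == "~*" and re.search(pat, uri, re.IGNORECASE):
            return label

    return best[2] if best is not None else None


# Constructed request URI of the shape certbot's HTTP-01 check uses.
CHALLENGE_URI = "/.well-known/acme-challenge/QEZwFgUGOJqqXHcLmTmkr5z83dbH3QlrIUk1S3JI_cg"

# Variant 1: the dotfile deny rule comes first, as in the second answer's
# original config.  Both regexes match the challenge URI; the first in file
# order wins, so the challenge is denied (nginx answers 403 and the CA reports
# an invalid response, just as with the 404 in the question).
DENY_FIRST: List[Location] = [
    ("", "/", "site"),
    ("~", r"/\.", "deny"),
    ("~", r"/\.well-known/acme-challenge", "challenge"),
]

# Variant 2: the second answer's fix, the allow block moved above the deny.
ALLOW_FIRST: List[Location] = [
    ("", "/", "site"),
    ("~", r"/\.well-known/acme-challenge", "challenge"),
    ("~", r"/\.", "deny"),
]

# Variant 3: a '^~' prefix location.  It beats every regex regardless of where
# it appears in the file, so a later edit cannot silently reintroduce the bug,
# while other dotfiles (.git, .htpasswd, ...) stay denied.
PREFIX_WINS: List[Location] = [
    ("", "/", "site"),
    ("~", r"/\.", "deny"),
    ("^~", "/.well-known/acme-challenge/", "challenge"),
]


def evaluate(locations: List[Location]) -> dict:
    """Which block handles the challenge URI, a dotfile, and an ordinary page."""
    return {uri: select_location(locations, uri)
            for uri in (CHALLENGE_URI, "/.git/config", "/index.html")}


if __name__ == "__main__":
    for name, cfg in (("deny first", DENY_FIRST), ("allow first", ALLOW_FIRST),
                      ("^~ prefix", PREFIX_WINS)):
        print(f"{name:12s} {evaluate(cfg)}")
```

In real nginx the third variant is written as `location ^~ /.well-known/acme-challenge/ { root /path/to/www/example; }` next to the existing `location ~ /\. { deny all; }`; the `^~` modifier, not the position in the file, is what keeps the challenge reachable.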

