Ben

Reputation: 4110

letsencrypt and nginx 404 error

I'm trying to configure SSL on my DigitalOcean server with nginx, but I'm facing a problem. I have 4 websites on the same server; 3 are working well, but the last one seems to be capricious. To set up my certificates (to enable HTTPS with SSL), I'm following this tutorial (using letsencrypt): https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-16-04

I should point out that I'm using the same certificate for the 4 websites. The problem occurs when I run this command:

sudo letsencrypt certonly -a webroot --webroot-path=/projects/mysite/staging/backend -d staging.backend.mysite.com -d www.staging.backend.mysite.com

It returns this error:

Failed authorization procedure. staging.backend.mysite.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://staging.backend.mysite.com/.well-known/acme-challenge/jyYxmJYByVQS_HPf7at04LZkirwKe3rOHCeMYcNk1XA: "<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>", www.staging.backend.mysite.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.staging.backend.mysite.com/.well-known/acme-challenge/-CPeTAThAt2XBMP28LiJmaJxhWDgtU6ysRvgfVv3o5s: "<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: staging.backend.mysite.com
   Type:   unauthorized
   Detail: Invalid response from http://staging.backend.mysite.com
   /.well-known/acme-
   challenge/jyYxmJYByVQS_HPf7at04LZkirwKe3rOHCeMYcNk1XA: "<html>
   <head><title>404 Not Found</title></head>
   <body bgcolor="white">
   <center><h1>404 Not Found</h1></center>
   <hr><center>"

   Domain: www.staging.backend.mysite.com
   Type:   unauthorized
   Detail: Invalid response from
   http://www.staging.backend.mysite.com/.well-known/acme-
   challenge/-CPeTAThAt2XBMP28LiJmaJxhWDgtU6ysRvgfVv3o5s: "<html>
   <head><title>404 Not Found</title></head>
   <body bgcolor="white">
   <center><h1>404 Not Found</h1></center>
   <hr><center>"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.

When I try to reach http://staging.backend.mysite.com/ with Chrome, it returns this error:

NET::ERR_CERT_COMMON_NAME_INVALID

Here is my nginx configuration:

server {
    listen 80;
    listen [::]:80;
    server_name staging.backend.mysite.com www.staging.backend.mysite.com;

    location / {
        proxy_pass http://127.0.0.1:8900/;
    }
}


server {
    listen 8900;
    server_name my.site.ip.adresse;

    location = /favicon.ico {
        access_log off;
        log_not_found off;
    }

    location /static/ {
        root /projects/mysite/staging/backend;
    }

    location /media/ {
        root /projects/mysite/staging/backend;
    }

    location ~ /.well-known {
        allow all;
    }

    location / {
        proxy_pass http://unix:/projects/mysite/staging/backend/run/mysite.sock;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header Host $http_host;
        proxy_redirect off;
    }
}

As you can see, there is no SSL configuration in the server block because the tutorial says to add it later. It worked well for the 3 other sites. Is there something wrong with my configuration?

Upvotes: 0

Views: 6971

Answers (1)

Chase

Reputation: 3105

I fixed this by disabling the proxy in nginx and making sure .well-known was in my http root dir (you don't have a root directive in your 8900 server block, add one as a temp. This has to point to a dir in the filesystem, which would be /projects/mysite/staging/backend/.well-known based on the webroot path you gave to the letsencrypt command).

Make sure you can access sample.com/.well-known from the browser, run the Let's Encrypt install, then turn your proxy back on.

Your .well-known block should not be necessary. Also not sure why you're serving on both 80 and 8900 in nginx. Why not just proxy 80 right to your socket and skip serving on 8900?

Upvotes: 1
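
An added example, not part of the original answer: one way to apply the advice above is a single port-80 server block that serves the ACME challenge directory from the `--webroot-path` given in the question and proxies everything else to the socket. Server names and paths are taken from the question; the `^~` prefix match, `default_type`, `try_files` and `$scheme` lines are choices made for this example.

```nginx
# Added example, not the poster's configuration.
# Replaces both the port-80 and port-8900 blocks from the question.
server {
    listen 80;
    listen [::]:80;
    server_name staging.backend.mysite.com www.staging.backend.mysite.com;

    # http-01 validation: the webroot plugin writes each token to
    #   <webroot-path>/.well-known/acme-challenge/<token>
    # so "root" must equal the --webroot-path passed to letsencrypt.
    # "^~" makes this prefix win over regex locations, and the request
    # is answered from disk instead of being proxied to the backend.
    location ^~ /.well-known/acme-challenge/ {
        root /projects/mysite/staging/backend;
        default_type "text/plain";
        try_files $uri =404;
    }

    # root is set only inside the locations that need it, so the rest of
    # the project directory (source, run/mysite.sock) is never served
    # as static files.
    location /static/ {
        root /projects/mysite/staging/backend;
    }

    location /media/ {
        root /projects/mysite/staging/backend;
    }

    location = /favicon.ico {
        access_log off;
        log_not_found off;
    }

    location / {
        proxy_pass http://unix:/projects/mysite/staging/backend/run/mysite.sock;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Assumption: report the real scheme. Hard-coding "https" on a
        # plain-HTTP listener tells the backend the request was secure.
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $http_host;
        proxy_redirect off;
    }
}
```

After `nginx -t` and a reload, a test file placed in `/projects/mysite/staging/backend/.well-known/acme-challenge/` should be retrievable over plain HTTP on both hostnames before the letsencrypt command is re-run.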
