Django & Certbot - unauthorized, Invalid response (HTTPS)

Question

I'm trying to configure Certbot (Letsencrypt) with Nginx.

I get this error :

 - The following errors were reported by the server:

   Domain: koomancomputing.com
   Type:   unauthorized
   Detail: Invalid response from
   http://koomancomputing.com/.well-known/acme-challenge/xvDuo8MqaKvUhdDMjE3FFbnP1fqbp9R66ah5_uLdaZk
   [2600:3c03::f03c:92ff:fefb:794b]: "<html>\r\n<head><title>404 Not
   Found</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>404
   Not Found</h1></center>\r\n<hr><center>"

   Domain: www.koomancomputing.com
   Type:   unauthorized
   Detail: Invalid response from
   http://www.koomancomputing.com/.well-known/acme-challenge/T8GQaufb9qhKIRAva-_3IPfdu6qsDeN5wQPafS0mKNA
   [2600:3c03::f03c:92ff:fefb:794b]: "<html>\r\n<head><title>404 Not
   Found</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>404
   Not Found</h1></center>\r\n<hr><center>"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.

in /etc/nginx/sites-available/koomancomputing :

server {
listen 80;
server_name koomancomputing.com www.koomancomputing.com;

location = /favicon.ico { access_log off; log_not_found off; }
location /staticfiles/ {
    root /home/kwaku/koomancomputing;
}

location /media/ {
    root /home/kwaku/koomancomputing;
}

location / {
    include proxy_params;
    proxy_pass http://unix:/run/gunicorn.sock;
}
}

my DNS A/AAAA records :

I didn't know what to do, so I did a search and find django-letsencrypt app, but I don't know hot to use :

Answer 1

For me, it worked after I removed and installed the latest certbot version using snapd.

I use cloudflare proxy option and it failed for certbot 0.31.0. After installing certbot 1.27 and configuring the cert newly, it works fine even proxy toggle is on in cloudflare.

Answer 2

server {
  listen 80;
  listen [::]:80;

  # other configuration
}

Works for both IPV4 and IPV6 after adding this restart nginx.

Answer 3

Your domain has a proper AAAA record configured to your server over IPv6, and certbot chose that to validate your server.

However, your server block as configured under nginx only listens to port 80 on IPv4 for your domain. When certbot requests Let's Encrypt to access your challenge and issue a certificate, nginx isn't configured to properly respond with the challenge on IPv6. It often in this case returns other things (such as a 404 in your case, or a default site).

You can resolve this by modifying the first two lines to also listen on all IPv6 addresses for your server:

server {
  listen 80;
  listen [::]:80;

  # other configuration
}

After editing, restart nginx and run certbot again.

Answer 4

Your Nginx server is responding with a 404 error because it does not define a route to /.well-known needed by certbot to verify challenges. You need to modify the Nginx config file to tell it how to respond to certbot's challenges.

Certbot can update the Nginx config file for you.

• First, make sure your config file is enabled. Run sudo service nginx reload and check for the presence of a file called /etc/nginx/sites-enabled/koomancomputing.

• Then, run certbot --nginx -d koomancomputing.com -d www.koomancomputing.com

The --nginx flag tells certbot to find an Nginx config file with a matching server name and update that file with SSL info.