Reputation: 313
I understand this question is quite common and I have tried many attempts to fix this, following many different variations on the theme. In the past I could not renew a Let's Encrypt cert at the 3-month expiry because of this error. I have since rebuilt the server and started again. This time, however, I started with a staging certificate and it seems I am now stuck with that.
This is a Rails server, running on Ubuntu 20.04 with nginx, set up via Ansible per the book "Efficient Rails DevOps".
It cannot renew certificates as it complains the .well-known directory/page does not exist:
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for ------.com.au
Using default address 80 for authentication.
Waiting for verification...
Challenge failed for domain -----.com.au
http-01 challenge for -----.com.au
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: -----.com.au
Type: unauthorized
Detail: Invalid response from
https://-----.com.au/.well-known/acme-challenge/DQ2urLrKOSQmBhtlciFcbfMOcPIltmAAdI3vrijWrsM
[103.208.218.34]: "<!DOCTYPE html>\n<html>\n<head>\n <title>The
page you were looking for doesn't exist (404)</title>\n <meta
name=\"viewport\" content"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
I've taken out my attempts to resolve from the vhost conf file below, so it represents the original...
server {
    listen nnn.nnn.nnn.nnn:80;
    listen nnn.nnn.nnn.nnn:443 ssl;
    server_name www.dddd.com.au;
    return 301 https://dddd.com.au$request_uri;
    ssl_certificate /etc/letsencrypt/live/dddd.com.au/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/dddd.com.au/privkey.pem;
    ssl_dhparam /etc/nginx/ssl/dddd.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
    ssl_session_cache shared:SSL:10m;
    ssl_ecdh_curve secp384r1;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
    add_header X-Frame-Options SAMEORIGIN always;
    add_header X-Content-Type-Options nosniff;
}

server {
    listen nnn.nnn.nnn.nnn:443 ssl;
    server_name dddd.com.au;
    ssl_certificate /etc/letsencrypt/live/dddd.com.au/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/dddd.com.au/privkey.pem;
    ssl_dhparam /etc/nginx/ssl/dddd.pem;
    root /var/www/dddd/application/public;
    client_max_body_size 4G;
    keepalive_timeout 5;
    access_log /var/log/nginx/access.dddd.com.au.log;
    error_log /var/log/nginx/error.dddd.com.au.log;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
    ssl_session_cache shared:SSL:10m;
    ssl_ecdh_curve secp384r1;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;

    location ~ ^/assets/ {
        root /var/www/dddd/application/public;
        gzip_static on;
        expires max;
        add_header Cache-Control public;
        add_header ETag "";
        break;
    }

    location / {
        try_files $uri @app;
    }

    location @app {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $http_host;
        proxy_redirect off;
        proxy_pass http://dddd;
    }

    error_page 502 = @maintenance;
    location @maintenance {
        root /var/www/dddd/shared/maintenance;
        try_files $uri /index.html =502;
    }
}
Thanks in advance.
Upvotes: 0
Views: 602
Reputation: 313
So...I've just had a development...I successfully deleted and re-issued the certificate as a full one.
I think I also found a location block for .well-known that works:
location ~ ^/.well-known/ {
    allow all;
}
...and inserted this into BOTH server blocks (for ports 80 and 443), then performed a dry-run renewal with no more errors... I got "Congratulations, all renewals succeeded..."
I'm happy to receive any corrections to this, as I'm still quite green with this stuff.
Thx.
Upvotes: 0
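The error output in the question is the validator following the port-80 redirect to HTTPS and then getting the Rails 404 page back instead of the token file, because nothing in the server block serves `/.well-known/acme-challenge/` from the webroot. The following pre-flight check (added example, not code from the question, the answer or certbot) reproduces what the http-01 validator does before you spend a rate-limited certificate request: it writes a throwaway token under `<webroot>/.well-known/acme-challenge/`, fetches it over plain HTTP following redirects, and reports which URL finally answered and whether the body was the token or an application error page. `domain` and `webroot` are placeholders you supply; the `fetch` parameter exists so the logic can be exercised without a live server.

```python
import os
import secrets
import urllib.error
import urllib.request

CHALLENGE_DIR = ".well-known/acme-challenge"


def default_fetch(url, timeout=10):
    """Fetch url the way the ACME validator does (redirects followed);
    return (final_url, status, body). HTTP errors are results, not exceptions."""
    req = urllib.request.Request(url, headers={"User-Agent": "acme-preflight"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.geturl(), resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.geturl(), err.code, err.read().decode("utf-8", "replace")


def acme_preflight(domain, webroot, fetch=default_fetch):
    """Place a random token where certbot --webroot would, request it over
    plain HTTP, and report what the server actually returned."""
    token = secrets.token_urlsafe(32)
    challenge_path = os.path.join(webroot, *CHALLENGE_DIR.split("/"))
    os.makedirs(challenge_path, exist_ok=True)
    token_file = os.path.join(challenge_path, token)
    with open(token_file, "w") as fh:
        fh.write(token)
    url = f"http://{domain}/{CHALLENGE_DIR}/{token}"
    try:
        final_url, status, body = fetch(url)
    finally:
        os.remove(token_file)  # never leave stray tokens in the webroot
    return {
        "ok": status == 200 and body.strip() == token,
        "requested": url,
        "final_url": final_url,
        "redirected": final_url != url,
        "status": status,
        "body_preview": body[:80],
    }


def explain(result):
    """Map the result onto the symptom seen in the question."""
    if result["ok"]:
        return "token served correctly; http-01 should pass"
    where = result["final_url"]
    if result["status"] == 404 and "<html" in result["body_preview"].lower():
        return (f"{where} answered with an HTML 404: the request reached the app "
                "server, not the webroot; that server block needs a location for "
                f"/{CHALLENGE_DIR}/ that serves files from the webroot")
    return f"{where} answered {result['status']}; check that block's root/location"
```

Run it as `acme_preflight("dddd.com.au", "/var/www/dddd/application/public")` from the host itself so the result reflects the real DNS and nginx path, and read `explain(result)`.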