Certbot is creating the .well-known folder, but not the acme-challenge folder
I had working Let's Encrypt certificates some months ago (with the old letsencrypt client). The server I am using is nginx.
Now I tried to create new certificates via:
~/certbot-auto certonly --webroot -w /var/www/webroot -d domain.com -d www.domain.com -d git.domain.com
But I always get errors like this:
IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: git.domain.com
   Type:   unauthorized
   Detail: Invalid response from http://git.domain.com/.well-known/acme-challenge/ZLsZwCsBU5LQn6mnzDBaD6MHHlhV3FP7ozenxaw4fow:
   "<!DOCTYPE html> <html lang='en'> <head prefix='og: http://ogp.me/ns#'> <meta charset='utf-8'> <meta content='IE=edge' http-equiv"

   Domain: www.domain.com
   Type:   unauthorized
   Detail: Invalid response from http://www.domain.com/.well-known/acme-challenge/7vHwDXstyiY0wgECcR5zuS2jE57m8I3utszEkwj_mWw:
   "<html> <head><title>404 Not Found</title></head> <body bgcolor="white"> <center><h1>404 Not Found</h1></center>"
I have looked for a solution, but haven't found one yet. Does anybody know why certbot is not creating the folders?
Thanks in advance!
If you want to use the http-01 challenge validation, make sure that Certbot can write to the challenge folder of the web server, usually located in /var/www/html/.well-known/acme-challenge.
.../.well-known/acme-challenge on port 80. The CA verifies client control by issuing an HTTP GET request to that URL. This is a good general-purpose challenge type. By hosting the challenge response via HTTP on port 80, the client proves its control over a protected port on the domain being requested.
Certbot's Apache and Nginx plugins normally require root both for making temporary and persistent changes to webserver configurations, and to perform graceful reload events for those servers.
Certbot helps you achieve two tasks: Obtaining a certificate: automatically performing the required authentication steps to prove that you control the domain(s), saving the certificate to /etc/letsencrypt/live/ and renewing it on a regular schedule.
The problem was the nginx configuration. I replaced my long configuration files with the simplest config possible:

server {
    listen 80;
    server_name domain.com www.domain.com git.domain.com;
    root /var/www/domain/;
}
Then I was able to issue new certificates.
The problem with my long configuration files was (as far as I can tell) that I had these lines:

location ~ /.well-known {
    allow all;
}

But they should be:

location ~ /.well-known/acme-challenge/ {
    allow all;
}
Now the renewal works, too.
I had a similar issue. My problem was that I had this rule:

location ~ /\. {
    access_log off;
    log_not_found off;
    deny all;
}

These lines were cancelling every access to any directory starting with a "." (point).
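The two answers above describe the same failure from two sides: a regex location (on /.well-known or on /\.) catches the challenge URL before the intended handler does, and the CA gets either an application page (as for git.domain.com) or a 404 (as for www.domain.com). The server block below is an added illustration, not code from either answer; it keeps the dotfile deny rule and still lets certbot's --webroot mode pass http-01. The webroot path /var/www/webroot and the domain names are taken from the question; the use of "^~" to give the challenge location precedence over regex locations and the /var/www/domain site root are assumptions.

```nginx
# Added example: HTTP vhost for certbot --webroot -w /var/www/webroot.
# certbot writes each token to /var/www/webroot/.well-known/acme-challenge/<TOKEN>,
# so that directory must be served verbatim at http://<name>/.well-known/acme-challenge/.
server {
    listen 80;
    listen [::]:80;
    server_name domain.com www.domain.com git.domain.com;

    # ACME http-01 responses. "^~" is a prefix match that, once it matches,
    # stops nginx from consulting any regex location below, so the
    # "deny all" on /\. can never shadow it.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/webroot;        # certbot creates .well-known/acme-challenge under this root
        default_type "text/plain";    # tokens have no file extension; serve them as plain text
        try_files $uri =404;          # an unknown token must be a bare 404, never an app page
    }

    # Keep the usual protection for .git, .htaccess, .env and similar paths.
    # As a regex location it is only tried for URIs no "^~" location has claimed.
    location ~ /\. {
        access_log off;
        log_not_found off;
        deny all;
    }

    # Everything else is the real site (or, once the certificate exists,
    # a redirect to the HTTPS server block).
    location / {
        root /var/www/domain;
        index index.html;
    }
}
```

To check the configuration without spending rate-limited issuance attempts: run nginx -t and reload, create a throwaway file in /var/www/webroot/.well-known/acme-challenge/, fetch it over plain HTTP for every name passed with -d (each name must return the file's content, not a 404 or an HTML page), and only then run certbot with --dry-run before the real certonly call. For a name such as git.domain.com that is normally proxied to an application, the "^~" block above must sit in that name's server block as well, ahead of the proxy_pass location.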