28

I had working Let's encrypt certificates some months ago (with the old letsencrypt client). The server I am using is nginx.

Certbot is creating the .well-known folder, but not the acme-challenge folder

Now I tried to create new certificates via ~/certbot-auto certonly --webroot -w /var/www/webroot -d domain.com -d www.domain.com -d git.domain.com

But I always get errors like this:

IMPORTANT NOTES:
   - The following errors were reported by the server:

   Domain: git.domain.com
   Type:   unauthorized
   Detail: Invalid response from
   http://git.domain.com/.well-known/acme-challenge/ZLsZwCsBU5LQn6mnzDBaD6MHHlhV3FP7ozenxaw4fow:
   "<!DOCTYPE html>
   <html lang='en'>
   <head prefix='og: http://ogp.me/ns#'>
   <meta charset='utf-8'>
   <meta content='IE=edge' http-equiv"

   Domain: www.domain.com
   Type:   unauthorized
   Detail: Invalid response from
   http://www.domain.com/.well-known/acme-challenge/7vHwDXstyiY0wgECcR5zuS2jE57m8I3utszEkwj_mWw:
   "<html>
   <head><title>404 Not Found</title></head>
   <body bgcolor="white">
   <center><h1>404 Not Found</h1></center>

I have looked for a solution, but didn't find one yet. Does anybody know why certbot is not creating the folders?

Thanks in advance!

Jamie Counsell
lehnerchristian

3 Answers

19

The problem was the nginx configuration. I replaced my long configuration files with the simplest config possible:

server {
    listen 80;
    server_name domain.com www.domain.com git.domain.com;
    root /var/www/domain/;
}

Then I was able to issue new certificates.

The problem with my long configuration files was (as far as I can tell) that I had these lines:

location ~ /.well-known {
    allow all;
}

But they should be:

location ~ /.well-known/acme-challenge/ {
    allow all;
}

Now the renewal works, too.

lehnerchristian
  • 24
    It's worth mentioning that Certbot will clear the `.well-known` directory after trying to issue. So if you're looking into it believing that the problem is with file generation instead of file serving, rest assured it is not. The error you get when there are permission errors is different. – DfKimera Dec 13 '16 at 17:29
  • Note that in this case, all subdomains use the same root directory. Create one server per root is a solution (maybe not the best, but it works) if using multiple roots. – aluriak Mar 18 '17 at 13:46
  • 1
    This solution did not work for me. I have "location /.well-known { .. allow all; }". Strace shows that certbot deletes the acme-challenge directory when it is created manually before starting certbot. Then it fails to open the challenge file. – rhoerbe Jul 29 '17 at 14:59
  • I thought the regex here should match. `~ /.well-known` matches `/.well-known/acme-challenge/`, no? – Michael Campbell May 26 '19 at 19:53
  • @DfKimera it may clear it, but will it re-create it on the next run if I delete it ? – mckenzm Jul 23 '23 at 00:11
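Before re-running certbot it is worth proving that the directory passed with -w is the one nginx actually serves for every domain in the request. The Python script below is an added example, not part of this answer or of certbot: it writes a constructed token under <webroot>/.well-known/acme-challenge/, serves a directory with Python's own http.server as a stand-in for nginx, and fetches the token over HTTP the way the validator does. The hypothetical demo() helper reproduces the two outcomes from the question: webroot and served root agree (200 with the expected body) or disagree (the 404 seen for www.domain.com). Against a real vhost the same check is fetch_challenge('http://domain.com', token, key_authz) after placing the file.

```python
import os
import secrets
import tempfile
import threading
import urllib.error
import urllib.request
from functools import partial
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer

# Path certbot creates below the webroot for HTTP-01 challenges.
CHALLENGE_DIR = ".well-known/acme-challenge"


class QuietHandler(SimpleHTTPRequestHandler):
    """SimpleHTTPRequestHandler without per-request logging on stderr."""

    def log_message(self, format, *args):
        pass


def place_token(webroot, token, key_authz):
    """Write the challenge file exactly where certbot --webroot would put it."""
    directory = os.path.join(webroot, *CHALLENGE_DIR.split("/"))
    os.makedirs(directory, exist_ok=True)
    path = os.path.join(directory, token)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(key_authz)
    return path


def fetch_challenge(base_url, token, expected):
    """GET the challenge URL and report (status, matched, detail).

    detail is empty on success; otherwise it carries the start of the body,
    which is what certbot shows as 'Invalid response from ...'.
    """
    url = f"{base_url}/{CHALLENGE_DIR}/{token}"
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            status = resp.status
            body = resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, False, f"HTTP {err.code}"
    matched = body.strip() == expected
    return status, matched, "" if matched else body[:80]


def preflight(webroot, served_root):
    """Place a token in webroot, serve served_root, and fetch the token.

    A throwaway http.server on a random localhost port stands in for nginx
    (an assumption of this example, not what certbot does).
    """
    handler = partial(QuietHandler, directory=served_root)
    server = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    try:
        token = secrets.token_urlsafe(32)              # 43 chars, like an ACME token
        key_authz = f"{token}.constructed-thumbprint"  # constructed key authorization
        place_token(webroot, token, key_authz)
        port = server.server_address[1]
        return fetch_challenge(f"http://127.0.0.1:{port}", token, key_authz)
    finally:
        server.shutdown()
        server.server_close()


def demo(misconfigured=False):
    """Hypothetical helper: run the preflight with matching or mismatched roots."""
    webroot = tempfile.mkdtemp(prefix="webroot-")
    served = tempfile.mkdtemp(prefix="nginx-root-") if misconfigured else webroot
    return preflight(webroot, served)


if __name__ == "__main__":
    print("roots agree:   ", demo())                    # (200, True, '')
    print("roots disagree:", demo(misconfigured=True))  # (404, False, 'HTTP 404')
```

A 200 whose body is an HTML page (the git.domain.com case above) means a different location or application answered the request; a 404 means the file is simply not under the served root. Either way the problem is in serving, not in certbot's file creation, which is also why the directory is gone again by the time you look for it.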
7

I had a similar issue. My problem was that I had this rule:

location ~ /\. {
    access_log off;
    log_not_found off;
    deny all;
}

These lines were cancelling every access to any directory starting with a "." (dot).

Dazag
  • 3
    I had this problem too (default for Wordpress on Nginx) but it's a valuable rule, so just place it after the `location ~ /.well-known` rule – Jason Elkin Jun 14 '17 at 19:59
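Whether the dotfile rule or the acme-challenge rule wins comes down to how nginx chooses a location: regex (`~`) locations are tried in file order and the first match wins, while a `^~` prefix location, once it is the longest matching prefix, stops the regex pass entirely. The Python below is an added example, not part of this answer or of nginx: it models that documented selection order (simplified to `=`, plain prefix, `^~`, `~` and `~*` locations) and runs the deny rule from this answer against a challenge URI in three constructed arrangements. Note that inside a `~` location the dot is a regex metacharacter, which is why the deny rule escapes it as `/\.`.

```python
import re

# Each location is (modifier, pattern, action); action names the block that
# would handle the request. All location lists here are constructed.
DENY_DOTFILES = ("~", r"/\.", "deny")
ALLOW_ACME_REGEX = ("~", "/.well-known/acme-challenge/", "allow")
ALLOW_ACME_PREFIX = ("^~", "/.well-known/acme-challenge/", "allow")
CATCH_ALL = ("", "/", "site")

# Dotfile deny listed first, as in this answer: it shadows the regex allow.
BROKEN_ORDER = [CATCH_ALL, DENY_DOTFILES, ALLOW_ACME_REGEX]
# The fix from the comment: the acme allow comes before the dotfile deny.
FIXED_ORDER = [CATCH_ALL, ALLOW_ACME_REGEX, DENY_DOTFILES]
# Alternative: a ^~ prefix location wins regardless of where the deny sits.
PREFIX_OVERRIDE = [CATCH_ALL, DENY_DOTFILES, ALLOW_ACME_PREFIX]

CHALLENGE_URI = "/.well-known/acme-challenge/constructed-token"


def select_location(locations, uri):
    """Simplified model of nginx location selection:
    1. an '=' location equal to the URI wins outright;
    2. the longest matching prefix is remembered; if it is '^~' it wins;
    3. otherwise '~' / '~*' locations are tried in file order, first match wins;
    4. otherwise the longest prefix match is used (None if nothing matched)."""
    best_prefix = None
    for loc in locations:
        modifier, pattern, _ = loc
        if modifier == "=" and uri == pattern:
            return loc
        if modifier in ("", "^~") and uri.startswith(pattern):
            if best_prefix is None or len(pattern) > len(best_prefix[1]):
                best_prefix = loc
    if best_prefix is not None and best_prefix[0] == "^~":
        return best_prefix
    for loc in locations:
        modifier, pattern, _ = loc
        flags = re.IGNORECASE if modifier == "~*" else 0
        if modifier in ("~", "~*") and re.search(pattern, uri, flags):
            return loc
    return best_prefix


def effective_action(locations, uri):
    """Name of the block that handles uri under this location list."""
    loc = select_location(locations, uri)
    return loc[2] if loc else None


if __name__ == "__main__":
    cases = [("broken order", BROKEN_ORDER),
             ("fixed order", FIXED_ORDER),
             ("^~ prefix", PREFIX_OVERRIDE)]
    for name, cfg in cases:
        print(f"{name:13s} challenge -> {effective_action(cfg, CHALLENGE_URI)}, "
              f"/.git/config -> {effective_action(cfg, '/.git/config')}")
```

In all three arrangements the dotfile rule still denies paths such as /.git/config, so keeping it costs nothing; the `^~` variant is the one that does not depend on the order of blocks in a long configuration. Scoping the allow to /.well-known/acme-challenge/ rather than the whole /.well-known tree, as the accepted answer does, also exposes the least.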
1

For some strange reason (I think the certbot script changed in some way), I was not able to renew the certificates in any way. I found this thread that finally helped me after almost 4 hours of research:

https://community.letsencrypt.org/t/solved-invalid-response-403-forbidden/64170/13

Hope it helps somebody else.

The trick is to add this to the Apache config:

DocumentRoot /var/lib/letsencrypt/http_challenges
<Directory /var/lib/letsencrypt/http_challenges>
    Allow from All
</Directory>

Hope it works for someone else!

Alejandro Giraldo