Let's Encrypt invalid response, token file 404

Discussion in 'Installation/Configuration' started by Keen Mouse, Jan 10, 2019.

  1. Keen Mouse

    Keen Mouse New Member

    Ubuntu 18.04.1 LTS
    ISPConfig 3.1.13
    nginx

    I'm having some trouble obtaining Let's Encrypt certificates. I've tried with and without "Skip Lets Encrypt Check" enabled. When it is enabled, the warning shows me the command that was issued. Here's what I get when I issue the command manually:
    Code:
    # /usr/bin/letsencrypt certonly -n --text --agree-tos --expand --authenticator webroot --server https://acme-v02.api.letsencrypt.org/directory --rsa-key-size 4096 --email [email protected][domain].com  --domains testing.[domain].com --webroot-path /usr/local/ispconfig/interface/acme
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator webroot, Installer None
    Obtaining a new certificate
    Performing the following challenges:
    http-01 challenge for testing.[domain].com
    Using the webroot path /usr/local/ispconfig/interface/acme for all unmatched domains.
    Waiting for verification...
    Cleaning up challenges
    Failed authorization procedure. testing.[domain].com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://testing.[domain].com/.well-known/acme-challenge/gL6rp6uI1IcLYtExxa8AqcxqdZkTA5g-kuA-jmfoLYQ: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>"
    
    IMPORTANT NOTES:
     - The following errors were reported by the server:
    
       Domain: testing.[domain].com
       Type:   unauthorized
       Detail: Invalid response from
       http://testing.[domain].com/.well-known/acme-challenge/gL6rp6uI1IcLYtExxa8AqcxqdZkTA5g-kuA-jmfoLYQ:
       "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body
       bgcolor=\"white\">\r\n<center><h1>404 Not
       Found</h1></center>\r\n<hr><center>"
    
       To fix these errors, please make sure that your domain name was
       entered correctly and the DNS A/AAAA record(s) for that domain
       contain(s) the right IP address.
    
    Running dig confirms that the DNS A record is correct. What might cause the token file to not be served properly?

    Here's my htf_report.txt:
    Code:
    ##### SERVER #####
    IP-address (as per hostname): ***.***.***.***
    [WARN] could not determine server's ip address by ifconfig
    [INFO] ISPConfig is installed.
    
    ##### ISPCONFIG #####
    ISPConfig version is 3.1.13
    
    
    ##### VERSION CHECK #####
    
    [INFO] php (cli) version is 7.2.10-0ubuntu***.***.***.***
    
    ##### PORT CHECK #####
    
    [WARN] Port 143 (IMAP server) seems NOT to be listening
    [WARN] Port 993 (IMAP server SSL) seems NOT to be listening
    [WARN] Port 110 (POP3 server) seems NOT to be listening
    [WARN] Port 995 (POP3 server SSL) seems NOT to be listening
    [WARN] Port 465 (SMTP server SSL) seems NOT to be listening
    [WARN] Port 22 (SSH server) seems NOT to be listening
    
    ##### MAIL SERVER CHECK #####
    
    [WARN] I found no "submission" entry in your postfix master.cf
    [INFO] this is not critical, but if you want to offer port 587 for smtp connections you have to enable this.
    [WARN] I found no "smtps" entry in your postfix master.cf
    [INFO] this is not critical, but if you want to offer SSL for smtp (not TLS) connections you have to enable this.
    
    ##### RUNNING SERVER PROCESSES #####
    
    [INFO] I found the following web server(s):
        Unknown process (nginx:) (PID 26707)
    [INFO] I found the following mail server(s):
        Postfix (PID 1184)
    [WARN] I could not determine which pop3 server is running.
    [WARN] I could not determine which imap server is running.
    [INFO] I found the following ftp server(s):
        PureFTP (PID 22366)
    
    ##### LISTENING PORTS #####
    (only        ()
    Local        (Address)
    [anywhere]:80        (26707/nginx:)
    [anywhere]:8080        (26707/nginx:)
    [anywhere]:8081        (26707/nginx:)
    [anywhere]:21        (22366/pure-ftpd)
    ***.***.***.***:53        (519/systemd-resolve)
    [anywhere]:25        (1184/master)
    [localhost]:6010        (19225/sshd:)
    [anywhere]:443        (26707/nginx:)
    [anywhere]:18878        (675/sshd)
    *:*:*:*::*:80        (26707/nginx:)
    *:*:*:*::*:8080        (26707/nginx:)
    *:*:*:*::*:21        (22366/pure-ftpd)
    *:*:*:*::*:25        (1184/master)
    *:*:*:*::*:6010        (19225/sshd:)
    [localhost]8878        (675/sshd)
    *:*:*:*::*:3306        (22234/mysqld)
    
    ##### IPTABLES #####
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination       
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination       
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination       
    
     
  2. Jesse Norell

    Jesse Norell Well-Known Member

    Do you have a ProxyPass line for /.well-known/ or /.well-known/acme-challenge/ in nginx config? Does the /usr/local/ispconfig/interface/acme/.well-known/acme-challenge/ directory exist (and no part of that path is a symlink)?
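A quick way to test exactly what the reply above asks about, added here as an example and not code from the thread or from ISPConfig: it checks the acme webroot quoted in the first post for a missing challenge directory or a symlinked path component, then drops a throwaway token there and fetches it through the public hostname the way the CA does. The webroot path and URL layout are the ones from the first post's command; the probe token, its body and the WEBROOT override are constructed for this script.

```shell
#!/bin/sh
# Added diagnostic, not from the thread or from ISPConfig: confirm that the
# webroot handed to certbot really serves an http-01 token over HTTP.
# Defaults are the paths quoted in the first post; override via WEBROOT.
WEBROOT="${WEBROOT:-/usr/local/ispconfig/interface/acme}"
CHALLENGE_DIR="$WEBROOT/.well-known/acme-challenge"

# check_challenge_dir DIR: 0 if DIR is a real directory and no component of
# its path is a symlink (the two conditions the reply above asks about),
# 1 if it is missing, 2 if a symlink is in the way.
check_challenge_dir() {
    dir="$1"
    [ -d "$dir" ] || { echo "missing directory: $dir" >&2; return 1; }
    p="$dir"
    while :; do
        if [ -L "$p" ]; then
            echo "path component is a symlink: $p" >&2
            return 2
        fi
        parent=$(dirname "$p")
        [ "$parent" = "$p" ] && break   # reached "/" or "."
        p="$parent"
    done
    return 0
}

# challenge_url DOMAIN TOKEN: the URL the ACME server fetches for http-01.
challenge_url() {
    printf 'http://%s/.well-known/acme-challenge/%s\n' "$1" "$2"
}

# probe_token DOMAIN: write a throwaway token (constructed, not an ACME one)
# into the challenge directory, fetch it via the public hostname the way the
# CA does, and report whether the body came back unchanged. A 404 here
# reproduces the first post's failure without spending a validation attempt.
probe_token() {
    domain="$1"
    check_challenge_dir "$CHALLENGE_DIR" || return 1
    token="probe-$(date +%s)-$$"
    body="ispconfig-webroot-ok"
    printf '%s' "$body" > "$CHALLENGE_DIR/$token" || return 1
    got=$(curl -fsS --max-time 10 "$(challenge_url "$domain" "$token")" 2>/dev/null)
    rm -f "$CHALLENGE_DIR/$token"
    [ "$got" = "$body" ] && { echo "OK: $domain serves $CHALLENGE_DIR"; return 0; }
    echo "FAIL: $domain did not return the token; the nginx vhost is not serving $CHALLENGE_DIR" >&2
    return 1
}

if [ -n "${1:-}" ]; then probe_token "$1"; fi
```

Run it as root on the ISPConfig host with the hostname you are requesting the certificate for, e.g. `sh probe.sh testing.[domain].com`; a FAIL with the directory checks passing points at the nginx vhost rather than at DNS.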
     
  3. Keen Mouse

    Keen Mouse New Member

    I don't have any ProxyPass line. What should it be and how does it normally get there? I don't recall seeing anything about it in the setup tutorial.

    Thanks for your help.
     
  4. Jesse Norell

    Jesse Norell Well-Known Member

    I don't run nginx servers, so don't have a working sample, but I see mention of that repeatedly when folks add nginx config - just search the forum here a little and you'll likely find examples within minutes.
     
  5. Keen Mouse

    Keen Mouse New Member

    Thanks for your suggestion. I've at least been able to eliminate this as a possibility. I don't have and shouldn't need any proxy_pass. I've posted a new thread with the problem narrowed down here. I know you're not an nginx guy, and this is firmly in nginx territory now. I just wanted to update you and say thanks for giving it a shot.
     
