Hello!
This new thread follows the previous conversation I had with @wthess on the Tutorial for using free SSL/TLS certificates provided by “letsencrypt”.
The main issue was that I continuously got the following error while trying to use certbot-auto:
[quote]Failed authorization procedure. mydomain.fr (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://mydomain.fr/.well-known/acme-challenge/xW5e-ssGxezDEPUIE2UJZRoLU08n_1sOzad6jTLc4N0 [2001:1600:4:1::b]: 404
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: mydomain.fr
Type: unauthorized
Detail: Invalid response from
http://mydomain.fr/.well-known/acme-challenge/xW5e-ssGxezDEPUIE2UJZRoLU08n_1sOzad6jTLc4N0
[2001:1600:4:1::b]: 404
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.[/quote]
Here was my seafile.conf on nginx:
[quote]server {
    listen 80;
    listen [::]:80;
    server_name mydomain.fr;
    rewrite ^ https://$http_host$request_uri? permanent; # force redirect ht$
    # Enables or disables emitting nginx version on error pages and in the "Ser$
    server_tokens off;
    location /.well-known/acme-challenge {
        default_type "text/plain";
        allow all;
        root /home/pi/certbot-webroot;
    }
}
server {
    listen 443;
    listen [::]:443;
    ssl on;
    ssl_certificate /etc/nginx/ssl/nginx.crt;
    ssl_certificate_key /etc/nginx/ssl/nginx.key;
    error_page 497 https://$host:$server_port$request_uri;
    location / {
        fastcgi_pass 127.0.0.1:8000;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_script_name;
        fastcgi_param SERVER_PROTOCOL $server_protocol;
        fastcgi_param QUERY_STRING $query_string;
        fastcgi_param REQUEST_METHOD $request_method;
        fastcgi_param CONTENT_TYPE $content_type;
        fastcgi_param CONTENT_LENGTH $content_length;
        fastcgi_param SERVER_ADDR $server_addr;
        fastcgi_param SERVER_PORT $server_port;
        fastcgi_param SERVER_NAME $server_name;
        fastcgi_param HTTPS on;
        fastcgi_param HTTP_SCHEME https;
        fastcgi_param REMOTE_ADDR $remote_addr;
        access_log /var/log/nginx/seahub.access.log;
        error_log /var/log/nginx/seahub.error.log;
    }
    location /seafhttp {
        rewrite ^/seafhttp(.*)$ $1 break;
        proxy_pass http://127.0.0.1:8082;
        client_max_body_size 0;
    }
    location /media {
        root /home/pi/seafile/seafile-server-latest/seahub;
    }
    location /.well-known/acme-challenge {
        default_type "text/plain";
        allow all;
        root /home/pi/certbot-webroot;
    }
}[/quote]
After a lot of investigation, with the help of @wthess, it turned out that the error was “only” due to IPv6. It appears that, if Certbot-auto “detects” that IPv6 is activated on your domain, it will favor this way of working. So if it gets back an error on IPv6, it will not try on IPv4 and will return the 404 error to you.
So the solution was to delete the DNS AAAA redirection in my domain management interface. After this was done, certbot-auto no longer “detects” IPv6 on my domain and so works with IPv4.
I thank @wthess a lot for his help, and will let him add some precision on this issue.
Hope this thread can help. 
PS: Sorry for my poor English… I’m from France
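
A way to check for the situation described in this post before running certbot, as an added example that is not part of the original post: it requests the same challenge URL from every A and every AAAA address of the domain and compares the answers, so an AAAA record pointing at a host that returns 404 shows up immediately. The function names and the test file `probe.txt` (which you would place yourself under `.well-known/acme-challenge/` in the webroot) are assumptions made for this example.

```python
import http.client
import socket

CHALLENGE_DIR = "/.well-known/acme-challenge/"

def probe_family(domain, filename, family, port=80, timeout=5):
    """Return {address: HTTP status or error text}; empty dict = no record."""
    try:
        infos = socket.getaddrinfo(domain, port, family, socket.SOCK_STREAM)
    except socket.gaierror:
        return {}
    results = {}
    for info in infos:
        addr = info[4][0]
        conn = http.client.HTTPConnection(addr, port, timeout=timeout)
        try:
            # Connect to the literal address but send the real Host header,
            # so the web server selects the server block for this domain.
            conn.request("GET", CHALLENGE_DIR + filename, headers={"Host": domain})
            results[addr] = conn.getresponse().status
        except (OSError, http.client.HTTPException) as exc:
            results[addr] = f"connection failed: {exc}"
        finally:
            conn.close()
    return results

def verdict(v4, v6):
    """Compare both families; a redirect (e.g. 301) is reported, not followed."""
    if not v4 and not v6:
        return "domain does not resolve"
    if v4 and v6 and set(v4.values()) != set(v6.values()):
        return "AAAA address answers differently from the A address: fix or remove the AAAA record"
    if all(r == 200 for r in list(v4.values()) + list(v6.values())):
        return "challenge file served on every published address"
    return "challenge file not served directly: check the webroot or the redirect"

def diagnose(domain, filename, port=80):
    v4 = probe_family(domain, filename, socket.AF_INET, port)
    v6 = probe_family(domain, filename, socket.AF_INET6, port)
    return {"ipv4": v4, "ipv6": v6, "verdict": verdict(v4, v6)}

if __name__ == "__main__":
    # Assumption: probe.txt was created in the webroot's challenge directory.
    print(diagnose("mydomain.fr", "probe.txt"))
```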
