I have Let’s Encrypt configured but it seems like HA does not have the expected challenge files in place. Is there a way I can dig deeper into the system to find out if the directory exists?
I have an Nginx proxy in front of HA - the proxy sees the incoming requests from Let’s Encrypt and is forwarding them on to HA. tcpdump confirms the requests are going from the proxy to HA.
My configuration (with the real domain modified to example.org) is:
domains:
- ha.example.org
email: [email protected]
keyfile: privkey.pem
certfile: fullchain.pem
challenge: http
dns: {}
So far, everything points to this not existing within HA:
/.well-known/acme-challenge/Y2HBZpYlAmHVsRC0EBSJQYq0cRIxAzrB-MtugqfzHm
The full log produced by the Let’s Encrypt add-on is:
s6-rc: info: service s6rc-oneshot-runner: starting
s6-rc: info: service s6rc-oneshot-runner successfully started
s6-rc: info: service fix-attrs: starting
s6-rc: info: service fix-attrs successfully started
s6-rc: info: service legacy-cont-init: starting
cont-init: info: running /etc/cont-init.d/file-structure.sh
cont-init: info: /etc/cont-init.d/file-structure.sh exited 0
s6-rc: info: service legacy-cont-init successfully started
s6-rc: info: service legacy-services: starting
services-up: info: copying legacy longrun lets-encrypt (no readiness notification)
s6-rc: info: service legacy-services successfully started
[16:52:28] INFO: Selected http verification
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for ha.example.org
Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
Domain: ha.example.org
Type: unauthorized
Detail: 108.36.xx.xx: Invalid response from http://ha.example.org/.well-known/acme-challenge/Y2HBZpYlAmHVsRC0EBSJQYq0cRIxAzrB-MtugqfzHmE: 404
Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
s6-rc: info: service legacy-services: stopping
s6-rc: info: service legacy-services successfully stopped
s6-rc: info: service legacy-cont-init: stopping
s6-rc: info: service legacy-cont-init successfully stopped
s6-rc: info: service fix-attrs: stopping
s6-rc: info: service fix-attrs successfully stopped
s6-rc: info: service s6rc-oneshot-runner: stopping
s6-rc: info: service s6rc-oneshot-runner successfully stopped
These are the Nginx proxy logs:
34.217.36.223 - - [27/Nov/2022:16:52:33 +0000] "GET /.well-known/acme-challenge/Y2HBZpYlAmHVsRC0EBSJQYq0cRIxAzrB-MtugqfzHmE HTTP/1.1" 404 14 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
18.222.32.245 - - [27/Nov/2022:16:52:33 +0000] "GET /.well-known/acme-challenge/Y2HBZpYlAmHVsRC0EBSJQYq0cRIxAzrB-MtugqfzHmE HTTP/1.1" 404 14 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
23.178.112.106 - - [27/Nov/2022:16:52:34 +0000] "GET /.well-known/acme-challenge/Y2HBZpYlAmHVsRC0EBSJQYq0cRIxAzrB-MtugqfzHmE HTTP/1.1" 404 14 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
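An added diagnostic example (not code from the original post or from the add-on) that correlates the proxy access log with Certbot's "Detail:" line: it pulls the failing token out of the Certbot message, finds the Let's Encrypt validator's requests for that token in the Nginx log, and reports whether the break is before the proxy (no requests arrive) or behind it (requests arrive but the upstream answers 404). The sample log is constructed to mirror the post, plus one unrelated request to show the filtering.

```python
import re
from collections import Counter

# Constructed sample: two validator hits shaped like the post's proxy log, plus one
# unrelated probe (203.0.113.9 is a documentation address) that must be ignored.
NGINX_LOG = """\
34.217.36.223 - - [27/Nov/2022:16:52:33 +0000] "GET /.well-known/acme-challenge/Y2HBZpYlAmHVsRC0EBSJQYq0cRIxAzrB-MtugqfzHmE HTTP/1.1" 404 14 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
18.222.32.245 - - [27/Nov/2022:16:52:33 +0000] "GET /.well-known/acme-challenge/Y2HBZpYlAmHVsRC0EBSJQYq0cRIxAzrB-MtugqfzHmE HTTP/1.1" 404 14 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
203.0.113.9 - - [27/Nov/2022:16:52:40 +0000] "GET /.well-known/acme-challenge/sometoken HTTP/1.1" 404 14 "-" "curl/7.85.0"
"""
CERTBOT_DETAIL = ("Detail: 108.36.xx.xx: Invalid response from "
                  "http://ha.example.org/.well-known/acme-challenge/Y2HBZpYlAmHVsRC0EBSJQYq0cRIxAzrB-MtugqfzHmE: 404")

# Nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "[^"]*" "(?P<ua>[^"]*)"')
ACME_RE = re.compile(r"/\.well-known/acme-challenge/(?P<token>[A-Za-z0-9_-]+)")
LE_UA = "Let's Encrypt validation server"

def expected_token(certbot_detail):
    """Return the challenge token Certbot says the CA could not fetch (or None)."""
    m = ACME_RE.search(certbot_detail)
    return m.group("token") if m else None

def acme_hits(log_text):
    """Parse every combined-format line that targets the ACME challenge path."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        a = ACME_RE.search(m.group("path")) if m else None
        if a:
            hits.append({"ip": m.group("ip"), "token": a.group("token"),
                         "status": int(m.group("status")),
                         "validator": LE_UA in m.group("ua")})
    return hits

def diagnose(log_text, certbot_detail):
    """Say where the HTTP-01 chain breaks, judged from the proxy's point of view."""
    token = expected_token(certbot_detail)
    seen = [h for h in acme_hits(log_text) if h["validator"] and h["token"] == token]
    statuses = Counter(h["status"] for h in seen)
    if not seen:
        verdict = "no validator request reached the proxy: check DNS, port 80 exposure, firewall"
    elif statuses.get(200):
        verdict = "proxy served the token: the failure is elsewhere (content, timing)"
    else:
        verdict = (f"validator reached the proxy but the upstream answered HTTP {sorted(statuses)}: "
                   "/.well-known/acme-challenge/ is not being forwarded to Certbot's standalone listener on port 80")
    return {"token": token, "validator_hits": len(seen), "statuses": dict(statuses), "verdict": verdict}
```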