
Problem: Certbot returns a urn:ietf:params:acme:error:connection-error when trying to install a certificate for subdomain rainloop.example.com.
EDIT: As can be seen in the "EDIT" segment below, there's a much more important problem, probably the cause of the Certbot failure.

What I've tried to solve this issue: I've been researching heavily into other people's reports of the same problem, but can't seem to find any useful information. I've looked into the DNS records for my domain, but since setting up a certificate for my other two subdomains hasn't been a problem, I'm not questioning this. I've also checked the permissions on the root folder of that subdomain and gone through my vhost config multiple times. Lastly, I've even restarted my server, but nothing helped.

All Configurations: I'll end this question by pasting all my configuration files and certbot logs here. Thanks for any answers in advance :)

VHOST CONFIGURATION
pfa.example.com (as an example; this subdomain works):

server {
    listen 80 http2;
    listen [::]:80 http2;
    server_name pfa.example.com;
    return 301 https://pfa.example.com$request_uri;
}
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name pfa.example.com;

    ssl on;
    ssl_certificate /etc/letsencrypt/live/pfa.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/pfa.example.com/privkey.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    ssl_dhparam /etc/letsencrypt/live/pfa.example.com/dh.pem;

    ssl_protocols TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
    ssl_prefer_server_ciphers on;

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/pfa.example.com/chain.pem;
    resolver 8.8.8.8;

    root /var/www/pfa/;
    index index.php index.html index.htm;

    add_header X-Frame-Options "SAMEORIGIN";
    add_header x-xss-protection "1; mode=block" always;
    add_header X-Content-Type-Options "nosniff" always;
    location ~ \.php$ {
            include snippets/fastcgi-php.conf;
            fastcgi_pass unix:/run/php/php7.2-fpm.sock;
    }
}

rainloop.example.com (the subdomain whose SSL certificate fails):

server {
    listen 80;
    listen [::]:80;
    server_name rainloop.example.com;
    root /var/www/rainloop;
    index index.php index.html index.htm;
    location / {
            try_files $uri $uri/ =404;
    }
    location ~ \.php$ {
            include snippets/fastcgi-php.conf;
            fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
    }
}

I think it's also important to point out my default vhost config, since I've modified it slightly:

server {
    server_name _;
    listen 80 default_server;
    root /var/www/html;
    index index.html index.htm index.nginx-debian.html;
    location / {
            try_files $uri $uri/ =404;
    }
    location ~ \.php$ {
            include snippets/fastcgi-php.conf;
            fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
    }
    location ~ /\.ht {
            deny all;
    }
}

Certbot Output during installation:

 > certbot --nginx -d rainloop.example.com

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for rainloop.example.com
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. rainloop.example.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://rainloop.example.com/.well-known/acme-challenge/9ivMyI4q3M98EDzr6Fco71Ih8_mZl1epApasB6nNa14: Error getting validation data

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: rainloop.example.com
   Type:   connection
   Detail: Fetching
   http://rainloop.example.com/.well-known/acme-challenge/9ivMyI4q3M98EDzr6Fco71Ih8_mZl1epApasB6nNa14:
   Error getting validation data

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

Certbot log (located at /var/log/letsencrypt/letsencrypt.log):
Too long to paste it here, have a look at it at my backup page.

Permissions on /var/www/rainloop/ (according to FileZilla):

775               www-data:www-data

I'm using Debian 9 (Stretch) with NGINX 1.10.3, MariaDB 10.1.37 and PHP 7.2-FPM.

THANKS FOR ANY ADVICE :)

EDIT: When calling the page (example.com) on another client than my computer, which has cached the 301 redirect to https, it will download a randomly named file with strange but identical content every time instead of performing the intended redirect. Even when calling www.example.com or https://www.example.com it will download a document; only when calling https://www.example.com will it additionally display the content of /var/www/www.example.com/ as intended. The same goes for the pfa.example.com subdomain, which has an almost identical vhost configuration to www.example.com.
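The symptom in the EDIT (port 80 hands every client a download of strange binary-looking data) is exactly what a plaintext listener carrying the http2 parameter produces: without ssl, nginx of that era treats `listen 80 http2;` as h2c and answers HTTP/1.1 clients, browsers and the ACME http-01 validator alike, with raw HTTP/2 frames instead of the redirect or challenge file. The following checker is added here and is not part of the original post; it flags such listeners in a sites-enabled style vhost file and emits the corrected form, using a sample config constructed from the pfa.example.com vhost above.

```python
import re

# Constructed sample modelled on the question's pfa.example.com vhost: the
# port-80 listeners carry the http2 parameter without ssl, which nginx 1.10.3
# (and other releases before 1.25.1) treats as h2c, i.e. HTTP/2 frames spoken
# on a plaintext socket.
SAMPLE_CONF = """
server {
    listen 80 http2;
    listen [::]:80 http2;
    server_name pfa.example.com;
    return 301 https://pfa.example.com$request_uri;
}
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name pfa.example.com;
}
"""

# Assumes sites-enabled style: top-level server blocks close with a } in column 0.
SERVER_RE = re.compile(r"^server\s*\{(.*?)^\}", re.M | re.S)
LISTEN_RE = re.compile(r"^(\s*listen\s+)([^;]+);", re.M)
SERVER_NAME_RE = re.compile(r"^\s*server_name\s+([^;]+);", re.M)

def audit(conf):
    """(server_name, listen params) for every listener with http2 but no ssl.
    Such a listener answers each connection with HTTP/2 frames, so an HTTP/1.1
    client (a browser, or the ACME validator fetching /.well-known/acme-challenge/)
    gets an unparseable binary body instead of the redirect or challenge file."""
    findings = []
    for sm in SERVER_RE.finditer(conf):
        body = sm.group(1)
        m = SERVER_NAME_RE.search(body)
        name = m.group(1).strip() if m else "(no server_name)"
        for lm in LISTEN_RE.finditer(body):
            params = lm.group(2).split()
            if "http2" in params and "ssl" not in params:
                findings.append((name, " ".join(params)))
    return findings

def strip_plaintext_http2(conf):
    """Corrected form: keep the http2 parameter only on listeners that also carry ssl."""
    def fix(m):
        params = m.group(2).split()
        if "http2" in params and "ssl" not in params:
            params.remove("http2")
        return m.group(1) + " ".join(params) + ";"
    return LISTEN_RE.sub(fix, conf)
```

Run `audit()` over the real file before and after `strip_plaintext_http2()`: the corrected port-80 block keeps its 301 redirect, and HTTP/1.1 clients can again fetch /.well-known/acme-challenge/ paths from it.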

1 Answer


There should be a directory in the site home directory /var/www/rainloop/.well-known/acme-challenge, which is where the text files are put and then checked by Let's Encrypt. You can verify this is accessible by putting a test text file or HTML file in there and hitting it from a web browser. Usually this is because Let's Encrypt can't read the validation file certbot generated.

– SteamerJ
  • I've added the directory, but certbot still outputs the same error. I've also noticed that my browser cached the 301 redirect to https from example.com to www.example.com. When calling the page (http://example.com) on another device it will download a random file with strange content instead of redirecting the client. Seems like there's something wrong with my vhost configuration files; I can't seem to find it... Everything worked great before I modified my default configuration and added rainloop.example.com... – SearchingSolutions Dec 17 '18 at 19:52
  • So if you created the following directory structure /var/www/rainloop/.well-known/acme-challenge with a file test.txt, when you go to rainloop.example.com/.well-known/acme-challenge/test.txt you should get a page with whatever content you put in the text file. Do you get this? – SteamerJ Dec 17 '18 at 20:05
  • As said in my comment and in the edit segment of my original post, when calling any page (even www.example.com) it will download a random file with strange content instead of showing the page. So calling "rainloop.example.com/anything" will only give me the same output anyway. – SearchingSolutions Dec 18 '18 at 12:26