404 when trying to get LE cert

Hi all
I'm trying to get the LE cert to provision on my setup, but I'm getting a 404 error

```
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Performing the following challenges:
http-01 challenge for mail.pomtom.co.nz
Using the webroot path /home/user-data/ssl/lets_encrypt/webroot for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. mail.pomtom.co.nz (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://mail.pomtom.co.nz/.well-known/acme-challenge/BqkKUhhB65lRvof2fhXMN3ZmIU02lsIbPVamU0K3Iy4 [203.86.195.200]: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: mail.pomtom.co.nz
   Type:   unauthorized
   Detail: Invalid response from http://mail.pomtom.co.nz/.well-known/acme-challenge/BqkKUhhB65lRvof2fhXMN3ZmIU02lsIbPVamU0K3Iy4 [203.86.195.200]: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>"

   To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.
```

I've done some tracing, and I can see the requests hitting my web proxy and being forwarded to the mail server okay, but I'm getting this error in the nginx logs on the server:

```
open() "/home/user-data/www/default/.well-known/acme-challenge/BqkKUhhB65lRvof2fhXMN3ZmIU02lsIbPVamU0K3Iy4" failed (2: No such file or directory)
```

Based on my limited understanding, it looks like certbot isn't making the `.well-known` folder?
But I could be wrong.

Any ideas?
Thanks

Please, the backquote character (`) is intended for inline code. When you dump a large blob of text into a question it is very difficult to read and there is at least one of us that moves on to the next question.

On top of that, you seem to have interspersed in your blob html tags, so copy and paste elsewhere is full of noise.

I know it sounds like I’m being picky, but if you desire quality answers it is helpful to ask quality questions, including formatting.

Hi Open
I used the preformatted button when posting the log, so I assumed that was correct?
I'm currently rebuilding the server again just to confirm I didn't mess up the install, but will re-post logs soon if I have the same problems.
Would a pastebin link be OK as well? Or would you prefer the backquote logs on here?

Pastebin is fine. Discourse uses markdown, so for multi-line code you can either paste it in, highlight it and click the code button, or place ``` above and below the code lines, although maybe for your email it should be paste in, highlight and click the quote button. And try to not have the html tags in there. Not sure where those come from.

Firewall at your ISP?

I should be able to telnet mail.pomtom.co.nz 587 but cannot.

Say what??? What ‘web proxy’? MiaB does not use a web proxy.

Sorry yes, should have been clear

I'm running the mail server behind a NAT on a single IP.
I don't have any ports open for any mail stuff yet; I was just trying to get the SSL set up before I moved on to that step.

I also have a web proxy installed for HTTP traffic coming in.
I have a filter on that to take any requests to the hostnames of the mail server
(in my case mail.pomtom.co.nz, and the autoconfigure etc.) and point them to my mail server rather than my web server.

I have done a complete fresh install, getting a few errors about ports, but that's expected as per my comment above.

Gone to the System > SSL page, and tried to provision certs using the button on that page.
When I hit Provision I can see the requests hitting my proxy server and being redirected to my mail server fine.

Example Log

```
haproxy IP:3.22.70.135 mail.pomtom.co.nz/.well-known/acme-challenge/k8CAVTdunp5RK7VjSEAJK9TW-eI7UkUx9fidMng2u7w
```

Looking at the LE Logs I can see the following

Which to me says it wasn't able to find that acme-challenge file.

And finally looking at the nginx logs

Shows that the file it is trying to get can't be found.

When I run `curl mail.pomtom.co.nz` there is no response. Is this the result you would expect?

I can see the response requests, and yes, I think that's what I'd expect at the moment; it's just being routed to nowhere currently.
I might try to fix that to go to the mail server properly.

Is the proxy forwarding the request to MiaB?

The LE requests were being forwarded, as I could see those in the nginx logs,
unless there were other requests that were not being forwarded.

I've just changed it to forward everything on to the MiaB server and I'm still getting the 404 error.

I’m not familiar enough with LE errors. Like, why are the GET and open() different addresses?

Do you mean the random string at the end?
That might have just been my bad, getting the wrong value from the logs.
I've run a few tests and tried to get the same logs, but could have just gotten the wrong one
(each run generates a different ID AFAIK).

Can you bypass haproxy completely just to see if LE works?

OK, so yes, that worked.
It's something to do with my proxy then, not sure what though, as all it does is pass on the request...
Will have to do some more tracing to see what's going on.

How does certbot (acme-client or whichever command) communicate with the LE server?

I have no idea? Some web request would be my guess?

I'm just guessing it is somehow related. Not sure what else, other than spending some time dredging search results.

Going to LE I don't think is the problem, as I can see the request coming back fine (as shown in the logs).
I think it's the proxy somehow changing something to do with the URL or source or something, which causes nginx to not route to the correct location on the MiaB server?
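
The two paths already posted in this thread are the strongest clue: certbot wrote the token under `/home/user-data/ssl/lets_encrypt/webroot`, while nginx's `open()` error looked under `/home/user-data/www/default`. That is what you get when a challenge request is handled by a different server block than the one certbot's webroot belongs to, which is exactly the kind of thing a proxy can cause by not passing the original `Host` header through. The script below is an added example, not code from this thread or from Mail-in-a-Box: it models nginx vhost selection over a scratch directory so it runs offline, and it also extracts both roots from the two posted log lines so the mismatch is stated rather than eyeballed. The vhost table and the `Host` values tried are constructed assumptions; the two root paths and the token are taken from the logs above.

```python
"""
Added example (not from the thread, not Mail-in-a-Box code).

Models how an ACME http-01 request lands on a document root, to explain
why certbot's webroot and nginx's open() path can differ.

Taken from the posted logs:
  - certbot placed the token under /home/user-data/ssl/lets_encrypt/webroot
  - nginx tried to open() it under  /home/user-data/www/default
Constructed assumptions:
  - the vhost table below (mail hostname -> LE webroot, anything else -> default root)
  - the Host header values tried in demo()
"""
import os
import re
import tempfile

CERTBOT_WEBROOT = "/home/user-data/ssl/lets_encrypt/webroot"   # from certbot output
DEFAULT_WWW_ROOT = "/home/user-data/www/default"               # from nginx error log
TOKEN = "BqkKUhhB65lRvof2fhXMN3ZmIU02lsIbPVamU0K3Iy4"          # token from the logs

# Hypothetical vhost table: requests whose Host header names the mail box are
# served from the LE webroot; a missing or unknown Host falls through to the
# default site root. This mirrors a common nginx layout, not MiaB's real config.
VHOSTS = {
    "mail.pomtom.co.nz": CERTBOT_WEBROOT,
}

# Constructed log excerpts (copied from the posts above) for roots_from_logs().
CERTBOT_LINE = ("Using the webroot path /home/user-data/ssl/lets_encrypt/webroot "
                "for all unmatched domains.")
NGINX_LINE = ('open() "/home/user-data/www/default/.well-known/acme-challenge/'
              + TOKEN + '" failed (2: No such file or directory)')


def resolve_root(host):
    """Pick the document root the simulated nginx would use for this Host."""
    return VHOSTS.get((host or "").lower(), DEFAULT_WWW_ROOT)


def write_token(fs_root, token):
    """Do what certbot's webroot authenticator does: drop the token file."""
    challenge_dir = fs_root + os.path.join(CERTBOT_WEBROOT, ".well-known", "acme-challenge")
    os.makedirs(challenge_dir, exist_ok=True)
    with open(os.path.join(challenge_dir, token), "w") as fh:
        fh.write(token + ".fake-key-authorization")   # real content is token.<thumbprint>


def serve_challenge(fs_root, host, token):
    """Simulate the validator's GET; return (status, path nginx would open()).

    fs_root is a scratch directory standing in for '/' so this runs offline.
    """
    path = os.path.join(resolve_root(host), ".well-known", "acme-challenge", token)
    status = 200 if os.path.isfile(fs_root + path) else 404
    return status, path


def roots_from_logs(certbot_line, nginx_line):
    """Return (webroot certbot used, root nginx actually searched)."""
    certbot_root = re.search(r"webroot path (\S+) ", certbot_line).group(1)
    nginx_root = re.search(r'open\(\) "(.+?)/\.well-known/acme-challenge/', nginx_line).group(1)
    return certbot_root, nginx_root


def demo():
    """Write the token once, then replay the request with three Host values."""
    results = {}
    with tempfile.TemporaryDirectory() as fs:
        write_token(fs, TOKEN)
        for host in ("mail.pomtom.co.nz", "203.86.195.200", None):
            results[host] = serve_challenge(fs, host, TOKEN)
    return results


if __name__ == "__main__":
    cb_root, ng_root = roots_from_logs(CERTBOT_LINE, NGINX_LINE)
    print("certbot webroot:", cb_root)
    print("nginx searched :", ng_root, "(MISMATCH)" if cb_root != ng_root else "(match)")
    for host, (status, path) in demo().items():
        print(f"Host={host!r:22} -> {status} {path}")
```

Only the request carrying `Host: mail.pomtom.co.nz` resolves to the root where the token exists; the other two land in the default root and 404 with a path of the same shape as the posted nginx error. On the real box the equivalent check is to drop a test file into `/home/user-data/ssl/lets_encrypt/webroot/.well-known/acme-challenge/` and fetch it twice with `curl`, once directly against the MiaB IP and once via the public address, both with an explicit `-H 'Host: mail.pomtom.co.nz'`; if only the direct fetch returns the file, look at what haproxy does to the `Host` header and the request path before it reaches nginx.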

Is haproxy forwarding all ports?