Let's Encrypt Authorization File Not Generating?

OS Name/Version: Ubuntu 24.04.2 LTS

Product Name/Version: GetAMP v3.0.10

Problem Description:

I’m trying to install GetAMP on a dedicated instance manager server for the first time for evaluation. When running the bash script, I get through the first parts of the installation up until the prompt for using HTTPS.

I select yes and enter the relevant info. DNS for the URL is pointing to a reverse proxy which directs to the AMP server. If I test from both internal and external, I’m able to get the default NGINX welcome page.

After this is all in place and I run the installer, it fails when trying to do the Let’s Encrypt challenge with a 404 error:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for gscp.[mydomainname].com

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Domain: gscp.[mydomainname].com
  Type:   unauthorized
  Detail: [ip address]: Invalid response from http://gscp.[mydomainname].com/.well-known/acme-challenge/[omit]: 404

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Some challenges have failed.

If I bypass the proxy, it still appears that the challenge file does not generate. Additionally, if I try navigating to the .well-known root folder in a browser, that also fails with a 404 error.

This is a completely clean Ubuntu server with nothing else configured on it. NGINX was installed via the AMP installer package (NGINX version 1.18.0).

Steps to reproduce:

  • Install Ubuntu 22.04.2 LTS from scratch using the Server ISO
  • sudo su - into root
  • Run bash <(wget -qO getamp.sh) [To note, I’ve tried this both in /, /home/username and /root with no difference - not sure if that mattered or not]
  • No to Docker
  • No to Minecraft
  • No to SteamCMD
  • Yes to HTTPS
  • Enter the appropriate domain
  • Entered my e-mail address
  • Continued the installer

Actions taken to resolve so far:

  • Reboot
  • Tried changing folders that GetAMP was run from
  • Poked around for the AMP webserver directory, was unable to find it (checked /srv and /var/www as well as the config in /etc/nginx/sites-available)
  • Tried bypassing the reverse proxy by connecting directly to the IP address internally, the challenge folders were still not found
  • Verified that going to my URL from the internet (cell phone) does indeed connect to the default NGINX welcome page
  • Validated/ruled out that IPS was blocking anything at the router for trying to access a .well-known sub-folder

E: Okay so I found where the WebRoot lives finally in /opt/cubecoders/amp/shared/WebRoot - didn’t think to check /etc/nginx/conf.d. There are only two files in that folder - installState.json and NotRunning.html.

installState.json just shows {"status":200} and nothing else. NotRunning.html looks to just be a standard dynamic template file, so I won’t share that out here.

Your post is confusing. It suggests that you already have nginx running on another host and have your public IP pointed to that host.

If that’s the case you wouldn’t set up nginx again on a second host since you can’t have ports 80/443 forwarded to two separate hosts in the same network. Instead, configure your first host to serve an additional nginx server block for the second AMP installation.

Otherwise, explain clearly what your setup is and exactly what you want to achieve. Also look at the HTTPS guide on this forum.

The external IP forwards to an NGINX reverse proxy. This proxy forwards traffic to different servers depending on the URL entered. The GSCP URL is forwarding to the AMP server through that reverse proxy.

Client → GSCP URL Resolving to the 1.2.3.4 Public IP → NGINX Reverse Proxy → Traffic for the GSCP URL going to internal IP 10.x.y.z

Right, then you wouldn’t select HTTPS when installing AMP.

You’d configure your existing nginx installation to serve AMP.

See Setting up secure HTTP (HTTPS) with AMP

So I set up the connection using directives from the primary NGINX server and got connected, but I am getting mixed content warnings in MS Edge resulting in a “Not Secure” label. I’m guessing that this is because the internal AMP server isn’t using HTTPS, though looking at that guide it seems it can be configured to do so - I’m assuming that I can use an internally signed certificate to facilitate SSL between the proxy and the AMP web server to fix this?

AMP’s internal HTTPS configuration is wonky; don’t use it. Just proxy to HTTP and use proper certs at the nginx endpoint. I assume you are proxying within your network, so HTTP between nginx and AMP shouldn’t be a concern.
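
The layout the replies above arrive at (certificate and ACME challenge handled on the front nginx proxy, plain HTTP to the AMP host), sketched as an added example that is not from the thread or from the AMP HTTPS guide. The hostname `gscp.example.com`, backend address `10.0.0.50`, backend port `8080`, the webroot `/var/www/acme`, and the use of WebSockets by the panel are assumptions; substitute your own values.

```nginx
# Added example for the FRONT reverse proxy (the host the public IP forwards to).
# Placeholders (assumptions, not values from the thread):
#   gscp.example.com, 10.0.0.50:8080, /var/www/acme, certificate paths.

# Port 80: answer ACME HTTP-01 challenges locally, redirect everything else.
server {
    listen 80;
    server_name gscp.example.com;

    # The CA fetches /.well-known/acme-challenge/<token> over plain HTTP.
    # Serving it from a webroot on this host means validation never depends
    # on the backend, so a 404 from the backend cannot fail the challenge.
    # Issue with: certbot certonly --webroot -w /var/www/acme -d gscp.example.com
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/acme;
        default_type text/plain;
        try_files $uri =404;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

# Port 443: TLS terminates here; traffic to the backend stays plain HTTP.
server {
    listen 443 ssl;
    server_name gscp.example.com;

    ssl_certificate     /etc/letsencrypt/live/gscp.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/gscp.example.com/privkey.pem;

    location / {
        proxy_pass http://10.0.0.50:8080;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        # Tells the backend that the client-facing connection was HTTPS.
        proxy_set_header X-Forwarded-Proto $scheme;
        # WebSocket upgrade pass-through (assumes the panel uses WebSockets).
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```

Run `nginx -t` before reloading. With this layout the installer on the backend host is run without its HTTPS option, as the replies above recommend.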