Letsencrypt fails to create certificate for Jellyfin in reverse proxy setup

#1

Hello all,

I have migrated from Emby to Jellyfin very recently and tried to expose the Jellyfin server via reverse proxy (Apache in my case) as described in jellyfin documentation.

The setup basically works for non-secure connections. For secure connections I tried to obtain a letsencrypt certificate via certbot but I am receiving an error and the process fails. Obviously the browsers now complain when connecting, however the server behind still works if I overrule the security warning.

I am getting:
Domain: my.domain.de (anonymised)
Type: unauthorized
Detail: Invalid response from my.domain.de/.well-known/acme-challenge/18tG4LkKOgfJ4rqJ0uHGpSJchojuwZhjlqhJJ1-2ZxM [2001:8d8:1000:5d:6995:cab3:a2ec:f82a]: 204

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.

Digging into the log files I see

  "error": {
    "type": "urn:ietf:params:acme:error:unauthorized",
    "detail": "Invalid response from my.domain.de/.well-known/acme-challenge/18tG4LkKOgfJ4rqJ0uHGpSJchojuwZhjlqhJJ1-2ZxM [2001:8d8:1000:5d:6995:cab3:a2ec:f82a]: 204",
    "status": 403
  },

Response “204” means “No Content”
Response “403” means “Forbidden”
The DNS is OK. Other domains that I own are OK with the letsencrypt certificates.

I now suspect that the challenge that the letsencrypt server sends to (my) apache and which is passed to Jellyfin fails to return correctly. Could that be because Jellyfin and Apache are running as different users?

Anyone managed to install letsencrypt certificates in an Apache/Jellyfin reverse proxy configuration?
Any hint?

#2

This is because of how the default Let’s Encrypt challenge works.

  1. Let’s Encrypt places a file in the document root of the site
  2. Let’s Encrypt contacts the Acme challenge server
  3. The challenge server checks to see if that file from step 1 is accessible and has the right content

If step 3 succeeds, you get a cert. If it fails, you get the errors you saw.

Since Jellyfin doesn’t have a document root for putting the file, the check can’t succeed. What you need to do is either use a different authentication method or set up a directory for the challenge.

In Apache, you could do this by creating a directory and alias for .well-known/acme-challenge, like this:

# Serve the ACME challenge path from a real directory on disk instead of
# proxying it to Jellyfin (Jellyfin has no document root to hold the file).
Alias /.well-known/acme-challenge /var/www/html/.well-known/acme-challenge
<Directory /var/www/html>
    Options All -Indexes
    # Apache 2.4 syntax; on 2.2 (or 2.4 with mod_access_compat) use "Allow from all"
    Require all granted
    AllowOverride All
</Directory>

Then, when you run Certbot or another tool for getting a Let’s Encrypt cert, make sure you set the webroot path to “/var/www/html”.
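As an added pre-flight check, not part of the post above or of certbot itself: this stages a dummy token in the webroot the way the webroot plugin does, fetches it through the public name, and maps the status code back to the failure modes discussed in this thread (204 from an upstream proxy, 403, 404). The webroot path, function names and the use of curl are assumptions.

```shell
#!/bin/sh
# Constructed example: pre-flight for HTTP-01 behind an Apache reverse proxy.
WEBROOT="${WEBROOT:-/var/www/html}"

# Stage a token file exactly where "certbot --webroot -w $WEBROOT" would.
# Certbot usually runs as root while Apache runs as www-data, so the file
# must be world-readable or Apache answers 403.
stage_token() {
    webroot="$1"; token="$2"
    mkdir -p "$webroot/.well-known/acme-challenge"
    printf '%s' "$token" > "$webroot/.well-known/acme-challenge/$token"
    chmod 0644 "$webroot/.well-known/acme-challenge/$token"
}

# Map what the ACME validator would see to a diagnosis.
classify_response() {
    status="$1"; body="$2"; token="$3"
    case "$status" in
        200) if [ "$body" = "$token" ]; then echo ok; else echo wrong-content; fi ;;
        204) echo proxied-to-jellyfin ;;  # empty reply: Alias not matched, request went upstream
        403) echo forbidden ;;            # Directory block denies access or file unreadable
        404) echo not-found ;;            # certbot webroot path differs from the Alias target
        *)   echo "unexpected-$status" ;;
    esac
}

# Fetch via the public name so the request takes the same path Let's Encrypt does.
# Pass "-6" as the third argument to test the AAAA record, which is the address
# family shown in the error message in this thread.
fetch_and_classify() {
    domain="$1"; token="$2"; family="${3:-}"
    tmp=$(mktemp)
    status=$(curl $family -s -o "$tmp" -w '%{http_code}' \
        "http://$domain/.well-known/acme-challenge/$token")
    body=$(cat "$tmp"); rm -f "$tmp"
    classify_response "$status" "$body" "$token"
}
```

Typical use is `stage_token "$WEBROOT" preflight-123` followed by `fetch_and_classify my.domain.de preflight-123 -6`; anything other than `ok` means certbot will fail the same way.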

#3

Thank you for the quick and detailed response. Makes absolute sense and matches the documentation from letsencrypt. Unfortunately a quick attempt to try this out was not successful. I need to dig deeper in the log files of the apache2 server. I will do this later this week and report back.

#4

Not really helpful but I use Caddy Server and set up https no problem.
