404 on renew only

So I have set up Let's Encrypt with nginx and FreeBSD successfully for two subdomains.

The initial process worked perfectly:

fbs-backup root # certbot certonly --webroot -w /usr/local/www/nginx/portal -d portal.example.com -d www.portal.example.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /usr/local/etc/letsencrypt/renewal/portal.example.com.conf)

What would you like to do?
-------------------------------------------------------------------------------
1: Keep the existing certificate for now
2: Renew & replace the cert (limit ~5 per 7 days)
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for portal.example.com
http-01 challenge for www.portal.example.com
Using the webroot path /usr/local/www/nginx/portal for all unmatched domains.
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at

All good, however, if I run a renew --dry-run:

fbs-backup root # certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /usr/local/etc/letsencrypt/renewal/portal.example.com.conf
-------------------------------------------------------------------------------
Cert not due for renewal, but simulating renewal for dry run
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for portal.example.com
http-01 challenge for www.portal.example.com
Waiting for verification...
Cleaning up challenges
Attempting to renew cert from /usr/local/etc/letsencrypt/renewal/portal.example.com.conf produced an unexpected error: Failed authorization procedure. www.portal.example.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.portal.example.com/.well-known/acme-challenge/cszM1dexQcpS2WcxcWiN-S8rqv2wO93JzZRqJ9ydv2o: "<html>
 <head>
  <title>404 Not Found</title>
 </head>
 <body>
  <h1>404 Not Found</h1>
  The resource could not be found.<br/><". Skipping.

This is my nginx configuration:

    server {
        listen       80;
        server_name  portal.example.com;
        # Forward all traffic to SSL
        return       301 https://www.portal.example.com$request_uri;
    }
    server {
        listen               443 ssl;
        ssl                  on;
        ssl_certificate      /usr/local/etc/letsencrypt/live/portal.example.com/cert.pem;
        ssl_certificate_key  /usr/local/etc/letsencrypt/live/portal.example.com/privkey.pem;
        server_name          www.portal.example.com;

        client_max_body_size    10M;
        client_body_buffer_size 128k;

        location ~ /\.well-known/ {
            root /usr/local/www/nginx/portal;
        }

        location / {
            root   /home/luke/ecom2/dist;
            index  index.html;
        }
    }

Have I missed anything obvious? It's great that the client works and my SSL is active, however I want to make sure future renewals will go smoothly, thanks!

Hi @crooksey,

Could you please show the content of /usr/local/etc/letsencrypt/renewal/portal.example.com.conf ?.

Edit: I see you don't have a server_name directive for www.portal.example.com, so it is not being redirected to https://www.portal.example.com/whatever and it is not using the root directive defined by location ~ /\.well-known/; it is using the default root directory.

Also, it is not related to your issue but in ssl_certificate directive you should use fullchain.pem instead of cert.pem.

Cheers,
sahsanu

2 Likes
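The two fixes from the reply above, as an added example that is not part of the original thread: the port-80 block now answers for both names the certificate covers, and the 443 block loads fullchain.pem. One further change is made so that renewal does not depend on a redirect chain: a server-level `return 301` runs before any `location` is selected, so the challenge location is placed first with a `^~` prefix match and the redirect is moved into `location /`. `ssl on;` is dropped because `listen 443 ssl` already enables TLS (the directive is deprecated in current nginx). Paths and hostnames are the ones from the post; the `default_type` line is an optional assumption.

```nginx
# Port 80: answer for BOTH names on the certificate and serve the
# http-01 challenge before redirecting anything else to HTTPS.
server {
    listen 80;
    server_name portal.example.com www.portal.example.com;

    # ^~ is a prefix match that takes precedence over regex locations.
    # The token file certbot writes under the -w webroot is served
    # straight over HTTP, so no redirect has to be followed.
    location ^~ /.well-known/acme-challenge/ {
        root /usr/local/www/nginx/portal;
        default_type text/plain;   # assumption: tokens have no extension
    }

    # The redirect lives in a location, not at server level, so the
    # challenge location above is still reachable.
    location / {
        return 301 https://www.portal.example.com$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name www.portal.example.com;

    # fullchain.pem = leaf certificate + Let's Encrypt intermediate.
    # cert.pem alone leaves clients that do not cache the intermediate
    # unable to build a trusted chain.
    ssl_certificate     /usr/local/etc/letsencrypt/live/portal.example.com/fullchain.pem;
    ssl_certificate_key /usr/local/etc/letsencrypt/live/portal.example.com/privkey.pem;

    client_max_body_size    10M;
    client_body_buffer_size 128k;

    # Kept here as well, so a validation request that does arrive over
    # HTTPS (e.g. after an old redirect is cached) still finds the token.
    location ^~ /.well-known/acme-challenge/ {
        root /usr/local/www/nginx/portal;
    }

    location / {
        root  /home/luke/ecom2/dist;
        index index.html;
    }
}
```

After `nginx -t` and a reload, the quickest check is to drop a file into `/usr/local/www/nginx/portal/.well-known/acme-challenge/` and fetch it with `curl -i` from each hostname over plain HTTP: both must return 200 with the file's contents (not a 301 to the wrong host, and not the "resource could not be found" page from another vhost). Then `certbot renew --dry-run` should pass for both names, which is what the final cron or periodic renewal will run.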

What a stupid mistake! I trimmed my configs down for a new vhost for Let's Encrypt and missed the additional block, thanks and thanks for the heads up on using fullchain.pem

2 Likes
