I think I can now confirm this: multiple certs that were not combined into one will apparently not auto-update (except for one of them). So I'd like to ask how I should proceed now... I have three weeks to fix this... Update: this was caused by a simple typo (see solution below)
And the last bit of `/var/log/le-renew.log` is this:

```text
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/forum.mydomain.net.conf
-------------------------------------------------------------------------------
The following certs are not due for renewal yet:
/etc/letsencrypt/live/test.mydomain.net/fullchain.pem (skipped)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/mydomain.net/fullchain.pem (failure)
/etc/letsencrypt/live/forum.mydomain.net/fullchain.pem (failure)
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: forum.mydomain.net
Type: unauthorized
Detail: Invalid response from
http://forum.mydomain.net/.well-known/acme-challenge/FoT-nf2kywUv4JxkjqLy47M6$
"<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address.
```
My questions:
Since there are no other errors in that log file (just saying "not due for renewal yet" all the time), does that mean that the certificate mydomain.net is not in trouble (yet) and might be updated closer to the deadline?
How do I fix the error with the forum subdomain? I double checked my nginx configuration and I have this included in the server block for the forum subdomain (to be precise, this is the outer nginx in a reverse proxy setup):
Q1 …might be updated closer to the deadline?
A1 Yes.
Q2 How do I fix the error with the forum subdomain?
A2 Ensure port 80 is not being handled by some other virtual host.
Try placing a test text file in the acme-challenge folder then see if it is accessible from the Internet.
That must work before continuing.
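As an added example (not part of the thread, and not anyone's posted code), here is a small POSIX shell helper that performs the check the answer above describes: drop a probe file into the acme-challenge directory of the webroot and fetch it over plain HTTP from the host's public name. The webroot path, the host name and the presence of curl are assumptions about the reader's setup.

```shell
#!/bin/sh
# Added example, not from the thread. Verifies that the directory nginx serves
# for /.well-known/acme-challenge/ on port 80 is the one the outside world sees.
# Assumptions: the webroot path passed in is the one used for HTTP-01
# challenges, and curl is installed.

# Create a probe file with a unique name under the acme-challenge directory of
# the given webroot and print that name.
make_probe() {
    dir="$1/.well-known/acme-challenge"
    mkdir -p "$dir"
    name="probe-$(date +%s)-$$"
    printf 'acme-probe-ok\n' > "$dir/$name"
    printf '%s\n' "$name"
}

# Fetch the probe over plain HTTP from the host's public name, following
# redirects (the CA's validator follows them too), and compare the body.
# Returns 0 on success, 1 otherwise; the message names the usual causes.
check_probe() {
    host="$1"; name="$2"
    url="http://$host/.well-known/acme-challenge/$name"
    tmp=$(mktemp)
    status=$(curl -sL -o "$tmp" -w '%{http_code}' "$url")
    body=$(cat "$tmp"); rm -f "$tmp"
    if [ "$status" = "200" ] && [ "$body" = "acme-probe-ok" ]; then
        echo "OK: $url is served from this webroot"
        return 0
    fi
    echo "FAIL: $url returned HTTP $status"
    echo "  404: another server block (or the default one) answers port 80 for $host,"
    echo "       or the location's root/alias points at a different directory"
    echo "  000: nothing listening on port 80 or DNS does not resolve to this host"
    return 1
}

# Remove the probe file again.
remove_probe() {
    rm -f "$1/.well-known/acme-challenge/$2"
}

# Usage (not run here; needs the real webroot and a public host name):
#   name=$(make_probe /var/www/letsencrypt)
#   check_probe forum.mydomain.net "$name"
#   remove_probe /var/www/letsencrypt "$name"
```

Run it from outside the server's own network if you can, since a local request can succeed through a hosts-file entry or a firewall exception that the CA's validator never sees.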
Okay, I will try that. I guess I misunderstood how `return 301 https://$host$request_uri;` works. I thought it will just treat any http request as an https request, not allowing any http connection.
UPDATE: Unfortunately, this did not help. Still getting the same error.
Here is some more info that I get when doing `letsencrypt renew`:

```text
Cert is due for renewal, auto-renewing...
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',)
```
No. Unfortunately not. It also gives me a 404 error.
But the error is coming from Nginx and not from discourse, which means that the request is not being passed on but handled by the outer Nginx. Which is good, I suppose.
I'm assuming that I no longer need the third certificate since the forum subdomain is included in the first cert, so I can just let that expire, right?
However, `letsencrypt renew` did give me this error:

```text
Cert is due for renewal, auto-renewing...
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',)
Attempting to renew cert from /etc/letsencrypt/renewal/forum.mydomain.net.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',). Skipping.
```
Again, I'm assuming I can ignore it because I don't need that cert any more, but I'd like to understand what it means...
It means you originally created that certificate using the `--manual` plugin, which doesn't support automatic renewals (unless you provide scripts to perform the manual steps automatically). Since you do have another valid cert covering forum.mydomain.net among others, you indeed don't need that cert anymore (assuming the nginx configuration for that domain is pointing at the other, correct one). If you want, you can stop Certbot from trying to auto-renew it and failing, either by using `certbot delete --cert-name forum.mydomain.net` to delete it entirely, or if you want to keep the old certificate just in case, you can just remove the corresponding file from `/etc/letsencrypt/renewal`. Or you can ignore it, that's fine too.
Thanks for pointing that out. So having to choose between a sense of “just in case” security and uncertainty in a couple of weeks about whether or not I need to worry about that cert that is not renewing, I chose the spring cleaning option and deleted both obsolete certs. Feels good to have only one certificate and no more confusion. In three months, I will know whether it auto-updates or not.
Just a heads-up for anyone following this advice: if you delete those files, make sure that they are not being pointed to in your `nginx.conf`, otherwise your nginx will fail to restart after a reboot, for example.
More specifically, if you followed this guide:
those files will be referred to in your `/etc/nginx/snippets/ssl-example.com.conf`, which in turn is included in your `nginx.conf`...
And if I'm not mistaken, I would also have been in trouble had I just waited for the cert to expire because my nginx would still have been using it. But then again, maybe that would not have been a problem since it would also have used the correct one.
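The two checks that the last few posts call for, as an added example that is not from the thread or from Certbot: first, list which renewal configs use the manual authenticator without an auth hook (those are the lineages that fail under a non-interactive `certbot renew`, as explained above), and second, before deleting a lineage, grep the nginx configuration tree for references to its live directory so nginx does not fail to start afterwards. The renewal-file keys (`authenticator`, `manual_auth_hook`) and the default directories are assumptions about a standard Certbot and nginx layout.

```shell
#!/bin/sh
# Added example, not from the thread. Pre-deletion checks for a certbot lineage.
# Assumed defaults (override via the environment): the renewal configs live in
# RENEWAL_DIR and the nginx configuration tree is NGINX_DIR.

RENEWAL_DIR="${RENEWAL_DIR:-/etc/letsencrypt/renewal}"
NGINX_DIR="${NGINX_DIR:-/etc/nginx}"

# Print the names of lineages whose renewal config selects the manual plugin
# and carries no manual_auth_hook, i.e. the ones "certbot renew" cannot
# renew unattended. Key names assumed from certbot's renewal file format.
manual_lineages() {
    for conf in "$1"/*.conf; do
        [ -f "$conf" ] || continue
        if grep -Eq '^[[:space:]]*authenticator[[:space:]]*=[[:space:]]*manual[[:space:]]*$' "$conf" \
           && ! grep -Eq '^[[:space:]]*manual_auth_hook[[:space:]]*=' "$conf"; then
            basename "$conf" .conf
        fi
    done
}

# Print every "file:line:text" in the nginx config tree that references the
# live directory of the given lineage (ssl_certificate, ssl_certificate_key,
# ssl_trusted_certificate, ...). Empty output means nginx no longer depends
# on that lineage's files.
nginx_refs() {
    grep -rn "/etc/letsencrypt/live/$2/" "$1" 2>/dev/null || true
}

# Usage (not executed here):
#   manual_lineages "$RENEWAL_DIR"              # e.g. prints forum.mydomain.net
#   nginx_refs "$NGINX_DIR" forum.mydomain.net  # must print nothing before deleting
#   certbot delete --cert-name forum.mydomain.net && nginx -t && systemctl reload nginx
```

Keep `nginx -t` in the sequence: it validates the whole configuration, including snippets pulled in through `include`, and refuses a config whose certificate files are missing before you ask the running nginx to reload.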