Auto-renewal failing (perhaps because certs were not combined?)

Continuing the discussion from Multiple certs were not combined into one: will they auto-update?:

I think I can now confirm this: multiple certs that were not combined into one will apparently not auto-update (except for one of them). So I'd like to ask how I should proceed now... I have three weeks to fix this... Update: this was caused by a simple typo (see solution below)

Background: This was my situation two months ago:

And today it looks like this

Found the following certs:
  Certificate Name: mydomain.net
    Domains: mydomain.net forum.mydomain.net test.mydomain.net www.mydomain.net
    Expiry Date: 2017-07-02 21:03:00+00:00 (VALID: 21 days)
    Certificate Path: /etc/letsencrypt/live/mydomain.net/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/mydomain.net/privkey.pem
  Certificate Name: test.mydomain.net
    Domains: testwp.mydomain.net test.mydomain.net
    Expiry Date: 2017-08-30 09:41:00+00:00 (VALID: 80 days)
    Certificate Path: /etc/letsencrypt/live/test.mydomain.net/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/test.mydomain.net/privkey.pem
  Certificate Name: forum.mydomain.net
    Domains: forum.mydomain.net
    Expiry Date: 2017-07-02 20:57:00+00:00 (VALID: 21 days)
    Certificate Path: /etc/letsencrypt/live/forum.mydomain.net/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/forum.mydomain.net/privkey.pem

I have a crontab job that looks like this:

30 2 * * 1 /usr/bin/letsencrypt renew >> /var/log/le-renew.log

And the last bit of `/var/log/le-renew.log` is this:

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/forum.mydomain.net.conf
-------------------------------------------------------------------------------

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/test.mydomain.net/fullchain.pem (skipped)
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/mydomain.net/fullchain.pem (failure)
  /etc/letsencrypt/live/forum.mydomain.net/fullchain.pem (failure)
IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: forum.mydomain.net
   Type:   unauthorized
   Detail: Invalid response from
   http://forum.mydomain.net/.well-known/acme-challenge/FoT-nf2kywUv4JxkjqLy47M6$
   "<html>
   <head><title>404 Not Found</title></head>
   <body bgcolor="white">
   <center><h1>404 Not Found</h1></center>
   <hr><center>"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.

My questions:

  1. Since there are no other errors in that log file (just saying "not due for renewal yet" all the time), does that mean that the certificate mydomain.net is not in trouble (yet) and might be updated closer to the deadline?
  2. How do I fix the error with the forum subdomain? I double checked my nginx configuration and I have this included in the server block for the forum subdomain (to be precise, this is the outer nginx in a reverse proxy setup):
    location /.well-known {
            alias /var/www/html/.well-known;
    }
    location ~ /.well-known {
            allow all;
    }

Q1 …might be updated closer to the deadline?
A1 Yes.

Q2 How do I fix the error with the forum subdomain?
A2 Ensure port 80 is not being handled by some other virtual host.
Try placing a test text file in the acme-challenge folder then see if it is accessible from the Internet.
That must work before continuing.


Port 80 is being handled like this:

server {
        listen 80;
        listen [::]:80;
        server_name forum.mydomain.net test.mydomain.net;

        return 301 https://$host$request_uri;
}
server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;

        root /var/www.html;

        server_name forum.mydomain.net;
        include snippets/ssl-forum.mydomain.net.conf;
        include snippets/ssl-params.conf;
        ssl on;
        client_max_body_size 20M;

        location / {
                proxy_pass http://unix:/var/discourse/shared/standalone/nginx.h$
                proxy_set_header Host $http_host;
                proxy_http_version 1.1;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
                client_max_body_size 20M;
                error_page 502 =502 /errorpages/offline.html;
                proxy_intercept_errors on;
                error_page 500 503 504 /errorpages/50x.html;
        }

        location /.well-known {
                alias /var/www/html/.well-known;
        }

        location ~ /.well-known {
                allow all;
        }

        location /errorpages/ {
                alias /var/www/errorpages/;
        }
} 

I thought that should work, but apparently it doesn't...

As shown here:
Detail: Invalid response from
http://forum.mydomain.net/.well-known/acme-challenge/FoT-nf2kywUv4JxkjqLy47M6
The challenge requests are HTTP
So, you should also place the location section in HTTP block.

server {
        listen 80;
        listen [::]:80;
        server_name forum.mydomain.net test.mydomain.net;

        location /.well-known {
                alias /var/www/html/.well-known;
        }

        location ~ /.well-known {
                allow all;
        }

        return 301 https://$host$request_uri;
}

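An added example of the port-80 server block, not taken from the thread or from the nginx project; it assumes the webroot /var/www/html and the host names used in the thread. Two nginx rules decide whether a layout like the one above works. First, a `return` written directly in the server block runs in the server-level rewrite phase, before nginx has chosen a location, so putting `location /.well-known` next to it does not exempt the challenge requests from the redirect; the redirect has to live inside `location /`. Second, a regex location such as `location ~ /.well-known` is evaluated after the prefix locations and wins unless the prefix location is marked `^~`, so in the 443 block posted earlier the `allow all` regex block captures the challenge request, the `alias` is never consulted, and the file is looked up under the server's `root` instead, which is exactly why the `/var/www.html` typo in that `root` directive appears in the nginx error log. Let's Encrypt's validator does follow a 301 to HTTPS, so the 443 block then has to serve the token as well; serving the token directly on port 80 removes that dependency.

```nginx
# Added example (not from the thread). Assumes webroot /var/www/html and the
# thread's host names; adjust to your layout.
server {
    listen 80;
    listen [::]:80;
    server_name forum.mydomain.net test.mydomain.net;

    # Serve HTTP-01 tokens over plain HTTP. "^~" makes this prefix match win
    # over any regex location, and "root" (rather than "alias") maps
    # /.well-known/acme-challenge/TOKEN to
    # /var/www/html/.well-known/acme-challenge/TOKEN.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/html;
        default_type "text/plain";
        try_files $uri =404;
    }

    # Everything else goes to HTTPS. The redirect sits inside a location so it
    # is applied only after location matching; a bare "return" at server level
    # runs before any location is chosen and would redirect the tokens too.
    location / {
        return 301 https://$host$request_uri;
    }
}
```

After `nginx -t` and a reload, `letsencrypt renew --dry-run` (certbot's `--dry-run` talks to the staging CA, so a failed attempt costs no rate limit) confirms the path end to end before the real renewal window opens.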

Okay, I will try that. I guess I misunderstood how return 301 https://$host$request_uri; works. I thought it will just treat any http request as an https request, not allowing any http connection.

UPDATE: Unfortunately, this did not help. Still getting the same error.

Here is some more info that I get when doing letsencrypt renew

Cert is due for renewal, auto-renewing...
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',)

Have you passed this test?

No. Unfortunately not. It also gives me a 404 error.

But the error is coming from Nginx and not from discourse, which means that the request is not being passed on but handled by the outer Nginx. Which is good, I suppose.

Please place a text file in the challenge folder:
echo "just text" > /var/www/html/.well-known/acme-challenge/text.txt

Make sure the file is there:
ls -l /var/www/html/.well-known/acme-challenge/text.txt

Check the contents of the file:
more /var/www/html/.well-known/acme-challenge/text.txt

Then from an external source:
http://your.domain/.well-known/acme-challenge/text.txt
Does it see the content “just text”?
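The manual test described in the two answers above (put a file in the challenge directory, fetch it from outside), as an added shell script that is not from the thread: it writes a random token under the webroot, fetches it the way the validator does (plain HTTP, following redirects) and judges the reply on status code and exact body, so a 404 from the outer nginx, a page from the proxied application, and a redirect into a 443 block that cannot serve the path each produce a distinct message. It assumes curl, the webroot /var/www/html from the thread, and that it runs on a host that reaches the domain over the public Internet (running it on the server itself proves the vhost, not the DNS path). The function names `probe_domain`, `write_challenge_file` and `check_challenge_response` are chosen here.

```shell
#!/bin/sh
# Added example, not from the thread: pre-flight check of the HTTP-01 path
# before relying on "letsencrypt renew". Assumes curl and a webroot layout
# like /var/www/html/.well-known/acme-challenge/.
set -u

CHALLENGE_DIR=".well-known/acme-challenge"

# Write a throwaway token file into the challenge directory; prints its path.
write_challenge_file() {
    webroot="$1"; token="$2"; content="$3"
    mkdir -p "$webroot/$CHALLENGE_DIR"
    printf '%s' "$content" > "$webroot/$CHALLENGE_DIR/$token"
    chmod 0644 "$webroot/$CHALLENGE_DIR/$token"
    printf '%s\n' "$webroot/$CHALLENGE_DIR/$token"
}

# Judge a fetched response the way the CA does: status 200 and the exact body.
# Prints a verdict and returns 0 only for a pass.
check_challenge_response() {
    expected="$1"; status="$2"; body="$3"; final_url="$4"
    case "$final_url" in
        https://*) echo "note: redirected to HTTPS ($final_url); the 443 server block must serve $CHALLENGE_DIR too" ;;
    esac
    if [ "$status" != "200" ]; then
        echo "FAIL: HTTP $status (a 404 means the request hit a server block or root that does not hold the token)"
        return 1
    fi
    if [ "$body" != "$expected" ]; then
        echo "FAIL: body mismatch (got '$body'); another vhost or the proxied app answered"
        return 1
    fi
    echo "PASS: token served verbatim"
}

# End-to-end probe: write a token, fetch it following redirects, clean up.
probe_domain() {
    domain="$1"; webroot="$2"
    token=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
    path=$(write_challenge_file "$webroot" "$token" "probe-$token")
    bodyfile=$(mktemp)
    # -w prints "<status> <final url>" on stdout; the body goes to $bodyfile.
    resp=$(curl -sS -L -A "acme-probe" -o "$bodyfile" \
        -w '%{http_code} %{url_effective}' \
        "http://$domain/$CHALLENGE_DIR/$token" 2>/dev/null) || resp="000 http://$domain"
    status=${resp%% *}; final_url=${resp#* }
    body=$(cat "$bodyfile" 2>/dev/null)
    rm -f "$path" "$bodyfile"
    check_challenge_response "probe-$token" "$status" "$body" "$final_url"
}

# Usage:
#   probe_domain forum.mydomain.net /var/www/html
# Then confirm against the staging CA, which costs no rate limit:
#   letsencrypt renew --dry-run
```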

Yes, that is what I did (except that my text file is simply called test). But trying to access it via the web browser gives me the 404 error

Can you just give the domain name?
This is not easy.

Have you checked the nginx logs?

It says:

2017/06/11 14:54:34 [error] 16390#16390: *677679 open() "/var/www.html/.well-known/acme-challenge/test" failed (2: No such file or directory), client: 64.***.***.***, server: forum.mydomain.net, request: "HEAD /.well-known/acme-challenge/test HTTP/1.1", host: "forum.mydomain.net"

I sent you the domain via PM

Wait: I just realize the path in the nginx error is /var/www.html/.... Where does the . instead of the / come from?

UPDATE: Aha, it was a simple typo here:

So letsencrypt renew now worked and I have

-------------------------------------------------------------------------------
Found the following certs:
  Certificate Name: mydomain.net
    Domains: mydomain.net forum.mydomain.net test.mydomain.net www.mydomain.net
    Expiry Date: 2017-09-09 12:32:00+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/mydomain.net/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/mydomain.net/privkey.pem
  Certificate Name: test.mydomain.net
    Domains: testwp.mydomain.net test.mydomain.net
    Expiry Date: 2017-08-30 09:41:00+00:00 (VALID: 79 days)
    Certificate Path: /etc/letsencrypt/live/test.mydomain.net/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/test.mydomain.net/privkey.pem
  Certificate Name: forum.mydomain.net
    Domains: forum.mydomain.net
    Expiry Date: 2017-07-02 20:57:00+00:00 (VALID: 21 days)
    Certificate Path: /etc/letsencrypt/live/forum.mydomain.net/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/forum.mydomain.net/privkey.pem
-------------------------------------------------------------------------------

I'm assuming that I no longer need the third certificate since the forum subdomain is included in the first cert, so I can just let that expire, right?

However, letsencrypt renew did give me this error:

Cert is due for renewal, auto-renewing...
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',)
Attempting to renew cert from /etc/letsencrypt/renewal/forum.mydomain.net.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',). Skipping.

Again, I'm assuming I can ignore it because I don't need that cert any more, but I'd like to understand what it means...

It means you originally created that certificate using the --manual plugin, which doesn't support automatic renewals (unless you provide scripts to perform the manual steps automatically). Since you do have another valid cert covering forum.mydomain.net among others, you indeed don't need that cert anymore (assuming the nginx configuration for that domain is pointing at the other, correct one). If you want, you can stop Certbot from trying to auto-renew it and failing, either by using certbot delete --cert-name forum.mydomain.net to delete it entirely, or if you want to keep the old certificate just in case, you can just remove the corresponding file from /etc/letsencrypt/renewal. Or you can ignore it, that's fine too.


Thanks for pointing that out. So having to choose between a sense of “just in case” security and uncertainty in a couple of weeks about whether or not I need to worry about that cert that is not renewing, I chose the spring cleaning option and deleted both obsolete certs. Feels good to have only one certificate and no more confusion. In three months, I will know whether it auto-updates or not.

Thanks everyone for your assistance.

Just a headsup for anyone following this advice: if you delete those files, make sure that they are not being pointed to in your nginx.conf, otherwise your nginx will fail to restart after a reboot, for example.

More specifically, if you followed this guide:

those files will be referred to in your /etc/nginx/snippets/ssl-example.com.conf which in turn is included in your nginx.conf...

And if I'm not mistaken, I would also have been in trouble had I just waited for the cert to expire because my nginx would still have been using it. But then again, maybe that would not have been a problem since it would also have used the correct one.
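An added shell script, not from the thread or from certbot, that turns the last two answers into checks: it reads the `authenticator` recorded in a lineage's renewal conf (a `manual` lineage without hooks is what produces the `--manual-auth-hook` PluginError on unattended runs), refuses to delete a lineage while any file under the nginx config directory still references its `/etc/letsencrypt/live/<name>/` path (the restart failure warned about above), and reports whether a live certificate is inside an expiry window so a silently failing cron renewal is noticed before the deadline rather than in three months. It assumes the standard /etc/letsencrypt and /etc/nginx layouts (both overridable), openssl, and the `certbot` command name (older packages install it as `letsencrypt`). `retire_cert`, `cert_referenced_in_nginx` and `cert_expires_within_days` are names chosen here.

```shell
#!/bin/sh
# Added example, not from the thread: decide whether a certificate lineage can
# safely be retired, and flag renewals that are not happening. Assumes the
# standard /etc/letsencrypt and /etc/nginx layouts unless overridden.
set -u

# Print the authenticator recorded in a renewal conf ("manual", "webroot",
# "nginx", ...); empty if none. A "manual" lineage cannot renew unattended
# unless auth hooks were recorded.
renewal_authenticator() {
    conf="$1"
    sed -n 's/^[[:space:]]*authenticator[[:space:]]*=[[:space:]]*//p' "$conf" | head -n 1
}

# Exit 0 (and print the matching lines) if any nginx config file still points
# at this lineage's live directory. Deleting such a lineage breaks nginx -t.
cert_referenced_in_nginx() {
    name="$1"; nginx_dir="${2:-/etc/nginx}"
    grep -rn -- "/etc/letsencrypt/live/$name/" "$nginx_dir"
}

# Exit 0 if the certificate's notAfter lies within the given number of days.
cert_expires_within_days() {
    pem="$1"; days="$2"
    if openssl x509 -in "$pem" -noout -checkend $((days * 86400)) >/dev/null; then
        return 1   # still valid beyond the window
    fi
    return 0
}

# Retire a lineage only when nothing serves it any more.
retire_cert() {
    name="$1"; le_dir="${2:-/etc/letsencrypt}"; nginx_dir="${3:-/etc/nginx}"
    conf="$le_dir/renewal/$name.conf"
    [ -f "$conf" ] || { echo "no renewal conf for $name"; return 2; }
    echo "$name: authenticator=$(renewal_authenticator "$conf")"
    if cert_referenced_in_nginx "$name" "$nginx_dir"; then
        echo "refusing: nginx still references /etc/letsencrypt/live/$name/ (matches above)"
        return 1
    fi
    certbot delete --cert-name "$name"
}

# Usage:
#   retire_cert forum.mydomain.net
#   cert_expires_within_days /etc/letsencrypt/live/mydomain.net/fullchain.pem 14 \
#       && echo "mydomain.net expires within 14 days: renewal is not happening"
```

The expiry check is the piece to put in cron next to the renewal job: certbot renews at 30 days before expiry, so a certificate still under 14 days means every weekly run since then has failed, and the log line should be read before the deadline. A renewal that succeeds also needs nginx to reload before the new chain is served; `renew --post-hook` exists in certbot for exactly that.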
