My domain is: wheelodex.org
I ran this command:
sudo certbot run \
--nginx \
--rsa-key-size 4096 \
--expand \
--cert-name wheelodex \
--email REDACTED \
--domains www.wheelodex.org,wheelodex.org \
--non-interactive \
--agree-tos
It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for wheelodex.org
http-01 challenge for www.wheelodex.org
nginx: [warn] conflicting server name "wheelodex.org" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name "www.wheelodex.org" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name "wheelodex.org" on [::]:80, ignored
nginx: [warn] conflicting server name "www.wheelodex.org" on [::]:80, ignored
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. www.wheelodex.org (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.wheelodex.org/.well-known/acme-challenge/dLKv4nsTNS7d80I4G934B1XM5vrchidJl_lVdbnH9Ds: "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 3.2 Final//EN\">\\n<title>404 Not Found</title>\\n<h1>Not Found</h1>\\n<p>The requested URL was"
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: www.wheelodex.org
Type: unauthorized
Detail: Invalid response from
http://www.wheelodex.org/.well-known/acme-challenge/dLKv4nsTNS7d80I4G934B1XM5vrchidJl_lVdbnH9Ds:
"<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 3.2
Final//EN\">\\n<title>404 Not Found</title>\\n<h1>Not
Found</h1>\\n<p>The requested URL was
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
My web server is (include version): nginx-full 1.14.0-0ubuntu1.2
The operating system my web server runs on is (include version): Ubuntu Bionic 18.04.1
My hosting provider, if applicable, is: DigitalOcean
I can login to a root shell on my machine (yes or no, or I don’t know): yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no
My site is configured via an Ansible playbook that runs the command listed above every time it’s run in order to ensure a certificate is present, and I trust certbot’s systemd files to take care of certificate renewals. The last time the above command was run successfully was 2018 Nov 14. Today, I got an e-mail that my site’s cert was about to expire, and the systemd logs showed that the renewal job was failing for some unspecified reason. I tried running sudo certbot renew, but that failed with the output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/wheelodex.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for wheelodex.org
tls-sni-01 challenge for www.wheelodex.org
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (wheelodex) from /etc/letsencrypt/renewal/wheelodex.conf produced an unexpected error: Failed authorization procedure. www.wheelodex.org (tls-sni-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 0f441e7c6ddafce814f175c886c06ea5.053d4ebc12491e1f302f6f72e26fb1f6.acme.invalid from [2604:a880:800:a1::c5d:8001]:443. Received 1 certificate(s), first certificate had names "30cbd04dcd1f74c6151b25ba6ebdb445.ccc945d59857aa9580a9d5e58881ac25.acme.invalid, dummy". Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/wheelodex/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/wheelodex/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: www.wheelodex.org
Type: unauthorized
Detail: Incorrect validation certificate for tls-sni-01 challenge.
Requested
0f441e7c6ddafce814f175c886c06ea5.053d4ebc12491e1f302f6f72e26fb1f6.acme.invalid
from [2604:a880:800:a1::c5d:8001]:443. Received 1 certificate(s),
first certificate had names
"30cbd04dcd1f74c6151b25ba6ebdb445.ccc945d59857aa9580a9d5e58881ac25.acme.invalid,
dummy"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
After some Googling, I then tried sudo certbot renew --preferred-challenges http with the result:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/wheelodex.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for wheelodex.org
http-01 challenge for www.wheelodex.org
nginx: [warn] conflicting server name "www.wheelodex.org" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name "wheelodex.org" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name "www.wheelodex.org" on [::]:80, ignored
nginx: [warn] conflicting server name "wheelodex.org" on [::]:80, ignored
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (wheelodex) from /etc/letsencrypt/renewal/wheelodex.conf produced an unexpected error: Failed authorization procedure. www.wheelodex.org (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.wheelodex.org/.well-known/acme-challenge/fFdwvIwNBSCByd4u5acHyrjLl9tLld5fsCvF3DBIsvE: "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 3.2 Final//EN\">\n<title>404 Not Found</title>\n<h1>Not Found</h1>\n<p>The requested URL was". Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/wheelodex/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/wheelodex/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: www.wheelodex.org
Type: unauthorized
Detail: Invalid response from
http://www.wheelodex.org/.well-known/acme-challenge/fFdwvIwNBSCByd4u5acHyrjLl9tLld5fsCvF3DBIsvE:
"<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 3.2
Final//EN\">\n<title>404 Not Found</title>\n<h1>Not
Found</h1>\n<p>The requested URL was"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
I then ran sudo apt-get install to upgrade various Certbot packages:
- certbot — upgraded from 0.26.1-1+ubuntu18.04.1+certbot+2 to 0.28.0-1+ubuntu18.04.1+certbot+4
- python-certbot-nginx — upgraded from 0.25.0-2+ubuntu18.04.1+certbot+1 to 0.28.0-1+ubuntu18.04.1+certbot+3
- python3-acme — upgraded from 0.26.0-1+ubuntu18.04.1+certbot+1 to 0.28.0-1+ubuntu18.04.1+certbot+3
- python3-certbot — upgraded from 0.26.1-1+ubuntu18.04.1+certbot+2 to 0.28.0-1+ubuntu18.04.1+certbot+4
- python3-certbot-nginx — upgraded from 0.25.0-2+ubuntu18.04.1+certbot+1 to 0.28.0-1+ubuntu18.04.1+certbot+3
- python3-josepy — upgraded from 1.1.0-1 to 1.1.0-2+ubuntu18.04.1+certbot+1
and then tried running my Ansible playbook, which failed with the error message listed in the section above.
Past experience with running my Ansible playbook has led me to believe that Certbot edits the Nginx configuration in some manner in order to ensure things work (I don’t know how it edits them, since the configuration is immediately overwritten with my configuration by a subsequent Ansible task); however, based on filestamps, it appears that today’s Certbot runs are leaving the Nginx config alone, which may be behind the failures. (Incidentally, my Nginx config redirects everything to https://www.wheelodex.org, which is then handled by uWSGI; this may be another reason why everything is failing.)
How do I get Certbot to work again?
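As an added example that is not part of the original post: a small script that reproduces the "conflicting server name ... ignored" check behind the four nginx warnings in the output above, scanning config snippets for listen/server_name pairs declared in more than one server block (nginx keeps the first such block and ignores the rest, so a block added for the challenge can silently have no effect). The file names and config contents are constructed, and the parser only handles flat server blocks with one level of nesting.

```python
# Added example, not from the original post: reproduce nginx's "conflicting
# server name ... ignored" check over config snippets (flat server blocks only).
import re
from collections import defaultdict

# Constructed sample: the site's redirect block plus a certbot-style block that
# repeats the same names on port 80, matching the four warnings in the post.
SAMPLE_CONFIGS = {
    "sites-enabled/wheelodex": """
server {
    listen 80;
    listen [::]:80;
    server_name wheelodex.org www.wheelodex.org;
    return 301 https://www.wheelodex.org$request_uri;
}""",
    "sites-enabled/certbot-generated": """
server {
    listen 80;
    listen [::]:80;
    server_name wheelodex.org www.wheelodex.org;
    location /.well-known/acme-challenge/ { root /var/www/html; }
}""",
}

def server_blocks(text):
    """Body of each `server { ... }` block; allows one level of nested blocks."""
    text = re.sub(r"#.*", "", text)  # drop comments before matching braces
    return re.findall(r"\bserver\s*\{((?:[^{}]|\{[^{}]*\})*)\}", text)

def directives(body, name):
    """Split arguments of each top-level `name ...;` directive (nested blocks skipped)."""
    flat = re.sub(r"\{[^{}]*\}", "", body)
    pat = r"(?m)^\s*%s\s+([^;]+);" % re.escape(name)
    return [m.group(1).split() for m in re.finditer(pat, flat)]

def find_conflicts(configs):
    """(listen address, server_name) -> files declaring it, duplicates only."""
    seen = defaultdict(list)
    for path, text in configs.items():
        for body in server_blocks(text):
            # a bare `listen 80` binds 0.0.0.0:80, which is how nginx reports it
            addrs = [d[0] if ":" in d[0] else "0.0.0.0:" + d[0] for d in directives(body, "listen")]
            names = [n for d in directives(body, "server_name") for n in d]
            for addr in addrs:
                for name in names:
                    seen[(addr, name)].append(path)
    return {k: v for k, v in seen.items() if len(v) > 1}
```

Running `find_conflicts` over the real `/etc/nginx/sites-enabled` contents (read into the same dict shape) lists which files compete for each name, which `nginx -t` alone does not show.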