Cannot renew a Lets Encrypt certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

**nqchurch.duckdns.org (I have 5 web servers running behind a reverse proxy server. They all use the same LetsEncrypt certificate: nqchurch.duckdns.org, nqht.duckdns.org, nqht2020.duckdns.org, nqsupport.duckdns.org, williamsonwatsonfamilytree.duckdns.org)**

I ran this command: sudo certbot renew

It produced this output:

```
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/nqchurch.duckdns.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for nqchurch.duckdns.org
http-01 challenge for nqht.duckdns.org
http-01 challenge for nqht2020.duckdns.org
http-01 challenge for nqsupport.duckdns.org
http-01 challenge for williamsonwatsonfamilytree.duckdns.org
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (nqchurch.duckdns.org) from /etc/letsencrypt/renewal/nqchurch.duckdns.org.conf produced an unexpected error: Failed authorization procedure. nqsupport.duckdns.org (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://nqsupport.duckdns.org/ [188.28.139.153]: "\r\n<html", nqht.duckdns.org (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://nqht.duckdns.org/ [188.28.139.153]: "\r\n<html", nqht2020.duckdns.org (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://nqht2020.duckdns.org/ [188.28.139.153]: "\r\n<html", williamsonwatsonfamilytree.duckdns.org (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://williamsonwatsonfamilytree.duckdns.org/ [188.28.139.153]: "\r\n<html", nqchurch.duckdns.org (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://nqchurch.duckdns.org/ [188.28.139.153]: "\r\n<html". Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/nqchurch.duckdns.org/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/nqchurch.duckdns.org/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: nqsupport.duckdns.org
   Type:   unauthorized
   Detail: Invalid response from http://nqsupport.duckdns.org/
   [188.28.139.153]: "<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0
   Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">\r\n<html"

   Domain: nqht.duckdns.org
   Type:   unauthorized
   Detail: Invalid response from http://nqht.duckdns.org/
   [188.28.139.153]: "<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0
   Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">\r\n<html"

   Domain: nqht2020.duckdns.org
   Type:   unauthorized
   Detail: Invalid response from http://nqht2020.duckdns.org/
   [188.28.139.153]: "<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0
   Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">\r\n<html"

   Domain: williamsonwatsonfamilytree.duckdns.org
   Type:   unauthorized
   Detail: Invalid response from
   http://williamsonwatsonfamilytree.duckdns.org/ [188.28.139.153]:
   "<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">\r\n<html"

   Domain: nqchurch.duckdns.org
   Type:   unauthorized
   Detail: Invalid response from http://nqchurch.duckdns.org/
   [188.28.139.153]: "<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0
   Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">\r\n<html"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
```

My web server is (include version): nginx/1.14.2

The operating system my web server runs on is (include version): Raspbian GNU/Linux 10 (buster)

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.31.0

1 Like

Your port 80 is accessing your Buffalo LinkStation and NOT your nginx webserver.

Please make sure your port redirects and/or portmaps are correct.

Also, you're lucky the admin password is different than the default password. Otherwise anyone on the internet could have modified your LinkStation's configuration...

4 Likes

Thank You for the prompt response.

While trouble-shooting this problem yesterday, I realized that I had mis-configured port-forwarding in my (new) router. I had set port forwarding on 80 and 443 to the nginx webserver and had also set port forwarding on port 80 to the Buffalo LinkStation (it should have been 9000).

I changed the settings, but I am still seeing this problem.

Maybe I need to "power-cycle" the router :slight_smile:

Regards,

Boydwill.

2 Likes

Seems to be working now: HTTP on port 80 now is served by nginx and redirects to HTTPS.

Try your renewal again :slight_smile:

2 Likes

Thank You VERY much

After a power cycle, I was able to renew the certificate. So although the router said the port-forwarding settings had been changed, they were not actioned until the power was cycled.

Can I ask how you were able to tell which device (Buffalo NAS server v nginx webserver) was connected to port 80? (I used https://portchecker.co/ to verify that ports 80 and 443 were open.)

Regards,

Boydwill.

2 Likes

First, I used curl to see what the response from your hostname(s) was. I saw "Lighthttpd" as the webserver, which was different from the nginx you mentioned.

Then I just simply surfed to your websites using my browser, which resulted in the NAS configuration panel :wink: Using https:// I did see the correct site, but using http:// the NAS.

4 Likes
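The check described in the reply above (compare the `Server:` header that answers on port 80 with the one on port 443 for every name in the certificate) can be scripted so it runs before each renewal. The script below is an added example, not code from the thread or from Certbot; the hostnames are passed as arguments, and the captured NAS response used for the self-test is a constructed sample, not real output from the poster's device.

```sh
#!/bin/sh
# check_acme_frontend.sh (added example, not from the thread)
# For each hostname, fetch only the response headers over http:// and https://
# and report which web server answered. If port 80 is not answered by nginx,
# the http-01 challenge file will be served by the wrong device (here: a NAS),
# which is exactly the "Invalid response ... <!DOCTYPE html" failure above.

# Extract the value of the Server: header from raw HTTP headers on stdin.
server_header() {
  tr -d '\r' | awk 'tolower($1) == "server:" { sub(/^[^ ]* /, ""); print; exit }'
}

# Classify a Server: value: the expected nginx, nothing at all, or something else.
classify() {
  case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
    nginx*) echo nginx ;;
    "")     echo unknown ;;
    *)      echo other ;;
  esac
}

# Live probe of one hostname: headers only (-I), follow nothing, short timeout.
probe() {
  host=$1
  http_srv=$(curl -sI --max-time 10 "http://$host/" 2>/dev/null | server_header)
  https_srv=$(curl -sI --max-time 10 "https://$host/" 2>/dev/null | server_header)
  printf '%-45s http=%-8s https=%-8s\n' "$host" \
    "$(classify "$http_srv")" "$(classify "$https_srv")"
  if [ "$(classify "$http_srv")" != nginx ]; then
    echo "  WARNING: port 80 for $host is answered by '${http_srv:-<none>}', not nginx;"
    echo "  check the router's port forward for 80 before running certbot renew"
  fi
}

# Constructed sample of what a NAS admin page might answer on port 80
# (hypothetical values, not captured from any real device).
SAMPLE_NAS_HEADERS='HTTP/1.1 200 OK
Server: lighttpd/1.4.35
Content-Type: text/html'

# Usage: ./check_acme_frontend.sh host1 host2 ...
for h in "$@"; do
  probe "$h"
done
```

Run it with the certificate's names as arguments (for example the five duckdns.org names in the first post); every line should read `http=nginx https=nginx`. A `http=other` line reproduces the situation diagnosed in the thread, and the `Server:` value printed in the warning tells you which device the router is actually forwarding port 80 to.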

Thank You

And thanks for the very prompt initial response.

I had spent hours yesterday trying to fix this. I was stumped - especially after I had found (and thought I had fixed) the port forwarding problem.

Regards

Boydwill

4 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.