Cannot renew after expiration of certificate

My domain is: task-tag.co.uk

I ran this command: sudo certbot certonly --nginx --dry-run

Other commands I ran:
sudo certbot certonly -d task-tag.co.uk --dry-run
sudo certbot renew --force-renewal
After many trials, I tried these (below) and then repeated the first command and sudo certbot --nginx. Always the same error.
sudo certbot delete
sudo certbot revoke

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx

Which names would you like to activate HTTPS for?


1: task-tag.co.uk


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter ‘c’ to cancel): 1
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for task-tag.co.uk
nginx: [warn] conflicting server name "task-tag.co.uk" on 0.0.0.0:80, ignored
Waiting for verification...
Cleaning up challenges
nginx: [warn] conflicting server name "task-tag.co.uk" on 0.0.0.0:80, ignored
Failed authorization procedure. task-tag.co.uk (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://task-tag.co.uk/.well-known/acme-challenge/Mr6S__Lz1l8cjxeL0t94ipo2UBz7jAGTrhxo_ZBjtlg [35.178.212.206]: 404

IMPORTANT NOTES:

My web server is (include version): Nginx 1.14.0

The operating system my web server runs on is (include version): Linux-5.3.0-1017-aws-x86_64-with-Ubuntu-18.04-bionic

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no, simply SSH.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.27.0

Hi @jesusce

that’s expected.

You have to fix your basic error before you can create a certificate:


That’s because I have the same domain but for a different port.
The one without a port had SSL and the one with a port didn’t use SSL. It was working fine like this, but I forgot to renew the certificate and now I’m having this issue.

No, that’s wrong. You have to fix that. It’s not a problem using the same domain with port 80 / port 443 / other ports.

That’s not the warning message.


I see. Within nginx/sites-enabled/ I have two files: one for the default port and the other one with a specific port. I will try simply having the default port one first and see how it goes.

Indeed that fixed the problem. It’s now working with only one site enabled. Thank you very much. Now, I just need to figure out how to add it as well for the specific port. Do you have any ideas about this?


Can you show the two…
Maybe we can make heads or tails out of it.

Without seeing anything, I would say don’t call the server by any name used for web services.

sites-enabled/dns1:
server {
        server_name task-tag.co.uk;

        location = /favicon.ico { access_log off; log_not_found off;}
        location /static/ {
                root /home/ubuntu/production;
        }

        location / {
                include proxy_params;
                proxy_pass http://unix:/home/ubuntu/production/happytasking.sock;
        }




    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/task-tag.co.uk/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/task-tag.co.uk/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}
server {
    if ($host = task-tag.co.uk) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


        server_name task-tag.co.uk;
    listen 80;
    return 404; # managed by Certbot


}

sites-enabled/dns2:
server {
        server_name task-tag.co.uk;
        listen 8001;
        location = /favicon.ico { access_log off; log_not_found off;}
        location /static/ {
                root /home/ubuntu/production;
        }

        location / {
                include proxy_params;
                proxy_pass http://unix:/home/ubuntu/production/happytasking.sock;
        }




    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/task-tag.co.uk/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/task-tag.co.uk/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}
server {
    if ($host = task-tag.co.uk) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


        server_name task-tag.co.uk;
    listen 80;
    return 404; # managed by Certbot


}

This way it was giving me conflicts after the expiration of the certificate.

Here it is abbreviated (maybe you can see the problem - I do):

sites-enabled/dns1:
server {
>>> server_name task-tag.co.uk; <<<
>>> listen 443 ssl; # managed by Certbot <<<
server {
>>> server_name task-tag.co.uk; <<<
>>> listen 80; <<<

sites-enabled/dns2:
server {
>>> server_name task-tag.co.uk; <<<
listen 8001;
>>> listen 443 ssl; # managed by Certbot <<<
server {
>>> server_name task-tag.co.uk; <<<
>>> listen 80; <<<

Yes, definitely the problem is clear. Is there any possibility to have the SSL certificate under that 8001 port? Otherwise, I will leave this one without an SSL certificate; it should be alright for now.

You already do.
sites-enabled/dns2 has a valid cert for that name and is listening on two ports (8001 and 443).
But in that same block it also listens on 443 (needlessly).
And further down it adds a listen on port 80, which overlaps with the other file - one needs to be removed.

You can reduce sites-enabled/dns2 to just:

sites-enabled/dns2:
server {
    server_name task-tag.co.uk;
    listen 8001;
    location = /favicon.ico { access_log off; log_not_found off;}
    location /static/ {
        root /home/ubuntu/production;
    }#location
    location / {
        include proxy_params;
        proxy_pass http://unix:/home/ubuntu/production/happytasking.sock;
    }#location
    ssl_certificate /etc/letsencrypt/live/task-tag.co.uk/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/task-tag.co.uk/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}#server

But that really should be sites-available/dns2 with a symbolic link from sites-enabled
[which should have been created by using a2ensite dns2]


And here is dns1:

sites-enabled/dns1:
server {
    listen 443 ssl; # managed by Certbot
    server_name task-tag.co.uk;
    location = /favicon.ico { access_log off; log_not_found off;}
    location /static/ {
        root /home/ubuntu/production;
    }#location
    location / {
        include proxy_params;
        proxy_pass http://unix:/home/ubuntu/production/happytasking.sock;
    }#location
    ssl_certificate /etc/letsencrypt/live/task-tag.co.uk/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/task-tag.co.uk/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}#server
server {
    listen 80;
    server_name task-tag.co.uk;
    return 301 https://$host$request_uri;
    return 404; # managed by Certbot
}#server

Yes, I have tried this, but when I use https, it will just give me an error back. http works fine though.

What you tried had listen 443 in both files, dns1 & dns2.
Review the files again, as I have updated them.

dns2 only listens on 8001
dns1 listens on 443 and 80

If a conflict remains, then you have another listen combined with this same name.
Which goes to my first guess:

You may have a “default” vhost config block that is using the “default” server_name set in the main config - which I would suspect is “task-tag.co.uk”.

Your port 8001 is an http port. So you can’t use the same port with https, that’s expected.

Create a second port or change the 8001.


Yes, exactly that way. Let me share the code again.

dns1:

server {
        server_name task-tag.co.uk;

        location = /favicon.ico { access_log off; log_not_found off;}
        location /static/ {
                root /home/ubuntu/production;
        }

        location / {
                include proxy_params;
                proxy_pass http://unix:/home/ubuntu/production/happytasking.sock;
        }




    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/task-tag.co.uk/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/task-tag.co.uk/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}
server {
    if ($host = task-tag.co.uk) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


        server_name task-tag.co.uk;
    listen 80;
    return 404; # managed by Certbot


}

dns2:

server {
        server_name task-tag.co.uk;
        listen 8001;
        location = /favicon.ico { access_log off; log_not_found off;}
        location /static/ {
                root /home/ubuntu/tasktag/backend/tasktag_django;
        }

        location / {
                include proxy_params;
                proxy_pass http://unix:/home/ubuntu/tasktag/backend/tasktag_django/tasktag_django.sock;
        }



    ssl_certificate /etc/letsencrypt/live/task-tag.co.uk/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/task-tag.co.uk/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

Messier than the ones I gave you but, yes, no overlapping port/name combinations seen there.
So do you still have a name conflict?

YES! That was it. I had to add listen 8001 ssl; and it worked.
Thank you very much for your help @rg305 too, as I could create a better config.
Thanks a lot.


No, the name conflict is gone when I do sudo nginx -t. Within the dns2 file, the second server rules were triggering this name conflict.
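
The two problems found in this thread (the same server_name repeated on one port across dns1 and dns2, and a certificate-bearing block listening on 8001 without ssl) can be checked before running certbot. The following is an added example, not code from the thread, Certbot or nginx: `server_blocks` and `audit` are hypothetical helpers built on a simplified parser that does not handle braces inside quoted strings, and the sample config is constructed from the files posted above.

```python
import re
from collections import defaultdict
# Constructed sample: the thread's first dns1/dns2, cut down to the relevant directives.
DNS1 = """
server {
    server_name task-tag.co.uk;
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/task-tag.co.uk/fullchain.pem;
}
server {
    if ($host = task-tag.co.uk) { return 301 https://$host$request_uri; }
    server_name task-tag.co.uk;
    listen 80;
}
"""
DNS2 = DNS1.replace("listen 443 ssl;", "listen 8001;\n    listen 443 ssl;")

def server_blocks(text):  # one {directive: [args, ...]} dict per server block
    depth, cur, out = 0, None, []
    for stmt, sep in re.findall(r"([^;{}]*)([;{}])", re.sub(r"#[^\n]*", "", text)):
        words = stmt.split()
        if sep == "{":
            depth += 1
            if depth == 1:
                cur = defaultdict(list) if words == ["server"] else None
        elif sep == "}":
            depth -= 1
            if depth == 0 and cur is not None:
                out.append(cur)
        elif depth == 1 and cur is not None and words:
            cur[words[0]].append(words[1:])
    return out

def audit(files):
    """Report repeated (port, server_name) pairs and cert blocks that listen without ssl."""
    seen, findings = set(), []
    for path, text in files.items():
        for blk in server_blocks(text):
            names = [n for args in blk["server_name"] for n in args] or [""]
            for args in blk["listen"] or [["80"]]:  # assumption: no listen means port 80
                port = args[0].rsplit(":", 1)[-1]
                if "ssl_certificate" in blk and "ssl" not in args:
                    findings.append(("plaintext-listen", port, path))
                for name in names:
                    if (port, name) in seen:
                        findings.append(("conflict", port, name, path))
                    seen.add((port, name))
    return findings

print(*audit({"sites-enabled/dns1": DNS1, "sites-enabled/dns2": DNS2}), sep="\n")
```

On a live host the same check can be fed from the files under sites-enabled; `sudo nginx -t`, as used in the thread, remains the authoritative test.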