Cannot renew after expiration of certificate

jesusce · September 14, 2020, 10:29am

I ran this command: sudo certbot certonly --nginx --dry-run

Other ran commands:
sudo certbot certonly -d task-tag.co.uk --dry-run
sudo certbot renew --force-renewal
After many trials, I tried these (below) and then repeat the first command and sudo certbot --nginx. Always same error.
sudo certbot delete
sudo certbot revoke

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx

Which names would you like to activate HTTPS for?

1: task-tag.co.uk

Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter ‘c’ to cancel): 1
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for task-tag.co.uk
nginx: [warn] conflicting server name “task-tag.co.uk” on 0.0.0.0:80, ignored
Waiting for verification…
Cleaning up challenges
nginx: [warn] conflicting server name “task-tag.co.uk” on 0.0.0.0:80, ignored
Failed authorization procedure. task-tag.co.uk (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://task-tag.co.uk/.well-known/acme-challenge/Mr6S__Lz1l8cjxeL0t94ipo2UBz7jAGTrhxo_ZBjtlg [35.178.212.206]: 404

IMPORTANT NOTES:

The following errors were reported by the server:

Domain: task-tag.co.uk
Type: unauthorized
Detail: Invalid response from
http://task-tag.co.uk/.well-known/acme-challenge/Mr6S__Lz1l8cjxeL0t94ipo2UBz7jAGTrhxo_ZBjtlg
[35.178.212.206]: 404

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.

My web server is (include version): Nginx 1.14.0

The operating system my web server runs on is (include version): Linux-5.3.0-1017-aws-x86_64-with-Ubuntu-18.04-bionic

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no, simply SSH.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.27.0

JuergenAuer · September 14, 2020, 10:47am

Hi @jesusce

that's expected.

You have to fix your basic error before you can create a certificate:

jesusce · September 14, 2020, 10:49am

That’s because I have the same domain but for different port.
The one without port had SSL and the one with port didnt use SSL. It was working fine like this but I forgot to renew the certificate and now im having this issue.

JuergenAuer · September 14, 2020, 10:51am

No, that's wrong. You have to fix that. It's not a problem using the same domain with port 80 / port 443 / other ports.

That's not the warning message.

jesusce · September 14, 2020, 10:55am

I see. within nginx/sites-enabled/ I have two files: one for the default port and the other one with a specific port. I will try simply having the default port one first and see how it goes.

jesusce · September 14, 2020, 11:01am

Indeed that fixed the problem. It’s now working with only one site enabled. Thank you very much. Now, I just need to figure out how to add it as well for the specific port. Do you have any ideas about this?

rg305 · September 14, 2020, 11:02am

Can you show the two…
Maybe we can make heads or tails out of it.

Without seeing anything, I would say don’t call the server by any name used for web services.

jesusce · September 14, 2020, 11:06am

sites-enabled/dns1:
server {
        server_name task-tag.co.uk;

        location = /favicon.ico { access_log off; log_not_found off;}
        location /static/ {
                root /home/ubuntu/production;
        }

        location / {
                include proxy_params;
                proxy_pass http://unix:/home/ubuntu/production/happytasking.sock;
        }




    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/task-tag.co.uk/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/task-tag.co.uk/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}
server {
    if ($host = task-tag.co.uk) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


        server_name task-tag.co.uk;
    listen 80;
    return 404; # managed by Certbot


}

sites-enabled/dns2:
server {
        server_name task-tag.co.uk;
        listen 8001;
        location = /favicon.ico { access_log off; log_not_found off;}
        location /static/ {
                root /home/ubuntu/production;
        }

        location / {
                include proxy_params;
                proxy_pass http://unix:/home/ubuntu/production/happytasking.sock;
        }




    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/task-tag.co.uk/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/task-tag.co.uk/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}
server {
    if ($host = task-tag.co.uk) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


        server_name task-tag.co.uk;
    listen 80;
    return 404; # managed by Certbot


}

this way it was giving me conflicts after the expiration of the certificate.

rg305 · September 14, 2020, 11:09am

Here it is abbreviated (maybe you can see the problem - I do):

sites-enabled/dns1:
server {
>>> server_name task-tag.co.uk; <<<
>>> listen 443 ssl; # managed by Certbot <<<
server {
>>> server_name task-tag.co.uk; <<<
>>> listen 80; <<<

sites-enabled/dns2:
server {
>>> server_name task-tag.co.uk; <<<
listen 8001;
>>> listen 443 ssl; # managed by Certbot <<<
server {
>>> server_name task-tag.co.uk; <<<
>>> listen 80; <<<

jesusce · September 14, 2020, 11:13am

Yes definitely the problem is clear. Is there any possibility to have the SSL Certificate under that 8001 port? otherwise, I will leave this one without SSL Certificate, it should be alright by now.

rg305 · September 14, 2020, 11:15am

You already do.
sites-enabled/dns2 has a valid cert for that name and is listening on two ports (8001 and 443).
But in that same block it also listens on 443 (needlessly).
And further down adds a listen to port 80 with overlaps with the other file - one needs to be removed.

rg305 · September 14, 2020, 11:20am

You can reduce sites-enabled/dns2 to just:

sites-enabled/dns2:
server {
    server_name task-tag.co.uk;
    listen 8001;
    location = /favicon.ico { access_log off; log_not_found off;}
    location /static/ {
        root /home/ubuntu/production;
    }#location
    location / {
        include proxy_params;
        proxy_pass http://unix:/home/ubuntu/production/happytasking.sock;
    }#location
    ssl_certificate /etc/letsencrypt/live/task-tag.co.uk/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/task-tag.co.uk/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}#server

But that really should be sites-available/dns2 with a symbolic link from sites-enabled
[which should have been created by using a2ensite dns2]

rg305 · September 14, 2020, 11:26am

And here is dns1:

sites-enabled/dns1:
server {
    listen 443 ssl; # managed by Certbot
    server_name task-tag.co.uk;
    location = /favicon.ico { access_log off; log_not_found off;}
    location /static/ {
        root /home/ubuntu/production;
    }#location
    location / {
        include proxy_params;
        proxy_pass http://unix:/home/ubuntu/production/happytasking.sock;
    }#location
    ssl_certificate /etc/letsencrypt/live/task-tag.co.uk/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/task-tag.co.uk/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}#server
server {
    listen 80;
    server_name task-tag.co.uk;
    return 301 https://$host$request_uri;
    return 404; # managed by Certbot
}#server

jesusce · September 14, 2020, 11:26am

Yes, I have tried this but when I use https, it will just give me an error back. http works fine tho.

rg305 · September 14, 2020, 11:27am

What you tried had listen 443 in both files dns1 & dns2
Review the files again as I have updated them

dns2 only listens on 8001
dns1 listens on 443 and 80

If a conflict remains, then you have another listen combined with this same name.
Which goes to my first guess:

You may have a "default" vhost config block that is using the "default" server_name set in the main config - which I would suspect is "task-tag.co.uk"

JuergenAuer · September 14, 2020, 11:30am

Your port 8001 is a http port. So you can't use the same port with https, that's expected.

Create a second port or change the 8001.

jesusce · September 14, 2020, 11:31am

Yes, exactly that way. let me share the code again.

dns1:

server {
        server_name task-tag.co.uk;

        location = /favicon.ico { access_log off; log_not_found off;}
        location /static/ {
                root /home/ubuntu/production;
        }

        location / {
                include proxy_params;
                proxy_pass http://unix:/home/ubuntu/production/happytasking.sock;
        }




    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/task-tag.co.uk/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/task-tag.co.uk/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}
server {
    if ($host = task-tag.co.uk) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


        server_name task-tag.co.uk;
    listen 80;
    return 404; # managed by Certbot


}

dns2:

server {
        server_name task-tag.co.uk;
        listen 8001;
        location = /favicon.ico { access_log off; log_not_found off;}
        location /static/ {
                root /home/ubuntu/tasktag/backend/tasktag_django;
        }

        location / {
                include proxy_params;
                proxy_pass http://unix:/home/ubuntu/tasktag/backend/tasktag_django/tasktag_django.sock;
        }



    ssl_certificate /etc/letsencrypt/live/task-tag.co.uk/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/task-tag.co.uk/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

rg305 · September 14, 2020, 11:32am

Messier than the ones I gave you but, yes, no overlapping port/name combinations seen there.
So do you still have a name conflict?

jesusce · September 14, 2020, 11:34am

YES! That was it. i had to add listen 8001 ssl; and it worked.
Thank you very much for your help @rg305 too as I could create a better config.
Thanks a lot.

jesusce · September 14, 2020, 11:35am

no, name conflict is gone when I do sudo nginx -t. Within dns2 file, the second server rules was triggering this name conflict.

Topic		Replies	Views
Does the prompt about my domain not being close to expiry ever go away? Help	6	3007	April 17, 2018
Certificate renew Help	6	535	May 12, 2023
I'm trying to renewal my certificate but it's now renewing Help	8	461	July 9, 2022
Certificate expired after date Help	11	689	May 13, 2021
Unable to renew automatically Help	11	1090	January 15, 2021

Cannot renew after expiration of certificate

Related topics