Cannot renew cert that used to work


#1

Please fill out the fields below so we can help you better.

My domain is: knnubt05oc.kuenn.co

I ran this command: cd /opt/letsencrypt && /opt/letsencrypt/letsencrypt-auto renew

It produced this output:


Processing /etc/letsencrypt/renewal/knnubt05oc.kuenn.co.conf

2016-08-03 16:02:46,409:WARNING:certbot.renewal:Attempting to renew cert from /etc/letsencrypt/renewal/knnubt05oc.kuenn.co.conf produced an unexpected error: Failed authorization procedure. knnubt05oc.kuenn.co (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://knnubt05oc.kuenn.co/.well-known/acme-challenge/RjQ7ggZiNZbReYGR1F48td-apUlJDSF7omTrUzlgTiI: "

knnubt05oc.kuenn.co
Type: unauthorized
Detail: Invalid response from
http://knnubt05oc.kuenn.co/.well-known/acme-challenge/RjQ7ggZiNZbReYGR1F48td-apUlJDSF7omTrUzlgTiI:
" <html lang=" <p>To fix these errors, please make sure that your domain name was<br> entered correctly and the DNS A record(s) for that domain<br> contain(s) the right IP address.<br> root@5b195ee1c011:/tmp#</p> </li> </ul> <p>My operating system is (include version): Ubuntu 16.04.1 LTS</p> <p>My web server is (include version): nginx version: nginx/1.10.0 (Ubuntu)</p> <p>My hosting provider, if applicable, is: Digital Ocean</p> <p>I can login to a root shell on my machine (yes or no, or I don’t know): yes</p> <p>I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no, i am using ssh</p>

#2

curl-ing that URL shows a redirect loop - check your server config for anything involving redirects:

➜  ~ curl -i http://knnubt05oc.kuenn.co/.well-known/acme-challenge/RjQ7ggZiNZbReYGR1F48td-apUlJDSF7omTrUzlgTiI
HTTP/1.1 301 Moved Permanently
Server: nginx/1.10.0 (Ubuntu)
Date: Wed, 03 Aug 2016 10:49:17 GMT
Content-Type: text/html
Content-Length: 194
Connection: keep-alive
Location: http://knnubt05oc.kuenn.co
...
➜  ~ curl -i http://knnubt05oc.kuenn.co
HTTP/1.1 301 Moved Permanently
Server: nginx/1.10.0 (Ubuntu)
Date: Wed, 03 Aug 2016 10:49:36 GMT
Content-Type: text/html
Content-Length: 194
Connection: keep-alive
Location: http://knnubt05oc.kuenn.co
...

#3

hello pfg,

thank you for the hint. solved the problem now.

My Resolution:

- I need to turn back ON listen for Port 80. My original intent was to eliminate any non-secure connection. Now, it seems not possible.... : (

refer to below sections of my nginx default config file

    # vi /etc/nginx/sites-available/default

    :

    server {

        client_max_body_size  10M;

        listen              80 default_server;
        listen              [::]:80 default_server;
        listen              443 ssl default_server;
        listen              [::]:443 ssl default_server;

    :

One question,

is there plan for Letsencrypt to support HTTPS validation?

regards,

kuenn

#4

There’s a challenge type - TLS-SNI-01 - that works via HTTPS/port 443. However, this challenge type currently requires you to either use apache (for which a certbot plugin that automates the validation exists) or stop your existing web server for a few seconds so that certbot (with the standalone plugin) can listen on port 443. The good news is that a certbot plugin for nginx is being worked on and is going to use this challenge type, so you could probably switch to this if you want to with one of the upcoming releases (sorry, no ETA :blush:).

For some discussion on why the HTTP-01 challenge type does not work via HTTPS, and why it might not really be all that bad to listen on port 80 for a HTTPS-only site anyway, see this old thread:
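As an added example (not from this thread or from the certbot project): an nginx configuration that keeps port 80 open only for HTTP-01 challenges, answers them with a single hop and no redirect, and sends every other plaintext request to HTTPS, which resolves the tension in #3 (wanting no insecure connections) with the explanation in #4 (HTTP-01 needs port 80). It assumes the domain from the thread, a webroot at /var/www/letsencrypt that certbot is run with (`--webroot -w /var/www/letsencrypt`, an assumed path), and certbot's default /etc/letsencrypt/live/ certificate layout.

```nginx
# Added example, not the poster's config. Assumed paths: /var/www/letsencrypt (webroot
# given to certbot) and /var/www/html (site content). Certificate paths follow
# certbot's default live/ layout for the domain from the thread.

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name knnubt05oc.kuenn.co;

    # Challenge tokens that certbot writes into the webroot. This location must
    # not be redirected: the CA expects the token body, not a 301 (the loop in #2).
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
        default_type "text/plain";
        try_files $uri =404;
    }

    # Everything else: one hop to HTTPS. Redirecting to http://$host here is what
    # produced the loop in the original report.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name knnubt05oc.kuenn.co;
    client_max_body_size 10M;

    ssl_certificate     /etc/letsencrypt/live/knnubt05oc.kuenn.co/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/knnubt05oc.kuenn.co/privkey.pem;

    # HSTS: browsers that have seen the site once skip the plaintext hop entirely,
    # so port 80 is effectively only used by the CA's validator and first visits.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        root /var/www/html;
    }
}
```

After reloading nginx, `curl -i http://knnubt05oc.kuenn.co/.well-known/acme-challenge/test` should return 404 (not 301) for a missing token, while `curl -i http://knnubt05oc.kuenn.co/` should return a single 301 to https://.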

