Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: csg.utdallas.edu
I ran this command: certbot renew --dry-run --nginx --cert-name csg.utdallas.edu
It produced this output:
```
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/csg.utdallas.edu.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Simulating renewal of an existing certificate for csg.utdallas.edu
Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Domain: csg.utdallas.edu
  Type:   connection
  Detail: 129.110.92.18: Fetching http://csg.utdallas.edu/.well-known/acme-challenge/s4wOa1Iwu0_OOZZnpJjCKVuJprIpXi-X_9icxIuHCd4: Connection reset by peer
Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.
Failed to renew certificate csg.utdallas.edu with error: Some challenges have failed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All simulated renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/csg.utdallas.edu/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
```
My web server is (include version): nginx/1.14.1
The operating system my web server runs on is (include version): CentOS Stream release 8
I can login to a root shell on my machine (yes or no, or I don't know): yes
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.22.0
Here is our nginx server block, `/etc/nginx/sites-available/ghost`:
```nginx
server {
    server_name csg.utdallas.edu; # managed by Certbot
    listen 80;
    location / {
        root /var/www/ghost;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_pass http://127.0.0.1:2368;
    }
    client_max_body_size 50m;
    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl default_server ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/csg.utdallas.edu/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/csg.utdallas.edu/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
```
When I remove the listen 443 the site no longer posts. Could this be firewall issues on port 80? I inherited this site from the previous manager and am not the most familiar with nginx.
I think I read that somewhere but I'm guessing that's wrong. When I run `certbot renew --cert-name csg.utdallas.edu --dry-run` I get the output:
```
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/csg.utdallas.edu.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Simulating renewal of an existing certificate for csg.utdallas.edu
Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Domain: csg.utdallas.edu
  Type:   connection
  Detail: 129.110.92.18: Fetching http://csg.utdallas.edu/.well-known/acme-challenge/2JpH-vvT4DVWxBuD6wQYE_rlVdvO7w2XNLDphkmjOfI: Connection refused
Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.
Failed to renew certificate csg.utdallas.edu with error: Some challenges have failed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All simulated renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/csg.utdallas.edu/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
```
Output of `certbot certificates`:
```
Found the following certs:
  Certificate Name: csg.utdallas.edu
    Serial Number: 3e45aea5e6872bc69b89f19a50a77b9c42f
    Key Type: RSA
    Domains: csg.utdallas.edu
    Expiry Date: 2022-05-11 16:46:37+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/csg.utdallas.edu/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/csg.utdallas.edu/privkey.pem
```
Contents of `/etc/letsencrypt/renewal/csg.utdallas.edu.conf`:
```ini
# renew_before_expiry = 30 days
version = 1.6.0
archive_dir = /etc/letsencrypt/archive/csg.utdallas.edu
cert = /etc/letsencrypt/live/csg.utdallas.edu/cert.pem
privkey = /etc/letsencrypt/live/csg.utdallas.edu/privkey.pem
chain = /etc/letsencrypt/live/csg.utdallas.edu/chain.pem
fullchain = /etc/letsencrypt/live/csg.utdallas.edu/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = 487574e4ce6c432dc4d5e47cebf49ead
authenticator = nginx
installer = nginx
server = https://acme-v02.api.letsencrypt.org/directory
```
Yes, it looks like a firewall is blocking port 80. Let's Encrypt requires port 80 be open for the HTTP challenge (which the `--nginx` authenticator uses). And, LE recommends it be open anyway (link here).

See these results:

(request using HTTPS port 443 works if I ignore the cert error)
```
curl -Ik https://csg.utdallas.edu
HTTP/1.1 200 OK
Server: nginx/1.14.1
X-Powered-By: Express
```

(request with HTTP port 80 fails. Even just to home page)
```
curl -Ik -m8 http://csg.utdallas.edu
curl: (7) Failed to connect to csg.utdallas.edu port 80 after 38 ms: Connection refused
```
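As an added illustration of the two conditions the reply names (not code from the thread or from Certbot), the check below runs offline against the poster's nginx server block and a constructed firewalld zone listing: an HTTP-01 validation can only reach the temporary challenge file when nginx listens on TCP/80 and the host firewall admits it. The `firewall-cmd --list-all` sample and its service names are constructed; the `listen` lines are the ones quoted above.

```python
"""Offline pre-flight for the HTTP-01 challenge on a CentOS/nginx host.
Assumed (not from the thread): firewalld is the host firewall, and TCP/80 is
admitted via the 'http' service or an explicit '80/tcp' port rule."""
import re

# The listen lines from the server block quoted in the question.
NGINX_CONF = """
server {
    server_name csg.utdallas.edu; # managed by Certbot
    listen 80;
    location / {
        proxy_pass http://127.0.0.1:2368;
    }
    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl default_server ssl; # managed by Certbot
}
"""

# Constructed sample of `firewall-cmd --list-all` with only HTTPS admitted.
FIREWALLD_HTTPS_ONLY = """public (active)
  services: cockpit dhcpv6-client https ssh
  ports:
"""

def listen_ports(conf: str) -> set[int]:
    """TCP ports a server block listens on ('80', '[::]:443', '1.2.3.4:80')."""
    ports = set()
    for m in re.finditer(r"^\s*listen\s+([^;]+);", conf, re.M):
        addr = m.group(1).split()[0]            # drop ssl, default_server, ...
        port = addr.rsplit(":", 1)[-1] if ":" in addr else addr
        ports.add(int(port) if port.isdigit() else 80)  # address-only listen => 80
    return ports

def firewall_allows_80(list_all: str) -> bool:
    """True if the active firewalld zone admits TCP/80 by service or port rule."""
    services = re.search(r"^\s*services:\s*(.*)$", list_all, re.M)
    ports = re.search(r"^\s*ports:\s*(.*)$", list_all, re.M)
    by_service = "http" in services.group(1).split() if services else False
    by_port = "80/tcp" in ports.group(1).split() if ports else False
    return by_service or by_port

def http01_preflight(conf: str, list_all: str) -> list[str]:
    """Reasons the CA's fetch of /.well-known/acme-challenge/ would fail here."""
    problems = []
    if 80 not in listen_ports(conf):
        problems.append("nginx has no 'listen 80' in this server block")
    if not firewall_allows_80(list_all):
        problems.append("firewalld does not admit TCP/80 (CA sees 'Connection refused')")
    return problems
```

With the quoted config the nginx side passes and only the firewall finding remains, which matches the `curl` results in the reply.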