Cannot renew expired certificate

details:
(www.)danso.ca
nginx
Arch Linux
Linode
certbot 2.1.0

sudo certbot renew --cert-name danso.ca --verbose

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/danso.ca.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate for danso.ca and www.danso.ca
Performing the following challenges:
http-01 challenge for www.danso.ca
Waiting for verification...
Challenge failed for domain www.danso.ca
http-01 challenge for www.danso.ca

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Domain: www.danso.ca
  Type:   connection
  Detail: 217.70.184.56: Fetching http://www.danso.ca/.well-known/acme-challenge/pxZW1TAT44NfmTJEjaEAUhXJv9MLApf1paiys8DkGU8: Error getting validation data

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Cleaning up challenges
Failed to renew certificate danso.ca with error: Some challenges have failed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/danso.ca/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

sudo nginx -T

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:

#user http;
worker_processes  1;

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

#pid        logs/nginx.pid;


events {
    worker_connections  1024;
}


http {
#     include       mime.types;
    default_type  application/octet-stream;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    types_hash_max_size 4096;

    #gzip  on;

    server {
        server_name  danso.ca www.danso.ca;
        listen 443 ssl default_server;
        listen [::]:443 ssl default_server;

        #charset koi8-r;
        charset UTF-8;

        #access_log  logs/host.access.log  main;

        location / {
            root   /var/www/danso.ca;
            index  index.html index.htm;
            try_files $uri $uri/ =404;
        }

        location /feeds {
            root   /var/www/danso.ca;
            # index  index.html index.htm;
            default_type application/atom+xml;
            types {
                application/atom+xml    xml;
            }
        }

        error_page  404              /404.html;

        error_page  403     =404     /404.html;

        # redirect server error pages to the static page /50x.html
        #
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   /usr/share/nginx/html;
        }

        ssl_certificate /etc/letsencrypt/live/danso.ca/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/danso.ca/privkey.pem; # managed by Certbot
        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
    }

    server {
        if ($host = danso.ca) {
            return 302 https://$host$request_uri;
        }

        if ($host = www.danso.ca) {
            return 302 https://$host$request_uri;
        }

        listen       80;
        listen       [::]:80;
        server_name  danso.ca www.danso.ca;
        return 404; # managed by Certbot
    }

    include sites-enabled/*;
}

# configuration file /etc/letsencrypt/options-ssl-nginx.conf:
# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file. Contents are based on https://ssl-config.mozilla.org

ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;
ssl_session_tickets off;

ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;

ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";

# configuration file /etc/nginx/sites-enabled/pleroma.nginx:
# default nginx site config for Pleroma
#
# Simple installation instructions:
# 1. Install your TLS certificate, possibly using Let's Encrypt.
# 2. Replace 'example.tld' with your instance's domain wherever it appears.
# 3. Copy this file to /etc/nginx/sites-available/ and then add a symlink to it
#    in /etc/nginx/sites-enabled/ and run 'nginx -s reload' or restart nginx.

proxy_cache_path /tmp/pleroma-media-cache levels=1:2 keys_zone=pleroma_media_cache:10m max_size=10g
                 inactive=720m use_temp_path=off;

# this is explicitly IPv4 since Pleroma.Web.Endpoint binds on IPv4 only
# and `localhost.` resolves to [::0] on some systems: see issue #930
upstream phoenix {
    server 127.0.0.1:4000 max_fails=5 fail_timeout=60s;
}

server {
    server_name    mtl.rocks www.mtl.rocks;

    listen         80;
    listen         [::]:80;

    # Uncomment this if you need to use the 'webroot' method with certbot. Make sure
    # that the directory exists and that it is accessible by the webserver. If you followed
    # the guide, you already ran 'mkdir -p /var/lib/letsencrypt' to create the folder.
    # You may need to load this file with the ssl server block commented out, run certbot
    # to get the certificate, and then uncomment it.
    #
    # location ~ /\.well-known/acme-challenge {
    #     root /var/lib/letsencrypt/;
    # }
    location / {
      return         302 https://$server_name$request_uri;
    }
}

# Enable SSL session caching for improved performance
ssl_session_cache shared:ssl_session_cache:10m;

server {
    server_name mtl.rocks www.mtl.rocks;

    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
    ssl_session_tickets off;

    ssl_trusted_certificate   /etc/letsencrypt/live/mtl.rocks/chain.pem;
    ssl_certificate           /etc/letsencrypt/live/mtl.rocks/fullchain.pem;
    ssl_certificate_key       /etc/letsencrypt/live/mtl.rocks/privkey.pem;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
    ssl_prefer_server_ciphers off;
    # In case of an old server with an OpenSSL version of 1.0.2 or below,
    # leave only prime256v1 or comment out the following line.
    ssl_ecdh_curve X25519:prime256v1:secp384r1:secp521r1;
    ssl_stapling on;
    ssl_stapling_verify on;

    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_buffers 16 8k;
    gzip_http_version 1.1;
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript application/activity+json application/atom+xml;

    # the nginx default is 1m, not enough for large media uploads
    client_max_body_size 16m;
    ignore_invalid_headers off;

    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host $http_host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    location / {
        proxy_pass http://phoenix;
    }

    location ~ ^/(media|proxy) {
        proxy_cache        pleroma_media_cache;
        slice              1m;
        proxy_cache_key    $host$uri$is_args$args$slice_range;
        proxy_set_header   Range $slice_range;
        proxy_cache_valid  200 206 301 304 1h;
        proxy_cache_lock   on;
        proxy_ignore_client_abort on;
        # dan did this
        #proxy_buffering    on;
        proxy_buffering    off;
        proxy_buffer_size  16k;
        proxy_buffers      64 4k;
        proxy_busy_buffers_size  64k;
        # end of dan
        chunked_transfer_encoding on;
        proxy_pass         http://phoenix;
    }
}

Hi @danso, and welcome to the LE community forum :slight_smile:

The IPs are very dissimilar:

Name:      danso.ca
Addresses: 2600:3c03::f03c:91ff:fe05:6954
           45.33.68.83

Name:      webredir.gandi.net
Address:   217.70.184.56
Aliases:   www.danso.ca
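The failure above is a DNS mismatch rather than an nginx problem: the apex resolves to the Linode, while www is a CNAME to Gandi's redirect host, so the CA fetches the http-01 token from a box that does not have it. As an added example (not part of this thread or of Certbot), here is a pre-flight check that resolves every name in a renewal set and reports any that do not point at an address this server owns. The resolver is injectable so the check runs offline against constructed data copied from the nslookup output above; in real use pass `resolve_dns` and the host's actual addresses.

```python
import socket
from typing import Callable, Iterable


def resolve_dns(name: str) -> set:
    """Resolve a hostname to its A/AAAA addresses via the system resolver."""
    return {info[4][0]
            for info in socket.getaddrinfo(name, 80, proto=socket.IPPROTO_TCP)}


def check_renewal_names(names: Iterable[str], local_addrs: set,
                        resolve: Callable[[str], set] = resolve_dns) -> dict:
    """Report, per name, whether an http-01 challenge would reach this host.

    'ok'              -> at least one resolved address belongs to this server
    'points elsewhere'-> the CA would fetch the token from another host
    'unresolvable'    -> the name does not resolve at all
    """
    report = {}
    for name in names:
        try:
            addrs = resolve(name)
        except OSError as exc:
            report[name] = f"unresolvable: {exc}"
            continue
        if addrs & local_addrs:
            report[name] = "ok"
        else:
            report[name] = "points elsewhere: " + ", ".join(sorted(addrs))
    return report


# Constructed sample data mirroring the thread: apex -> Linode, www -> Gandi webredir.
SAMPLE_DNS = {
    "danso.ca": {"45.33.68.83", "2600:3c03::f03c:91ff:fe05:6954"},
    "www.danso.ca": {"217.70.184.56"},
}
LOCAL_ADDRS = {"45.33.68.83", "2600:3c03::f03c:91ff:fe05:6954"}


def sample_resolver(name: str) -> set:
    """Offline stand-in for resolve_dns, answering only from SAMPLE_DNS."""
    if name not in SAMPLE_DNS:
        raise OSError(f"NXDOMAIN for {name}")
    return SAMPLE_DNS[name]


if __name__ == "__main__":
    report = check_renewal_names(["danso.ca", "www.danso.ca"], LOCAL_ADDRS, sample_resolver)
    for name, status in report.items():
        print(f"{name}: {status}")
```

Run it before `certbot renew` to catch a stray CNAME or redirect service before the CA does.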

Thanks for remarking that -- I did not know that IP address was supposed to be mine.

I don't understand why this is a problem now -- I have been using Gandi's web redirect service for years and it's never confused Certbot before...

I have removed it and am waiting for the DNS changes to propagate.

edit: everything is fixed, thank you :heart:


I'm glad to hear that you have the cert you needed.
:slight_smile:

Maybe they changed the way they redirect.
OR
Your previous certs were for the FQDN "danso.ca" [and they did not include the "www"].
OR
You used DNS-01 authentication.

