Cannot renew Let's Encrypt Certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.chiuer.com

I ran this command: certbot renew

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/chiuer.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Could not parse file: /etc/nginx/sites-enabled/chiuer.com due to Expected string_end, found 'server'  (at char 0), (line:1, col:1)
Renewing an existing certificate for chiuer.com and www.chiuer.com

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Domain: chiuer.com
  Type:   unauthorized
  Detail: 45.55.150.218: Invalid response from https://www.chiuer.com/.well-known/acme-challenge/KAIPq36QPuJQzCvlqGc7MoKylf0IBcPtbqcDMTnjWf4: 404

  Domain: www.chiuer.com
  Type:   unauthorized
  Detail: 45.55.150.218: Invalid response from https://www.chiuer.com/.well-known/acme-challenge/LZe2vNDDit-e_tyUBEbBrbw8zz1KQACbjQVOuUpzsyY: 404

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Could not parse file: /etc/nginx/sites-enabled/chiuer.com due to Expected string_end, found 'server'  (at char 0), (line:1, col:1)
Failed to renew certificate chiuer.com with error: Some challenges have failed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/chiuer.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

And below is the letsencrypt.log

File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 1894, in main
    return config.func(config, plugins)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 1642, in renew
    renewed_domains, failed_domains = renewal.handle_renewal_request(config)
                                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/certbot/_internal/renewal.py", line 568, in handle_renewal_request
    raise errors.Error(
certbot.errors.Error: 1 renew failure(s), 0 parse failure(s)
2025-03-24 12:59:04,230:ERROR:certbot._internal.log:1 renew failure(s), 0 parse failure(s)

My web server is (include version): Nginx 1.24

The operating system my web server runs on is (include version): Ubuntu 24.04

My hosting provider, if applicable, is: DigitalOcean and proxied by Cloudflare

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.9.0

1 Like

Certbot has trouble parsing your nginx config. Would you post your entire nginx active config? Sometimes an error before that file causes the problem so best to look at everything.

Show the output of the command below. An upper case T is essential.

sudo nginx -T

Better is to pipe that to a file and upload the resulting file

sudo nginx -T >upload.txt
1 Like

Did you always have all those rewrite statements for previous cert requests using --nginx plugin?

Because their use of {} looks legal but I can also imagine them causing problems with the Certbot parser. Or, some other element in their syntax.

It is probably better to switch to using --webroot so that Certbot does not have to parse your nginx conf. Just as a test, what does this do? It will not modify your existing production certs.

sudo certbot certonly --dry-run --webroot -w /var/www/chiuer.com -d chiuer.com -d www.chiuer.com

If this works, a slightly different command will switch to webroot with auto reload of nginx, same as the --nginx plugin. Let us know the result of this --dry-run. Thanks

1 Like

Do I need to change the proxy to DNS only in Cloudflare before running this command?

No, it should work similarly to how --nginx was. With --nginx Certbot modifies your nginx.conf to reply to the HTTP request from the Let's Encrypt server. With --webroot Certbot just places a file into the -w folder and your nginx will just return that like it would any other file when the LE server requests it. The --webroot plugin does not need to parse your nginx conf.

Ideally we would make Configuration and Cache Rules or what-not so Cloudflare did not redirect the HTTP acme-challenge to HTTPS but it should be fine as you have it.

2 Likes
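An added example (not from this thread, and not Certbot's own code) of the mechanism the answer above describes: a shell self-check that drops a token file under the webroot's `.well-known/acme-challenge/` directory, reads it back, and optionally fetches it over plain HTTP the way the CA would. The webroot path and domain are assumptions passed in by the caller; the token name is constructed locally (a real ACME challenge response has CA-chosen content, so this only proves the path is served, not that a challenge would pass).

```shell
#!/bin/sh
# Constructed example: mimic what --webroot does (write a file under
# <webroot>/.well-known/acme-challenge/) and confirm it round-trips.
# Certbot is not involved; WEBROOT and DOMAIN are supplied by the caller.

# acme_webroot_selfcheck WEBROOT [DOMAIN]
# Returns 0 if the token file can be written and read back (and, when DOMAIN
# is given, fetched over HTTP with the same content); 1 otherwise.
# Always removes the token file it created.
acme_webroot_selfcheck() {
    webroot="$1"
    domain="${2:-}"
    dir="$webroot/.well-known/acme-challenge"
    # Locally constructed token name; real ACME tokens are chosen by the CA.
    token="selfcheck-$$-$(date +%s)"

    mkdir -p "$dir" || return 1
    printf '%s' "$token" > "$dir/$token" || return 1

    # 1. Local read-back: the file must exist with exactly the content written.
    got=$(cat "$dir/$token" 2>/dev/null)
    if [ "$got" != "$token" ]; then
        rm -f "$dir/$token"
        return 1
    fi

    # 2. Optional HTTP check: the CA requests
    #    http://DOMAIN/.well-known/acme-challenge/TOKEN. Redirects are followed
    #    (-L) because a proxy such as Cloudflare may bounce HTTP to HTTPS, which
    #    is acceptable as long as the final response carries the token.
    if [ -n "$domain" ]; then
        fetched=$(curl -fsSL "http://$domain/.well-known/acme-challenge/$token" 2>/dev/null)
        rm -f "$dir/$token"
        [ "$fetched" = "$token" ] || return 1
    else
        rm -f "$dir/$token"
    fi
    return 0
}
```

Usage: `acme_webroot_selfcheck /var/www/chiuer.com www.chiuer.com` (run as a user that can write to the webroot). A failure in step 1 points at the -w path or permissions; a failure in step 2 with step 1 passing points at nginx, the rewrite rules or the proxy not serving that path, which is the same 404 the nginx authenticator reported in the original post.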

See the result below after I ran the command

sudo certbot certonly --dry-run --webroot -w /var/www/chiuer.com -d chiuer.com -d www.chiuer.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
An RSA certificate named chiuer.com already exists. Do you want to update its
key type to ECDSA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(U)pdate key type/(K)eep existing key type: U
Simulating renewal of an existing certificate for chiuer.com and www.chiuer.com
The dry run was successful.

So does that mean I renewed the certificate successfully?

No, not yet. The --dry-run is just a test.

To get a fresh cert and update the renewal profile do the following:

sudo certbot certonly --webroot -w /var/www/chiuer.com -d chiuer.com -d www.chiuer.com --deploy-hook "sudo systemctl reload nginx"

The --deploy-hook is the command to reload nginx. I used the common Ubuntu command in the example but change it if you need to for your system.

Once that works you can test the renewal with

sudo certbot renew --dry-run

If that works you are all set :slight_smile:

2 Likes
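An added example, not from this thread, of what the --deploy-hook in the steps above can look like when written as a script rather than a bare reload command: it runs `nginx -t` first so that a broken config is never reloaded into a live server right after a renewal. Certbot does export RENEWED_LINEAGE and RENEWED_DOMAINS to deploy hooks; the NGINX_BIN and RELOAD_CMD variables are assumptions introduced here so the logic can be exercised on a machine without nginx.

```shell
#!/bin/sh
# Constructed example of a Certbot --deploy-hook script (not Certbot's or
# nginx's own code). Save it, e.g. as /usr/local/sbin/nginx-deploy-hook.sh, and
# pass it with --deploy-hook /usr/local/sbin/nginx-deploy-hook.sh.
#
# RENEWED_LINEAGE / RENEWED_DOMAINS are set by Certbot when it runs the hook.
# NGINX_BIN / RELOAD_CMD are assumptions here with sensible Ubuntu defaults.
NGINX_BIN="${NGINX_BIN:-nginx}"
RELOAD_CMD="${RELOAD_CMD:-systemctl reload nginx}"

# deploy_hook: returns 0 after a successful reload, 1 if the config test failed
# (the reload is skipped so the running server keeps its last good config), and
# 2 if the reload command itself failed.
deploy_hook() {
    lineage="${RENEWED_LINEAGE:-<unknown lineage>}"
    domains="${RENEWED_DOMAINS:-<unknown domains>}"

    if ! "$NGINX_BIN" -t >/dev/null 2>&1; then
        echo "deploy-hook: nginx config test failed; not reloading ($lineage: $domains)" >&2
        return 1
    fi
    if ! sh -c "$RELOAD_CMD"; then
        echo "deploy-hook: reload failed after renewing $lineage" >&2
        return 2
    fi
    echo "deploy-hook: nginx reloaded with the renewed certificate for $domains ($lineage)"
    return 0
}

# Certbot sets RENEWED_LINEAGE when it invokes the hook; when the file is only
# sourced (for example to test it), just define the function.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_hook
fi
```

Because the hook runs as root from Certbot (or from the systemd timer that runs `certbot renew`), the `sudo` prefix used in the one-line form above is not needed inside the script. The exit code is visible in /var/log/letsencrypt/letsencrypt.log, so a failed config test shows up there rather than as a site outage.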

Great, issue is solved, thanks for your help.

2 Likes