Can't certbot renew in nginx

Here is the cat of exampleprint.com.conf:

renew_before_expiry = 30 days

version = 0.8.1
cert = /etc/letsencrypt/live/exampleprint.com/cert.pem
privkey = /etc/letsencrypt/live/exampleprint.com/privkey.pem
chain = /etc/letsencrypt/live/exampleprint.com/chain.pem
fullchain = /etc/letsencrypt/live/exampleprint.com/fullchain.pem

# Options used in the renewal process

[renewalparams]
authenticator = webroot
installer = None
account = 05c789ed330bc5c4d238b8d43e3292be
[[webroot_map]]
member.exampleprint.com = /srv/examplestore/www/public
exampleprint.com = /srv/exampestore/www/public
www.exampleprint.com = /srv/exmplestore/www/public

and of shop.example.com.conf:

renew_before_expiry = 30 days

version = 0.8.1
cert = /etc/letsencrypt/live/shop.example.com/cert.pem
privkey = /etc/letsencrypt/live/shop.example.com/privkey.pem
chain = /etc/letsencrypt/live/shop.example.com/chain.pem
fullchain = /etc/letsencrypt/live/shop.example.com/fullchain.pem

# Options used in the renewal process

[renewalparams]
authenticator = webroot
installer = None
account = 05c789ed330bc5c4d238b8d43e3292be
[[webroot_map]]
shop.example.com = /srv/shop.example.com/www/public

And how do I make a single test, as you suggested, for each webroot? Is it done by editing /etc/nginx/sites-enable/shop.example.com.conf to add .well-known/acme-challenge, and how do I confirm that it appears on the web?

Thank you

Nope, I mean make a text file at /srv/examplestore/www/public/.well-known/acme-challenge/test.txt and make sure that's visible at http://member.exampleprint.com/.well-known/acme-challenge/test.txt and http://exampleprint.com/.well-known/acme-challenge/test.txt and http://www.exampleprint.com/.well-known/acme-challenge/test.txt.

Then make a second text file at /srv/shop.example.com/www/public/.well-known/acme-challenge/test2.txt and make sure that's visible at http://shop.example.com/.well-known/acme-challenge/test2.txt.

If both of these work as described, make sure that the results would be the same for a visitor who connects via IPv6, if any of your domain names publishes an AAAA record in DNS.

Hi @schoen, now I am getting this:

Processing /etc/letsencrypt/renewal/shop.example.com.conf

Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Attempting to renew cert from /etc/letsencrypt/renewal/shop.example.com.conf produced an unexpected error: urn:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new authz :: Too many invalid authorizations recently… Skipping.


Processing /etc/letsencrypt/renewal/example.com.conf

Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Attempting to renew cert from /etc/letsencrypt/renewal/example.com.conf produced an unexpected error: urn:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new authz :: Too many invalid authorizations recently… Skipping.

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/shop.example.com/fullchain.pem (failure)
/etc/letsencrypt/live/example.com/fullchain.pem (failure)

How do I solve this without creating a new certificate? I think I have tried to renew too many times.
Thank you

Wahyu

The result of making the test file for the two sites:
404 :: Page Not Found
The page you requested cannot be found

I don’t know why.

Please help

Hi @schoen

This goes back to the renewal failing: when I close the terminal, reopen it and run certbot renew, it does not appear:
Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Attempting to renew cert from /etc/letsencrypt/renewal/shop.example.com.conf produced an unexpected error: urn:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new authz :: Too many invalid authorizations recently… Skipping.

Processing /etc/letsencrypt/renewal/example.com.conf

Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Attempting to renew cert from /etc/letsencrypt/renewal/example.com.conf produced an unexpected error: urn:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new authz :: Too many invalid authorizations recently… Skipping.

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/shop.example.com/fullchain.pem (failure)
/etc/letsencrypt/live/example.com/fullchain.pem (failure)

It just goes back to the first failure from when I posted the first time.


This means that you must wait an hour before trying to get a certificate again. In any case, it won't work until you fix the other 404 problem, so it's not necessary to keep trying. The problem is with your configuration (possibly Certbot's renewal configuration no longer matches your web server's configuration), not on the certificate authority's side.

That's definitely enough to prevent the renewal authorizations from working!

A next step for debugging purposes would be to try to make test files at the top level of your web sites (instead of within /.well-known/acme-challenge). Can you do that?

I am sorry if I made a mistake… For the next debugging step, do I add /.well-known/acme-challenge to the nginx files? Example:

location /.well-known/acme-challege {
root /srv/examplestore/www/public;
}

Am I right?

Don’t do that yet. (Also, you misspelled “challenge” above.)

Can you make a file in /srv/examplestore/www/public and see the contents of that file at the top level of your web site?

Hi @schoen

I created a blank text.txt file in /srv/examplestore/www/public and tried to access it in a web browser:
examplestore.com/text.txt

The result is: at the top is the header of the website, and the body is:

404 :: Page Not Found
The page you requested cannot be found.

OK! This is making progress in analyzing the situation. :) So, what made you say that /srv/examplestore/www/public is your web root directory? Are there any other individual files in there that are visible on your web site? Do you know a way to post an individual file on your web site?

Is it possible that when you originally configured the web server, you had files in /srv/examplestore/www/public but then you set up a web application like WordPress or Drupal or Joomla or something, and rerouted URLs on your site to be handled by that web application instead of being served out of the filesystem?

So based on your question, /srv/examplestore/www/public is not my webroot? For the second question, I don’t know how to upload a file from the website; I think it is from the admin dashboard that was created by the Laravel programmer.

For the last one, usually I deploy the web on the server in the /srv directory, and the configuration was set up by the previous sysadmin…

Then how can I renew Let's Encrypt via the certbot renew command?

Thank you,

Wahyu

It might indeed require a location directive in your nginx configuration to make clear that that location should be served from a specified location. I would suggest root /src/examplestore/www/public/.well-known/acme-challenge rather than root /src/examplestore/www/public as a first try, though, unless I'm misremembering how location works.

In general, it will be necessary to find or create some direct relationship between "files get written over here on the disk" and "those same files show up over here on the web site", because that's what Certbot is expecting with the webroot setting.

To elaborate a bit on @schoen’s comments, you can set this up many ways, but I would recommend the following to have minimal impact on the rest of your setup. Add the following to your nginx config:

location /.well-known/acme-challenge {
    root /src/examplestore/www/public/.well-known/acme-challenge;
}

This will leave everything else the same, except that now any requests to http(s)://whatever.example.com/.well-known/acme-challenge will pull files from /src/examplestore/www/public/.well-known/acme-challenge. You would then set /src/examplestore/www/public as your webroot for certbot and it will place the challenges in the proper directory. (Create these first so nginx doesn’t get mad.)

In the nginx config, root /srv/examplestore/www/public/ is under the server name row.

But if you make a file /src/examplestore/www/public/test.txt, you can’t see that file at /test.txt on the web site itself?

Nginx appends the full path to the root. It needs to be “root /src/examplestore/www/public;”. “root /src/examplestore/www/public/.well-known/acme-challenge;” would use paths like /src/examplestore/www/public/.well-known/acme-challenge/.well-known/acme-challenge.

Nginx’s error.log should show what path it’s been trying to use.

However… Nginx’s default 404 page uses different phraseology. It’s:

404 Not Found


nginx/1.12.1

It’s totally possible the site is configured to use a non-default 404 page, but it could also be that 404 errors are coming from some backend PHP web application or somesuch.

Edit:

And Nginx’s default error pages don’t contain a <meta> tag.

If the error is coming from a web application, Nginx’s error.log probably doesn’t contain anything, and you’d have to see if the web application has logs.
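The two checks discussed in this thread, the test-file visibility test @schoen described (including the IPv6 case) and the "root appends the full URI" rule @mnordhoff explained, as an added example script that is not from the thread or from Certbot. The webroot/hostname pairs are constructed from the webroot_map shown above; adjust them for a real server.

```shell
#!/bin/sh
# Added example (not from the thread): two helpers for the checks discussed
# above. nginx_root_path shows how nginx's "root" maps a request URI to a
# file; verify_webroot drops a token file in a webroot and fetches it back
# over IPv4 or IPv6 the way the ACME server would.
set -u

# nginx appends the full request URI to "root", so a root that already ends
# in /.well-known/acme-challenge yields a doubled path. A trailing slash on
# the root is stripped only to normalise the output.
nginx_root_path() {            # usage: nginx_root_path ROOT URI
  printf '%s%s\n' "${1%/}" "$2"
}

# Returns 0 when GET http://HOST/.well-known/acme-challenge/TOKEN returns the
# token file written under WEBROOT, 1 otherwise. Third argument selects the
# address family for curl (-4 or -6); the file is removed afterwards.
verify_webroot() {             # usage: verify_webroot WEBROOT HOST [-4|-6]
  webroot=$1; host=$2; ipver=${3:--4}
  dir="$webroot/.well-known/acme-challenge"
  mkdir -p "$dir" || return 1
  token="probe-$(date +%s)-$$"
  printf 'ok %s\n' "$token" > "$dir/$token" || return 1
  got=$(curl -s "$ipver" --max-time 10 \
        "http://$host/.well-known/acme-challenge/$token")
  rc=$?
  rm -f "$dir/$token"
  [ "$rc" -eq 0 ] && [ "$got" = "ok $token" ]
}

# Run as "sh acme-webroot-check.sh --run" on the web server itself. The
# webroot/hostname pairs are constructed from the thread's webroot_map.
if [ "${1:-}" = "--run" ]; then
  for pair in "/srv/examplestore/www/public member.exampleprint.com" \
              "/srv/examplestore/www/public exampleprint.com" \
              "/srv/examplestore/www/public www.exampleprint.com" \
              "/srv/shop.example.com/www/public shop.example.com"; do
    set -- $pair
    for fam in -4 -6; do
      if verify_webroot "$1" "$2" "$fam"; then
        echo "OK   $2 ($fam)"
      else
        echo "FAIL $2 ($fam): check nginx root/location and error.log"
      fi
    done
  done
fi
```

A FAIL on -6 only means the AAAA record points somewhere that does not serve the same webroot, which is exactly the case @schoen asked about.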

Hi all,

Please close; the issue was solved by creating a new certificate. My mistake was that I renewed on the old server. I forgot that the web app was moved to a new VPS server…
And many thanks to @schoen @jared.m @mnordhoff for your support.

Thank you,

Wahyu
