Can't generate cert. 404 not found

Hi!
I know. There are many similar topics. I think I read them all. But not a single answer solved my problem. Three months ago, I successfully received a certificate. When trying to update, I got various errors.

My domain is: amver.net
My hosting provider, if applicable, is: digital ocean
I ran this command: sudo certbot renew --dry-run
It produced this output:

Attempting to renew cert (www.zzz.net) from /etc/letsencrypt/renewal/www.zzz.net.conf produced an unexpected error: Missing command line flag or config entry for this setting:
    Select the webroot for www.zzz.net:
    Choices: ['Enter a new webroot', '/var/www/well-known']

    (You can set this with the --webroot-path flag). Skipping.
    The following certs could not be renewed:
      /etc/letsencrypt/live/www.zzz.net/fullchain.pem (failure)

I solved it by adding a line.

My web server is (include version): nginx version: nginx/1.14.0 (Ubuntu)

Further there was such an error:

Attempting to renew cert (www.zzz.net) from /etc/letsencrypt/renewal/www.zzzz.net.conf produced an unexpected error: Failed authorization procedure. www.zzz.net (http-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up A for www.zzz.net. Skipping.
The following certs could not be renewed:
  /etc/letsencrypt/live/www.zzz.net/fullchain.pem (failure)

I had to add the www domain and add an A record on DigitalOcean.
(although how did it work the first time without all this ???)
Well, and finally I have a 404 error and I cannot access the test file in the acme directory:

zzz.net:Verify error:Invalid response from http://zzz.net/.well-known/acme-challenge/o9xjJlMXfILDTD9o7h5nhmMX2iqZELZH2Mf9Wg9GSgw [xxx.xxx.xx.xx]:
[Wed Oct 16 07:44:26 UTC 2019] Please check log file for more details: /home/letsencrypt/.acme.sh/acme.sh.log

(I don't know, maybe this is not the end of my adventures). What am I doing wrong? Please help.

Here are my files:

upstream zzz {
    server localhost:5000;
}

server {
    listen 80;

    location ~ /.well-known/acme-challenge/ {
        allow all;
    }
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen *:443 ssl http2;

    server_name zzz.net www.zzz.net;

    ssl_certificate /etc/letsencrypt/live/www.zzz.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.zzz.net/privkey.pem;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_ecdh_curve secp384r1;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
}

and

[renewalparams]
account = 7f3fae13f882f4eb6794552e2246e3c1
rsa_key_size = 2048
authenticator = webroot
webroot-path = /var/www/html/well-known
server = https://acme-v02.api.letsencrypt.org/directory
post_hook = service nginx reload
[[webroot_map]]
zzz.net = /var/www/well-known
www.zzz.net = /var/www/html/well-known

Hi @sipakov

Please answer the following questions:

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

1 Like

Are you using acme.sh, Certbot or both?

zzz.net is using a different directory than the other two -- no ".../html/..." in the middle.

1 Like

Hi!

I am gradually supplementing my issue, thanks.
I tried this and that.
The issue lists errors from root and certbot.
I also created a separate letsencrypt user and used acme.sh, as in this manual:
https://jereze.com/code/letsencrypt-acme-no-root/
The result is the same - 404.

There is a check, created yesterday - https://check-your-website.server-daten.de/?q=amver.net

| Host | T | IP-Address | is auth. | ∑ Queries | ∑ Timeout |
|---|---|---|---|---|---|
| amver.net | A | 134.209.30.64 City of London/England/United Kingdom (GB) - DigitalOcean, LLC No Hostname found | yes | 1 | 0 |
| amver.net | AAAA | | yes | | |
| www.amver.net | | Name Error | yes | 1 | 0 |

The www version isn't defined, so it's impossible to create a certificate with the www name via http-validation.

| Domainname | IP-Address | Notes | Http-Status | redirect | Sec. | G |
|---|---|---|---|---|---|---|
| http://amver.net/ | 134.209.30.64 | GZip used - 384 / 612 - 37,25 %; Html is minified: 129,94 % | 200 | | 0.063 | H |
| https://amver.net/ | 134.209.30.64 | Inline-JavaScript (∑/total): 0/0; Inline-CSS (∑/total): 0/0; Not Found; Certificate error: RemoteCertificateChainErrors | 404 | | 2.450 | N |
| http://amver.net/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 134.209.30.64 | GZip used - 141 / 178 - 20,79 %; Inline-JavaScript (∑/total): 0/0; Inline-CSS (∑/total): 0/0; Html is minified: 108,54 %; Not Found; Visible Content: 404 Not Found nginx/1.14.0 (Ubuntu) | 404 | | 0.070 | A |

http + /.well-known/acme-challenge/random-filename isn't redirected to https.

The listen 80 server doesn't have a root. But I don't know exactly, if this is an error using --webroot.

Perhaps try --nginx as authenticator.

PS: You have created one new certificate yesterday:

| Issuer | not before | not after | Domain names | LE-Duplicate | next LE |
|---|---|---|---|---|---|
| Let's Encrypt Authority X3 | 2019-10-15 | 2020-01-13 | amver.net | 1 entries | duplicate nr. 1 |
| Let's Encrypt Authority X3 | 2019-07-17 | 2019-10-15 | amver.net, www.amver.net | 2 entries | |

But your expired certificate has two domain names.

So first step: Add a www A entry, so the www version has an ip address.

1 Like
| Type | Hostname | Directs to | TTL |
|---|---|---|---|
| A | www.amver.net | 134.209.30.64 | 3600 |
| NS | www.amver.net | ns1.digitalocean.com. | 1800 |
| NS | www.amver.net | ns2.digitalocean.com. | 1800 |
| NS | www.amver.net | ns3.digitalocean.com. | 1800 |

An A record has already been created for www.amver.net,
but before it was absent and everything worked fine
(there was an A record only for amver.net).

Sorry, the first entry I gave you was from an attempt with acme.sh, but the essence is the same with certbot.

Ah, rechecked the domain, now both domain names have A-records.

Next step:

Your port 80 server doesn't have a server_name.

server_name amver.net www.amver.net;

is required, then a restart.

Then try

certbot -d amver.net -d www.amver.net --nginx
2 Likes
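The two replies above point at three separate faults that all end in the same 404: one `webroot_map` entry pointing at a different directory than `webroot-path`, a port-80 server with no `root` behind the acme-challenge location, and no `server_name` on that server so `--nginx` cannot match it. The following checker is an added example written for this thread, not code from Certbot, nginx or the forum; it embeds constructed copies of the configs posted above (account id replaced by a placeholder), parses them with small hand-written parsers (assumed sufficient for these files, not a full nginx grammar), and reports those mismatches, then shows the corrected pair passing clean.

```python
"""Static lint for an ACME http-01 webroot setup (constructed example, not
Certbot's or nginx's own code). It flags the three faults from this thread:
a webroot_map entry that differs from webroot-path, a port-80 server with
no server_name (so certbot --nginx cannot match the -d names), and an
acme-challenge location with no root (so nginx answers 404)."""
import re

ACME_PATH = "/.well-known/acme-challenge/"

# Constructed sample: the renewal config from the thread, account id replaced.
RENEWAL_CONF = """\
[renewalparams]
account = ACCOUNT_ID_PLACEHOLDER
rsa_key_size = 2048
authenticator = webroot
webroot-path = /var/www/html/well-known
server = https://acme-v02.api.letsencrypt.org/directory
post_hook = service nginx reload
[[webroot_map]]
zzz.net = /var/www/well-known
www.zzz.net = /var/www/html/well-known
"""

# Constructed sample: the port-80 server block as posted in the thread.
NGINX_CONF = """\
upstream zzz { server localhost:5000; }
server {
    listen 80;
    location ~ /.well-known/acme-challenge/ { allow all; }
    location / { return 301 https://$host$request_uri; }
}
"""

# Corrected pair: one webroot everywhere, server_name set, and a root on the
# challenge location so nginx serves the token file Certbot writes there.
FIXED_RENEWAL_CONF = RENEWAL_CONF.replace(
    "zzz.net = /var/www/well-known", "zzz.net = /var/www/html/well-known")
FIXED_NGINX_CONF = """\
server {
    listen 80;
    server_name zzz.net www.zzz.net;
    location /.well-known/acme-challenge/ { root /var/www/html/well-known; }
    location / { return 301 https://$host$request_uri; }
}
"""


def parse_renewal(text):
    """Return ([renewalparams] dict, [[webroot_map]] dict) from a renewal file."""
    params, webroot_map = {}, {}
    target = params
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "[[webroot_map]]":
            target = webroot_map
        elif line.startswith("["):
            target = params
        else:
            key, _, value = line.partition("=")
            target[key.strip()] = value.strip()
    return params, webroot_map


def parse_nginx(text):
    """Tiny recursive-descent parser: list of (name, args, children) tuples."""
    text = re.sub(r"#.*", "", text)
    tokens = re.findall(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};]+', text)
    pos = 0

    def block():
        nonlocal pos
        items = []
        while pos < len(tokens) and tokens[pos] != "}":
            words = []
            while pos < len(tokens) and tokens[pos] not in ("{", ";"):
                words.append(tokens[pos])
                pos += 1
            if pos >= len(tokens):
                raise ValueError("truncated directive: " + " ".join(words))
            terminator = tokens[pos]
            pos += 1
            children = []
            if terminator == "{":
                children = block()
                if pos >= len(tokens) or tokens[pos] != "}":
                    raise ValueError("unclosed block: " + " ".join(words))
                pos += 1  # consume the closing brace
            if words:
                items.append((words[0], words[1:], children))
        return items

    return block()


def _port(listen_arg):
    """'80', '*:80' and '[::]:80' all map to '80'."""
    return listen_arg.rsplit(":", 1)[-1]


def http_servers(nginx_text):
    """Yield the child directives of every server block listening on port 80."""
    for name, _args, children in parse_nginx(nginx_text):
        if name != "server":
            continue
        listens = [a for d, args, _ in children if d == "listen" for a in args]
        if any(_port(a) == "80" for a in listens):
            yield children


def lint(renewal_text, nginx_text):
    """Return a list of human-readable findings; empty means the pair agrees."""
    params, webroot_map = parse_renewal(renewal_text)
    findings = []
    default_root = params.get("webroot-path")
    for host, path in webroot_map.items():
        if default_root and path != default_root:
            findings.append(f"{host}: webroot_map path {path} differs from "
                            f"webroot-path {default_root}")
    expected = set(webroot_map)
    port80 = list(http_servers(nginx_text))
    if not port80:
        findings.append("no server block listens on port 80; http-01 needs one")
    for children in port80:
        names = {n for d, args, _ in children if d == "server_name" for n in args}
        if not names:
            findings.append("port-80 server has no server_name, so certbot "
                            "--nginx cannot match it to the -d names")
        elif expected - names:
            findings.append("port-80 server_name is missing: "
                            + ", ".join(sorted(expected - names)))
        server_root = next((a[0] for d, a, _ in children if d == "root"), None)
        acme = [(a, kids) for d, a, kids in children
                if d == "location" and ACME_PATH in a]
        if not acme:
            findings.append(f"port-80 server has no location for {ACME_PATH}")
            continue
        for _args, kids in acme:
            root = next((a[0] for d, a, _ in kids if d == "root"), server_root)
            if root is None:
                findings.append("acme-challenge location has no root (own or "
                                "inherited): nginx will answer 404")
                continue
            for host, path in webroot_map.items():
                if path != root:
                    findings.append(f"{host}: certbot writes under {path} but "
                                    f"nginx serves {ACME_PATH} from {root}")
    return findings


if __name__ == "__main__":
    for label, pair in (("as posted", (RENEWAL_CONF, NGINX_CONF)),
                        ("corrected", (FIXED_RENEWAL_CONF, FIXED_NGINX_CONF))):
        print(label, lint(*pair) or ["ok"])
```

Run as-is it prints three findings for the posted configs and `ok` for the corrected pair. The `root` check is the one that explains the thread's 404 most directly: Certbot writes the token to `<webroot>/.well-known/acme-challenge/<token>`, and nginx only serves that file if the `root` for the challenge location is that same `<webroot>`; an `allow all;` on its own changes nothing about where nginx looks.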

Really? :hushed: :grinning: Adding the server name to port 80 and then running the command to add the certificate fixed everything!
Thank you so much for your support and prompt assistance. Perhaps I did not see this line in the existing answers.

2 Likes

Yep, that's required, so Certbot / the --nginx authenticator can find the vHost with the same list of domain names as your command.

Happy to read it had worked :+1:

1 Like
