Can't renew certbot

My domain is: gotl.me

I ran this command: certbot renew

It produced this output:

Attempting to renew cert (gotl.me) from /etc/letsencrypt/renewal/gotl.me.conf produced an unexpected error: Some challenges have failed… Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/gotl.me/fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/gotl.me/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: gotl.me
    Type: unauthorized
    Detail: Invalid response from
    http://gotl.me/.well-known/acme-challenge/jZDOAerXBala3GDlW6DMTc6Gr1Kez_8eAGMwIQfjJ3I
    [207.154.249.10]: "\n<html lang=\"en\">\n

    \n \n <meta http-equiv=\"X-UA-Compatible\" content=\"I"

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

My web server is (include version): Nginx 1.22.2

The operating system my web server runs on is (include version): CentOS 7.4.1708 x64

My hosting provider, if applicable, is: digitalocean

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

certbot 0.32.0

Currently Nginx can't read files under public, I mean this .well-known URL, but before it was reading them and I was still getting the same error… What can I do? :confused: Additionally, I have renewed it before as I remember, so I don't know what's wrong now…

Could you provide the output of Certbot from the very start? e.g. Is it using webroot or nginx authenticator?

Does this succeed?

certbot renew --cert-name gotl.me -a nginx --dry-run

Nope… Responds like this:

Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for gotl.me
Waiting for verification…
Challenge failed for domain gotl.me
http-01 challenge for gotl.me
Cleaning up challenges
Attempting to renew cert (gotl.me) from /etc/letsencrypt/renewal/gotl.me.conf produced an unexpected error: Some challenges have failed… Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/gotl.me/fullchain.pem (failure)


** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/gotl.me/fullchain.pem (failure)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: gotl.me
    Type: unauthorized
    Detail: Invalid response from
    http://gotl.me/.well-known/acme-challenge/TPsa9OOmwYm6NKgmXmc1ahnhI9r5Hhbn1qPUZ6QhdxM
    [207.154.249.10]: "\n<html lang=\"en\">\n

    \n \n <meta http-equiv=\"X-UA-Compatible\" content=\"I"

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.
    [root@gotl ~]#

Could you share your nginx configuration for that virtualhost (i.e. the bits in /etc/nginx/conf.d/)?

I can’t see any reason this should fail other than something strange in the virtualhost.

Following default.conf – START –

server {
    listen 80;
    server_name 207.154.249.10;
    # note that these lines are originally from the "location /" block
    root /usr/share/nginx/GOTL/public;
    index index.php index.html index.htm;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }
    error_page 404 /404.html;
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }

    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
        fastcgi_param PHP_VALUE "upload_max_filesize=350M \n post_max_size=350M";
    }
    client_max_body_size 350m;
}
– END –

Following nginx.conf

– START –

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    tcp_nodelay         on;

    types_hash_max_size 2048;

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    include /etc/nginx/conf.d/*.conf;

    fastcgi_cache_path /tmp/nginx_cache levels=1:2 keys_zone=ZONE_1:100m inactive=60m;
    fastcgi_cache_key "$scheme$request_method$host$request_uri";
    add_header X-Cache $upstream_cache_status;

    client_body_buffer_size 10k;
    client_max_body_size 8m;

    client_header_buffer_size 1k;
    client_body_timeout 12;
    client_header_timeout 12;
    keepalive_timeout 45s;
    send_timeout 15;
    sendfile on;
    tcp_nopush on;

    server {
        server_name gotl.me;
        # note that these lines are originally from the "location /" block
        root /usr/share/nginx/GOTL/public;
        index index.php index.html index.htm;
        location /react/fetch_info {
            access_log off;
        }
        location / {
            try_files $uri $uri/ /index.php?$query_string;
        }
        error_page 404 /404.html;
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root /usr/share/nginx/html;
        }

        location ~ \.php$ {
            try_files $uri =404;
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
            # fastcgi_pass php-fpm;
            # (the line above duplicated the fastcgi_pass directive; nginx rejects a
            # second fastcgi_pass in the same location, so it is commented out here)

            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include fastcgi_params;
            fastcgi_param PHP_VALUE "upload_max_filesize=350M \n post_max_size=350M";

            fastcgi_cache ZONE_1;
            fastcgi_cache_valid 200 60m;
        }
        client_max_body_size 350m;

        listen 443 ssl; # managed by Certbot
        ssl_certificate /etc/letsencrypt/live/gotl.me/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/gotl.me/privkey.pem; # managed by Certbot
        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
    }

    server {
        if ($host = gotl.me) {
            return 301 https://$host$request_uri;
        } # managed by Certbot

        listen [::]:80;
        server_name  gotl.me;
        return 404; # managed by Certbot
    } # closing brace of this server block (cut off in the paste)
} # closing brace of the http block (cut off in the paste)
– END –

Add this right below it:

listen 80;

I tried reproducing your environment, got the same 404 problem. Guessing that an (effective) IPv6-only listen address was the problem, I tried the above, and it started working.

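Added example, not from the thread or from Certbot: a small Python lint (assumed names, stand-alone) that parses nginx server blocks and flags any listener bound only to an IPv6 wildcard address, which is what left the gotl.me port-80 block unreachable over IPv4. It assumes nginx's default of ipv6only=on for [::] sockets and runs on a trimmed copy of the config posted above.

```python
import re
# A directive starts at a line start or right after ';' / '{', which skips commented-out copies.
LISTEN_RE = re.compile(r'(?:^|(?<=[;{]))\s*listen\s+([^;]+);', re.M)
NAME_RE = re.compile(r'(?:^|(?<=[;{]))\s*server_name\s+([^;]+);', re.M)
SERVER_RE = re.compile(r'\bserver\s*\{')

def split_server_blocks(conf):
    """Return the body of every `server { ... }` block, found by brace counting."""
    blocks, i = [], 0
    while m := SERVER_RE.search(conf, i):
        depth, j = 1, m.end()
        while j < len(conf) and depth:
            depth += {'{': 1, '}': -1}.get(conf[j], 0)
            j += 1
        blocks.append(conf[m.end():j - 1])
        i = j
    return blocks

def parse_listen(args):
    """Map one listen argument string to (port, set of address families it accepts)."""
    addr, *params = args.split()
    if addr.startswith('unix:'):          # unix sockets are not network listeners
        return None
    if addr.startswith('['):              # [addr]:port is IPv6; nginx binds it with
        host, _, port = addr[1:].partition(']')   # IPV6_V6ONLY unless ipv6only=off
        fams = {'ipv6'} | ({'ipv4'} if host == '::' and 'ipv6only=off' in params else set())
        return int(port.lstrip(':') or 80), fams
    if addr.isdigit():                    # bare port means *:port, IPv4 only
        return int(addr), {'ipv4'}
    # a.b.c.d:port or *:port (hostnames are assumed to resolve to IPv4 here)
    return int(addr.rpartition(':')[2] or 80), {'ipv4'}

def ipv6_only_listeners(conf):
    """Return sorted (server_name, port) pairs that no IPv4 client can ever reach."""
    findings = []
    for block in split_server_blocks(conf):
        name = next((n.group(1).split()[0] for n in NAME_RE.finditer(block)), '(no server_name)')
        ports = {}
        for m in LISTEN_RE.finditer(block):
            if parsed := parse_listen(m.group(1)):
                ports.setdefault(parsed[0], set()).update(parsed[1])
        findings += [(name, p) for p, f in ports.items() if f == {'ipv6'}]
    return sorted(findings)

# Constructed sample: the thread's nginx.conf trimmed to the directives that matter.
SAMPLE_CONF = """
server { listen 80; server_name 207.154.249.10; }
server { server_name gotl.me; listen 443 ssl; }  # managed by Certbot
server { if ($host = gotl.me) { return 301 https://$host$request_uri; }
         listen [::]:80; server_name gotl.me; return 404; }
"""
```

Running `ipv6_only_listeners(SAMPLE_CONF)` reports `[('gotl.me', 80)]`; adding `listen 80;` next to the `[::]:80` line, as the reply suggests, clears the finding.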

It worked!!

Waiting for verification…
Cleaning up challenges


new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/gotl.me/fullchain.pem



Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/gotl.me/fullchain.pem (success)


Thank you so much mate, the world needs people like you! :)) Thank you

