Can't renew certificate

I spent several hours trying to renew the certificates for my site.

It was painful to initially get the certs as well. It ended up working using DNS instead of HTTP. It seems that DNS doesn't allow me to renew.

I'd like to start fresh with HTTP and make sure the renewal will work in the future. The main site is Pretalx (a CFP portal).

I've set up a root directory for letsencrypt:
/var/www/letsencrypt/.well-known/acme-challenge

Here's my nginx config file:

server {
    listen 80 default_server;
    listen [::]:80 default_server ipv6only=on;
    server_name cfp.snowcon.info;

    root /var/www/cfp.snowcon.info;
    index index.html;
    location / {
        try_files $uri $uri/ =404;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    ssl_certificate /etc/letsencrypt/live/cfp.snowcon.info/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/cfp.snowcon.info/privkey.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
    ssl_session_tickets off;

    location /media/ {
        gzip on;
        alias /var/pretalx/data/media/;
        autoindex on;
        add_header Content-Disposition 'attachment';
    }

    location / {
        proxy_pass http://localhost:8345;
#       include proxy_params;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header Host $http_host;
    }

    # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
    # ssl_dhparam /path/to/dhparam;

    # intermediate configuration
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;

    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
    # add_header Strict-Transport-Security "max-age=63072000" always;

    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;

    # verify chain of trust of OCSP response using Root CA and Intermediate certs
    # ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;

    # replace with the IP address of your resolver
    resolver 8.8.8.8;
}

I have a file called /etc/letsencrypt/renewal/cfp.snowcon.info that looks like this:

# renew_before_expiry = 30 days
version = 2.1.0
archive_dir = /etc/letsencrypt/archive/cfp.snowcon.info
cert = /etc/letsencrypt/live/cfp.snowcon.info/cert.pem
privkey = /etc/letsencrypt/live/cfp.snowcon.info/privkey.pem
chain = /etc/letsencrypt/live/cfp.snowcon.info/chain.pem
fullchain = /etc/letsencrypt/live/cfp.snowcon.info/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = XYZ
pref_challs = dns-01,
authenticator = nginx
server = https://acme-v02.api.letsencrypt.org/directory
key_type = ecdsa
installer = nginx

Not sure if anyone can help. I've tried so many guides that I'm getting lost in my own changes.
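The checks a practitioner would run on the nginx host before retrying http-01, as an added example (not the poster's setup and not part of Certbot): resolve every A and AAAA record for the host and compare them with the addresses this nginx actually listens on, serve a throwaway token from the webroot and fetch it over IPv4 and IPv6 separately, and print the location stanza that the listen 80 server block above does not contain. HOST and WEBROOT are taken from the post; MY_ADDRS, the documentation addresses 203.0.113.10 and 2001:db8::10, and the --live switch are assumptions to replace with your own values. The network steps run only with --live, so the functions can be exercised without touching DNS.

```shell
#!/bin/sh
# Added example, not from the thread or the Certbot project: preflight checks
# for an http-01 (webroot) issuance, run on the nginx host itself.
# HOST and WEBROOT follow the thread; MY_ADDRS is an assumption, replace it
# with the public IPv4/IPv6 addresses this nginx actually listens on.
HOST="cfp.snowcon.info"
WEBROOT="/var/www/letsencrypt"
MY_ADDRS="203.0.113.10 2001:db8::10"

# check_addrs "<resolved addrs>" "<allowed addrs>": returns 0 if every
# resolved A/AAAA address belongs to this server, 1 otherwise (offenders on
# stdout). A stray AAAA record sends the ACME validator to another host.
check_addrs() {
    bad=0
    for a in $1; do
        case " $2 " in
            *" $a "*) ;;
            *) echo "unexpected address: $a"; bad=1 ;;
        esac
    done
    return $bad
}

# Resolve A and AAAA records, since the validator may use either family.
resolve_all() {
    dig +short A "$1"; dig +short AAAA "$1"
}

# The stanza the listen 80 server block is missing: serve the challenge
# directory from the webroot, taking precedence over the catch-all location.
print_acme_location() {
    cat <<EOF
    location ^~ /.well-known/acme-challenge/ {
        root $1;
        default_type text/plain;
    }
EOF
}

# Drop a token in the webroot and fetch it over IPv4 and IPv6 separately,
# mirroring what the ACME server's validation request will do.
probe_challenge() {
    token="preflight-$(date +%s)"
    dir="$2/.well-known/acme-challenge"
    mkdir -p "$dir" && echo "$token" > "$dir/$token"
    for fam in 4 6; do
        got=$(curl -s "-$fam" --max-time 10 "http://$1/.well-known/acme-challenge/$token" || true)
        if [ "$got" = "$token" ]; then
            echo "IPv$fam: challenge path reachable"
        else
            echo "IPv$fam: FAILED (got '$got')"
        fi
    done
    rm -f "$dir/$token"
}

if [ "${1:-}" = "--live" ]; then
    addrs=$(resolve_all "$HOST" | tr '\n' ' ')
    check_addrs "$addrs" "$MY_ADDRS" \
        || echo "fix the A/AAAA records for $HOST before requesting http-01"
    probe_challenge "$HOST" "$WEBROOT"
    # Only once both pass is a fresh webroot issuance worth attempting:
    #   certbot certonly --webroot -w "$WEBROOT" -d "$HOST"
    #   certbot renew --dry-run
fi
```

Run it as `sh preflight.sh --live` on the server. Put the printed stanza inside the listen 80 server block ahead of `location /`, reload nginx, and then issue with `certbot certonly --webroot -w /var/www/letsencrypt -d cfp.snowcon.info`, so the renewal config records the webroot authenticator and http-01 rather than whatever earlier attempts left behind.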

Where in your nginx configuration are you referring to this specific directory? I can't find it.

Also, what's the Certbot output? It was one of the questions of the questionnaire:

When you opened this thread in the Help section, you should have been provided with a questionnaire. Maybe you didn't get it somehow (which is weird), or you've decided to delete it. In any case, all the answers to this questionnaire are required:


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):


That said, Let's Debug has found an issue.

In addition to what Osiris asked, how did you get that combination? Because the nginx authenticator only supports the http-01 challenge.

2 Likes
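An added check for the mismatch just raised (not from the thread and not Certbot's own code): read authenticator and pref_challs out of a renewal conf and report when none of the preferred challenges is one the authenticator can perform. The plugin table is an assumption about the standard plugins: nginx, apache, webroot and standalone do http-01 only, the dns-* plugins do dns-01 only, and manual does either. The sample conf embedded in the block is constructed to mirror the one posted above.

```shell
#!/bin/sh
# Added example, not from the thread or Certbot: audit a renewal .conf for a
# pref_challs that the chosen authenticator cannot satisfy.

# Plugin -> challenge capability (assumption: standard Certbot plugins).
supported_challs() {
    case "$1" in
        nginx|apache|webroot|standalone) echo "http-01" ;;
        dns-*) echo "dns-01" ;;
        manual) echo "http-01 dns-01" ;;
        *) echo "" ;;
    esac
}

# renewal_param FILE KEY: value of "KEY = value" under [renewalparams],
# with the trailing comma list turned into a space-separated list.
renewal_param() {
    sed -n '/^\[renewalparams\]/,$p' "$1" \
      | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" \
      | head -n1 | tr ',' ' ' | tr -s ' ' | sed 's/^ *//; s/ *$//'
}

# renewal_conf_ok FILE: 0 if at least one preferred challenge is usable by
# the authenticator (or no preference is set), 1 with a message otherwise.
renewal_conf_ok() {
    auth=$(renewal_param "$1" authenticator)
    prefs=$(renewal_param "$1" pref_challs)
    [ -z "$prefs" ] && return 0   # no preference: Certbot uses what the plugin supports
    caps=$(supported_challs "$auth")
    for p in $prefs; do
        case " $caps " in *" $p "*) return 0 ;; esac
    done
    echo "authenticator=$auth cannot satisfy pref_challs=$prefs (supports: ${caps:-unknown})" >&2
    return 1
}

# Constructed sample mirroring the renewal conf posted in the thread.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
version = 2.1.0

[renewalparams]
account = XYZ
pref_challs = dns-01,
authenticator = nginx
installer = nginx
EOF

renewal_conf_ok "$SAMPLE" \
    || echo "renewal would fail: rerun certbot with --preferred-challenges http-01, or reissue with --webroot"
rm -f "$SAMPLE"
```

Point `renewal_conf_ok` at the real file under /etc/letsencrypt/renewal/ to audit a live profile; a failing result is the same situation as the posted conf, where dns-01 is preferred but the nginx plugin can only answer http-01.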

Yeah, that's weird too. Not sure what kind of error Certbot would throw or if it just ignores pref_challs?

Anyway, the IPv6 addresses of cfp.snowcon.info are from GitHub, so that's never going to work.

2 Likes

Feels like someone has been manually editing renewal profiles. We really need to know the commands they are trying and the errors that result, as requested on the form.

Not sure what the purpose of the below would be with the --nginx authenticator. It makes the needed challenge "return" directly in the nginx config.

But, as you say, if this is a GitHub-hosted site they won't have control of its nginx for that to work.

2 Likes

Could also be a relic from past certificate issuances, as they stated it was "painful", used DNS and couldn't renew, all pointing to usage of the --manual plugin with the dns-01 challenge (without hooks).

OMG! Thanks so much!

I went into the DNS and removed the IPv6 entries and it just worked!

I did so many manipulations that my original website didn't seem to work. I managed to salvage an older copy of the nginx config and now it is working!

Seems like the domains pointed to GitHub, which they shouldn't. www. and snowcon.info are pointing to GitHub Pages, but not cfp.

Thank you again so much for helping, I literally spent ~8 hours trying everything I could come across online to fix the issue.

Btw, the renewal file updated itself and now shows http-01. Hopefully the next renewal will go smoothly.

3 Likes

You can test a renewal with:

sudo certbot renew --dry-run

2 Likes

I did that and it didn't return any errors. But I think I did that when I created the initial certificates and it didn't show an error, but ultimately it didn't renew.

Now that it's working via http, I'm more confident.

Thanks again for your help!

2 Likes