Can't renew ssl certificates

My domain is: www.example.com

I ran this command: sudo certbot renew

It produced this output:
The following errors were reported by the server:

Domain: www.example.com
Type: connection
Detail: Fetching
http://www.example.com/.well-known/acme-challenge/GLXvVCq9WHQeJBSQn5kjrdQ0LJdkccO4-fFnUfbxrpc:
Connection refused

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you’re using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.

My web server is (include version):
nginx/1.18.0 (Ubuntu)
The operating system my web server runs on is (include version):
Ubuntu 18.04
My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.40.0

Is your port 80 open?

How can I check it ?

https://www.google.com/search?q=how+can+I+check+if+port+80+is+open&oq=how+can+I+check+if+port+80+is+open

If it isn’t open, check all possible firewalls/routers.

sudo lsof -i:80

COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
nginx 13802 root 7u IPv4 213721 0t0 TCP *:http (LISTEN)
nginx 13802 root 8u IPv6 213722 0t0 TCP *:http (LISTEN)
nginx 13803 www-data 7u IPv4 213721 0t0 TCP *:http (LISTEN)
nginx 13803 www-data 8u IPv6 213722 0t0 TCP *:http (LISTEN)

its open.

That’s just your local machine. Check firewalls/possibly NAT routers et cetera.

Also, if you really want the best help in stead of generic hints, please share the hostname of the site(s) in question.

It seems your site is indeed accessible through port 80 currently. It does however have some issues. For example, your www subdomain on port 80 (HTTP, http://www.codeistalk.com/) doesn’t give a redirect to HTTPS, but returns a 404 file not found error, while your base domain through HTTP on port 80 (http://codeistalk.com/)actually does redirect to HTTPS. I don’t know for sure if this is also hampering your try to renew, but it should be something you should fix.

What is the current output of sudo certbot renew?

- The following errors were reported by the server:

   Domain: www.example.com
   Type:   unauthorized
   Detail: Invalid response from
   http://www.example.com/.well-known/acme-challenge/kFkmrCNvSPYkTqnQhgMepTSLEnuTmKqSzKJMt4yebls
   [167.172.136.00]: "<html>\r\n<head><title>404 Not
   Found</title></head>\r\n<body>\r\n<center><h1>404 Not
   Found</h1></center>\r\n<hr><center>nginx</center>\r\n"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

Can it be an nginx conf issue?

Yes, it most certainly is. The Let’s Encrypt validation server gets the same 404 file not found now, just as any other user surfing to http://www.codeistalk.com/.

conf looks like this

Did you manually add the www subdomain to this configuration? Possibly around 2020-05-08, when you got the certificate which included the www subdomain for the first time? If so, you forgot to add the redirect for the www subdomain, as the current redirect code only covers the base domain name.

I guess I generated certificates with this command:
certbot certonly --webroot

and it asks for domain names and I gave two domain names like with and without www

Good to know. It also answers my question about the nginx configuration change indirectly: by using certonly certbot wouldn’t have edited the configuration file, so it must have been done manually.

I recommend to also add a redirect for the www subdomain, make sure it works, and try renewing again.

Do you mean another server block entry or just add another if statement ? Or there is a possibility to add something like

if($host = domain.com or $host = www.domain.com) {
do redirect()
}

That’s not necessary.

Indeed, that’s the correct way to go I think.

I’m not that familiar with nginx, but the documentation about the if statement does not contain anything about or operators. I would not recommend it.

Now new version:

it still fails

Well, that’s because you’re redirecting to the www.www subdomain:

osiris@erazer ~ $ curl -LIv www.codeistalk.com
*   Trying 167.172.136.90:80...
* Connected to www.codeistalk.com (167.172.136.90) port 80 (#0)
> HEAD / HTTP/1.1
> Host: www.codeistalk.com
> User-Agent: curl/7.69.1
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 301 Moved Permanently
HTTP/1.1 301 Moved Permanently
< Server: nginx
Server: nginx
< Date: Sat, 01 Aug 2020 12:02:58 GMT
Date: Sat, 01 Aug 2020 12:02:58 GMT
< Content-Type: text/html
Content-Type: text/html
< Content-Length: 162
Content-Length: 162
< Connection: keep-alive
Connection: keep-alive
< Location: https://www.www.codeistalk.com/
Location: https://www.www.codeistalk.com/

< 
* Connection #0 to host www.codeistalk.com left intact
* Issue another request to this URL: 'https://www.www.codeistalk.com/'
* getaddrinfo(3) failed for www.www.codeistalk.com:443
* Couldn't resolve host 'www.www.codeistalk.com'
* Closing connection 1
curl: (6) Couldn't resolve host 'www.www.codeistalk.com'
osiris@erazer ~ $ 

Which makes sense if you read your added redirect closely.

Ah. Perfect. Now it works. Thank you so much.

1 Like