Can't renew with nginx module with redirect

My domain is: www.adspatium.fr

I ran this command: certbot renew --cert-name www.adspatium.fr --dry-run (works)
certbot renew --cert-name www.adspatium.fr (does not work)

It produced this output:

   Domain: www.adspatium.fr
   Type:   unauthorized
   Detail: Invalid response from
   https://www.adspatium.fr/.well-known/acme-challenge/3aO_Tkd4Hhh6CYuBM2T0hPUzdg4Cg4rTchAE_1pOP94
   [149.255.137.182]: "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0
   Strict//EN\"
   \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\">\r\n<html
   xmlns=\"http"

My web server is (include version):

nginx -v
nginx version: nginx/1.16.1

The operating system my web server runs on is (include version):

cat /etc/redhat-release
CentOS Linux release 7.7.1908 (Core)

I can login to a root shell on my machine (yes or no, or I don’t know): YES

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

certbot --version
certbot 0.39.0

It looks like the nginx module makes changes only on the http vhost, and the check is made on http AND (maybe because of the redirect) on https:

      "validationRecord": [
        {
          "url": "http://www.adspatium.fr/.well-known/acme-challenge/3aO_Tkd4Hhh6CYuBM2T0hPUzdg4Cg4rTchAE_1pOP94",
          "hostname": "www.adspatium.fr",
          "port": "80",
          "addressesResolved": [
            "149.255.137.182"
          ],
          "addressUsed": "149.255.137.182"
        },
        {
          "url": "https://www.adspatium.fr/.well-known/acme-challenge/3aO_Tkd4Hhh6CYuBM2T0hPUzdg4Cg4rTchAE_1pOP94",
          "hostname": "www.adspatium.fr",
          "port": "443",
          "addressesResolved": [
            "149.255.137.182"
          ],
          "addressUsed": "149.255.137.182"
        }
      ]

With dry-run I get only:

       "validationRecord": [
        {
          "url": "http://www.adspatium.fr/.well-known/acme-challenge/1wqBlbyyoCQDs0D4cfddnqvkNt-KNHArN7vuISMdRIk",
          "hostname": "www.adspatium.fr",
          "port": "80",
          "addressesResolved": [
            "149.255.137.182"
          ],
          "addressUsed": "149.255.137.182"
        }
      ]

What can I do to have the same behaviour between normal and dry-run?
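A small diagnostic for the log excerpts above, added here as an example (it is not part of the original post and not Certbot's own code): it reads a validationRecord array, reports whether the CA followed a redirect from port 80 to port 443 and whether the challenge path survived it, and checks whether a response body looks like an ACME key authorization (token.thumbprint) rather than an HTML page. The two sample arrays and the response body are constructed from the values quoted in the post; the third sample, a redirect that drops the challenge path, is hypothetical.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed samples, shaped like the validationRecord arrays quoted above
# (same URLs, ports and address as the failing and dry-run attempts).
FAILED_RUN = json.loads("""
[
  {"url": "http://www.adspatium.fr/.well-known/acme-challenge/3aO_Tkd4Hhh6CYuBM2T0hPUzdg4Cg4rTchAE_1pOP94",
   "hostname": "www.adspatium.fr", "port": "80",
   "addressesResolved": ["149.255.137.182"], "addressUsed": "149.255.137.182"},
  {"url": "https://www.adspatium.fr/.well-known/acme-challenge/3aO_Tkd4Hhh6CYuBM2T0hPUzdg4Cg4rTchAE_1pOP94",
   "hostname": "www.adspatium.fr", "port": "443",
   "addressesResolved": ["149.255.137.182"], "addressUsed": "149.255.137.182"}
]
""")

DRY_RUN = json.loads("""
[
  {"url": "http://www.adspatium.fr/.well-known/acme-challenge/1wqBlbyyoCQDs0D4cfddnqvkNt-KNHArN7vuISMdRIk",
   "hostname": "www.adspatium.fr", "port": "80",
   "addressesResolved": ["149.255.137.182"], "addressUsed": "149.255.137.182"}
]
""")

# Hypothetical sample: a redirect to the site root that loses the challenge path.
DROPPED_PATH = [
    {"url": "http://www.adspatium.fr/.well-known/acme-challenge/TOKENTOKEN",
     "hostname": "www.adspatium.fr", "port": "80",
     "addressesResolved": ["149.255.137.182"], "addressUsed": "149.255.137.182"},
    {"url": "https://www.adspatium.fr/",
     "hostname": "www.adspatium.fr", "port": "443",
     "addressesResolved": ["149.255.137.182"], "addressUsed": "149.255.137.182"},
]

# Start of the "Detail:" response body quoted in the post (an HTML page, not a key authorization).
FAILED_BODY = ('<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" '
               '"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">\r\n<html xmlns="http')

# A key authorization is <token>.<account key thumbprint>, both base64url without padding.
KEYAUTHZ_RE = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$")


def challenge_token(url):
    """Last path segment of a validation URL; empty if the path carries no token."""
    return urlsplit(url).path.rsplit("/", 1)[-1]


def diagnose(records):
    """Summarise how the CA's HTTP-01 fetch progressed through redirects."""
    if not records:
        return {"hops": 0, "redirected": False, "final_scheme": None,
                "final_port": None, "notes": ["no validation records in the log"]}
    first, last = records[0], records[-1]
    token = challenge_token(first["url"])
    final = urlsplit(last["url"])
    notes = []
    if len(records) > 1:
        notes.append(f"CA followed {len(records) - 1} redirect(s): "
                     f"port {first['port']} -> port {last['port']}")
    if final.scheme == "https":
        # The CA accepts a redirect to HTTPS, but whatever answers on 443 must then
        # serve the token; a challenge placed only in the port-80 vhost is never seen.
        notes.append("final fetch was over HTTPS: the 443 vhost must serve the token, "
                     "or the redirect must exempt /.well-known/acme-challenge/")
    if challenge_token(last["url"]) != token:
        notes.append("redirect changed or dropped the challenge path; "
                     "the token was never requested at its final location")
    if {r["hostname"] for r in records} != {first["hostname"]}:
        notes.append("validation crossed hostnames")
    if not notes:
        notes.append("challenge fetched directly on port 80 with no redirect")
    return {"hops": len(records), "redirected": len(records) > 1,
            "final_scheme": final.scheme, "final_port": last["port"],
            "token": token, "notes": notes}


def looks_like_key_authorization(body, token):
    """True if the body is token.thumbprint for the expected token, False for any other content."""
    body = body.strip()
    return bool(KEYAUTHZ_RE.match(body)) and body.startswith(token + ".")


if __name__ == "__main__":
    for name, recs in (("failed run", FAILED_RUN), ("dry run", DRY_RUN), ("dropped path", DROPPED_PATH)):
        result = diagnose(recs)
        print(f"{name}: hops={result['hops']} final={result['final_scheme']}:{result['final_port']}")
        for note in result["notes"]:
            print("  -", note)
    print("body is key authorization:",
          looks_like_key_authorization(FAILED_BODY, diagnose(FAILED_RUN)["token"]))
```

Paste the validationRecord array from /var/log/letsencrypt/letsencrypt.log into one of the sample variables (or load it with json.loads) and run the script; the notes say whether the port-80 vhost answered the challenge itself or handed it to the HTTPS vhost.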

The difference here is that the dry run is re-using/caching a previous successful authorization result. It's not actually performing the challenge every time you run it.

This behavior is fixed in 0.40.0, which is not yet packaged for EPEL 7. In the latest Certbot releases, both your live and dry-runs would be failing.

Which Certbot authenticator are you using? It is not included in your output.

You can find that by posting the contents of /etc/letsencrypt/renewal/www.adspatium.fr.conf.


Did you make a change to your port 80 vhost config within the last 30 days?
[probably relating to http>https redirection]

$ cat /etc/letsencrypt/renewal/www.adspatium.fr.conf
# renew_before_expiry = 30 days
version = 0.39.0
archive_dir = /etc/letsencrypt/archive/www.adspatium.fr
cert = /etc/letsencrypt/live/www.adspatium.fr/cert.pem
privkey = /etc/letsencrypt/live/www.adspatium.fr/privkey.pem
chain = /etc/letsencrypt/live/www.adspatium.fr/chain.pem
fullchain = /etc/letsencrypt/live/www.adspatium.fr/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = nginx
installer = nginx
account = b1530a3f89f1...
server = https://acme-v02.api.letsencrypt.org/directory

WWW returns 404:

curl -Iki adspatium.fr
HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Tue, 12 Nov 2019 11:01:43 GMT
Content-Type: text/html
Content-Length: 4833
Last-Modified: Fri, 16 May 2014 15:12:48 GMT
Connection: keep-alive
ETag: "53762af0-12e1"
Accept-Ranges: bytes

curl -Iki www.adspatium.fr
HTTP/1.1 404 Not Found
Server: nginx/1.16.1
Date: Tue, 12 Nov 2019 11:01:52 GMT
Content-Type: text/html
Content-Length: 153
Connection: keep-alive

I didn't change anything, it was working for months and then it failed.

I chose redirect when creating the certificate and now it looks like it can't renew with the redirect...
It looks like certbot fails to apply the configuration for nginx, then Let's Encrypt makes the request and gets a redirect to https, which can't answer the validation...

This did make a change:

[Not saying that is the problem.]

I see a problem getting to HTTP on the WWW site.

My bad, it was a test without the redirect configured; you can test now.
No link with the actual problem.

And now it works:

curl -Iki www.adspatium.fr
HTTP/1.1 301 Moved Permanently
Server: nginx/1.16.1
Date: Tue, 12 Nov 2019 11:15:57 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
Location: https://www.adspatium.fr/

So you ARE making changes…
Please retry the renewal now.

[saying “I didn’t change anything” doesn’t get you any closer to a solution - when you did…]
[don’t get me wrong - there is nothing wrong with making changes - they are part of progress]

server {rewrite ^(/.well-known/acme-challenge/.*) $1 break; # managed by Certbot


    if ($host = www.zenbellebio.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


        listen 80;

        server_name www.zenbellebio.com;
    return 404; # managed by Certbot


location = /.well-known/acme-challenge/qoxS_k28UZn-VTUtcY2iseBmWS8Ap0H29c6lNGDdOHM{default_type text/plain;return 200 qoxS_k28UZn-VTUtcY2iseBmWS8Ap0H29c6lNGDdOHM.32pRSrBXIbK7itB6ZJgVN4xbUpDPtie-PQv-IyW9Ojk;} # managed by Certbot

}

The renewal failed (I took another domain to show you).
This is how the nginx module configures the http conf.
It looks like the “break” isn’t working.
Nginx doesn’t take the location and sends the redirect.

I have to agree.
[and I don't really like that style]

Try re-organizing/structuring that.

?
What do you mean?
I have to change the way the nginx module works?

Change:

server {rewrite ^(/.well-known/acme-challenge/.*) $1 break; # managed by Certbot
    if ($host = www.zenbellebio.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
        listen 80;
        server_name www.zenbellebio.com;
    return 404; # managed by Certbot
location = /.well-known/acme-challenge/qoxS_k28UZn-VTUtcY2iseBmWS8Ap0H29c6lNGDdOHM{default_type text/plain;return 200 qoxS_k28UZn-VTUtcY2iseBmWS8Ap0H29c6lNGDdOHM.32pRSrBXIbK7itB6ZJgVN4xbUpDPtie-PQv-IyW9Ojk;} # managed by Certbot
}

To (something more like):

server {
    listen 80;
    server_name www.zenbellebio.com;

    location = /.well-known/acme-challenge/ {
        root /your/html/location/;
        try_files $uri =404;
    } # location

    location / {
        return 301 https://$host$request_uri;
    } # location
}#server

? I can't: it's part of the nginx module; I don't want to change the code of this module.

I get this part of the configuration from /var/log/letsencrypt/letsencrypt.log

Do you have root access?

[if you're looking for a button to click to fix this - you're probably not going to find one]

Maybe you haven’t understood: I don’t use the standalone or rootpath module.

I use the nginx module, which generates the configuration itself while trying to renew.

Please don't take me for a fool, or a lamer

I don't.
[again - don't get me wrong - I'm here (without pay) trying to fix your problem]
[~Oh Lord! Please don't let me be misunderstood!~]

I don’t see --standalone in the command line…
So I don’t really understand what you mean.

It is using your NGINX config.
You are the admin - you control NGINX.

In a perfect world:
CLICK UNDO
and then redo in some other way (that works/better).

But there is no “UNDO” here…?
Did you make a backup of the /etc/nginx/ folder?
[no one does]