Can't seem to renew cert

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: staging.maxtool.com

I ran this command: certbot certonly --force-renewal

It produced this output:

Waiting for verification…
Cleaning up challenges
Failed authorization procedure. staging.maxtool.com (http-01): urn:acme:error:unwn/acme-challenge/Uj386Z0j7a4LQlWXV-tAGSzyT2Cc5UQJ1UdH4--l3l8: "<!doctype html>

var BASE_URL = 'https://staging.maxtool.com/'; var require"

IMPORTANT NOTES:

My web server is (include version): Nginx V 1.14.0

The operating system my web server runs on is (include version): Linux CentOS7

My hosting provider, if applicable, is: RackSpace

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): Magento 2.2.4, so no control panel; I have access to PuTTY

You've got something sitting in front of nginx - what is it?

What's the contents of /etc/letsencrypt/renewal/staging.maxtool.com.conf ?

@_az

renew_before_expiry = 30 days

version = 0.22.0
archive_dir = /etc/letsencrypt/archive/staging.static.maxtool.com
cert = /etc/letsencrypt/live/staging.static.maxtool.com/cert.pem
privkey = /etc/letsencrypt/live/staging.static.maxtool.com/privkey.pem
chain = /etc/letsencrypt/live/staging.static.maxtool.com/chain.pem
fullchain = /etc/letsencrypt/live/staging.static.maxtool.com/fullchain.pem

Options used in the renewal process

[renewalparams]
authenticator = manual
installer = None
account = 7523dac81cf47efec41be87cd658e15b
pref_challs = dns-01,
manual_public_ip_logging_ok = True

I believe it would be Varnish that is sitting in front of Nginx

Varnish can't do HTTPS - you've got something sitting in front of Varnish as well. We need to know what it is so we know what to deploy the certificate to.

sudo ss -tlnp | grep ":443"

That's not the file I asked for - does the file I asked for not exist?

Can you show:

sudo certbot certificates

@_az

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Revocation status for /etc/letsencrypt/live/staging.maxtool.com/cert.pem is unknown

Found the following certs:
Certificate Name: staging.maxtool.com
Domains: staging.maxtool.com staging.admin.maxtool.com staging.factoryauthorizedoutlet.com
Expiry Date: 2018-06-11 14:05:35+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/staging.maxtool.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/staging.maxtool.com/privkey.pem
Certificate Name: staging.media.maxtool.com
Domains: staging.media.maxtool.com
Expiry Date: 2018-09-12 19:12:09+00:00 (VALID: 68 days)
Certificate Path: /etc/letsencrypt/live/staging.media.maxtool.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/staging.media.maxtool.com/privkey.pem
Certificate Name: staging.factoryauthorizedoutlet.com
Domains: staging.factoryauthorizedoutlet.com
Expiry Date: 2018-09-12 19:13:33+00:00 (VALID: 68 days)
Certificate Path: /etc/letsencrypt/live/staging.factoryauthorizedoutlet.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/staging.factoryauthorizedoutlet.com/privkey.pem
Certificate Name: staging.duromaxpower.com
Domains: staging.duromaxpower.com
Expiry Date: 2018-09-12 19:13:02+00:00 (VALID: 68 days)
Certificate Path: /etc/letsencrypt/live/staging.duromaxpower.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/staging.duromaxpower.com/privkey.pem

I actually did not do the initial setup… I’m picking up after someone who is no longer maintaining the website.

I'll send over this right now.

Sure. Could you show me how /etc/letsencrypt/renewal/staging.maxtool.com.conf is configured? You provided the contents for a different file a couple of posts back.

It’s possible you could try:

certbot renew --cert-name staging.maxtool.com -a nginx

but there’s a few unknowns at the moment that could prevent it from succeeding.

This is from the grep

LISTEN 0 128 :443 :* users:(("nginx",pid=45560,fd=7),("nginx",pid=45559,fd=7),("nginx",pid=45558,fd=7),("nginx",pid=45557,fd=7),("nginx",pid=45556,fd=7),("nginx",pid=45555,fd=7),("nginx",pid=45554,fd=7),("nginx",pid=45553,fd=7),("nginx",pid=45552,fd=7),("nginx",pid=45551,fd=7),("nginx",pid=45550,fd=7),("nginx",pid=45549,fd=7),("nginx",pid=45548,fd=7),("nginx",pid=45547,fd=7),("nginx",pid=45546,fd=7),("nginx",pid=45544,fd=7),("nginx",pid=45543,fd=7),("nginx",pid=45542,fd=7),("nginx",pid=45541,fd=7),("nginx",pid=45540,fd=7),("nginx",pid=45539,fd=7),("nginx",pid=45538,fd=7),("nginx",pid=45537,fd=7),("nginx",pid=45536,fd=7),("nginx",pid=45535,fd=7))

Here is the cert.pem file

-----BEGIN CERTIFICATE-----
MIIFSTCCBDGgAwIBAgISA899v6qn7Qd3CoEmqisr3ms0MA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xODAzMTMxNDA1MzVaFw0x
ODA2MTExNDA1MzVaMB4xHDAaBgNVBAMTE3N0YWdpbmcubWF4dG9vbC5jb20wggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDhpew8K9r0VoDi32zrxKd3bIgV
4bK7xGZTgHE8LGoCT39eILG7LzMK7hJFn5Cf19EDbOmbcCQ9jf+QNUdaHBmFojTZ
3oez6ABVZzo74QS/lUPtfTu1Atm+z50SbzHJoayPN6OhQSs9z5/fl5POs1lobOMz
dJCcdUEh1w0xcrWpSddLOjIqipOexG1FOe+v3KOwXfnyuxPNrQOp05MRQyjmreGS
czX0ajYJkr6VPwFbxTILwkKqWPR7Zd74bIyo0DcfhvJbAP1DtlCEqL1alh4wl5bV
8vkfgnbg7nC9TTL+66qPqoMFLYHnsoTO/9vzcgIZ/Tjf/q7S6/v05tkLxzNxAgMB
AAGjggJTMIICTzAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEG
CCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFC7yZk/cakcemPe7HBKK
+0umlJ1GMB8GA1UdIwQYMBaAFKhKamMEfd265tE5t6ZFZe/zqOyhMG8GCCsGAQUF
BwEBBGMwYTAuBggrBgEFBQcwAYYiaHR0cDovL29jc3AuaW50LXgzLmxldHNlbmNy
eXB0Lm9yZzAvBggrBgEFBQcwAoYjaHR0cDovL2NlcnQuaW50LXgzLmxldHNlbmNy
eXB0Lm9yZy8wXgYDVR0RBFcwVYIZc3RhZ2luZy5hZG1pbi5tYXh0b29sLmNvbYIj
c3RhZ2luZy5mYWN0b3J5YXV0aG9yaXplZG91dGxldC5jb22CE3N0YWdpbmcubWF4
dG9vbC5jb20wgf4GA1UdIASB9jCB8zAIBgZngQwBAgEwgeYGCysGAQQBgt8TAQEB
MIHWMCYGCCsGAQUFBwIBFhpodHRwOi8vY3BzLmxldHNlbmNyeXB0Lm9yZzCBqwYI
KwYBBQUHAgIwgZ4MgZtUaGlzIENlcnRpZmljYXRlIG1heSBvbmx5IGJlIHJlbGll
ZCB1cG9uIGJ5IFJlbHlpbmcgUGFydGllcyBhbmQgb25seSBpbiBhY2NvcmRhbmNl
IHdpdGggdGhlIENlcnRpZmljYXRlIFBvbGljeSBmb3VuZCBhdCBodHRwczovL2xl
dHNlbmNyeXB0Lm9yZy9yZXBvc2l0b3J5LzANBgkqhkiG9w0BAQsFAAOCAQEAnLrF
OkHcdiAkH8wOmYTDcRi1V6JrBST2Sz1LVV+QIdy2RlmvHBGAPPZzxRTeavK+x4ur
FYv5euXEMad4kq1Y9FQMp+yqXkPK5TjyBhITO41Irfgm+r4qTCytD5GP187m3dLo
84UTo3y+6Paiz60NSiJt+AFC8DpxIJOrU3Kl/Rtz0mrhzsALF27CT0zdOPF5YSHb
55RtJ3phAs4fGzRdtUAbEYVQDca7jwmVxRCAJ7cGVvBf2bPLmDjUj+2Vzkl4lhWB
5gAGG73wL0dommPdVQXkfbfMWok/HLU12zzflIh6bVMXLsiPns/7+aJkaQcyb1sm
7btyi2zU2kN42Y24Ow==
-----END CERTIFICATE-----

@_az

You are right it came back with this:

[root@922168-MagentoStaging staging.maxtool.com]# certbot renew --cert-name staging.maxtool.com -a nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/staging.maxtool.com.conf

Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator nginx, Installer None
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
Attempting to renew cert (staging.maxtool.com) from /etc/letsencrypt/renewal/staging.maxtool.com.conf produced an unexpected error: None of the preferred challenges are supported by the selected plugin. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/staging.maxtool.com/fullchain.pem (failure)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/staging.maxtool.com/fullchain.pem (failure)

1 renew failure(s), 0 parse failure(s)
[root@922168-MagentoStaging staging.maxtool.com]#

Basically it sounds to me like your previous administrator set all of your certificates up using manual DNS validation through Cloudflare. That approach makes auto-renewal impossible.

You can try to see if this works (a slight amendment to the previous command):

certbot renew --cert-name staging.maxtool.com \
-a nginx --preferred-challenges http --dry-run

but if that doesn’t work, you will need to either repeat the same commands the previous admin used and perform manual validation, e.g.:

certbot certonly -d staging.maxtool.com -d staging.admin.maxtool.com \
-d staging.factoryauthorizedoutlet.com -a manual --preferred-challenges dns

or set up a better (automatic) renewal regime, replacing the old one.
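Added example, written for this edit and not part of _az's reply or of certbot: a small audit over the renewal confs that reports which lineages `certbot renew` can complete unattended and which cannot, i.e. the exact state diagnosed above (authenticator = manual with pref_challs = dns-01 and no manual_auth_hook, or a plugin such as nginx asked for a challenge it cannot answer). The two sample confs are constructed: the first copies the staging.static.maxtool.com.conf pasted earlier in the thread with the account line left out, the second is a hypothetical nginx-authenticated lineage. The key names (authenticator, pref_challs, manual_auth_hook) are the ones certbot writes; the section header is ignored, which is a simplification.

```shell
#!/bin/sh
# Added example, not from the thread: flag lineages under /etc/letsencrypt/renewal
# that `certbot renew` cannot complete without a human answering the challenge.
set -eu

# Value of "key = value" in a certbot renewal conf ($1 = file, $2 = key).
# certbot writes list values with a trailing comma (pref_challs = dns-01,); strip it.
# Simplification: section headers are ignored; fine for the keys used here.
renewal_param() {
    sed -n "s/^$2 *= *//p" "$1" | head -n 1 | sed 's/,$//'
}

# Print a verdict for one lineage; return 0 if unattended renewal can work, 1 if not.
renewal_is_unattended() {
    auth=$(renewal_param "$1" authenticator)
    challs=$(renewal_param "$1" pref_challs)
    hook=$(renewal_param "$1" manual_auth_hook)
    case "$auth" in
        manual)
            if [ -n "$hook" ]; then
                echo "ok: manual authenticator driven by manual_auth_hook=$hook"
                return 0
            fi
            echo "FAIL: manual authenticator with no manual_auth_hook (pref_challs=${challs:-default}); someone must answer the challenge by hand"
            return 1 ;;
        nginx|apache|webroot|standalone)
            # These plugins answer http-01 and cannot answer dns-01. A pref_challs
            # list without http-01 gives "None of the preferred challenges are
            # supported by the selected plugin", as seen in the thread.
            if [ -n "$challs" ] && ! echo "$challs" | grep -q 'http-01'; then
                echo "FAIL: authenticator=$auth cannot satisfy pref_challs=$challs"
                return 1
            fi
            echo "ok: authenticator=$auth (pref_challs=${challs:-default})"
            return 0 ;;
        dns-*)
            echo "ok: DNS plugin $auth answers dns-01 itself"
            return 0 ;;
        *)
            echo "FAIL: unrecognised authenticator '$auth'"
            return 1 ;;
    esac
}

# Audit every lineage in a renewal directory; non-zero if any cannot renew unattended.
audit_all() {
    rc=0
    for conf in "$1"/*.conf; do
        [ -f "$conf" ] || continue
        printf '%s: ' "$(basename "$conf" .conf)"
        renewal_is_unattended "$conf" || rc=1
    done
    return $rc
}

# Constructed sample confs. The first mirrors the file pasted in the thread
# (account line omitted); the second is a hypothetical nginx-authenticated lineage.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat >"$SAMPLE_DIR/staging.static.maxtool.com.conf" <<'EOF'
# renew_before_expiry = 30 days
version = 0.22.0
archive_dir = /etc/letsencrypt/archive/staging.static.maxtool.com
cert = /etc/letsencrypt/live/staging.static.maxtool.com/cert.pem
fullchain = /etc/letsencrypt/live/staging.static.maxtool.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = manual
installer = None
pref_challs = dns-01,
manual_public_ip_logging_ok = True
EOF
cat >"$SAMPLE_DIR/staging.media.maxtool.com.conf" <<'EOF'
version = 0.22.0
archive_dir = /etc/letsencrypt/archive/staging.media.maxtool.com
[renewalparams]
authenticator = nginx
installer = nginx
EOF

# Demonstration on the samples; a real run is: sh renewal-audit.sh --audit [/etc/letsencrypt/renewal]
audit_all "$SAMPLE_DIR" || echo "at least one lineage needs a real authenticator or an auth hook"
if [ "${1:-}" = "--audit" ]; then
    audit_all "${2:-/etc/letsencrypt/renewal}"
fi
```

Running it against the sample directory prints one "FAIL" line for the manual/dns-01 lineage and one "ok" line for the nginx one; pointed at /etc/letsencrypt/renewal with `--audit` it exits non-zero whenever any lineage would fail the next unattended `certbot renew`, which is a useful thing to have in a cron job well before the 30-day renewal window opens.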

@_az

I have to head out of the office, I’ll try this tomorrow morning. Thanks for the direction. You are a HERO!

Best Regards,
Jack


After some changes and running this line: "certbot certificates" I’m getting the following:

Found the following certs:
Certificate Name: staging.maxtool.com
Domains: staging.maxtool.com staging.admin.maxtool.com
Expiry Date: 2018-10-04 16:01:54+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/staging.maxtool.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/staging.maxtool.com/privkey.pem
Certificate Name: staging.media.maxtool.com
Domains: staging.media.maxtool.com
Expiry Date: 2018-09-12 19:12:09+00:00 (VALID: 68 days)
Certificate Path: /etc/letsencrypt/live/staging.media.maxtool.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/staging.media.maxtool.com/privkey.pem
Certificate Name: staging.factoryauthorizedoutlet.com
Domains: staging.factoryauthorizedoutlet.com
Expiry Date: 2018-09-12 19:13:33+00:00 (VALID: 68 days)
Certificate Path: /etc/letsencrypt/live/staging.factoryauthorizedoutlet.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/staging.factoryauthorizedoutlet.com/privkey.pem
Certificate Name: staging.duromaxpower.com
Domains: staging.duromaxpower.com
Expiry Date: 2018-09-12 19:13:02+00:00 (VALID: 68 days)
Certificate Path: /etc/letsencrypt/live/staging.duromaxpower.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/staging.duromaxpower.com/privkey.pem

Seems like the certificate was renewed; however, the site has not updated with the SSL at the moment. Can I get some advice?

Is your web server configured to point at /etc/letsencrypt/live/staging.maxtool.com/fullchain.pem? Did you restart the server program after the renewal?

If you use certonly, Certbot doesn’t restart the web server for you after a renewal, unless you explicitly add a --deploy-hook script that performs this action.
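Added example, written for this edit and not schoen's, certbot's or the thread's own code: a script usable as the --deploy-hook mentioned above. It fingerprints the renewed fullchain.pem, fingerprints what the TLS listener actually presents for the same name, and reloads nginx only when the two differ, then re-checks so that "I restarted nginx but it still serves the old cert" is reported instead of silently ignored. Assumptions: openssl is installed, nginx itself answers on 127.0.0.1:443 (probing localhost bypasses whatever is in front of it), and it is reloaded with `systemctl reload nginx`. RENEWED_LINEAGE and RENEWED_DOMAINS are the variables certbot exports to deploy hooks. The certificate embedded at the end is the cert.pem posted earlier in this thread, used as sample input for the helper functions.

```shell
#!/bin/sh
# Added example, not from the thread: certbot deploy hook that checks whether nginx
# serves the certificate certbot just wrote, and reloads nginx only when it does not.
# Assumed: openssl present, nginx on 127.0.0.1:443, reload via systemctl.
set -eu

# SHA-256 fingerprint of the leaf (first) certificate in a PEM file.
cert_fingerprint_file() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# SHA-256 fingerprint of the leaf certificate a listener presents for an SNI name
# ($1 = host, $2 = port, $3 = name). Probing 127.0.0.1 tests nginx, not Varnish.
cert_fingerprint_served() {
    openssl s_client -connect "$1:$2" -servername "$3" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Expiry of the leaf certificate, e.g. "Jun 11 14:05:35 2018 GMT".
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# SAN list of the leaf certificate; -text keeps this working on OpenSSL 1.0.2 (CentOS 7).
cert_sans() {
    openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# 0 if the leaf certificate is still valid $2 seconds from now, 1 if it will have expired.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# Deploy hook body: $1 = lineage directory, $2 = name to send as SNI.
deploy_hook() {
    on_disk=$(cert_fingerprint_file "$1/fullchain.pem")
    served=$(cert_fingerprint_served 127.0.0.1 443 "$2")
    if [ "$on_disk" = "$served" ]; then
        echo "nginx already serves the renewed certificate for $2"
        return 0
    fi
    echo "served $served but $1/fullchain.pem is $on_disk; reloading nginx"
    nginx -t || { echo "nginx -t failed, not reloading" >&2; return 1; }
    systemctl reload nginx
    served=$(cert_fingerprint_served 127.0.0.1 443 "$2")
    if [ "$on_disk" != "$served" ]; then
        echo "still serving $served after reload: check which ssl_certificate 'nginx -T' shows for $2" >&2
        return 1
    fi
}

# Sample input: the cert.pem posted in the thread, written to a temp file.
SAMPLE_CERT=$(mktemp)
trap 'rm -f "$SAMPLE_CERT"' EXIT
cat >"$SAMPLE_CERT" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIFSTCCBDGgAwIBAgISA899v6qn7Qd3CoEmqisr3ms0MA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xODAzMTMxNDA1MzVaFw0x
ODA2MTExNDA1MzVaMB4xHDAaBgNVBAMTE3N0YWdpbmcubWF4dG9vbC5jb20wggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDhpew8K9r0VoDi32zrxKd3bIgV
4bK7xGZTgHE8LGoCT39eILG7LzMK7hJFn5Cf19EDbOmbcCQ9jf+QNUdaHBmFojTZ
3oez6ABVZzo74QS/lUPtfTu1Atm+z50SbzHJoayPN6OhQSs9z5/fl5POs1lobOMz
dJCcdUEh1w0xcrWpSddLOjIqipOexG1FOe+v3KOwXfnyuxPNrQOp05MRQyjmreGS
czX0ajYJkr6VPwFbxTILwkKqWPR7Zd74bIyo0DcfhvJbAP1DtlCEqL1alh4wl5bV
8vkfgnbg7nC9TTL+66qPqoMFLYHnsoTO/9vzcgIZ/Tjf/q7S6/v05tkLxzNxAgMB
AAGjggJTMIICTzAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEG
CCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFC7yZk/cakcemPe7HBKK
+0umlJ1GMB8GA1UdIwQYMBaAFKhKamMEfd265tE5t6ZFZe/zqOyhMG8GCCsGAQUF
BwEBBGMwYTAuBggrBgEFBQcwAYYiaHR0cDovL29jc3AuaW50LXgzLmxldHNlbmNy
eXB0Lm9yZzAvBggrBgEFBQcwAoYjaHR0cDovL2NlcnQuaW50LXgzLmxldHNlbmNy
eXB0Lm9yZy8wXgYDVR0RBFcwVYIZc3RhZ2luZy5hZG1pbi5tYXh0b29sLmNvbYIj
c3RhZ2luZy5mYWN0b3J5YXV0aG9yaXplZG91dGxldC5jb22CE3N0YWdpbmcubWF4
dG9vbC5jb20wgf4GA1UdIASB9jCB8zAIBgZngQwBAgEwgeYGCysGAQQBgt8TAQEB
MIHWMCYGCCsGAQUFBwIBFhpodHRwOi8vY3BzLmxldHNlbmNyeXB0Lm9yZzCBqwYI
KwYBBQUHAgIwgZ4MgZtUaGlzIENlcnRpZmljYXRlIG1heSBvbmx5IGJlIHJlbGll
ZCB1cG9uIGJ5IFJlbHlpbmcgUGFydGllcyBhbmQgb25seSBpbiBhY2NvcmRhbmNl
IHdpdGggdGhlIENlcnRpZmljYXRlIFBvbGljeSBmb3VuZCBhdCBodHRwczovL2xl
dHNlbmNyeXB0Lm9yZy9yZXBvc2l0b3J5LzANBgkqhkiG9w0BAQsFAAOCAQEAnLrF
OkHcdiAkH8wOmYTDcRi1V6JrBST2Sz1LVV+QIdy2RlmvHBGAPPZzxRTeavK+x4ur
FYv5euXEMad4kq1Y9FQMp+yqXkPK5TjyBhITO41Irfgm+r4qTCytD5GP187m3dLo
84UTo3y+6Paiz60NSiJt+AFC8DpxIJOrU3Kl/Rtz0mrhzsALF27CT0zdOPF5YSHb
55RtJ3phAs4fGzRdtUAbEYVQDca7jwmVxRCAJ7cGVvBf2bPLmDjUj+2Vzkl4lhWB
5gAGG73wL0dommPdVQXkfbfMWok/HLU12zzflIh6bVMXLsiPns/7+aJkaQcyb1sm
7btyi2zU2kN42Y24Ow==
-----END CERTIFICATE-----
EOF
echo "sample expires: $(cert_not_after "$SAMPLE_CERT")"
echo "sample names:   $(cert_sans "$SAMPLE_CERT")"
cert_valid_for "$SAMPLE_CERT" 0 || echo "sample certificate has expired, as 'certbot certificates' reported"

# Under certbot this runs as the deploy hook; probe with the first renewed domain.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    first=${RENEWED_DOMAINS:-}
    deploy_hook "$RENEWED_LINEAGE" "${first%% *}"
fi
```

Wire it in with `certbot renew --deploy-hook /usr/local/sbin/nginx-cert-check.sh` (the path is an assumption; certbot also picks up executables placed in /etc/letsencrypt/renewal-hooks/deploy/). The second fingerprint comparison after the reload is the part that matters for the symptom in this thread: if nginx still presents the old leaf after a clean reload, the server block answering that name is not the one whose ssl_certificate points at the renewed lineage, and `nginx -T` will show which file it is actually loading.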

I’ll give that a shot.

@schoen

Hi! I restarted nginx, however the SSL is still pointing to the old cert.

Best Regards,
Jack

Where is the certificate configured in your nginx configuration? Can you post the relevant nginx configuration file?

Here is what I see:

ssl_certificate /etc/letsencrypt/live/staging.maxtool.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/staging.maxtool.com/privkey.pem;
server_name staging.maxtool.com www.maxtool.com assets.maxtool.com;

and for staging.factoryauthorizedoutlet here is what I see so we can compare.

ssl_certificate /etc/letsencrypt/live/staging.factoryauthorizedoutlet.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/staging.factoryauthorizedoutlet.com/privkey.pem; # managed by Certbot
server_name staging.factoryauthorizedoutlet.com www.factoryauthorizedoutlet.com assets.factoryauthorizedoutlet.com;