gumshoenoir.com www.gumshoenoir.com
certbot --nginx --agree-tos --redirect --hsts --staple-ocsp --email redacted@redacted.net -d gumshoenoir.com -d www.gumshoenoir.com --debug-challenges
CentOS8
[root@centos8 ~]# nginx -v
nginx version: nginx/1.14.1
[root@centos8 ~]#
VPS at Hostinger
Yup, I have root via ssh. Not a control panel.
[root@centos8 ~]# certbot --version
certbot 1.6.0
[root@centos8 ~]#
Background
FWIW I've regularly used certbot and acme.sh to issue certificates for several years. My previous experience is with CentOS 7 / Apache on a vps hosted by Dediserve and Fedora and Debian buster at home.
Now with a new additional hosting provider, Hostinger, I'm taking my first stab at CentOS 8, nginx with server blocks and IPv6. I haven't previously worked with nginx or IPv6.
Summary
Dinkin' around for a couple of days, scratching my head and trying to talk myself out of thinking I'm seeing inconsistent results, today I make some headway.
I feel the problem may have begun with an incorrect or incomplete IPv6 config of my nameservers, which may have allowed the very first attempt to succeed over IPv4. Subsequent attempts with the same syntax resulted in failures -- after I had corrected the IPv6. I use name.com to host my DNS.
Eventually I set up an alias for .well-known/acme-challenge in the root nginx server, which is labeled default_server. Although certbot considered the server block's DNS correct, it appeared to try to retrieve data from the root server, not the server block.
Before I put up the alias/redirect for .well-known I got errors like "detail ... Invalid response" (like a not found); after adding the redirect I get "detail Error getting validation data".
Success?
Finally, for debugging, I added --debug-challenges:
certbot --nginx --agree-tos --redirect --hsts --staple-ocsp --email redacted@redacted.net -d gumshoenoir.com -d www.gumshoenoir.com --debug-challenges
When certbot paused I couldn't find anything in .well-known/acme-challenge, but after hitting CR to resume, the cert was granted! (huh?) I did that twice in a row with different virtual domain names.
But certbot renew --dry-run failed.
Logs
I have many. I can share more if required. Meanwhile this is the last run I did. From certbot renew --dry-run
(shoot, how do I put scroll bars on this lloonngg log?)
The run for gumshoenoir.com had the .well-known/acme-challenge redirect but still failed renewal.
Doh! The topic wouldn't post, too many characters. Check this pastebin: https://pastebin.com/erZqBVQw
gumshoenoir.com.conf
server {
    # listen [::]:80;
    server_name gumshoenoir.com www.gumshoenoir.com;
    root /var/www/gumshoenoir.com;
    access_log /var/log/nginx/gumshoenoir.com_access.log main;
    error_log /var/log/nginx/gumshoenoir.com_error.log error;
    index index.html index.htm;

    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ =404;
    }

    location ^~ /.well-known/acme-challenge/ {
        # default_type "text/plain";
        root /usr/share/nginx/html/letsencrypt;
    }

    location = /.well-known/acme-challenge/ {
        return 404;
    }

    listen [::]:443 ssl; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/gumshoenoir.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/gumshoenoir.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
    add_header Strict-Transport-Security "max-age=31536000" always; # managed by Certbot
    ssl_trusted_certificate /etc/letsencrypt/live/gumshoenoir.com/chain.pem; # managed by Certbot
    ssl_stapling on; # managed by Certbot
    ssl_stapling_verify on; # managed by Certbot
}
server {
    if ($host = www.gumshoenoir.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    if ($host = gumshoenoir.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    # listen [::]:80;
    listen [::]:80 ipv6only=on;
    server_name gumshoenoir.com www.gumshoenoir.com;
    root /var/www/gumshoenoir.com;
    access_log /var/log/nginx/gumshoenoir.com_access.log main;
    error_log /var/log/nginx/gumshoenoir.com_error.log error;
    index index.html index.htm;

    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ =404;
    }

    location ^~ /.well-known/acme-challenge/ {
        # default_type "text/plain";
        root /usr/share/nginx/html/letsencrypt;
    }

    location = /.well-known/acme-challenge/ {
        return 404;
    }
}
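An added example, not code from the original post: a pre-flight check that fetches the http-01 challenge path the way the ACME validator does and classifies what comes back. A 404 is the "Invalid response" case (the request landed in a server block or root that does not hold the token); a connection failure is the "Error getting validation data" case. check_per_address() resolves every A and AAAA record and tests each address separately with the Host header set, because Let's Encrypt tries IPv6 first when an AAAA record exists, so a v4-only working path is not enough. The local server, webroot, token and key authorization below are constructed for the demo so it runs offline; point check_per_address() at a real hostname and port 80 to test a live nginx server block. Two caveats for reading the original symptoms: certbot's nginx plugin serves the token from a temporary location directive it injects into the nginx config, not from a file on disk, so an empty acme-challenge directory during the --debug-challenges pause is expected; and a 301 to https is followed by the validator, which this check mirrors by reporting final_url.

```python
"""Pre-flight check for an http-01 challenge path (added example, not from the post)."""
import functools
import http.server
import os
import socket
import socketserver
import tempfile
import threading
import urllib.error
import urllib.request

CHALLENGE_DIR = ".well-known/acme-challenge"


def check_challenge(base_url, token, expected_body, host_header=None, timeout=5):
    """Fetch <base_url>/.well-known/acme-challenge/<token> and classify the answer.

    ok=True means a validator would accept it: 2xx and the body equals the
    key authorization. A 404 maps to certbot's "Invalid response"; a refused
    or timed-out connection maps to "Error getting validation data".
    """
    url = f"{base_url.rstrip('/')}/{CHALLENGE_DIR}/{token}"
    headers = {"User-Agent": "acme-preflight (constructed example)"}
    if host_header:  # talk to a literal IP but present the real vhost name
        headers["Host"] = host_header
    req = urllib.request.Request(url, headers=headers)
    result = {"url": url, "status": None, "ok": False, "detail": ""}
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read().decode("ascii", "replace").strip()
            result["status"] = resp.status
            result["final_url"] = resp.geturl()  # differs from url if a redirect was followed
            if body == expected_body:
                result["ok"] = True
            else:
                result["detail"] = f"body mismatch: got {body[:60]!r}"
    except urllib.error.HTTPError as e:
        result["status"] = e.code
        result["detail"] = f"HTTP {e.code}: wrong server block or root for the challenge path"
    except (urllib.error.URLError, OSError) as e:
        result["detail"] = f"connection failed: {e}"
    return result


def check_per_address(hostname, port, token, expected_body):
    """Run check_challenge against every A/AAAA address of hostname.

    Let's Encrypt connects to the AAAA address first when one exists, so each
    address must serve the token, not just the one your shell happens to pick.
    """
    results = []
    for family, _, _, _, sockaddr in socket.getaddrinfo(hostname, port, type=socket.SOCK_STREAM):
        ip = sockaddr[0]
        literal = f"[{ip}]" if family == socket.AF_INET6 else ip
        r = check_challenge(f"http://{literal}:{port}", token, expected_body, host_header=hostname)
        r["address"] = ip
        results.append(r)
    return results


class _QuietHandler(http.server.SimpleHTTPRequestHandler):
    def log_message(self, *args):  # keep the demo output clean
        pass


def serve_webroot(webroot):
    """Throwaway HTTP server on 127.0.0.1 serving webroot; returns (server, port)."""
    handler = functools.partial(_QuietHandler, directory=webroot)
    httpd = socketserver.TCPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    return httpd, httpd.server_address[1]


def demo():
    """Constructed scenario: one token written to the webroot, one left missing."""
    token = "constructed-token-abc123"                      # constructed, not a real ACME token
    key_authz = token + ".constructed-account-thumbprint"  # constructed key authorization
    with tempfile.TemporaryDirectory() as webroot:
        chal_dir = os.path.join(webroot, *CHALLENGE_DIR.split("/"))
        os.makedirs(chal_dir)
        with open(os.path.join(chal_dir, token), "w") as f:
            f.write(key_authz)
        httpd, port = serve_webroot(webroot)
        try:
            good = check_challenge(f"http://127.0.0.1:{port}", token, key_authz)
            missing = check_challenge(f"http://127.0.0.1:{port}", "no-such-token", key_authz)
            per_addr = check_per_address("127.0.0.1", port, token, key_authz)
        finally:
            httpd.shutdown()
            httpd.server_close()
    return good, missing, per_addr


if __name__ == "__main__":
    for r in demo()[:2]:
        print(r["status"], "ok" if r["ok"] else r["detail"], r["url"])
```

To use it against the nginx config above, drop a file with a known body into /usr/share/nginx/html/letsencrypt/.well-known/acme-challenge/ and call check_per_address("gumshoenoir.com", 80, "<filename>", "<body>") from a machine outside the VPS; any address that returns a 404 or a connection error is the one the validator is stumbling on.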