Certbot renewal says check DNS, confirmed DNS accurate

My Nextcloud box's cert is close to expiring. I noticed the email last week and started troubleshooting, found that the nginx plugin was broken, and had to figure out that it had been renamed from python-certbot-nginx to python3-certbot-nginx to get it updated; by that time my attempts had maxed out. So I waited a week.

Today I'm still getting issues, so I tried a verbose dry run in the hope that someone will see what's messed up. I've confirmed my DNS records are correct and that I can get to the server via v6 (since it seems it tries the v6 address for renewal). The permissions for the folder seem right, so I'm not sure why it's returning 404 to Certbot.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

nextcloud.nsnd20.com

I ran this command:

sudo certbot renew  --verbose --dry-run

It produced this output:

Root logging level set at 10
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/nextcloud.nsnd20.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Requested authenticator <certbot.cli._Default object at 0x7fe5aae5e5b0> and installer <certbot.cli._Default object at 0x7fe5aae5e5b0>
Var dry_run=True (set by user).
Var server={'dry_run', 'staging'} (set by user).
Var dry_run=True (set by user).
Var server={'dry_run', 'staging'} (set by user).
Var account={'server'} (set by user).
Should renew, less than 30 days before certificate expiry 2020-12-14 22:43:20 UTC.
Cert is due for renewal, auto-renewing...
Requested authenticator nginx and installer nginx
Single candidate plugin: * nginx
Description: Nginx Web Server plugin
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: nginx = certbot_nginx.configurator:NginxConfigurator
Initialized: <certbot_nginx.configurator.NginxConfigurator object at 0x7fe5aae61550>
Prep: True
Single candidate plugin: * nginx
Description: Nginx Web Server plugin
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: nginx = certbot_nginx.configurator:NginxConfigurator
Initialized: <certbot_nginx.configurator.NginxConfigurator object at 0x7fe5aae61550>
Prep: True
Selected authenticator <certbot_nginx.configurator.NginxConfigurator object at 0x7fe5aae61550> and installer <certbot_nginx.configurator.NginxConfigurator object at 0x7fe5aae61550>
Plugins selected: Authenticator nginx, Installer nginx
Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-staging-v02.api.letsencrypt.org/acme/acct/17080692', new_authzr_uri=None, terms_of_service=None), 6de239930c68e7f6167a09d091d60730, Meta(creation_dt=datetime.datetime(2020, 12, 13, 17, 55, 46, tzinfo=<UTC>), creation_host='newspace.nsnd20.com'))>
Sending GET request to https://acme-staging-v02.api.letsencrypt.org/directory.
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org:443
https://acme-staging-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 724
Received response:
HTTP 200
Server: nginx
Date: Sun, 13 Dec 2020 18:28:03 GMT
Content-Type: application/json
Content-Length: 724
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "gNslIRnl1kA": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-staging-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org/docs/staging-environment/"
  },
  "newAccount": "https://acme-staging-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-staging-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-staging-v02.api.letsencrypt.org/acme/revoke-cert"
}
Renewing an existing certificate
Requesting fresh nonce
Sending HEAD request to https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce.
https://acme-staging-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0
Received response:
HTTP 200
Server: nginx
Date: Sun, 13 Dec 2020 18:28:04 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0004cpwD0BsNGoZ_bulfSpCSZgpA13wrqvFUjYnOoJKCCd0
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800


Storing nonce: 0004cpwD0BsNGoZ_bulfSpCSZgpA13wrqvFUjYnOoJKCCd0
JWS payload:
b'{\n  "identifiers": [\n    {\n      "type": "dns",\n      "value": "nextcloud.nsnd20.com"\n    }\n  ]\n}'
Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/new-order:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xNzA4MDY5MiIsICJub25jZSI6ICIwMDA0Y3B3RDBCc05Hb1pfYnVsZlNwQ1NaZ3BBMTN3cnF2RlVqWW5Pb0pLQ0NkMCIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9uZXctb3JkZXIifQ",
  "signature": "lhn4KxIlygqHnIN3wYdthP9A9f7p85NUwNWUb_EiMXrhPqeFC0gTZ6xO9cdoTV4LIrUijo-z2MJYR8kOHHJCsNh31LD0hB9oeORLWZ5uzQqnE1H0U2YbYvlwj9Ec09kF0eEaC9EcO8fR6RP9Mytj04KoIyAUvC818-Cw2Al0sQPloL18xNs_AiXTFj6yM-ZpQJAL9emUhSoUzjKHEeBnUOTfcpAXJkA-rCFXX3fGw7o4W9H5XVWTV8wegz2N7fJdC1MPGWlv7uvrdgs11X8pJunGv47dwfUQcZ2Cvy9EHiLRUWE_LFgoMo0sZSDa8EfEpaN9m_4vFHbo577VtJWYoQ",
  "payload": "ewogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwKICAgICAgInZhbHVlIjogIm5leHRjbG91ZC5uc25kMjAuY29tIgogICAgfQogIF0KfQ"
}
https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 364
Received response:
HTTP 201
Server: nginx
Date: Sun, 13 Dec 2020 18:28:04 GMT
Content-Type: application/json
Content-Length: 364
Connection: keep-alive
Boulder-Requester: 17080692
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Location: https://acme-staging-v02.api.letsencrypt.org/acme/order/17080692/201287909
Replay-Nonce: 0003lyGuYR7bUT7ivJ7J4GmWZTbuJywIIdBoexwR9q-WaLY
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "status": "pending",
  "expires": "2020-12-20T18:28:04.261110485Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "nextcloud.nsnd20.com"
    }
  ],
  "authorizations": [
    "https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/172011149"
  ],
  "finalize": "https://acme-staging-v02.api.letsencrypt.org/acme/finalize/17080692/201287909"
}
Storing nonce: 0003lyGuYR7bUT7ivJ7J4GmWZTbuJywIIdBoexwR9q-WaLY
JWS payload:
b''
Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/172011149:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xNzA4MDY5MiIsICJub25jZSI6ICIwMDAzbHlHdVlSN2JVVDdpdko3SjRHbVdaVGJ1Snl3SUlkQm9leHdSOXEtV2FMWSIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My8xNzIwMTExNDkifQ",
  "signature": "q1KxsT-SaGUdrPsWGwiRsyd-So57l2abwSlKEnZOeU1EfCHbDdSXr6n739ag3tf95ImhIl-AaygpSIVZ3fHvosukTfk-rFBE7TLdDbVoN6Zyy3IqAF3UzYUyenZJHdUCWqa8fW7DPgDo5W0UCeLzJwmPZnz5_2l1dViAJCqcw_VcfCCiuXpAed9v4IYXIGI4xYXE0sfGEWFQdXHuJbqSjTKZpQTMlivJHporv3V27HXo79jMes3BWDRw5yMONxlTxJ1zVr9Z3FnchIhggbVzAlcqw4jcjzFKpovLt_0aJu9xrH3NLraxW-faBii1Gbua2P6jg1Q33tKv8fy2ogUynA",
  "payload": ""
}
https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/172011149 HTTP/1.1" 200 819
Received response:
HTTP 200
Server: nginx
Date: Sun, 13 Dec 2020 18:28:04 GMT
Content-Type: application/json
Content-Length: 819
Connection: keep-alive
Boulder-Requester: 17080692
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 000478MQnkTpJcMS27iRBUyDmRfLUIwPIQWaNsteDUOwhN8
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "nextcloud.nsnd20.com"
  },
  "status": "pending",
  "expires": "2020-12-20T18:28:04Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/172011149/dlGBhA",
      "token": "GoaVhblqkQnX-DPgwnCOsfEv44b68KO207BA8m9FMVI"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/172011149/W-MV5g",
      "token": "GoaVhblqkQnX-DPgwnCOsfEv44b68KO207BA8m9FMVI"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/172011149/_6MbBQ",
      "token": "GoaVhblqkQnX-DPgwnCOsfEv44b68KO207BA8m9FMVI"
    }
  ]
}
Storing nonce: 000478MQnkTpJcMS27iRBUyDmRfLUIwPIQWaNsteDUOwhN8
Performing the following challenges:
http-01 challenge for nextcloud.nsnd20.com
Generated server block:
[]
Creating backup of /etc/nginx/conf.d/default.conf
Creating backup of /etc/nginx/conf.d/nextcloud.conf
Creating backup of /etc/nginx/modules-enabled/50-mod-stream.conf
Creating backup of /etc/nginx/modules-enabled/50-mod-mail.conf
Creating backup of /etc/letsencrypt/options-ssl-nginx.conf
Creating backup of /etc/nginx/modules-enabled/50-mod-http-xslt-filter.conf
Creating backup of /etc/nginx/mime.types
Creating backup of /etc/nginx/modules-enabled/50-mod-http-image-filter.conf
Creating backup of /etc/nginx/nginx.conf
Writing nginx conf tree to /etc/nginx/nginx.conf:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
        worker_connections 768;
        # multi_accept on;
}

http {
include /etc/letsencrypt/le_http_01_cert_challenge.conf;
server_names_hash_bucket_size 128;

        ##
        # Basic Settings
        ##

        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        keepalive_timeout 65;
        types_hash_max_size 2048;
        # server_tokens off;

        # server_names_hash_bucket_size 64;
        # server_name_in_redirect off;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        ##
        # SSL Settings
        ##

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
        ssl_prefer_server_ciphers on;

        ##
        # Logging Settings
        ##

        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;

        ##
        # Gzip Settings
        ##

        gzip on;

        # gzip_vary on;
        # gzip_proxied any;
        # gzip_comp_level 6;
        # gzip_buffers 16 8k;
        # gzip_http_version 1.1;
        # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

        ##
        # Virtual Host Configs
        ##

        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;
}


#mail {
#       # See sample authentication script at:
#       # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
# 
#       # auth_http localhost/auth.php;
#       # pop3_capabilities "TOP" "USER";
#       # imap_capabilities "IMAP4rev1" "UIDPLUS";
# 
#       server {
#               listen     localhost:110;
#               protocol   pop3;
#               proxy      on;
#       }
# 
#       server {
#               listen     localhost:143;
#               protocol   imap;
#               proxy      on;
#       }
#}

Writing nginx conf tree to /etc/nginx/conf.d/nextcloud.conf:
server {
    server_name nextcloud.nsnd20.com;

    # Add headers to serve security related headers
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;
    add_header Referrer-Policy no-referrer;

    #I found this header is needed on Ubuntu, but not on Arch Linux. 
    add_header X-Frame-Options "SAMEORIGIN";

    # Path to the root of your installation
    root /usr/share/nginx/nextcloud/;

    access_log /var/log/nginx/nextcloud.access;
    error_log /var/log/nginx/nextcloud.error;

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # The following 2 rules are only needed for the user_webfinger app.
    # Uncomment it if you're planning to use this app.
    rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
    rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;

    location = /.well-known/carddav {
        return 301 $scheme://$host/remote.php/dav;
    }
    location = /.well-known/caldav {
       return 301 $scheme://$host/remote.php/dav;
    }

    location ~ /.well-known/acme-challenge {
      allow all;
    }

    # set max upload size
    client_max_body_size 512M;
    fastcgi_buffers 64 4K;

    # Disable gzip to avoid the removal of the ETag header
    gzip off;

    # Uncomment if your server is build with the ngx_pagespeed module
    # This module is currently not supported.
    #pagespeed off;

    error_page 403 /core/templates/403.php;
    error_page 404 /core/templates/404.php;

    location / {
       rewrite ^ /index.php;
    }

    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
       deny all;
    }
    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
       deny all;
     }

    location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
       include fastcgi_params;
       fastcgi_split_path_info ^(.+\.php)(/.*)$;
       try_files $fastcgi_script_name =404;
       fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
       fastcgi_param PATH_INFO $fastcgi_path_info;
       #Avoid sending the security headers twice
       fastcgi_param modHeadersAvailable true;
       fastcgi_param front_controller_active true;
       fastcgi_pass unix:/run/php/php7.4-fpm.sock;
       fastcgi_intercept_errors on;
       fastcgi_request_buffering off;
    }

    location ~ ^/(?:updater|ocs-provider)(?:$|/) {
       try_files $uri/ =404;
       index index.php;
    }

    # Adding the cache control header for js and css files
    # Make sure it is BELOW the PHP block
    location ~* \.(?:css|js)$ {
        try_files $uri /index.php$uri$is_args$args;
        add_header Cache-Control "public, max-age=7200";
        # Add headers to serve security related headers (It is intended to
        # have those duplicated to the ones above)
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Robots-Tag none;
        add_header X-Download-Options noopen;
        add_header X-Permitted-Cross-Domain-Policies none;
        add_header Referrer-Policy no-referrer;
        # Optional: Don't log access to assets
        access_log off;
   }

   location ~* \.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg)$ {
        try_files $uri /index.php$uri$is_args$args;
        # Optional: Don't log access to other assets
        access_log off;
   }

    listen 443 ssl http2; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/nextcloud.nsnd20.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/nextcloud.nsnd20.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
    add_header Strict-Transport-Security "max-age=31536000" always;

    ssl_trusted_certificate /etc/letsencrypt/live/nextcloud.nsnd20.com/chain.pem; # managed by Certbot
    ssl_stapling on; # managed by Certbot
    ssl_stapling_verify on; # managed by Certbot

}
server {rewrite ^(/.well-known/acme-challenge/.*) $1 break; # managed by Certbot


    if ($host = nextcloud.nsnd20.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    listen 80;
    server_name nextcloud.nsnd20.com;
    return 404; # managed by Certbot


location = /.well-known/acme-challenge/GoaVhblqkQnX-DPgwnCOsfEv44b68KO207BA8m9FMVI{default_type text/plain;return 200 GoaVhblqkQnX-DPgwnCOsfEv44b68KO207BA8m9FMVI.OO9NJj5J5v0-I0yla9PB1MXDKajtLzZOMy8RSOWrF84;} # managed by Certbot

}

Waiting for verification...
JWS payload:
b'{\n  "resource": "challenge",\n  "type": "http-01"\n}'
Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/172011149/dlGBhA:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xNzA4MDY5MiIsICJub25jZSI6ICIwMDA0NzhNUW5rVHBKY01TMjdpUkJVeURtUmZMVUl3UElRV2FOc3RlRFVPd2hOOCIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9jaGFsbC12My8xNzIwMTExNDkvZGxHQmhBIn0",
  "signature": "ES7SLxsj7nzDrtbAuyMZ-xJImAb07mCrJM7ie3M-Fedk5VzndaG5Ug1hx_0luMzgsKdv2RMs2vd1AgtfRyniesaPe0qg0aKmTIMdOScQeDnVUKkx56i1Usi75Lv0IrdKK6SBM7aABhNa3_J_Zy1EtoC9tPW9-cmmzcQpRl9y4cgWUeNMY6HBRmTAAQTprJQrC6KZsztlX-lnnjHl7QPisWk2wcydNb5pNB3AzxXwXrdtuW6WwdqFydZeLbcF8g7X_xlR9QEV_1ryzJBkRkWowFVzThveAD9ua5oih4ZWpCu3Faw3zxgcyT2Nq3OdXNNN1ZrpspcfE0vyudGOFHQ2lw",
  "payload": "ewogICJyZXNvdXJjZSI6ICJjaGFsbGVuZ2UiLAogICJ0eXBlIjogImh0dHAtMDEiCn0"
}
https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/chall-v3/172011149/dlGBhA HTTP/1.1" 200 192
Received response:
HTTP 200
Server: nginx
Date: Sun, 13 Dec 2020 18:28:05 GMT
Content-Type: application/json
Content-Length: 192
Connection: keep-alive
Boulder-Requester: 17080692
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index", <https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/172011149>;rel="up"
Location: https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/172011149/dlGBhA
Replay-Nonce: 0003B16lqUUX_Ep31c_b4tHjipzwCaClWCufajCWoZUJI-s
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "type": "http-01",
  "status": "pending",
  "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/172011149/dlGBhA",
  "token": "GoaVhblqkQnX-DPgwnCOsfEv44b68KO207BA8m9FMVI"
}
Storing nonce: 0003B16lqUUX_Ep31c_b4tHjipzwCaClWCufajCWoZUJI-s
JWS payload:
b''
Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/172011149:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xNzA4MDY5MiIsICJub25jZSI6ICIwMDAzQjE2bHFVVVhfRXAzMWNfYjR0SGppcHp3Q2FDbFdDdWZhakNXb1pVSkktcyIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My8xNzIwMTExNDkifQ",
  "signature": "amBtz-5xe9sDUcf2N2OtqYXqqpAImtScqFKKWdgCjG3r1mD5ffwr_I8q5VGQlm5i5J7aXQIa_SNHbsx55nF6tIn2AKUnHrjw2z5tAVhriJUuR_xa50RmdYCL5QaEzpXSJvh5CXwTDjNGUTNrjkb_mhVT4WqDKvSFr7q-YfSzqQfeTWXHRhY6wJm0b8pdMPDknAzkOcFD8tEGxLx_xpnU8UnVjzI83EIu5cW6MG9QyAc_0v7nnqxzTQgSLVDdedVuilksfzi69e_nJffbPpgsx7apNaVvGAnLcK2WmHbohwJ-Sdo-SLOjdW7yySquVMAl9jXj1gAKwoOuK3oLiIVjrw",
  "payload": ""
}
https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/172011149 HTTP/1.1" 200 1343
Received response:
HTTP 200
Server: nginx
Date: Sun, 13 Dec 2020 18:28:06 GMT
Content-Type: application/json
Content-Length: 1343
Connection: keep-alive
Boulder-Requester: 17080692
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 00041UZvc9A2wGphFhlL-aRExMPbwZMibF32BxpL-dSCUdE
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "nextcloud.nsnd20.com"
  },
  "status": "invalid",
  "expires": "2020-12-20T18:28:04Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "Invalid response from http://nextcloud.nsnd20.com/.well-known/acme-challenge/GoaVhblqkQnX-DPgwnCOsfEv44b68KO207BA8m9FMVI [2604:a880:2:d0::1004:6001]: \"\u003chtml\u003e\\r\\n\u003chead\u003e\u003ctitle\u003e404 Not Found\u003c/title\u003e\u003c/head\u003e\\r\\n\u003cbody\u003e\\r\\n\u003ccenter\u003e\u003ch1\u003e404 Not Found\u003c/h1\u003e\u003c/center\u003e\\r\\n\u003chr\u003e\u003ccenter\u003enginx/1.18.0 (Ub\"",
        "status": 403
      },
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/172011149/dlGBhA",
      "token": "GoaVhblqkQnX-DPgwnCOsfEv44b68KO207BA8m9FMVI",
      "validationRecord": [
        {
          "url": "http://nextcloud.nsnd20.com/.well-known/acme-challenge/GoaVhblqkQnX-DPgwnCOsfEv44b68KO207BA8m9FMVI",
          "hostname": "nextcloud.nsnd20.com",
          "port": "80",
          "addressesResolved": [
            "138.197.211.252",
            "2604:a880:2:d0::1004:6001"
          ],
          "addressUsed": "2604:a880:2:d0::1004:6001"
        }
      ]
    }
  ]
}
Storing nonce: 00041UZvc9A2wGphFhlL-aRExMPbwZMibF32BxpL-dSCUdE
Challenge failed for domain nextcloud.nsnd20.com
http-01 challenge for nextcloud.nsnd20.com
Reporting to user: The following errors were reported by the server:

Domain: nextcloud.nsnd20.com
Type:   unauthorized
Detail: Invalid response from http://nextcloud.nsnd20.com/.well-known/acme-challenge/GoaVhblqkQnX-DPgwnCOsfEv44b68KO207BA8m9FMVI [2604:a880:2:d0::1004:6001]: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body>\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>nginx/1.18.0 (Ub"

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.
Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 91, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 180, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

Calling registered functions
Cleaning up challenges
Attempting to renew cert (nextcloud.nsnd20.com) from /etc/letsencrypt/renewal/nextcloud.nsnd20.com.conf produced an unexpected error: Some challenges have failed.. Skipping.
Traceback was:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 462, in handle_renewal_request
    main.renew_cert(lineage_config, plugins, renewal_candidate)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1208, in renew_cert
    renewed_lineage = _get_and_save_cert(le_client, config, lineage=lineage)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 116, in _get_and_save_cert
    renewal.renew_cert(config, domains, le_client, lineage)
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 320, in renew_cert
    new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 348, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 396, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 91, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 180, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/nextcloud.nsnd20.com/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/nextcloud.nsnd20.com/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.40.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1382, in main
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1287, in renew
    renewal.handle_renewal_request(config)
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 486, in handle_renewal_request
    raise errors.Error("{0} renew failure(s), {1} parse failure(s)".format(
certbot.errors.Error: 1 renew failure(s), 0 parse failure(s)
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: nextcloud.nsnd20.com
   Type:   unauthorized
   Detail: Invalid response from
   http://nextcloud.nsnd20.com/.well-known/acme-challenge/GoaVhblqkQnX-DPgwnCOsfEv44b68KO207BA8m9FMVI
   [2604:a880:2:d0::1004:6001]: "<html>\r\n<head><title>404 Not
   Found</title></head>\r\n<body>\r\n<center><h1>404 Not
   Found</h1></center>\r\n<hr><center>nginx/1.18.0 (Ub"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

My web server is (include version):

sudo certbot renew --verbose --dry-run

The operating system my web server runs on is (include version):

Linux 5.4.0-56-generic #62-Ubuntu SMP Mon Nov 23 19:20:19 UTC 2020

My hosting provider, if applicable, is:

DigitalOcean

I can login to a root shell on my machine (yes or no, or I don't know): yes, but through sudo

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

certbot 0.40.0

Hi @Notsonoble

see your error:

Checking your domain - https://check-your-website.server-daten.de/?q=nextcloud.nsnd20.com - you have IPv4 and IPv6.

But there are different answers: http + IPv4 redirects to https, http + IPv6 does not. Looks like different servers answer, or IPv6 answers with the standard vHost.

  • Fix that (or)
  • Remove the IPv6.

Let's Encrypt prefers IPv6, so that's critical.

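The reply above says the two address families answer differently, and the log shows Let's Encrypt used the AAAA address and got nginx's stock 404. The script below reproduces that check from the outside: it resolves every A/AAAA address, sends the challenge GET to each address explicitly with the Host header set, and reports per address whether the body starts with the token. This is an added example, not Certbot's code or anything from the original post; the script name, the User-Agent string, port 80 and the offline sample responses (built from the token and the 404 body in the log) are my assumptions.

```python
"""Fetch an http-01 challenge URL over each address the name resolves to,
with the Host header set, and compare what IPv4 and IPv6 answer.
Added example (not Certbot's own code); the sample responses are constructed."""
import http.client
import socket
from typing import Callable, Dict, List, Tuple

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
Fetcher = Callable[[str, str, str], Tuple[int, str]]


def resolve_all(hostname: str) -> List[str]:
    """Every A and AAAA address for the name; the CA tries these itself and
    picks IPv6 first when an AAAA record exists."""
    infos = socket.getaddrinfo(hostname, 80, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def fetch_over(ip: str, hostname: str, path: str, timeout: float = 10.0) -> Tuple[int, str]:
    """GET http://<ip><path> with Host: <hostname>, so the request is forced onto
    the address we chose instead of whatever the local resolver prefers.
    Redirects are returned as-is rather than followed."""
    host = f"[{ip}]" if ":" in ip else ip  # http.client expects bracketed IPv6 literals
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": hostname, "User-Agent": "acme-family-check"})
        resp = conn.getresponse()
        return resp.status, resp.read(256).decode("utf-8", "replace")
    finally:
        conn.close()


def check_challenge(hostname: str, token: str, addresses: List[str],
                    fetch: Fetcher = fetch_over) -> Dict[str, str]:
    """Run the fetch against every address and classify each answer. The key
    authorization the CA expects is "<token>.<account thumbprint>", so a 200 whose
    body starts with the token and a dot is accepted; a 404 means the request
    landed in a vhost that has no challenge location (typically nginx's default
    server for that port), which is exactly what the log above shows for IPv6."""
    path = CHALLENGE_PREFIX + token
    verdicts: Dict[str, str] = {}
    for ip in addresses:
        try:
            status, body = fetch(ip, hostname, path)
        except OSError as exc:  # refused, timed out, no route
            verdicts[ip] = f"unreachable: {exc}"
            continue
        if status == 200 and body.startswith(token + "."):
            verdicts[ip] = "ok"
        elif status == 404:
            verdicts[ip] = "404: no challenge location in the vhost that answered (default server?)"
        elif status in (301, 302, 307, 308):
            verdicts[ip] = f"{status} redirect: the CA follows it, so the target must serve the token"
        else:
            verdicts[ip] = f"unexpected {status}: {body[:60]!r}"
    return verdicts


def families_disagree(verdicts: Dict[str, str]) -> bool:
    """True when IPv4 and IPv6 give different verdicts, the symptom in this thread."""
    v4 = {v for ip, v in verdicts.items() if ":" not in ip}
    v6 = {v for ip, v in verdicts.items() if ":" in ip}
    return bool(v4 and v6) and v4 != v6


# Constructed sample mirroring the log: IPv4 serves the key authorization,
# IPv6 falls through to the default vhost and gets nginx's 404 page.
SAMPLE_TOKEN = "GoaVhblqkQnX-DPgwnCOsfEv44b68KO207BA8m9FMVI"
SAMPLE_RESPONSES = {
    "138.197.211.252": (200, SAMPLE_TOKEN + ".OO9NJj5J5v0-I0yla9PB1MXDKajtLzZOMy8RSOWrF84"),
    "2604:a880:2:d0::1004:6001": (404, "<html>\r\n<head><title>404 Not Found</title></head>"),
}


def sample_fetch(ip: str, hostname: str, path: str) -> Tuple[int, str]:
    """Offline stand-in for fetch_over that replays the constructed responses."""
    return SAMPLE_RESPONSES[ip]


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # live: python3 acme_family_check.py <hostname> <token>
        name, tok = sys.argv[1], sys.argv[2]
        result = check_challenge(name, tok, resolve_all(name))
    else:                   # offline demo on the constructed sample
        result = check_challenge("nextcloud.nsnd20.com", SAMPLE_TOKEN,
                                 list(SAMPLE_RESPONSES), fetch=sample_fetch)
    for addr, verdict in result.items():
        print(f"{addr:28} {verdict}")
    print("IPv4 and IPv6 disagree:", families_disagree(result))
```

For a live run you need a token that is actually staged on the server at that moment: certbot's --debug-challenges flag pauses after the nginx plugin has written the challenge location and prints the token, which is the window in which to run the script against the real name. The thumbprint half of the key authorization cannot be checked without the account key, so only the token prefix is verified; the point of the tool is the per-address comparison, not a full ACME validation.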

As you didn't get any certificates issued, the waiting period of a week probably wasn't necessary.

Hmm, not sure why the v6 address wouldn't redirect, but at least that's something to figure out. Thanks.

And fixed: the listen [::]:443 ssl http2; was missing. Oddly enough, so was listen [::]:80, but testing on IPv6 test sites said it was reachable. I'm currently sitting on a v4-only box so I couldn't test myself (yay TX home service providers). Will try from a v6-enabled box later.
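The post above found the cause: the server blocks had listen 443 and listen 80 but no [::] counterparts, so IPv6 requests for the name fell through to nginx's default server for that port. The checker below is an added example (my code, not part of this thread or of Certbot) that parses an nginx config with a small tokenizer, collects the listen and server_name directives of every server block, and reports ports bound for one address family only. The sample config is constructed to match the nextcloud.conf dumped in the log; only the third, default-server block is invented for contrast. An IPv4-only bind is only a problem when the name also publishes an AAAA record, which is why the tool reports rather than fails.

```python
"""Audit nginx server blocks for ports that listen on IPv4 but not IPv6 (or
vice versa). Added example, not nginx or Certbot code; sample config constructed."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class ServerBlock:
    names: List[str] = field(default_factory=list)
    listens: List[str] = field(default_factory=list)  # raw args, e.g. "[::]:443 ssl http2"


# comment | "double quoted" | 'single quoted' | one of { } ; | bare word
_TOKEN = re.compile(
    r'\s*(?:(#[^\n]*)|("(?:[^"\\]|\\.)*")|(\'(?:[^\'\\]|\\.)*\')|([{};])|([^\s{};"\']+))')


def tokenize(text: str) -> List[str]:
    """Split nginx config text into tokens, dropping comments and keeping
    quoted strings whole (so a ';' inside "1; mode=block" is not a terminator)."""
    tokens, pos = [], 0
    while True:
        m = _TOKEN.match(text, pos)
        if not m:
            break
        pos = m.end()
        comment, dq, sq, punct, word = m.groups()
        if comment is None:
            tokens.append(dq or sq or punct or word)
    return tokens


def find_servers(tokens: List[str]) -> List[ServerBlock]:
    """Collect listen/server_name directives that sit directly inside each
    'server { ... }'; nested location/if blocks are walked over and ignored."""
    servers: List[ServerBlock] = []
    current: Optional[Tuple[ServerBlock, int]] = None  # (block, depth it opened at)
    depth, args = 0, []
    for tok in tokens:
        if tok == "{":
            depth += 1
            if args == ["server"] and current is None:
                current = (ServerBlock(), depth)
            args = []
        elif tok == "}":
            if current and depth == current[1]:
                servers.append(current[0])
                current = None
            depth -= 1
            args = []
        elif tok == ";":
            if current and depth == current[1] and args:
                if args[0] == "listen":
                    current[0].listens.append(" ".join(args[1:]))
                elif args[0] == "server_name":
                    current[0].names.extend(args[1:])
            args = []
        else:
            args.append(tok)
    return servers


def parse_listen(args: str) -> Tuple[str, Optional[int], bool]:
    """(family, port, is_default) for one listen directive's arguments."""
    first, *flags = args.split()
    is_default = "default_server" in flags or "default" in flags
    if first.startswith("unix:"):
        return "unix", None, is_default
    if first.startswith("["):                     # [::]:443, [::1]:80, or bare [::] (port 80)
        port = int(first.rsplit("]:", 1)[1]) if "]:" in first else 80
        return "v6", port, is_default
    if ":" in first:                              # 1.2.3.4:80 or *:80
        return "v4", int(first.rsplit(":", 1)[1]), is_default
    return "v4", (int(first) if first.isdigit() else 80), is_default


def audit(servers: List[ServerBlock]) -> List[Tuple[str, int, str]]:
    """(server_name, port, advice) for every port a block binds on one family only."""
    findings = []
    for s in servers:
        by_port = {}
        for raw in s.listens:
            fam, port, _ = parse_listen(raw)
            if port is not None:
                by_port.setdefault(port, set()).add(fam)
        label = " ".join(s.names) or "<unnamed>"
        for port, fams in sorted(by_port.items()):
            if fams == {"v4"}:
                findings.append((label, port, f"IPv4 only; add 'listen [::]:{port} ...;' if the name has an AAAA record"))
            elif fams == {"v6"}:
                findings.append((label, port, f"IPv6 only; add 'listen {port} ...;' if the name has an A record"))
    return findings


SAMPLE_CONF = r"""
server {
    server_name nextcloud.nsnd20.com;
    add_header X-XSS-Protection "1; mode=block";
    root /usr/share/nginx/nextcloud/;
    location ~ /.well-known/acme-challenge { allow all; }
    listen 443 ssl http2; # managed by Certbot
}
server {
    if ($host = nextcloud.nsnd20.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    listen 80;
    server_name nextcloud.nsnd20.com;
    return 404; # managed by Certbot
}
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
}
"""

if __name__ == "__main__":
    for name, port, advice in audit(find_servers(tokenize(SAMPLE_CONF))):
        print(f"{name}:{port}  {advice}")
```

Run it on the real tree with nginx -T piped in (python3 listen_audit.py < <(sudo nginx -T)) by swapping SAMPLE_CONF for sys.stdin.read(); nginx -T prints every included file, which matters here because the default server usually lives in a different file than the vhost being renewed.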

That's not the complete solution, see your check result (part url-checks).

That explains why https + IPv6 had a timeout.

But http / port 80 has different answers.

Looks like different vHosts answer.

To confirm your IP addresses, try this from your server:
curl -4 ifconfig.co
curl -6 ifconfig.co

This is a tremendously useful trick, but it's also worth noting its limitations:

  • if you're behind a reverse proxy, load balancer, or NAT firewall, your outbound IP address might not always match the inbound IP address that users will use to connect to you

  • especially in IPv6, a single network interface could get configured with several different kinds of address and, again, the outbound one that gets preferred for routing might not be the same one that users will use to reach you (although that issue wouldn't appear by default in a typical VPS setup)

(In a typical VPS setup, your inbound and default outbound addresses are going to be the same and the method Rudy suggested should work perfectly.)


Which is a very good method of identifying this actually :wink:

if ($remote_test_address != $internal_address) {
  // I must be behind some kind of firewall/NAT router and connecting to my internal address might prove impossible!
}
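The curl -4 / curl -6 trick, the caveat about NAT and multiple IPv6 addresses, and the remote-vs-internal comparison sketched above fit together as one check. The script below is an added example (mine, not from anyone in this thread): for each address family it takes the addresses published in DNS, the outbound address the box presents, and the addresses on its own interfaces, and classifies the situation. The live gatherers assume dig, curl and iproute2 with JSON output (ip -j) are installed; the sample data is constructed from the addresses in the log plus an invented private IPv4 and an invented IPv6 privacy address, so it runs offline.

```python
"""Per address family: does the name point at this host directly, through
NAT, or somewhere else? Added example; sample data constructed."""
import ipaddress
import json
import subprocess
from typing import Dict, Iterable, List


def _is_ip(s: str) -> bool:
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False


def classify(dns: Iterable[str], outbound: Iterable[str], local: Iterable[str]) -> str:
    """dns: addresses published for the name; outbound: what an external
    reflector such as ifconfig.co saw; local: global addresses on this host.
      direct      a published address is configured on an interface here, so a
                  differing outbound address (IPv6 privacy address) is harmless
      nat/proxy   published == outbound but not on any interface: NAT or a
                  1:1-mapped address; works only if port 80/443 is forwarded in
      mismatch    the name points somewhere this host is not; the CA will be
                  talking to another machine
      no-records  nothing published for this family, so the CA cannot use it"""
    dns_set, local_set = set(dns), set(local)
    if not dns_set:
        return "no-records"
    if dns_set & local_set:
        return "direct"
    if dns_set & set(outbound):
        return "nat/proxy"
    return "mismatch"


def report(data: Dict[int, Dict[str, List[str]]]) -> Dict[int, str]:
    """data = {4: {"dns": [...], "outbound": [...], "local": [...]}, 6: {...}}"""
    return {fam: classify(d["dns"], d["outbound"], d["local"]) for fam, d in data.items()}


# Live gatherers (assumed tooling: dig, curl, iproute2 >= 4.14 for 'ip -j').
def live_dns(name: str, family: int) -> List[str]:
    rtype = "A" if family == 4 else "AAAA"
    out = subprocess.run(["dig", "+short", rtype, name], capture_output=True, text=True)
    return [tok for tok in out.stdout.split() if _is_ip(tok)]


def live_outbound(family: int) -> List[str]:
    out = subprocess.run(["curl", "-s", f"-{family}", "ifconfig.co"], capture_output=True, text=True)
    addr = out.stdout.strip()
    return [addr] if out.returncode == 0 and _is_ip(addr) else []


def live_local(family: int) -> List[str]:
    out = subprocess.run(["ip", "-j", f"-{family}", "addr"], capture_output=True, text=True, check=True)
    return [a["local"] for iface in json.loads(out.stdout)
            for a in iface.get("addr_info", []) if a.get("scope") == "global"]


def gather(name: str) -> Dict[int, Dict[str, List[str]]]:
    return {fam: {"dns": live_dns(name, fam), "outbound": live_outbound(fam),
                  "local": live_local(fam)} for fam in (4, 6)}


# Constructed sample: the two addresses from the log, plus a private IPv4 and a
# temporary IPv6 address that the box happens to use outbound.
SAMPLE = {
    4: {"dns": ["138.197.211.252"], "outbound": ["138.197.211.252"],
        "local": ["138.197.211.252", "10.17.0.5"]},
    6: {"dns": ["2604:a880:2:d0::1004:6001"],
        "outbound": ["2604:a880:2:d0:1d2f:9c3a:77e1:4b10"],
        "local": ["2604:a880:2:d0::1004:6001", "2604:a880:2:d0:1d2f:9c3a:77e1:4b10"]},
}

if __name__ == "__main__":
    import sys
    data = gather(sys.argv[1]) if len(sys.argv) == 2 else SAMPLE
    for fam, verdict in report(data).items():
        print(f"IPv{fam}: {verdict}  dns={data[fam]['dns']} outbound={data[fam]['outbound']}")
```

The IPv6 case in the sample is the one the reply above warns about: outbound and published addresses differ, yet the verdict is still direct because the published address is on an interface, which is what matters for an inbound validation request.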

I get the same IPs as I do from ipaddr and DO's web interface.


OK!
IP addresses: :heavy_check_mark:

Now to the nginx config...
Please show the relevant vhost config (or the entire config - if not too large).
