Cert fine but certbot keeps trying to find challenge


#1

My new certificate was obtained without too much issue for nginx on debian, using certbot. I used the certonly flag as the nginx plugin apparently isn’t available for now. I got the cert fine, and added the appropriate config to nginx. All is working fine except the certbot server is continually trying to hit challenge files on my server. Here’s an excerpt from my error log.

2018/06/13 04:09:59 [error] 15331#15331: *2090 open() "/mnt/ext/www/.well-known/acme-challenge/BPSGAkWuDJGJECfFX-SdKc_i_modS6nBIyRClN-ZcHk" failed (2: No such file or directory), client: 66.133.109.36, server: dev.offthebricks.com, request: "GET /.well-known/acme-challenge/BPSGAkWuDJGJECfFX-SdKc_i_modS6nBIyRClN-ZcHk HTTP/1.1", host: "dev.offthebricks.com
2018/06/13 04:19:57 [error] 15329#15329: *2112 open() "/mnt/ext/www/.well-known/acme-challenge/V86q_i405QJKom8jPEFO1jwpx3MDw8v76f5j1XNrGSA" failed (2: No such file or directory), client: 66.133.109.36, server: dev.offthebricks.com, request: "GET /.well-known/acme-challenge/V86q_i405QJKom8jPEFO1jwpx3MDw8v76f5j1XNrGSA HTTP/1.1", host: "dev.offthebricks.com


#2

Hi,

Can you confirm the timezone & your cronjob doesn’t have a renew line? (E.g. certbot renew etc…)

P.S. your dev server is serving phpinfo as a default. I strongly advise removing that (or hide it from the public)

Thank you


#3

Although that should be fine, unless somehow a --force-renew or --renew-by-default switch/option managed to get in the command line or cli.ini.


#4

Hm, I didn’t even consider the cronjob. Here’s what I’ve got. Can you suggest an alternative?

0 2 * * * certbot renew >> /var/log/letsencrypt.log


#5

Timezone was also incorrectly still set to UTC. I have adjusted to ‘America/Vancouver’ for Pacific timezone.


#6

And now, can you please see if the let’s encrypt server is still trying to access your website?


#7

Although there was a longer delay this time (30 minutes), it is still trying to access it.

2018/06/13 05:54:53 [error] 15332#15332: *2308 open() "/mnt/ext/www/.well-known/acme-challenge/3w8ewEhglrTX-_oemsfN7Kid7nYQn9jGPTTBSfkeUvo" failed (2: No such file or directory), client: 66.133.109.36, server: dev.offthebricks.com, request: "GET /.well-known/acme-challenge/3w8ewEhglrTX-_oemsfN7Kid7nYQn9jGPTTBSfkeUvo HTTP/1.1", host: "dev.offthebricks.com


#8

Hi @Mircer,

The first thing you should try to check is whether those nginx log entries match the entries in your /var/log/letsencrypt/letsencrypt.log because if the log entries don’t match (date and time) maybe you should look into your other machine, the one where you have the cpanel because maybe that machine is trying to renew your cert once and again if you configured your dev domain some time ago…

Note: Regarding date and time, keep in mind that /var/log/letsencrypt/letsencrypt.log entries are in UTC if your certbot version is 0.22.0 or older; from version 0.23.0 the date and time shown match the system time zone.

Edit: I forgot to say that maybe you are using systemd timers instead of cron jobs; you can check them using systemctl list-timers

Cheers,
sahsanu
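
One way to do the check suggested in #8, as an added example that is not from this thread: it matches each failed acme-challenge hit in the nginx error log against the timestamps in letsencrypt.log, converting certbot's log to UTC when the version is 0.22.0 or older. The log lines below are constructed in the formats shown in the thread, and the fixed UTC-7 offset is an assumption standing in for an America/Vancouver system zone in June.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines in the nginx error-log shape seen in the thread (not real logs).
NGINX_ERROR_LOG = """\
2018/06/13 04:09:59 [error] 15331#15331: *2090 open() "/mnt/ext/www/.well-known/acme-challenge/TOKEN-A" failed (2: No such file or directory), client: 198.51.100.7, server: dev.example.com, request: "GET /.well-known/acme-challenge/TOKEN-A HTTP/1.1", host: "dev.example.com"
2018/06/13 05:54:53 [error] 15332#15332: *2308 open() "/mnt/ext/www/.well-known/acme-challenge/TOKEN-B" failed (2: No such file or directory), client: 198.51.100.7, server: dev.example.com, request: "GET /.well-known/acme-challenge/TOKEN-B HTTP/1.1", host: "dev.example.com"
"""
# Constructed letsencrypt.log lines; certbot 0.22.x stamps them in UTC.
CERTBOT_LOG = """\
2018-06-13 11:09:57,512:DEBUG:certbot.main:certbot version: 0.22.2
2018-06-13 11:09:58,004:INFO:certbot.auth_handler:http-01 challenge for dev.example.com
"""
LOCAL_TZ = timezone(timedelta(hours=-7))  # assumption: system zone is PDT (UTC-7)

NGINX_RE = re.compile(r'^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) .*?/\.well-known/acme-challenge/([^"\s]+)" failed')
CERTBOT_RE = re.compile(r'^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+:\w+:[\w.]+:')

def certbot_log_is_utc(certbot_log):
    """certbot 0.22.0 and older log in UTC; 0.23.0 onward use the system time zone."""
    m = re.search(r'certbot version: (\d+)\.(\d+)', certbot_log)
    if not m:
        return True  # assumption: unknown version, treat the log as UTC
    return (int(m.group(1)), int(m.group(2))) < (0, 23)

def parse_challenge_hits(nginx_log, local_tz):
    """Yield (timestamp_utc, token) for each failed acme-challenge request."""
    for line in nginx_log.splitlines():
        m = NGINX_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S").replace(tzinfo=local_tz)
            yield ts.astimezone(timezone.utc), m.group(2)

def parse_certbot_times(certbot_log, local_tz):
    """Return all letsencrypt.log timestamps normalised to UTC."""
    tz = timezone.utc if certbot_log_is_utc(certbot_log) else local_tz
    times = []
    for line in certbot_log.splitlines():
        m = CERTBOT_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)
            times.append(ts.astimezone(timezone.utc))
    return times

def correlate(nginx_log, certbot_log, local_tz, window=timedelta(minutes=2)):
    """Map each challenge token to True if a local certbot run logged within `window` of the hit.
    A False entry is a hit this machine's certbot did not cause (e.g. another host renewing)."""
    certbot_times = parse_certbot_times(certbot_log, local_tz)
    return {token: any(abs(hit - t) <= window for t in certbot_times)
            for hit, token in parse_challenge_hits(nginx_log, local_tz)}

if __name__ == "__main__":
    for token, local in correlate(NGINX_ERROR_LOG, CERTBOT_LOG, LOCAL_TZ).items():
        print(token, "matched local certbot run" if local else "NOT explained by local certbot")
```

With the sample data, TOKEN-A lines up with the local certbot run (04:09:59 PDT is 11:09:59 UTC) while TOKEN-B has no matching entry, which is the signal that would point at another machine or a timer.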


#9

Although there is a cpanel machine, there’s only an A-record in the DNS settings; no ssl for this domain. Anyway I removed my cron completely and still the error persisted for another couple of days. After that it just stopped. The letsencrypt.log file shows that certbot is still checking the certificate. Not sure what happened but for now problem solved. I’ll post here again when the certificate comes up for renewal, and the problem comes back. Thanks for the suggestions from everyone!


#10

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.