Cert Renew Failed


#1

Attempting to renew cert (www.whyyte-invest.de) from /etc/letsencrypt/renewal/www.whyyte-invest.de.conf produced an unexpected error: Failed authorization procedure. www.whyyte-invest.de (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.whyyte-invest.de/.well-known/acme-challenge/RTrAugRTZp4Pf4YOXI3IgfzPm0m_g8v8-SEOQ_BYLpE [185.244.195.184]: 503. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/www.whyyte-invest.de/fullchain.pem (failure)

how to fix this? thank you


#2

Your site needs to be online for the authentication to succeed. Or at least it needs to successfully have access to the webroot without any automated error messages.

Just a minute ago, your site responded with “offline.” to any request, including the authentication token in the link in your post. Now, your site is completely down, no response on port 80 nor 443.


#3

I turned nginx off for a few minutes.

now:

the failure error:
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

and:

IMPORTANT NOTES:

I tried a lot of solutions but nothing worked out so far…


#4

Which solutions would that be exactly?

As of yet, your site still responds with “offline.” for every request I make, including the authentication token.

As long as your site is responding with a general error message and not serving files from the webroot, renewal won’t work.

You’ll need to “fix” your nginx not to return an HTTP 503 Service Unavailable error message with “offline.” as contents. It should at least respond with an HTTP 200 OK (the normal response) with the contents of the requested file when a file is requested from /.well-known/acme-challenge/.
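One way to do what the reply above describes, as an added example that is not from this thread: an nginx server block that keeps answering 503 with a maintenance page for everything, but serves files under /.well-known/acme-challenge/ with 200 so the HTTP-01 challenge can succeed. The webroot /var/www/letsencrypt and the maintenance page path are assumptions.

```nginx
server {
    listen 80;
    server_name www.whyyte-invest.de whyyte-invest.de;

    # Serve ACME challenge tokens from a dedicated webroot with HTTP 200,
    # even while the rest of the site is in maintenance.
    # Assumption: certbot is run as
    #   certbot renew --webroot -w /var/www/letsencrypt
    # "^~" makes this prefix location win over any regex locations below.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
        default_type "text/plain";
        # A missing token must give 404, not the maintenance 503.
        try_files $uri =404;
    }

    # Everything else stays offline for now.
    location / {
        return 503;
    }

    # The 503 body comes from a static maintenance page (assumed path).
    error_page 503 /offline.html;
    location = /offline.html {
        root /var/www/maintenance;
        internal;
    }
}
```

To check it, place a test file in /var/www/letsencrypt/.well-known/acme-challenge/ and request it over plain HTTP: it should come back with 200 and its contents, while the site root still returns 503.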


#5

I try different things from Google search.

Now I open the site, and still get the error:

1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

I don't know what .well-known/acme-challenge is :smiley:


#6

But WHAT did you try? And why EXACTLY didn’t it work? (I.e., what was the expected result and what did you get?) And most importantly, what were you trying to fix? Certificate renewal? Or your nginx server/website in general?

You’re telling us two things here, which aren’t really making any sense. You SAY you “open the site”, but the error message you’re telling us here is from certbot, the ACME client used for certificates. Those two things are totally different, opening a site and running certbot to renew a certificate.

To put it bluntly: your site is down! You’ll need to fix your site so it is UP and so it can serve files in the first place before you continue to get a renewed certificate. Site is currently back up again.


#7

There is already a Letsencrypt-certificate, created today. So all is fine.

The only thing: The certificate has no alternate name whyyte-invest.de, so it doesn’t work with https://whyyte-invest.de/


#8

That doesn’t really matter, from a TLS point of view: there’s no DNS record for that FQDN, so it isn’t possible to use that hostname anyway.


#9

Yes. But often it’s a good idea to create the non-www entry. People type whyyte-invest.de without www, so they are redirected to the correct version.

Same with www and a redirect, if non-www is the main site.


#10

I try to run "certbot renew --dry-run" to test the automatic renewal process but it failed.


#11

That might be true, but without a working DNS record, @whyyte can’t simply add the FQDN without www to the certificate.


#12

Without the error-message - no help.

But looking

https://crt.sh/?id=500279544

There is a Letsencrypt-certificate, 2018-06-01 with two names:

X509v3 Subject Alternative Name:
DNS:whyyte-invest.de
DNS:www.whyyte-invest.de

No DNS entry for whyyte-invest.de --> renewal cannot work


#13

I added an "@" DNS record - maybe this helps?!


#14

If you require a certificate for both FQDNs and it wasn’t working before b/c of the missing DNS entry, it should work now indeed.


#15

I will see, thank you for your help


#16

OK, now it's working. Thank you


#17

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.