Cert renewal failed

Hi,

Problem is renewal fails with details as below. Been going around in circles and would be grateful for any suggestions. Not massively experienced with Nginx, more of an Apache type.

Thanks,

Joolz

My domain is: bgs-conference.bordengrammar.kent.sch.uk

I ran this command: certbot renew --dry-run --nginx

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing
/etc/letsencrypt/renewal/bgs-conference.bordengrammar.kent.sch.uk.conf


Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for bgs-conference.bordengrammar.kent.sch.uk
nginx: [emerg] “server_names_hash_bucket_size” directive is duplicate in /etc/nginx/sites-enabled/bgs-conference.bordengrammar.kent.sch.uk.conf:1
Cleaning up challenges
nginx: [warn] conflicting server name “bgs-conference.bordengrammar.kent.sch.uk” on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name “bgs-conference.bordengrammar.kent.sch.uk” on [::]:80, ignored
nginx: [warn] conflicting server name “bgs-conference.bordengrammar.kent.sch.uk” on 0.0.0.0:443, ignored
nginx: [warn] conflicting server name “bgs-conference.bordengrammar.kent.sch.uk” on [::]:443, ignored
Attempting to renew cert (bgs-conference.bordengrammar.kent.sch.uk) from /etc/letsencrypt/renewal/bgs-conference.bordengrammar.kent.sch.uk.conf produced an unexpected error: nginx restart failed:
b’’
b’’. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/bgs-conference.bordengrammar.kent.sch.uk/fullchain.pem (failure)


** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/bgs-conference.bordengrammar.kent.sch.uk/fullchain.pem (failure)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)


1 renew failure(s), 0 parse failure(s)

My web server is (include version): nginx/1.14.0 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 18.04.4 LTS

My hosting provider, if applicable, is: Self hosted

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.27.0-1~ubuntu18.04.1

1 Like

This is a known bug with server_names_hash_bucket_size and Certbot’s nginx plugin. Have a read over https://github.com/certbot/certbot/issues/5199. The workarounds are: either set its value to 128, or remove it entirely.

The “conflicting server names” in your nginx config are a problem as well, but you will have to address them on your own, as it’s an issue independent of Certbot.

Finally, for Ubuntu 18/Bionic, it’s recommended to install Certbot from the Ubuntu PPA: https://certbot.eff.org/lets-encrypt/ubuntubionic-nginx . It’ll get you a slightly newer version, which contains some important fixes.

2 Likes

That’s brilliant, thank you very much. Fastest response I think I’ve ever had.

All the best,

Jools

1 Like

OK problem cured.

There’s only one nginx website on the server, so the server has the same name as the site, rather than the site being a virtual host.

Sites-enabled contained both a default file and a file for the web address of the server, both of which had the same hostname. Removing the default file got rid of the conflict, but it still complained about the bucket size so I just hashed that line out.

Installed the PPA, upgraded and bingo, certbot did its magic.

Thanks again, your help is very much appreciated.

1 Like
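An added example, not part of the original thread or of Certbot: a small Python check for the two conditions reported in the log above, more than one active server_names_hash_bucket_size line across the loaded config files and the same server_name on the same listen address in more than one server block. The file contents and the example.test hostname are constructed, and the parser is a simplification that takes file contents directly and does not follow include directives or handle quoted braces.

```python
import re
from collections import defaultdict

# Constructed sample (not the poster's real config): nginx.conf plus two files in sites-enabled.
SAMPLE = {
    "nginx.conf": "http {\n  server_names_hash_bucket_size 64;\n  include sites-enabled/*;\n}\n",
    "sites-enabled/default":
        "server {\n  listen 80;\n  listen [::]:80;\n  server_name example.test;\n}\n",
    "sites-enabled/example.test.conf":
        "server_names_hash_bucket_size 128;\n"
        "server {\n  listen 80;\n  listen [::]:80;\n  listen 443 ssl;\n  server_name example.test;\n}\n",
}

def server_blocks(text):
    """Yield the body of each `server { ... }` block, found by brace matching."""
    for m in re.finditer(r"\bserver\s*\{", text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield text[m.end():i - 1]

def audit(files):
    """files: {path: config text}. Returns (bucket_size_locations, conflicts)."""
    bucket, seen = [], defaultdict(list)
    for path, raw in files.items():
        for n, line in enumerate(raw.splitlines(), 1):
            # Lines commented out with '#' do not match, so they are not counted.
            if re.match(r"\s*server_names_hash_bucket_size\s", line):
                bucket.append(f"{path}:{n}")
        text = re.sub(r"#[^\n]*", "", raw)  # drop comments before block parsing
        for body in server_blocks(text):
            listens = re.findall(r"\blisten\s+([^;\s]+)", body) or ["80"]
            names = re.findall(r"\bserver_name\s+([^;]+);", body)
            for name in " ".join(names).split():
                for addr in listens:
                    seen[(addr, name)].append(path)
    conflicts = {k: v for k, v in seen.items() if len(v) > 1}
    return bucket, conflicts

if __name__ == "__main__":
    bucket, conflicts = audit(SAMPLE)
    print("server_names_hash_bucket_size set at:", bucket)
    print("conflicting server names:", conflicts)
```

On a real host, `nginx -t` remains the authoritative check after editing; this only points at which files to look in.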