Cert renewal failure

Greetings folks, first post here.

I am trying for first renewal for https://red.elsmussols.net/

This is on a fully-updated Debian Stretch box. I am using nginx 1.10.3-1+deb9u1 and certbot 0.10.2-1.

Here’s my output:

root@pendle:/var/www/red# certbot renew --pre-hook "service nginx stop" --post-hook "service nginx start"
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/red.elsmussols.net.conf

Cert is due for renewal, auto-renewing…
Running pre-hook command: service nginx stop
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for red.elsmussols.net
Waiting for verification…
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/red.elsmussols.net.conf produced an unexpected error: Failed authorization procedure. red.elsmussols.net (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://red.elsmussols.net/.well-known/acme-challenge/Xv6CfjN6CoP2IH7fqAXSIIKneK86ux5vqmJMkyQHu4U: Connection refused. Skipping.

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/red.elsmussols.net/fullchain.pem (failure)
Running post-hook command: service nginx start
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: red.elsmussols.net
    Type: connection
    Detail: Fetching
    http://red.elsmussols.net/.well-known/acme-challenge/Xv6CfjN6CoP2IH7fqAXSIIKneK86ux5vqmJMkyQHu4U:
    Connection refused

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

The well-known directory exists:

root@pendle:/var/www/red# ls -al | grep well
drwxr-xr-x 2 root root 4096 Nov 16 10:37 .well-known

Guidance and thoughts appreciated, additional information gladly supplied. Thank you in advance.

If you stop your webserver software (nginx) before authorization, the challenge files cannot be delivered. Try without the --pre-hook and --post-hook.

So, as I suspected, that didn't work, as the nginx.conf for that site has enforced https (all http requests are redirected to https).

root@pendle:/var/www/red# certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/red.elsmussols.net.conf

Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for red.elsmussols.net
Waiting for verification…
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/red.elsmussols.net.conf produced an unexpected error: Failed authorization procedure. red.elsmussols.net (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://red.elsmussols.net/.well-known/acme-challenge/lg0l66f-LK0WGPgA3qOYnX6PQaYPc6umI-crhYGnKfc [176.58.122.108]: 404. Skipping.

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/red.elsmussols.net/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

Perhaps if I comment out the redirect directive just while I’m renewing the cert?

The redirect does not matter as long as the URL stays correctly mapped to the filesystem. In your log output, there is error 404 (Not Found).

You describe that the webroot for red.elsmussols.net is /var/www/red.
So please create a file test.txt in the directory /var/www/red/.well-known/acme-challenge/ and try to access that via http://red.elsmussols.net/.well-known/acme-challenge/test.txt. As long as this does not work, the mapping is wrong.

So that’s a fail. I get redirected to https and get an insecure notification (the cert is now expired). If I approve an exception I get a blank page. The file is definitely in the right place:

root@pendle:~# cat /var/www/red/.well-known/acme-challenge/test.txt
Testing to see if acme-challenge can get here.

As I mentioned above:

root@pendle:/var/www/red# ls -al | grep well
drwxr-xr-x 2 root root 4096 Nov 16 10:37 .well-known

Is the ownership of this correct? Perhaps this directory and its contents should be www-data:www-data not root:root.

chown made no difference. I am out of ideas.

That might be the correct location, but if I request your test.txt file I get a 404 - and a Set-Cookie and Expires header from PHP. Could there be something in your nginx configuration routing those URLs to PHP instead of serving them from the filesystem?

This could be it. Extract from nginx config for this site:

[code]# make sure webfinger and other well known services aren't blocked
# by denying dot files and rewrite request to the front controller
location ^~ /.well-known/ {
    allow all;
    rewrite ^/(.*) /index.php?q=$uri&$args last;
}[/code]

Would it make sense to comment out this section whilst renewing the cert and then reenabling afterward?

I’m not familiar enough with nginx config to say for sure, but it’s worth a try :) if it works you might then be able to find some alternative config that can be left in place permanently.

Perhaps someone more familiar with nginx can help with that.

Fixed. PHP was interfering so the following was added to the nginx.conf:

[code]# test to exclude well-known/acme-challenge/ ignored
location ^~ /.well-known/acme-challenge/ {
    allow all;
    try_files $uri =404;
}[/code]

Thank you to everyone who took the time and made the effort to reply. Your input pointed me in the right direction.
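As an added example, not code from any poster in this thread, the following POSIX shell script automates the test.txt probe suggested earlier and maps the answer onto the three failure modes the thread ran into: connection refused (nothing listening on port 80, as when a pre-hook stops nginx), a 404 (the path rewritten to index.php), and a 200 whose body is not the file (the front controller answering instead of the filesystem). It assumes curl is installed and that the caller can write to the webroot; the webroot path and hostname in the usage comment are just the ones from this thread.

```shell
#!/bin/sh
# Added example, not from the thread: probe whether /.well-known/acme-challenge/
# under a webroot is really served from the filesystem over plain HTTP.
# Assumptions: curl is available; the webroot is writable by the caller.
set -u

# Drop a uniquely named probe file into the challenge directory and print
# its token (the last path component of the URL the CA would fetch).
place_probe() {
  webroot=$1
  dir="$webroot/.well-known/acme-challenge"
  mkdir -p "$dir"
  token="probe-$$-$(date +%s)"
  printf 'acme-probe-ok\n' > "$dir/$token"
  printf '%s\n' "$token"
}

# Map the final HTTP status and body onto what this thread saw:
#   connect-refused -> nothing listening on :80 (e.g. nginx stopped by a pre-hook)
#   not-served      -> 404: the path is routed elsewhere (here, a rewrite to index.php)
#   wrong-body      -> 200 but not our file: a front controller answered, not the filesystem
#   ok              -> the file itself came back, which is what http-01 needs
classify_result() {
  code=$1
  body=$2
  case "$code" in
    000) echo connect-refused ;;
    404) echo not-served ;;
    200)
      if [ "$body" = "acme-probe-ok" ]; then echo ok; else echo wrong-body; fi ;;
    *)   echo "unexpected-$code" ;;
  esac
}

# Fetch the probe over http://, following redirects: an http->https redirect
# is acceptable to the http-01 check as long as the final answer is the file.
fetch_probe() {
  host=$1
  token=$2
  url="http://$host/.well-known/acme-challenge/$token"
  # curl prints the body, then a newline and the final status code;
  # a connection failure leaves the status at 000.
  out=$(curl -sL --max-time 10 -w '\n%{http_code}' "$url" 2>/dev/null) || true
  code=$(printf '%s\n' "$out" | tail -n 1)
  body=$(printf '%s\n' "$out" | sed '$d')
  classify_result "${code:-000}" "$body"
}

# Place the probe, fetch it, clean up, and print the classification.
# Usage: probe_challenge_path /var/www/red red.elsmussols.net
probe_challenge_path() {
  webroot=$1
  host=$2
  token=$(place_probe "$webroot")
  result=$(fetch_probe "$host" "$token")
  rm -f "$webroot/.well-known/acme-challenge/$token"
  echo "$result"
}

# Run the probe when invoked with <webroot> <hostname>; functions only otherwise.
if [ $# -eq 2 ]; then
  probe_challenge_path "$1" "$2"
fi
```

Run it from the web host (or any machine that can reach it) right after editing the nginx config; an "ok" from this probe is the same condition certbot's http-01 validation checks, so it is a cheap way to confirm a fix like the one above before triggering another renewal attempt.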

