Certbot-auto renew not working

hniemi · December 10, 2019, 7:29am

Please, find below the required information.

I somehow got to create the certificate three months ago and most probably checked the renewal with --dry-run then (as I normally do). But now I got an email saying that there is a problem in renewal.

I have examined this in the net and it looks like the challenge could go to a different virtual host, BUT
a) I can’t find any duplicates of the host names on the confs as seen fron nginx -T and
b) nginx -t gives no errors

My domain is: shop.kunnat.net (plus a dozen others in the same certificate but all (don’t) work the same.

The service I am needing this certificate will be shut down in the near future, but not in so near future (the cert will expire december 19th).

So a helping hand would be appreciated.

wbr Hannu

I ran this command: certbot-auto renew --dry-run

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/shop.kuntaliitto.fi.conf

Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
.
.
http-01 challenge for shop.kunnat.net
Using default address 80 for authentication.
nginx: [warn] conflicting server name “shop.kunnat.net” on 0.0.0.0:80, ignored
.
.
.
nginx: [warn] conflicting server name Waiting for
verification…
Challenge failed for domain shop.kunnat.net
.
.
.
http-01 challenge for shop.kunnat.net
.
.
Cleaning up challenges
Attempting to renew cert (shop.kunnat.net) from /etc/letsencrypt/renewal/shop.kuntaliitto.fi.conf produced an unexpected error: Some challenges have failed… Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/shop.kunnat.net/fullchain.pem (failure)

** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

(I think this shows enough of the error, I had to remove parts of the log because new user link restriction policy)

My web server is (include version):
nginx/1.10.3

The operating system my web server runs on is (include version): Centos 6.1

My hosting provider, if applicable, is: self-hosted

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 1.0.0 (certbot-auto)

JuergenAuer · December 10, 2019, 7:33am

Hi @hniemi

there you have your problem. Looks like you have multipe definitions.

Every combination von port and domain name must be unique.

What says

nginx -T

hniemi · December 10, 2019, 7:41am

Find the output here:

hannu

JuergenAuer · December 10, 2019, 9:59am

What's the complete error message?

hniemi · December 10, 2019, 10:07am

The errors are here:

The file contains two parts:
First what came to the stderr and second part (after cat errors.txt) what certbot outputted to file with certbot renew --dry-run > errors.txt

hannu

JuergenAuer · December 10, 2019, 10:12am

Please do your job: There

nginx: [warn] conflicting server name "shop.kunnat.net" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name "shop.kommunerna.net" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name "shop.kt.fi" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name "shop.kuntatyonantajat.fi" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name "shop.kommunarbetsgivarna.fi" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name "testshop.kunnat.net" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name "shop.kuntaliitto.fi" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name "shop.kommunforbundet.fi" on 0.0.0.0:80, ignored

are the errors you have to fix.

If your configuration is buggy, Certbot will not work.

hniemi · December 10, 2019, 10:16am

Yes, I understand that. The only problem is that I can’t figure out from where they do come. I think there hasn’t be any big changes (probably none changes at all - it’s a server that is being replaced with newer servers) since I requested the certificate.

I am (IMHO) quite proficient with nginx (not so much with certbot, though) and have looked all the “normal” problem causes. But you are right, it’s my job so I just have to find where the problem lies…

Thank you for your trouble

hannu

JuergenAuer · December 10, 2019, 10:31am

That

listen 80;
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/shop.kuntaliitto.fi/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/shop.kuntaliitto.fi/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

looks bad. Listen 80 and listen 443 in the same server block. Looks like that server block is buggy and not used. Split it into two vHosts - one 80, one 443.

So the standard vHost is used -> that doesn’t work with --nginx.

hniemi · December 10, 2019, 11:33am

Thanks again. I split the conf but still the same error.

I am very uncertain, how certbot-renew shows that conflicting server name but nginx -t doesn’t. If I do it on purpose with another conf-file, nginx -t complains about right away. And yes, I have restarted the nginx service after every change

I am starting to wonder if the problem could lie in the load balancer which I don’t handle and the guy responsible for it will be back tomorrow.

hannu

hniemi · December 16, 2019, 6:12am

I am now even more confused…

It took a bit time until we got around the load balancer and - well, you probably guessed it - the wait was for nothing, still the same problem.

I have read another discussion thread and the guy there had to rewrite the conf file many times, until it started to work, so I decided to try the same.

I renamed the .conf file like .conf.old and just for the interest and for the fun decided to re-run the certbot-auto renew --dry-run. You can imagine my astonishment when the --dry-run went through. I renamed the conf file back and - yes, sure the renewal date was still very close. Uhm, of course, forgot that there was that --dry-run. Renaming trick again and still everything went fine. Again renaming the conf file back and restart nginx and - behold! The certificate is now valid until March 2020.

So the imminent problem is solved. Fortunately this certificate should work as long as the site is needed (crossing fingers), but it still haunts me as I can’t figure out, how and why the problem was really solved.

I wanted to document it here, just in case someone else needs the same drastic means on a dire situation. Gosh, it might be even me with this memory of mine nowadays

Thanks for the support, Juergen, I really do appreciate, even though I finally solved (quite a big word in this case) it myself.

wbr

hannu

system · January 15, 2020, 6:12am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.