Hi all,
The ssl certificate for my website was working just fine until recently when I started getting the following error message:
NET::ERR_CERT_DATE_INVALID
Subject: spacs-money.com
Issuer: R3
Expires on: Jul 11, 2021
Current date: Jul 20, 2021
It seems that the certificate has expired. I got the following error when trying to renew it.
My domain is: spacs-money.com
I ran this command: sudo certbot --nginx
It produced this output: Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: spacs-money.com
Type: unauthorized
Detail: Invalid response from http://spacs-money.com/.well-known/acme-challenge/5tbiIzPfsa79gd6aXfryJhqv8svnCUI2lKoFOjLHENo [2600:3c00::f03c:92ff:fe2f:92d7]: "\r\n404 Not Found\r\n\r\n
404 Not Found \r\n
nginx/1.18.0 (Ub"
My web server is (include version): Nginx
The operating system my web server runs on is (include version): Ubuntu
My hosting provider, if applicable, is: Ubuntu 20.10
I can login to a root shell on my machine (yes or no, or I don't know): Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.17.0
_az
July 20, 2021, 7:35am
It looks like your nginx server is responding to HTTP requests differently, based on whether the visitor is using IPv4 or IPv6:
IPv4:
# curl -X GET -I -4 spacs-money.com/.well-known/acme-challenge/xx
HTTP/1.1 301 Moved Permanently
Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 20 Jul 2021 07:32:43 GMT
Content-Type: text/html
Content-Length: 178
Connection: keep-alive
Location: https://spacs-money.com/.well-known/acme-challenge/xx
IPv6:
# curl -X GET -I -6 spacs-money.com/.well-known/acme-challenge/xx
HTTP/1.1 404 Not Found
Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 20 Jul 2021 07:32:46 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
It might help to post the nginx configuration for the spacs-money.com virtual host here, and maybe we'll be able to see why it's not treating the two address families the same way.
Thanks a lot for looking into this. Here are my Nginx settings:
# the upstream component nginx needs to connect to
upstream django {
    server unix:///home/alexa/spacs_money_project/spacs_money_project.sock;
}
# configuration of the server
server {
    server_name 45.33.13.202 spacs-money.com www.spacs-money.com;
    charset utf-8;
    # max upload size
    client_max_body_size 1024M;
    # Django media and static files
    location /research_files {
        alias /home/alexa/spacs_money_project/research_files;
    }
    location /media {
        alias /home/alexa/spacs_money_project/static/images;
    }
    location /static {
        alias /home/alexa/spac_money_project/static;
    }
    # Send all non-media requests to the Django server.
    location / {
        uwsgi_pass django;
        include /home/alexa/spacs_money_project/uwsgi_params;
    }
    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/spacs-money.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/spacs-money.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
    if ($host = www.spacs-money.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    if ($host = spacs-money.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    listen 80;
    # listen [::]:80;
    server_name 45.33.13.202 spacs-money.com www.spacs-money.com;
    return 404; # managed by Certbot
}
_az
July 20, 2021, 9:56pm
alexgav:
# listen [::]:80;
Looks relevant, since IPv6 is behaving differently. Why is it commented out?
I am really not sure why that line was commented out. After making it execute again I was able to run certbot successfully. Thank you again for the assistance.
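Added example, not part of the thread: an offline check for the mismatch diagnosed above, where a server block listens on port 80 over IPv4 only while the failed validation request arrived over IPv6. The sample configuration is constructed from the blocks posted above, the function names are hypothetical, and the parser is a simplification that ignores `include` files and `ipv6only=off`.

```python
import re
# Constructed sample, modelled on the two server blocks posted in the thread.
SAMPLE_CONF = """
server {
    server_name spacs-money.com www.spacs-money.com;
    listen [::]:443 ssl ipv6only=on;
    listen 443 ssl;
}
server {
    listen 80;
    # listen [::]:80;
    server_name spacs-money.com www.spacs-money.com;
    return 404;
}
"""

def server_blocks(conf):
    """Yield the body of each `server { ... }` block with comments stripped."""
    conf = re.sub(r"#[^\n]*", "", conf)  # simplification: '#' inside quotes not handled
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:  # walk to the matching closing brace
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]

def listeners(block):
    """Map each listened port to the address families ('ipv4'/'ipv6') bound to it."""
    ports = {}
    # unix: sockets are skipped; a listen address without a port defaults to 80
    for addr in re.findall(r"(?m)^\s*listen\s+(?!unix:)([^\s;]+)", block):
        family = "ipv6" if addr.startswith("[") else "ipv4"
        tail = addr.rsplit("]", 1)[-1] if family == "ipv6" else addr
        port = tail.rsplit(":", 1)[-1]
        ports.setdefault(int(port) if port.isdigit() else 80, set()).add(family)
    return ports

def single_family_ports(conf):
    """Return (server_names, port, missing_family) for ports bound to one family only."""
    findings = []
    for block in server_blocks(conf):
        names = re.search(r"server_name\s+([^;]+);", block)
        for port, families in sorted(listeners(block).items()):
            for missing in sorted({"ipv4", "ipv6"} - families):
                findings.append((names.group(1).split() if names else [], port, missing))
    return findings

if __name__ == "__main__":
    for names, port, missing in single_family_ports(SAMPLE_CONF):
        print(f"{' '.join(names)}: port {port} has no {missing} listener")
```

A finding only matters when the name is published for the missing family, so compare the result with the domain's A and AAAA records before changing the configuration.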