Certbot failed to authenticate some domains

I'm trying to renew certificates but I get that. How can I fix it?

1 Like

Hi,

It would help to see your nginx configuration.

What's the output of:

sudo nginx -T
1 Like

Hi @_az , Here's the output:

nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
        worker_connections 768;
        # multi_accept on;
}

http {

        ##
        # Basic Settings
        ##

        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        keepalive_timeout 65;
        types_hash_max_size 2048;
        # server_tokens off;

        # server_names_hash_bucket_size 64;
        # server_name_in_redirect off;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        ##
        # SSL Settings
        ##

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
        ssl_prefer_server_ciphers on;

        ##
        # Logging Settings
        ##

        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;

        ##
        # Gzip Settings
        ##

        gzip on;

        # gzip_vary on;
        # gzip_proxied any;
        # gzip_comp_level 6;
        # gzip_buffers 16 8k;
        # gzip_http_version 1.1;
        # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

        ##
        # Virtual Host Configs
        ##

        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;
}


#mail {
#       # See sample authentication script at:
#       # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
# 
#       # auth_http localhost/auth.php;
#       # pop3_capabilities "TOP" "USER";
#       # imap_capabilities "IMAP4rev1" "UIDPLUS";
# 
#       server {
#               listen     localhost:110;
#               protocol   pop3;
#               proxy      on;
#       }
# 
#       server {
#               listen     localhost:143;
#               protocol   imap;
#               proxy      on;
#       }
#}

# configuration file /etc/nginx/modules-enabled/50-mod-http-image-filter.conf:
load_module modules/ngx_http_image_filter_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-http-xslt-filter.conf:
load_module modules/ngx_http_xslt_filter_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-mail.conf:
load_module modules/ngx_mail_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-stream.conf:
load_module modules/ngx_stream_module.so;

# configuration file /etc/nginx/mime.types:

types {
    text/html                             html htm shtml;
    text/css                              css;
    text/xml                              xml;
    image/gif                             gif;
    image/jpeg                            jpeg jpg;
    application/javascript                js;
    application/atom+xml                  atom;
    application/rss+xml                   rss;

    text/mathml                           mml;
    text/plain                            txt;
    text/vnd.sun.j2me.app-descriptor      jad;
    text/vnd.wap.wml                      wml;
    text/x-component                      htc;

    image/png                             png;
    image/tiff                            tif tiff;
    image/vnd.wap.wbmp                    wbmp;
    image/x-icon                          ico;
    image/x-jng                           jng;
    image/x-ms-bmp                        bmp;
    image/svg+xml                         svg svgz;
    image/webp                            webp;

    application/font-woff                 woff;
    application/java-archive              jar war ear;
    application/json                      json;
    application/mac-binhex40              hqx;
    application/msword                    doc;
    application/pdf                       pdf;
    application/postscript                ps eps ai;
    application/rtf                       rtf;
    application/vnd.apple.mpegurl         m3u8;
    application/vnd.ms-excel              xls;
    application/vnd.ms-fontobject         eot;
    application/vnd.ms-powerpoint         ppt;
    application/vnd.wap.wmlc              wmlc;
    application/vnd.google-earth.kml+xml  kml;
    application/vnd.google-earth.kmz      kmz;
    application/x-7z-compressed           7z;
    application/x-cocoa                   cco;
    application/x-java-archive-diff       jardiff;
    application/x-java-jnlp-file          jnlp;
    application/x-makeself                run;
    application/x-perl                    pl pm;
    application/x-pilot                   prc pdb;
    application/x-rar-compressed          rar;
    application/x-redhat-package-manager  rpm;
    application/x-sea                     sea;
    application/x-shockwave-flash         swf;
    application/x-stuffit                 sit;
    application/x-tcl                     tcl tk;
    application/x-x509-ca-cert            der pem crt;
    application/x-xpinstall               xpi;
    application/xhtml+xml                 xhtml;
    application/xspf+xml                  xspf;
    application/zip                       zip;

    application/octet-stream              bin exe dll;
    application/octet-stream              deb;
    application/octet-stream              dmg;
    application/octet-stream              iso img;
    application/octet-stream              msi msp msm;

    application/vnd.openxmlformats-officedocument.wordprocessingml.document    docx;
    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet          xlsx;
    application/vnd.openxmlformats-officedocument.presentationml.presentation  pptx;

    audio/midi                            mid midi kar;
    audio/mpeg                            mp3;
    audio/ogg                             ogg;
    audio/x-m4a                           m4a;
    audio/x-realaudio                     ra;

    video/3gpp                            3gpp 3gp;
    video/mp2t                            ts;
    video/mp4                             mp4;
    video/mpeg                            mpeg mpg;
    video/quicktime                       mov;
    video/webm                            webm;
    video/x-flv                           flv;
    video/x-m4v                           m4v;
    video/x-mng                           mng;
    video/x-ms-asf                        asx asf;
    video/x-ms-wmv                        wmv;
    video/x-msvideo                       avi;
}

# configuration file /etc/nginx/conf.d/bench-dev.conf:
upstream bench-dev-frappe {
        server 127.0.0.1:8001 fail_timeout=0;
}

upstream bench-dev-socketio-server {
        server 127.0.0.1:9001 fail_timeout=0;
}



# setup maps


# server blocks





server {

        listen 80;


        server_name
                second.instance
                ;

        root /home/frappe/bench-dev/sites;



        proxy_buffer_size 128k;
        proxy_buffers 4 256k;
        proxy_busy_buffers_size 256k;



        add_header X-Frame-Options "SAMEORIGIN";
        add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";

        location /assets {
                try_files $uri =404;
        }

        location ~ ^/protected/(.*) {
                internal;
                try_files /second.instance/$1 =404;
        }

        location /socket.io {
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "upgrade";
                proxy_set_header X-Frappe-Site-Name second.instance;
                proxy_set_header Origin $scheme://$http_host;
                proxy_set_header Host $host;

                proxy_pass http://bench-dev-socketio-server;
        }

        location / {

                rewrite ^(.+)/$ $1 permanent;
                rewrite ^(.+)/index\.html$ $1 permanent;
                rewrite ^(.+)\.html$ $1 permanent;

                location ~ ^/files/.*.(htm|html|svg|xml) {
                        add_header Content-disposition "attachment";
                        try_files /second.instance/public/$uri @webserver;
                }

                try_files /second.instance/public/$uri @webserver;
        }

        location @webserver {
                proxy_set_header X-Forwarded-For $remote_addr;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_set_header X-Frappe-Site-Name second.instance;
                proxy_set_header Host $host;
                proxy_set_header X-Use-X-Accel-Redirect True;
                proxy_read_timeout 120;
                proxy_redirect off;

                proxy_pass  http://bench-dev-frappe;
        }

        # error pages
        error_page 502 /502.html;
        location /502.html {
                root /home/frappe/.local/lib/python3.8/site-packages/bench/config/templates;
                internal;
        }

        # optimizations
        sendfile on;
        keepalive_timeout 15;
        client_max_body_size 50m;
        client_body_buffer_size 16K;
        client_header_buffer_size 1k;

        # enable gzip compresion
        # based on https://mattstauffer.co/blog/enabling-gzip-on-nginx-servers-including-laravel-forge
        gzip on;
        gzip_http_version 1.1;
        gzip_comp_level 5;
        gzip_min_length 256;
        gzip_proxied any;
        gzip_vary on;
        gzip_types
                application/atom+xml
                application/javascript
                application/json
                application/rss+xml
                application/vnd.ms-fontobject
                application/x-font-ttf
                application/font-woff
                application/x-web-app-manifest+json
                application/xhtml+xml
                application/xml
                font/opentype
                image/svg+xml
                image/x-icon
                text/css
                text/plain
                text/x-component
                ;
                # text/html is always compressed by HttpGzipModule
}


server {

        listen 8001;


        server_name
                milimo.me
                ;

        root /home/frappe/bench-dev/sites;



        proxy_buffer_size 128k;
        proxy_buffers 4 256k;
        proxy_busy_buffers_size 256k;



        add_header X-Frame-Options "SAMEORIGIN";
        add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";

        location /assets {
                try_files $uri =404;
        }

        location ~ ^/protected/(.*) {
                internal;
                try_files /milimo.me/$1 =404;
        }

        location /socket.io {
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "upgrade";
                proxy_set_header X-Frappe-Site-Name milimo.me;
                proxy_set_header Origin $scheme://$http_host;
                proxy_set_header Host $host;

                proxy_pass http://bench-dev-socketio-server;
        }

        location / {

                rewrite ^(.+)/$ $1 permanent;
                rewrite ^(.+)/index\.html$ $1 permanent;
                rewrite ^(.+)\.html$ $1 permanent;

                location ~ ^/files/.*.(htm|html|svg|xml) {
                        add_header Content-disposition "attachment";
                        try_files /milimo.me/public/$uri @webserver;
                }

                try_files /milimo.me/public/$uri @webserver;
        }

        location @webserver {
                proxy_set_header X-Forwarded-For $remote_addr;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_set_header X-Frappe-Site-Name milimo.me;
                proxy_set_header Host $host;
                proxy_set_header X-Use-X-Accel-Redirect True;
                proxy_read_timeout 120;
                proxy_redirect off;

                proxy_pass  http://bench-dev-frappe;
        }

        # error pages
        error_page 502 /502.html;
        location /502.html {
                root /home/frappe/.local/lib/python3.8/site-packages/bench/config/templates;
                internal;
        }

        # optimizations
        sendfile on;
        keepalive_timeout 15;
        client_max_body_size 50m;
        client_body_buffer_size 16K;
        client_header_buffer_size 1k;

        # enable gzip compresion
        # based on https://mattstauffer.co/blog/enabling-gzip-on-nginx-servers-including-laravel-forge
        gzip on;
        gzip_http_version 1.1;
        gzip_comp_level 5;
        gzip_min_length 256;
        gzip_proxied any;
        gzip_vary on;
        gzip_types
                application/atom+xml
                application/javascript
                application/json
                application/rss+xml
                application/vnd.ms-fontobject
                application/x-font-ttf
                application/font-woff
                application/x-web-app-manifest+json
                application/xhtml+xml
                application/xml
                font/opentype
                image/svg+xml
                image/x-icon
                text/css
                text/plain
                text/x-component
                ;
                # text/html is always compressed by HttpGzipModule
}



# configuration file /etc/nginx/conf.d/frappe-bench.conf:
upstream frappe-bench-frappe {
        server 127.0.0.1:8000 fail_timeout=0;
}

upstream frappe-bench-socketio-server {
        server 127.0.0.1:9000 fail_timeout=0;
}



# setup maps

map $host $site_name_ymzdeji {
        maeja.ml chipo.maeja;
        matcreations.tk matcreations.com;
        default $host;

}

# server blocks

server {


        server_name
                chipo.maeja
                maeja.ml
                matcreations.com
                matcreations.tk
                ;

        root /home/frappe/frappe-bench/sites;



        proxy_buffer_size 128k;
        proxy_buffers 4 256k;
        proxy_busy_buffers_size 256k;



        add_header X-Frame-Options "SAMEORIGIN";
        add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";

        location /assets {
                try_files $uri =404;
        }

        location ~ ^/protected/(.*) {
                internal;
                try_files /$site_name_ymzdeji/$1 =404;
        }

        location /socket.io {
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "upgrade";
                proxy_set_header X-Frappe-Site-Name $site_name_ymzdeji;
                proxy_set_header Origin $scheme://$http_host;
                proxy_set_header Host $host;

                proxy_pass http://frappe-bench-socketio-server;
        }

        location / {

                rewrite ^(.+)/$ $1 permanent;
                rewrite ^(.+)/index\.html$ $1 permanent;
                rewrite ^(.+)\.html$ $1 permanent;

                location ~ ^/files/.*.(htm|html|svg|xml) {
                        add_header Content-disposition "attachment";
                        try_files /$site_name_ymzdeji/public/$uri @webserver;
                }

                try_files /$site_name_ymzdeji/public/$uri @webserver;
        }

        location @webserver {
                proxy_set_header X-Forwarded-For $remote_addr;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_set_header X-Frappe-Site-Name $site_name_ymzdeji;
                proxy_set_header Host $host;
                proxy_set_header X-Use-X-Accel-Redirect True;
                proxy_read_timeout 120;
                proxy_redirect off;

                proxy_pass  http://frappe-bench-frappe;
        }

        # error pages
        error_page 502 /502.html;
        location /502.html {
                root /usr/local/lib/python3.8/dist-packages/bench/config/templates;
                internal;
        }

        # optimizations
        sendfile on;
        keepalive_timeout 15;
        client_max_body_size 50m;
        client_body_buffer_size 16K;
        client_header_buffer_size 1k;

        # enable gzip compresion
        # based on https://mattstauffer.co/blog/enabling-gzip-on-nginx-servers-including-laravel-forge
        gzip on;
        gzip_http_version 1.1;
        gzip_comp_level 5;
        gzip_min_length 256;
        gzip_proxied any;
        gzip_vary on;
        gzip_types
                application/atom+xml
                application/javascript
                application/json
                application/rss+xml
                application/vnd.ms-fontobject
                application/x-font-ttf
                application/font-woff
                application/x-web-app-manifest+json
                application/xhtml+xml
                application/xml
                font/opentype
                image/svg+xml
                image/x-icon
                text/css
                text/plain
                text/x-component
                ;
                # text/html is always compressed by HttpGzipModule

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/maeja.ml/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/maeja.ml/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot




}







server {
    if ($host = maeja.ml) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    if ($host = matcreations.tk) {
        return 301 https://$host$request_uri;
    } # managed by Certbot



        listen 80;


        server_name
                chipo.maeja
                maeja.ml
                matcreations.com
                matcreations.tk
                ;
    return 404; # managed by Certbot




}
# configuration file /etc/letsencrypt/options-ssl-nginx.conf:
# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file.

ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;
ssl_session_tickets off;

ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;

ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";```

Thanks. I don't see anything obviously wrong. It seems like it should work and I'm able to renew locally using your nginx configuration.

What version of Certbot do you have?

certbot --version

Does renewing with --nginx-sleep-seconds help?

certbot certonly --dry-run --nginx -d maeja.ml -d matcreations.tk --nginx-sleep-seconds 10

I'm using certbot 1.20.0 and certbot certonly --dry-run --nginx -d maeja.ml -d matcreations.tk --nginx-sleep-seconds 10 has same result

Hi @dev123 and welcome to the LE community forum :slight_smile:

The HTTP challenge requests are being redirected to HTTPS.
The HTTPS vhost proxies those requests to the @webserver.
[proxy_pass http://frappe-bench-frappe;]

I would replace the current HTTP vhost as follows; Adding a dedicated path and matching location handler in the HTTP vhost for the challenge requests.
Like:

server {
        listen 80;
        server_name
                chipo.maeja
                maeja.ml
                matcreations.com
                matcreations.tk
                ;
  location ^/(?!\.well-known) {            # skip challenge requests
    return 301 https://$host$request_uri;  # send all requests to HTTPS
  }# location
  root /new/dedicated/challenge/path;      # path for challenge requests
}

Be sure to create that "new dedicated challenge path".

1 Like

Hello @rg305 and thanks for the reply. I'm not specialized in this stuff and I'm new to all this. Can you kindly list what I have to do exactly step by step๐Ÿ™

1 Like

Step #1: Create a new path (directory) specifically for the challenge files to be served from.
mkdir -p /whatever/path/you/choose

Step #2 Edit the file you showed above.
Replace the server section that handles HTTP with the server section I provided.
[be sure to use the actual path you created in Step #1]

Step #3 Restart web service

Step #4 TEST
certbot certonly --nginx -d maeja.ml -d matcreations.tk --dry-run

If TEST fails, STOP and reply with failing message.
Step #5 Issue cert
certbot certonly --nginx -d maeja.ml -d matcreations.tk

Step #6 Use the cert
[I leave that for you to decide how to best use it]

1 Like

I'm getting same error when I test.... Is there a way I can just restart everything

Please show the modified vhost config file.
And the error message returned.

There is always a way to restart everything...
I just don't see how that will remove the problem.

I some how messed up the nginx config when I tried to do what you said. I'm trying to fix it at the moment. I let you know when I'm done so that I'll send it