Certbot force renewal failed

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: essca.fr

I ran this command: certbot certonly --force-renewal --webroot -w /var/www/letsencrypt --expand -d www.essca.fr,essca.fr,eu-asia.essca.fr,ethique-des-affaires.essca.fr,digital.essca.fr,ipa.essca.fr,parents.essca.fr,www.master-consulting.fr,www.master-webmarketing.fr,master-consulting.fr,master-webmarketing.fr,www.finance-risk-management.fr,finance-risk-management.fr,recherche.essca.fr,vae.essca.fr,european-notepad.essca.fr,executive.essca.fr,tunisie.essca.fr,incub.essca.fr,incubateur.essca.fr,www.incubateur.essca.fr,111.essca.fr,international.essca.fr,apply.essca.fr,candidature.essca.fr

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for apply.essca.fr
http-01 challenge for candidature.essca.fr
Using the webroot path /var/www/letsencrypt for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. apply.essca.fr (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from ESSCA [94.23.1.13]: "\n\n\n <meta charset="utf-8" />\n <meta name="viewport" content="width=device-width, initial-scale=1">\n", candidature.essca.fr (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from ESSCA [94.23.1.13]: "\n\n\n <meta charset="utf-8" />\n <meta name="viewport" content="width=device-width, initial-scale=1">\n"

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: apply.essca.fr
    Type: unauthorized
    Detail: Invalid response from
    ESSCA [94.23.1.13]:
    "\n\n\n <meta charset="utf-8" />\n

    \n"

    Domain: candidature.essca.fr
    Type: unauthorized
    Detail: Invalid response from
    ESSCA [94.23.1.13]: "\n\n\n <meta charset="utf-8" />\n <meta
    name="viewport" content="width=device-width,
    initial-scale=1">\n"

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

My web server is (include version): nginx/1.15.8

The operating system my web server runs on is (include version): Ubuntu 16.04.7 LTS

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.31.0

It looks like your apply.essca.fr server is redirecting the http challenge wrong.

The Let's Encrypt server will make a request to a file in the .well-known/acme-challenge path. Like below, but see it is redirected to www.essca.fr without the path or challenge file name:

curl -I http://apply.essca.fr/.well-known/acme-challenge/ChallengeFileName

HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Tue, 12 Apr 2022 02:18:03 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
Location: https://www.essca.fr/en/sinscrire-a-l-essca/
X-Frame-Options: SAMEORIGIN

As for your candidate domain, right now there is no DNS entry for that name. That does not match the error you received in your first post, so I do not know why that is, but you must correct the DNS.

2 Likes
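The redirect check described in the reply above, as an added example that is not part of the original thread: it parses `curl -I` output for a challenge URL and reports whether a redirect keeps or drops the `/.well-known/acme-challenge/` path, so a renewal failure like this one can be spotted before running certbot. The function names are hypothetical, the first sample is the response quoted in the thread, and the other samples (with their `.example` host names) are constructed.

```python
"""Classify `curl -I` responses for an ACME http-01 challenge URL (added example)."""
from urllib.parse import urljoin, urlsplit

ACME_PREFIX = "/.well-known/acme-challenge/"
REDIRECT_CODES = {301, 302, 303, 307, 308}

# Response headers copied from the curl -I output quoted in the thread.
APPLY_RESPONSE = """\
HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Tue, 12 Apr 2022 02:18:03 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
Location: https://www.essca.fr/en/sinscrire-a-l-essca/
X-Frame-Options: SAMEORIGIN
"""

# Constructed sample: what `return 301 https://$host$request_uri;` would send.
KEEPS_PATH_RESPONSE = """\
HTTP/1.1 301 Moved Permanently
Server: nginx
Location: https://redirect-ok.example/.well-known/acme-challenge/ChallengeFileName
"""

# Constructed sample: a webroot location answering 404 for a probe file
# that does not exist (the request reached the challenge directory).
WEBROOT_404_RESPONSE = """\
HTTP/1.1 404 Not Found
Server: nginx
Content-Type: text/html
"""

# Constructed sample: a relative redirect that also loses the challenge path.
RELATIVE_RESPONSE = """\
HTTP/1.1 302 Found
Location: /landing/
"""


def parse_head(raw):
    """Return (status_code, headers) from raw `curl -I` output."""
    lines = [line.strip() for line in raw.strip().splitlines() if line.strip()]
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def classify(request_url, raw):
    """Say what the server did with a request for a challenge file."""
    request = urlsplit(request_url)
    if not request.path.startswith(ACME_PREFIX):
        raise ValueError("not an http-01 challenge URL: " + request_url)
    status, headers = parse_head(raw)
    if status in REDIRECT_CODES:
        location = headers.get("location")
        if not location:
            return "redirect-without-location"
        # Resolve relative Location values against the requested URL.
        target = urlsplit(urljoin(request_url, location))
        if target.path == request.path:
            # The validation server follows the redirect and can still
            # fetch the token from the new host.
            return "redirect-keeps-challenge-path"
        # The token file can no longer be reached: the CA receives some
        # other page, which shows up as an "Invalid response" error.
        return "redirect-drops-challenge-path"
    if status == 200:
        return "served"
    if status == 404:
        return "not-found"
    return "other-status-%d" % status


def audit(samples):
    """Map each host to its verdict for a list of (url, raw_response)."""
    return {urlsplit(url).hostname: classify(url, raw) for url, raw in samples}


SAMPLES = [
    ("http://apply.essca.fr/.well-known/acme-challenge/ChallengeFileName",
     APPLY_RESPONSE),
    ("http://redirect-ok.example/.well-known/acme-challenge/ChallengeFileName",
     KEEPS_PATH_RESPONSE),
    ("http://webroot.example/.well-known/acme-challenge/ChallengeFileName",
     WEBROOT_404_RESPONSE),
    ("http://relative.example/.well-known/acme-challenge/ChallengeFileName",
     RELATIVE_RESPONSE),
]

if __name__ == "__main__":
    for host, verdict in audit(SAMPLES).items():
        print(host, verdict)
```

A `not-found` verdict for a made-up probe name is the expected result when the request reaches the webroot; `redirect-drops-challenge-path` is the case to fix before renewing.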

Hello Mike,

Thank you for your reply. I have a redirect from apply.essca.fr to essca.fr as this configuration shows:

> nginx -T
> nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
> nginx: configuration file /etc/nginx/nginx.conf test is successful
> # configuration file /etc/nginx/nginx.conf:
> user www-data;
> worker_processes auto;
> pid /run/nginx.pid;
> include /etc/nginx/modules-enabled/*.conf;
> 
> events {
>     worker_connections 1024;
>     multi_accept on;
>     use epoll;
> }
> 
> http {
>     sendfile on;
>     tcp_nopush on;
>     tcp_nodelay on;
>     keepalive_timeout 65;
> 
>     types_hash_max_size 2048;
> 
>     server_tokens off;
>     server_names_hash_bucket_size 128;
>     server_name_in_redirect off;
> 
>     include /etc/nginx/mime.types;
>     default_type application/octet-stream;
> 
>     # First part / © 2018 Seolyzer.io
>     log_format seolyzerFormat-00a4dd5d9bfa4a5983a84687ce1ec84f 'ng   00a4dd5d9bfa4a5983a84687ce1ec84f   $msec   $status   $remote_addr   $host $request   $http_referer   $http_user_agent   $request_time   $bytes_sent   $server_port';
> 
>     access_log /var/log/nginx/access.log;
>     error_log /var/log/nginx/error.log;
> 
>     include /etc/nginx/conf.d/*;
>     include /etc/nginx/sites-enabled/*;
> }
> 
> # configuration file /etc/nginx/modules-enabled/50-mod-http-auth-pam.conf:
> load_module modules/ngx_http_auth_pam_module.so;
> 
> # configuration file /etc/nginx/modules-enabled/50-mod-http-dav-ext.conf:
> load_module modules/ngx_http_dav_ext_module.so;
> 
> # configuration file /etc/nginx/modules-enabled/50-mod-http-echo.conf:
> load_module modules/ngx_http_echo_module.so;
> 
> # configuration file /etc/nginx/modules-enabled/50-mod-http-geoip.conf:
> load_module modules/ngx_http_geoip_module.so;
> 
> # configuration file /etc/nginx/modules-enabled/50-mod-http-image-filter.conf:
> load_module modules/ngx_http_image_filter_module.so;
> 
> # configuration file /etc/nginx/modules-enabled/50-mod-http-subs-filter.conf:
> load_module modules/ngx_http_subs_filter_module.so;
> 
> # configuration file /etc/nginx/modules-enabled/50-mod-http-upstream-fair.conf:
> load_module modules/ngx_http_upstream_fair_module.so;
> 
> # configuration file /etc/nginx/modules-enabled/50-mod-http-xslt-filter.conf:
> load_module modules/ngx_http_xslt_filter_module.so;
> 
> # configuration file /etc/nginx/modules-enabled/50-mod-mail.conf:
> load_module modules/ngx_mail_module.so;
> 
> # configuration file /etc/nginx/modules-enabled/50-mod-stream.conf:
> load_module modules/ngx_stream_module.so;
> 
> # configuration file /etc/nginx/mime.types:
> 
> types {
>     text/html                             html htm shtml;
>     text/css                              css;
>     text/xml                              xml;
>     image/gif                             gif;
>     image/jpeg                            jpeg jpg;
>     application/javascript                js;
>     application/atom+xml                  atom;
>     application/rss+xml                   rss;
> 
>     text/mathml                           mml;
>     text/plain                            txt;
>     text/vnd.sun.j2me.app-descriptor      jad;
>     text/vnd.wap.wml                      wml;
>     text/x-component                      htc;
> 
>     image/png                             png;
>     image/tiff                            tif tiff;
>     image/vnd.wap.wbmp                    wbmp;
>     image/x-icon                          ico;
>     image/x-jng                           jng;
>     image/x-ms-bmp                        bmp;
>     image/svg+xml                         svg svgz;
>     image/webp                            webp;
> 
>     application/font-woff                 woff;
>     application/java-archive              jar war ear;
>     application/json                      json;
>     application/mac-binhex40              hqx;
>     application/msword                    doc;
>     application/pdf                       pdf;
>     application/postscript                ps eps ai;
>     application/rtf                       rtf;
>     application/vnd.apple.mpegurl         m3u8;
>     application/vnd.ms-excel              xls;
>     application/vnd.ms-fontobject         eot;
>     application/vnd.ms-powerpoint         ppt;
>     application/vnd.wap.wmlc              wmlc;
>     application/vnd.google-earth.kml+xml  kml;
>     application/vnd.google-earth.kmz      kmz;
>     application/x-7z-compressed           7z;
>     application/x-cocoa                   cco;
>     application/x-java-archive-diff       jardiff;
>     application/x-java-jnlp-file          jnlp;
>     application/x-makeself                run;
>     application/x-perl                    pl pm;
>     application/x-pilot                   prc pdb;
>     application/x-rar-compressed          rar;
>     application/x-redhat-package-manager  rpm;
>     application/x-sea                     sea;
>     application/x-shockwave-flash         swf;
>     application/x-stuffit                 sit;
>     application/x-tcl                     tcl tk;
>     application/x-x509-ca-cert            der pem crt;
>     application/x-xpinstall               xpi;
>     application/xhtml+xml                 xhtml;
>     application/xspf+xml                  xspf;
>     application/zip                       zip;
> 
>     application/octet-stream              bin exe dll;
>     application/octet-stream              deb;
>     application/octet-stream              dmg;
>     application/octet-stream              iso img;
>     application/octet-stream              msi msp msm;
> 
>     application/vnd.openxmlformats-officedocument.wordprocessingml.document    docx;
>     application/vnd.openxmlformats-officedocument.spreadsheetml.sheet          xlsx;
>     application/vnd.openxmlformats-officedocument.presentationml.presentation  pptx;
> 
>     audio/midi                            mid midi kar;
>     audio/mpeg                            mp3;
>     audio/ogg                             ogg;
>     audio/x-m4a                           m4a;
>     audio/x-realaudio                     ra;
> 
>     video/3gpp                            3gpp 3gp;
>     video/mp2t                            ts;
>     video/mp4                             mp4;
>     video/mpeg                            mpeg mpg;
>     video/quicktime                       mov;
>     video/webm                            webm;
>     video/x-flv                           flv;
>     video/x-m4v                           m4v;
>     video/x-mng                           mng;
>     video/x-ms-asf                        asx asf;
>     video/x-ms-wmv                        wmv;
>     video/x-msvideo                       avi;
> }
> 
> # configuration file /etc/nginx/conf.d/proxy:
> proxy_set_header Host $host;
> proxy_set_header X-Real-IP $remote_addr;
> proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
> proxy_set_header X-Forwarded-Proto $scheme;
> proxy_buffer_size 128k;
> proxy_buffers 16 1024k;
> proxy_busy_buffers_size 1024k;
> proxy_connect_timeout 15;
> proxy_send_timeout 15;
> proxy_read_timeout 15;
> send_timeout 300;
> 
> 
> # configuration file /etc/nginx/sites-enabled/essca2017-production:
> server {
>     server_name essca.fr master-consulting.fr master-webmarketing.fr formation-superieure-auto.fr finance-risk-management.fr www.incubateur.essca.fr incubateur.essca.fr;
>     listen 80;
> 
>     access_log /var/log/nginx/essca2017-production-80-access.log combined;
>     error_log /var/log/nginx/essca2017-production-80-error.log;
> 
>     include /etc/nginx/snippets/letsencrypt;
> 
>     index index.html;
> 
>     location @redirect {
>         return 301 https://$host$request_uri;
>     }
> 
>     location / {
>         try_files $uri @redirect;
>     }
> }
> 
> server {
>     server_name www.essca.fr eu-asia.essca.fr ethique-des-affaires.essca.fr digital.essca.fr ipa.essca.fr parents.essca.fr www.master-consulting.fr www.master-webmarketing.fr www.finance-risk-management.fr www.formation-superieure-auto.fr master.formation-superieure-auto.fr recherche.essca.fr vae.essca.fr european-notepad.essca.fr executive.essca.fr tunisie.essca.fr www.incub.essca.fr incub.essca.fr 111.essca.fr international.essca.fr;
>     listen 80;
> 
>     access_log /var/log/nginx/essca2017-production-80-access.log combined;
>     error_log /var/log/nginx/essca2017-production-80-error.log;
> 
>     include /etc/nginx/snippets/letsencrypt;
> 
>     index index.html;
> 
>     location @redirect {
>         return 301 https://$host$request_uri;
>     }
> 
>     location / {
>         try_files $uri @redirect;
>     }
> }
> 
> server {
>     server_name apply.essca.fr;
>     listen 80;
> 
>     access_log /var/log/nginx/essca2017-production-443-access.log combined;
>     error_log /var/log/nginx/essca2017-production-443-error.log;
> 
>     include /etc/nginx/snippets/ssl;
> 
>     index index.html;
> 
>     location @redirect {
>         return 301 https://www.essca.fr/en/sinscrire-a-l-essca/;
>     }
> 
>     location / {
>         try_files $uri @redirect;
>     }
> }
> 
> server {
>     server_name candidature.essca.fr;
>     listen 80;
> 
>     access_log /var/log/nginx/essca2017-production-443-access.log combined;
>     error_log /var/log/nginx/essca2017-production-443-error.log;
> 
>     include /etc/nginx/snippets/ssl;
> 
>     index index.html;
> 
>     location @redirect {
>         return 301 https://www.essca.fr/sinscrire-a-lessca/;
>     }
> 
>     location / {
>         try_files $uri @redirect;
>     }
> }
> 
> server {
>     server_name apply.essca.fr;
>     listen 443 ssl http2;
> 
>     access_log /var/log/nginx/essca2017-production-443-access.log combined;
>     error_log /var/log/nginx/essca2017-production-443-error.log;
> 
>     include /etc/nginx/snippets/ssl;
> 
>     ssl_certificate /etc/letsencrypt/live/www.essca.fr-0002/fullchain.pem;
>     ssl_certificate_key /etc/letsencrypt/live/www.essca.fr-0002/privkey.pem;
> 
>     add_header Strict-Transport-Security "max-age=0;";
> 
>     index index.html;
> 
>     location @redirect {
>         add_header Strict-Transport-Security "max-age=0;";
>         return 301 https://www.essca.fr/en/sinscrire-a-l-essca/;
>     }
> 
>     location / {
>         add_header Strict-Transport-Security "max-age=0;";
>         try_files $uri @redirect;
>     }
> }
> 
> server {
>     server_name candidature.essca.fr;
>     listen 443 ssl http2;
> 
>     access_log /var/log/nginx/essca2017-production-443-access.log combined;
>     error_log /var/log/nginx/essca2017-production-443-error.log;
> 
>     include /etc/nginx/snippets/ssl;
> 
>     ssl_certificate /etc/letsencrypt/live/www.essca.fr-0002/fullchain.pem;
>     ssl_certificate_key /etc/letsencrypt/live/www.essca.fr-0002/privkey.pem;
> 
>     index index.html;
> 
>     location @redirect {
> 	return 301 https://www.essca.fr/sinscrire-a-lessca/;
>     }
> 
>     location / {
>         try_files $uri @redirect;
>     }
> }
> 
> server {
>     server_name essca.fr master-consulting.fr master-webmarketing.fr finance-risk-management.fr formation-superieure-auto.fr;
>     listen 443 ssl http2;
> 
>     access_log /var/log/nginx/essca2017-production-443-access.log combined;
>     error_log /var/log/nginx/essca2017-production-443-error.log;
> 
>     include /etc/nginx/snippets/ssl;
> 
>     ssl_certificate /etc/letsencrypt/live/www.essca.fr-0002/fullchain.pem;
>     ssl_certificate_key /etc/letsencrypt/live/www.essca.fr-0002/privkey.pem;
> 
>     add_header Strict-Transport-Security "max-age=0;";
> 
>     index index.html;
> 
>     location @redirect {
>         add_header Strict-Transport-Security "max-age=0;";
>         return 301 https://www.$host$request_uri;
>     }
> 
>     location / {
>         add_header Strict-Transport-Security "max-age=0;";
>         try_files $uri @redirect;
>     }
> }
> 
> server {
>     server_name master.formation-superieure-auto.fr recherche.essca.fr vae.essca.fr;
>     listen 443 ssl http2;
> 
>     access_log /var/log/nginx/essca2017-production-443-access.log combined;
>     error_log /var/log/nginx/essca2017-production-443-error.log;
> 
>     include /etc/nginx/snippets/ssl;
> 
>     ssl_certificate /etc/letsencrypt/live/www.essca.fr-0002/fullchain.pem;
>     ssl_certificate_key /etc/letsencrypt/live/www.essca.fr-0002/privkey.pem;
> 
>     index index.html;
> 
>     location @redirect {
>         return 301 https://www.essca.fr;
>     }
> 
>     location / {
>         try_files $uri @redirect;
>     }
> }
> 
> server {
>     server_name www.incubateur.essca.fr incub.essca.fr www.incub.essca.fr;
>     listen 443 ssl http2;
> 
>     access_log /var/log/nginx/essca2017-production-443-access.log combined;
>     error_log /var/log/nginx/essca2017-production-443-error.log;
> 
>     include /etc/nginx/snippets/ssl;
> 
>     ssl_certificate /etc/letsencrypt/live/www.essca.fr-0002/fullchain.pem;
>     ssl_certificate_key /etc/letsencrypt/live/www.essca.fr-0002/privkey.pem;
> 
>     index index.html;
> 
>     location @redirect {
>         return 301 https://incubateur.essca.fr;
>     }
> 
>     location / {
>         try_files $uri @redirect;
>     }
> }
> 
> server {
>     server_name www.formation-superieure-auto.fr;
>     listen 443 ssl http2;
> 
>     access_log /var/log/nginx/essca2017-production-443-access.log combined;
>     error_log /var/log/nginx/essca2017-production-443-error.log;
> 
>     include /etc/nginx/snippets/ssl;
> 
>     ssl_certificate /etc/letsencrypt/live/www.essca.fr-0002/fullchain.pem;
>     ssl_certificate_key /etc/letsencrypt/live/www.essca.fr-0002/privkey.pem;
> 
>     index index.html;
> 
>     location /master {
>         return 301 https://www.essca.fr/programmes/programme-grande-ecole/programme/programme-master/programme-5eme-annee/programme-master-majeure-e-marketing-mobilites-automobile/;
>     }
> 
>     location @redirect {
> 	return 301 https://www.essca.fr/essca-research-lab/chaires/chaire-distribution-et-service-automobiles;
>     }
> 
>     location / {
>         try_files $uri @redirect;
>     }
> }
> 
> server {
>     server_name www.finance-risk-management.fr;
>     listen 443 ssl http2;
> 
>     access_log /var/log/nginx/essca2017-production-443-access.log combined;
>     error_log /var/log/nginx/essca2017-production-443-error.log;
> 
>     include /etc/nginx/snippets/ssl;
> 
>     ssl_certificate /etc/letsencrypt/live/www.essca.fr-0002/fullchain.pem;
>     ssl_certificate_key /etc/letsencrypt/live/www.essca.fr-0002/privkey.pem;
> 
>     index index.html;
> 
>     location @redirect {
>         return 301 https://www.essca.fr/programmes/programme-grande-ecole/programme-master-en-alternance/finance-risk-management-programme-en-alternance;
>     }
> 
>     location / {
>         try_files $uri @redirect;
>     }
> }
> 
> server {
>     server_name tunisie.essca.fr;
>     listen 443 ssl http2;
> 
>     access_log /var/log/nginx/essca2017-production-443-access.log combined;
>     error_log /var/log/nginx/essca2017-production-443-error.log;
> 
>     include /etc/nginx/snippets/ssl;
> 
>     ssl_certificate /etc/letsencrypt/live/www.essca.fr-0002/fullchain.pem;
>     ssl_certificate_key /etc/letsencrypt/live/www.essca.fr-0002/privkey.pem;
> 
>     index index.html;
> 
>     location @redirect {
>         return 301 https://www.essca.fr/;
>     }
> 
>     location / {
>         try_files $uri @redirect;
>     }
> }
> 
> 
> server {
>     server_name eu-asia.essca.fr ethique-des-affaires.essca.fr digital.essca.fr ipa.essca.fr parents.essca.fr www.master-consulting.fr www.master-webmarketing.fr european-notepad.essca.fr executive.essca.fr incubateur.essca.fr 111.essca.fr;
>     listen 443 ssl http2;
> 
>     access_log /var/log/nginx/essca2017-production-443-access.log combined;
>     error_log /var/log/nginx/essca2017-production-443-error.log;
> 
>     include /etc/nginx/snippets/ssl;
>     include /etc/nginx/essca2017_redirections;
> 
>     ssl_certificate /etc/letsencrypt/live/www.essca.fr-0002/fullchain.pem;
>     ssl_certificate_key /etc/letsencrypt/live/www.essca.fr-0002/privkey.pem;
> 
>     add_header Strict-Transport-Security "max-age=0;";
> 
>     index index.html;
> 
>     client_max_body_size 250m;
> 
>     location /autodiscover/autodiscover.xml {
>         access_log off;
>         return 404;
>     }
> 
>     location ~* \.(eot|ttf|woff|woff2)$ {
>         add_header Strict-Transport-Security "max-age=0;";
>         add_header Access-Control-Allow-Origin *;
>         proxy_pass http://127.0.0.1:9121;
>         include snippets/proxy;
>     }
> 
>     location / {
>         add_header Strict-Transport-Security "max-age=0;";
>         proxy_pass http://127.0.0.1:9121;
>         include snippets/proxy;
>     }
> }
> 
> server {
>         server_name international.essca.fr;
>         listen 443 ssl http2;
> 
>         access_log /var/log/nginx/essca2017-production-443-access.log combined;
>         error_log /var/log/nginx/essca2017-production-443-error.log;
> 
>         include /etc/nginx/snippets/ssl;
>         include /etc/nginx/essca2017_redirections;
> 
>         # include /etc/nginx/snippets/auth-basic;
> 
>         ssl_certificate /etc/letsencrypt/live/www.essca.fr-0002/fullchain.pem;
>         ssl_certificate_key /etc/letsencrypt/live/www.essca.fr-0002/privkey.pem;
> 
>         add_header Strict-Transport-Security "max-age=0;";
> 
>         index index.html;
> 
>         client_max_body_size 250m;
> 
>         location /autodiscover/autodiscover.xml {
>             access_log off;
>             return 404;
>         }
> 
>         location ~* \.(eot|ttf|woff|woff2)$ {
>             add_header Strict-Transport-Security "max-age=0;";
>             add_header Access-Control-Allow-Origin *;
>             proxy_pass http://127.0.0.1:9121;
>             include snippets/proxy;
>         }
> 
>         location / {
>             add_header Strict-Transport-Security "max-age=0;";
>             proxy_pass http://127.0.0.1:9121;
>             include snippets/proxy;
>         }
> }
> 
> server {
>         server_name www.essca.fr;
>         listen 443 ssl http2;
> 
>         # Second part / © 2018 Seolyzer.io
>         access_log /var/log/nginx/seolyzerLogUbNg-00a4dd5d9bfa4a5983a84687ce1ec84f.log seolyzerFormat-00a4dd5d9bfa4a5983a84687ce1ec84f;
>         error_log /var/log/nginx/essca2017-production-443-error.log;
> 
>         include /etc/nginx/snippets/ssl;
>         include /etc/nginx/essca2017_redirections;
> 
>         ssl_certificate /etc/letsencrypt/live/www.essca.fr-0002/fullchain.pem;
>         ssl_certificate_key /etc/letsencrypt/live/www.essca.fr-0002/privkey.pem;
> 
>         add_header Strict-Transport-Security "max-age=0;";
> 
>         index index.html;
> 
>         client_max_body_size 250m;
> 
>         location /autodiscover/autodiscover.xml {
>             access_log off;
>             return 404;
>         }
> 
>         location ~* \.(eot|ttf|woff|woff2)$ {
>             add_header Strict-Transport-Security "max-age=0;";
>             add_header Access-Control-Allow-Origin *;
>             proxy_pass http://127.0.0.1:9121;
>             include snippets/proxy;
>         }
> 
>         location / {
>             add_header Strict-Transport-Security "max-age=0;";
>             proxy_pass http://127.0.0.1:9121;
>             include snippets/proxy;
>         }
> }
> 
> # configuration file /etc/nginx/snippets/letsencrypt:
> location /.well-known {
>     root /var/www/letsencrypt;
>     try_files $uri =404;
> }
> 
> 
> 
> # configuration file /etc/nginx/snippets/ssl:
> add_header X-Frame-Options SAMEORIGIN;
> ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
> ssl_prefer_server_ciphers on;
> ssl_dhparam /etc/nginx/dhparams.pem;
> ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
> ssl_session_timeout 1d;
> ssl_session_cache shared:SSL:50m;
> ssl_stapling on;
> ssl_stapling_verify on;
> 
> 
> # configuration file /etc/nginx/essca2017_redirections:
> # Campagnes emailing
> # new 001 hai.nguyen
> rewrite ^/campagnes/?(.*)?$ https://www.essca.fr/wp-admin/campagnes/$1 permanent;
> 
> # Sub-Websites redirections
> # note: change from 2 rewrite rules to 1, use regex /? to catch both conditions , hai.nguyen
> rewrite ^/blogs/recherche/?(.*)?$ https://recherche.essca.fr/$1 permanent;
> rewrite ^/blogs/ethique-des-affaires/?(.*)?$ https://ethique-des-affaires.essca.fr/$1 permanent;
> rewrite ^/blogs/eu-asia/?(.*)?$ https://eu-asia.essca.fr/$1 permanent;
> rewrite ^/blogs/digital/?(.*)?$ https://digital.essca.fr/$1 permanent;
> rewrite ^/blogs/vae/?(.*)?$ https://vae.essca.fr/$1 permanent;
> rewrite ^/vae/?(.*)?$ https://vae.essca.fr/$1 permanent;
> rewrite ^/blogs/ipa/?(.*)?$ https://ipa.essca.fr/$1 permanent;
> rewrite ^/ipa/?(.*)?$ https://ipa.essca.fr/$1 permanent;
> rewrite ^/eu-asia/?(.*)?$ https://eu-asia.essca.fr/$1 permanent;
> rewrite ^/EU-Asia/?(.*)?$ https://eu-asia.essca.fr/$1 permanent;
> rewrite ^/blogs/parents/?(.*)?$ https://parents.essca.fr/$1 permanent;
> 
> # PDF deleted to redirect
> rewrite ^/wp-content/uploads/sites/1/2014/03/plaquette-BADGE-MESMS.pdf https://www.essca.fr/programmes/formation-continue/programme-badge permanent;
> rewrite ^/wp-content/uploads/sites/1/2014/11/Brochure-ESSCA-DigitalManagement-BachelorExpert.pdf https://www.essca.fr/programmes/bachelors-en-management permanent;
> rewrite ^/wp-content/uploads/sites/1/2015/12/Brochure-ESSCA-MBA.pdf https://www.essca.fr/ permanent;
> rewrite ^/wp-content/uploads/2018/10/MSc-digital-marketing-and-business.pdf https://www.essca.fr/programmes/master-of-science permanent;
> rewrite ^/wp-content/uploads/sites/1/2016/05/Bachelor-manager-operationnel-economie-numerique.pdf https://www.essca.fr/programmes/bachelors-en-management permanent;
> rewrite ^/wp-content/uploads/sites/1/2016/05/dossier-candidature-bachelor-MOEN.pdf https://www.essca.fr/programmes/bachelors-en-management permanent;
> rewrite ^/wp-content/uploads/2016/02/MSc-global-fast-moving-consumer-goods-marketing.pdf https://www.essca.fr/programmes/master-of-science permanent;
> rewrite ^/wp-content/uploads/2016/02/MSc-financial-management-and-control.pdf https://www.essca.fr/programmes/master-of-science permanent;
> rewrite ^/wp-content/uploads/2016/02/MSc-financial-analysis.pdf https://www.essca.fr/programmes/master-of-science permanent;
> 
> # configuration file /etc/nginx/snippets/proxy:
> proxy_set_header Host $host;
> proxy_set_header X-Real-IP $remote_addr;
> proxy_set_header X-Real-Port $remote_port;
> proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
> proxy_set_header X-Forwarded-Proto $scheme;
> proxy_buffer_size 1024k;
> proxy_buffers 4 1024k;
> proxy_busy_buffers_size 1024k;
> proxy_connect_timeout 600;
> proxy_send_timeout 600;
> proxy_read_timeout 600;
> send_timeout 600;
> 
> # configuration file /etc/nginx/sites-enabled/essca2017-production-cdn:
> server {
>     server_name assets.essca.fr;
>     listen 80;
> 
>     access_log /var/log/nginx/essca2017-production-cdn-80-access.log combined;
>     error_log /var/log/nginx/essca2017-production-cdn-80-error.log;
> 
>     include /etc/nginx/snippets/letsencrypt;
> 
>     index index.html;
> 
>     client_max_body_size 250m;
> 
>     location / {
>         proxy_pass http://127.0.0.1:9121;
>         include snippets/proxy;
>     }
> }
> 
> server {
>     server_name assets.essca.fr;
>     listen 443 ssl http2;
> 
>     access_log /var/log/nginx/essca2017-production-cdn-443-access.log combined;
>     error_log /var/log/nginx/essca2017-production-cdn-443-error.log;
> 
>     include /etc/nginx/snippets/ssl;
>     include /etc/nginx/essca2017_redirections;
> 
>     ssl_certificate /etc/letsencrypt/live/www.essca.fr-0002/fullchain.pem;
>     ssl_certificate_key /etc/letsencrypt/live/www.essca.fr-0002/privkey.pem;
> 
>     index index.html;
> 
>     client_max_body_size 250m;
> 
>     location / {
>         proxy_pass http://127.0.0.1:9121;
>         include snippets/proxy;
> 
>         if ($http_origin ~* (https?://[^/]*\.essca.fr(:[0-9]+)?)$) {
>             add_header 'Access-Control-Allow-Origin' "${http_origin}";
>         }
>         if ($http_origin ~* (https?://[^/]*\.master-consulting.fr(:[0-9]+)?)$) {
>             add_header 'Access-Control-Allow-Origin' "${http_origin}";
>         }
>         if ($http_origin ~* (https?://[^/]*\.master-webmarketing.fr(:[0-9]+)?)$) {
>             add_header 'Access-Control-Allow-Origin' "${http_origin}";
>         }
> 	if ($http_origin ~* (https://international.essca.fr(:[0-9]+)?)$) {
>             add_header 'Access-Control-Allow-Origin' "${http_origin}";
>         }
>     }
> }
> 
> # configuration file /etc/nginx/sites-enabled/essca2017-staging:
> server {
>     server_name essca2017.it-consultis.net eu-asia.essca2017.it-consultis.net ethique-des-affaires.essca2017.it-consultis.net digital.essca2017.it-consultis.net ipa.essca2017.it-consultis.net parents.essca2017.it-consultis.net master-consulting.essca2017.it-consultis.net master-webmarketing.essca2017.it-consultis.net european-notepad.essca2017.it-consultis.net executive.essca2017.it-consultis.net tunisie.essca2017.it-consultis.net incubateur.essca2017.it-consultis.net essca-111.essca2017.it-consultis.net international.essca2017.it-consultis.net;
>     listen 80;
> 
>     access_log /var/log/nginx/essca2017-staging-80-access.log combined;
>     error_log /var/log/nginx/essca2017-staging-80-error.log;
> 
>     include /etc/nginx/snippets/letsencrypt;
>     include /etc/nginx/snippets/disallow-robots;
> #    include /etc/nginx/snippets/auth-basic;
> 
>     client_max_body_size 250m;
>     index index.html;
> 
>     location @redirect {
>         return 301 https://$host$request_uri;
>     }
> 
>     location / {
>         try_files $uri @redirect;
>     }
> }
> 
> server {
>     server_name essca2017.it-consultis.net eu-asia.essca2017.it-consultis.net ethique-des-affaires.essca2017.it-consultis.net digital.essca2017.it-consultis.net ipa.essca2017.it-consultis.net parents.essca2017.it-consultis.net master-consulting.essca2017.it-consultis.net master-webmarketing.essca2017.it-consultis.net european-notepad.essca2017.it-consultis.net executive.essca2017.it-consultis.net tunisie.essca2017.it-consultis.net incubateur.essca2017.it-consultis.net essca-111.essca2017.it-consultis.net international.essca2017.it-consultis.net;
>     listen 443 ssl http2;
> 
>     access_log /var/log/nginx/essca2017-staging-443-access.log combined;
>     error_log /var/log/nginx/essca2017-staging-443-error.log;
> 
>     include /etc/nginx/snippets/ssl;
>     include /etc/nginx/snippets/disallow-robots;
> #    include /etc/nginx/snippets/auth-basic;
> 
>     ssl_certificate /etc/letsencrypt/live/essca2017.it-consultis.net-0001/fullchain.pem;
>     ssl_certificate_key /etc/letsencrypt/live/essca2017.it-consultis.net-0001/privkey.pem;
> 
>     index index.html;
> 
>     client_max_body_size 250m;
>     client_body_timeout 300;
>     location ~* \.(eot|ttf|woff|woff2)$ {
>         add_header Access-Control-Allow-Origin *;
>         proxy_pass http://127.0.0.1:9110;
>         include snippets/proxy;
>     }
> 
>     location / {
>         proxy_pass http://127.0.0.1:9110;
>         include snippets/proxy;
>     }
> }
> 
> # configuration file /etc/nginx/snippets/disallow-robots:
> location = /robots.txt {
>     root /etc/nginx/resources/robots;
>     try_files $uri =404;
> }
> 
> # configuration file /etc/nginx/sites-enabled/esscatedx_production:
> server {
>     server_name www.tedxessca.com tedxessca.com;
>     listen 80;
> 
>     access_log /var/log/nginx/esscatedx-production-80-access.log combined;
>     error_log /var/log/nginx/esscatedx-production-80-error.log;
> 
>     include /etc/nginx/snippets/letsencrypt;
> 
>     index index.html;
> 
>     location @redirect {
>         return 301 https://$host$request_uri;
>     }
> 
>     location / {
>         try_files $uri @redirect;
>     }
> }
> 
> server {
>     server_name www.tedxessca.com tedxessca.com;
>     listen 443 ssl http2;
> 
>     access_log /var/log/nginx/esscatedx-production-443-access.log combined;
>     error_log /var/log/nginx/esscatedx-production-443-error.log;
> 
>     include /etc/nginx/snippets/ssl;
> 
>     ssl_certificate /etc/letsencrypt/live/www.tedxessca.com/fullchain.pem;
>     ssl_certificate_key /etc/letsencrypt/live/www.tedxessca.com/privkey.pem;index index.html;
> 
>     client_max_body_size 250m;
> 
>     index index.html;
> 
>     location / {
>         proxy_pass http://127.0.0.1:8001;
>         include snippets/proxy;
>     }
> }
> 
> # configuration file /etc/nginx/sites-enabled/esscatedx_staging:
> server {
>     server_name tedxessca.it-consultis.net;
>     listen 80;
> 
>     access_log /var/log/nginx/esscatedx-staging-80-access.log combined;
>     error_log /var/log/nginx/esscatedx-staging-80-error.log;
> 
>     include /etc/nginx/snippets/letsencrypt;
>     include /etc/nginx/snippets/disallow-robots;
>     include /etc/nginx/snippets/auth-basic;
> 
>     index index.html;
> 
>     location / {
>                proxy_pass http://127.0.0.1:8002;
>                include snippets/proxy;
>      }
> }
> 
> server {
>     server_name tedxessca.it-consultis.net;
>     listen 443 ssl http2;
> 
>     access_log /var/log/nginx/esscatedx-staging-443-access.log combined;
>     error_log /var/log/nginx/esscatedx-staging-443-error.log;
> 
>     include /etc/nginx/snippets/ssl;
>     include /etc/nginx/snippets/disallow-robots;
>     include /etc/nginx/snippets/auth-basic;
> 
>     ssl_certificate /etc/letsencrypt/live/tedxessca.it-consultis.net/fullchain.pem;
>     ssl_certificate_key /etc/letsencrypt/live/tedxessca.it-consultis.net/privkey.pem;index index.html;
> 
>     client_max_body_size 250m;
> 
>     location / {
>         proxy_pass http://127.0.0.1:8002;
>         include snippets/proxy;
>     }
> }
> 
> # configuration file /etc/nginx/snippets/auth-basic:
> auth_basic "Restricted";
> auth_basic_user_file /etc/nginx/htpasswords;
> 
> 
> # configuration file /etc/nginx/sites-enabled/eu-periscope.essca.fr.conf:
> server {
>         ## Your website name goes here.
>         server_name eu-periscope.essca.fr;
>         ## Your only path reference.
>         root /home/eu-periscope/eu-periscope.essca.fr/src;
>         ## This should be in your http block and if it is, it's not needed here.
>         index index.php;
> 
>         client_max_body_size 250m;
> 
>         location / {
>             add_header Strict-Transport-Security "max-age=0;";
>             proxy_pass http://127.0.0.1:8888;
>             include snippets/proxy;
>         }
> 
>         location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
>             add_header Strict-Transport-Security "max-age=0;";
>             add_header Access-Control-Allow-Origin *;
>             proxy_pass http://127.0.0.1:8888;
>             include snippets/proxy;
>         }
> }
1 Like

It looks to me like you are sharing a cert and webroot path between www.essca.fr and apply.essca.fr (and others). That is fine.

But, you are using a different method to handle the Let's Encrypt challenge in apply which is not working. This is the include you use for the server that works. I am not sure what you are trying to do with your servers. But, it seems like you should use the same include for apply too for the challenge.

3 Likes

Sorry, my mistake. The domain was candidature and looks the same as the apply domain.

2 Likes

Hello Mike,

That's exactly the problem. After I add

include /etc/nginx/snippets/letsencrypt;

for both apply.essca.fr and candidature.essca.fr, it's working now. Thank you very much for your support.

2 Likes
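The check that resolved this thread, as an added example that is not part of the original posts: it scans `nginx -T` output for port-80 server blocks that never include the challenge snippet, which is where an http-01 validation request lands. The sample config and its hostnames are constructed; the snippet path is the one quoted in the thread, and the function names are hypothetical.

```python
import re

# Constructed sample shaped like `nginx -T` output; hostnames are placeholders.
SAMPLE = """\
server {
    server_name www.example.org example.org;
    listen 80;
    include /etc/nginx/snippets/letsencrypt;
    location / { return 301 https://$host$request_uri; }
}
server {
    server_name apply.example.org candidature.example.org;
    listen 80;
    # include /etc/nginx/snippets/letsencrypt;
    location / { return 301 https://$host$request_uri; }
}
server {
    server_name apply.example.org;
    listen 443 ssl http2;
}
server {
    server_name legacy.example.org;
    location / { proxy_pass http://127.0.0.1:8888; }
}
"""

def server_blocks(text):
    # Yield each `server { ... }` body by brace matching (no braces in strings assumed).
    text = re.sub(r"#.*", "", text)  # drops commented-out includes too
    for m in re.finditer(r"^\s*server\s*\{", text, re.M):
        depth, i = 1, m.end()
        while depth and i < len(text):
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield text[m.end():i - 1]

def on_port_80(body):
    listens = re.findall(r"^\s*listen\s+([^;]+);", body, re.M)
    # With no listen directive nginx (run as root) serves the block on *:80.
    return not listens or any(re.fullmatch(r"(?:.*:)?80", l.split()[0]) for l in listens)

# Names of port-80 server blocks that never pull in the challenge snippet.
def missing_challenge_include(text, include="/etc/nginx/snippets/letsencrypt"):
    pattern = r"^\s*include\s+" + re.escape(include) + r"\s*;"
    missing = []
    for body in server_blocks(text):
        if on_port_80(body) and not re.search(pattern, body, re.M):
            names = re.search(r"^\s*server_name\s+([^;]+);", body, re.M)
            missing += names.group(1).split() if names else ["(unnamed)"]
    return missing
print(missing_challenge_include(SAMPLE))
```

On a live host, feed it the text captured from `nginx -T` before requesting a certificate that spans several server blocks.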
