Certbot nginx does not reload Config

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:
certbot renew --dry-run -vvv
It produced this output:

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: cloud.faass.eu
Type: connection
Detail: Fetching http://cloud.faass.eu/.well-known/acme-challenge/lGRcvEyPdMBSWjVFkXUCqlmQ7vzmsyp5amZ3YLR8tCU: Connection refused

My web server is (include version):
nginx version: nginx/1.20.2
The operating system my web server runs on is (include version):
freebsd-version
12.3-RELEASE-p2

My hosting provider, if applicable, is:
none

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.22.0

Hi!

I am trying to renew my certificate for some days now and tried a lot of things to get it working.
My nginx normally does not listen on Port 80, so I user the nginx-plugin to create a temporary config for the renewal.
When running certbot renew, this config is created and written to /usr/local/etc/nginx and ./letsencrypt:

(nginx.conf):
user www;
worker_processes auto;

This default error log path is compiled-in to make sure configuration parsing

errors are logged somewhere, especially during unattended boot when stderr

isn't normally logged anywhere. This path will be touched on every nginx

start regardless of error log location configured here. See

#147 (nginx touched /var/log/nginx-error.log even when error_log are switched off) – nginx for more info.

#error_log /var/log/nginx/error.log;

pid /var/run/nginx.pid;
load_module /usr/local/libexec/nginx/ngx_stream_module.so;

events {
worker_connections 1024;
}

http {
include /usr/local/etc/letsencrypt/le_http_01_cert_challenge.conf;
server_names_hash_bucket_size 128;
include mime.types;
(.........)

and the included file:
root@ProxyDMZ:~ # cat le_http_01_cert_challenge.conf
server{listen 80;server_name cloud.faass.eu;root /var/db/letsencrypt/http_01_nonexistent;location = /.well-known/acme-challenge/mIq4sCUIZmhKstSl-zANhKytN6z61Q_Hm62-zUOa5r0{default_type text/plain;return 200 mIq4sCUIZmhKstSl-zANhKytN6z61Q_Hm62-zUOa5r0.0QTF0O8SjxYNL_GH5X72f2am95dc96J9aE_KZbeEYPU;}}

Problem is: The plugin seems to miss the config reload of nginx, when I look at the open sockets while running the renew only 443 is open.

For testing that I'v copied those two files while the renew was running and failed.

After that point I manually copied both to their directory and did a "service nginx reload", now the Challenge is available and working:

URL="http://cloud.faass.eu"$(cat /usr/local/etc/letsencrypt/le_http_01_cert_challenge.conf | sed -n -e 's/^.location = //p' | sed 's/{.//' )

curl -v $URL

  • Trying 176.198.153.26:80...
  • Connected to cloud.faass.eu (176.198.153.26) port 80 (#0)

GET /.well-known/acme-challenge/mIq4sCUIZmhKstSl-zANhKytN6z61Q_Hm62-zUOa5r0 HTTP/1.1
Host: cloud.faass.eu
User-Agent: curl/7.80.0
Accept: /

  • Mark bundle as not supporting multiuse
    < HTTP/1.1 200 OK
    < Server: nginx/1.20.2
    < Date: Fri, 04 Mar 2022 12:14:35 GMT
    < Content-Type: text/plain
    < Content-Length: 87
    < Connection: keep-alive
    < Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    <
  • Connection #0 to host cloud.faass.eu left intact
    mIq4sCUIZmhKstSl-zANhKytN6z61Q_Hm62-zUOa5r0.0QTF0O8SjxYNL_GH5X72f2am95dc96J9aE_KZbeEYPU#

Is there anything I can do to tell certbot to reload the nginx config and wait fa few seconds after creating the temp config files?
Or am I missing something different? :wink:

Thanks and greetings from Germany,
Philipp

This sounds like a firewall. Are you accepting connections on port 80?

Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-04 17:35 CET
Nmap scan report for cloud.faass.eu (176.198.153.26)
Host is up (0.057s latency).
rDNS record for 176.198.153.26: ip-176-198-153-026.um43.pools.vodafone-ip.de
Not shown: 998 filtered tcp ports (no-response)
PORT    STATE  SERVICE
80/tcp  closed http
443/tcp open   https

Nmap done: 1 IP address (1 host up) scanned in 6.44 seconds
1 Like

The easier way to do this is

certbot renew --authenticator standalone --installer nginx

3 Likes

There is but it may not help. My experience is that nginx needs a restart after changing ports listened and the certbot nginx plug-in only does a reload.

@9peppe suggestion for standalone authenticator is a good one. Or,

You should just keep port 80 open always. See this recommendation from LE

But, here is the way to sleep in case you want to try anyway

--nginx-sleep-seconds NGINX_SLEEP_SECONDS
                        Number of seconds to wait for nginx configuration
                        changes to apply when reloading. (default: 1)
3 Likes

This is because I do not have port 80 up and running on nginx when I'm nor renewing my certificate.

Okay, can you tell me what the difference is using the standalone authenticator? Because THIS works, using nginx also as authenticator doesn't:

root@ProxyDMZ:~ # certbot renew --authenticator standalone --installer nginx

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /usr/local/etc/letsencrypt/renewal/cloud.faass.eu.conf


Renewing an existing certificate for cloud.faass.eu

Reloading nginx server after certificate renewal


Congratulations, all renewals succeeded:

/usr/local/etc/letsencrypt/live/cloud.faass.eu/fullchain.pem (success)


nginx authenticator needs nginx to listen on port 80.

standalone authenticator spins up a bespoke webserver listening on port 80.

You should make nginx listen on port 80 and redirect to https, there is no reason not to. Then, you can use the nginx authenticator (and the standalone one will fail, because something is already bound to port 80).

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.