Certbot --nginx success but certbot renew fail

My domain is:

card.niconi.co.ni

c.dash.moe

(unrelated domains omitted)

I ran this command:

# certbot --nginx
# certbot renew --dry-run

It produced this output:

[root@dash ~]# certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org

Which names would you like to activate HTTPS for?
-------------------------------------------------------------------------------
1: niconi.co.ni
2: card.niconi.co.ni
3: zehuoge.niconi.co.ni
4: c.dash.moe
5: mf.dash.moe
6: en.mf.dash.moe
7: zh.mf.dash.moe
8: mw.dash.moe
9: en.mw.dash.moe
10: zh.mw.dash.moe
11: giftia.moe
12: anime.giftia.moe
13: blog.giftia.moe
14: lovelive-pdp.giftia.moe
15: sukasuka.giftia.moe
16: marioforever.wiki
17: en.marioforever.wiki
18: mw.marioforever.wiki
19: en.mw.marioforever.wiki
20: zh.mw.marioforever.wiki
21: www.marioforever.wiki
22: zh.marioforever.wiki
23: tokuisora.ml
24: zura.ml
-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/niconi.co.ni.conf)

What would you like to do?
-------------------------------------------------------------------------------
1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for niconi.co.ni
http-01 challenge for card.niconi.co.ni
http-01 challenge for zehuoge.niconi.co.ni
tls-sni-01 challenge for c.dash.moe
tls-sni-01 challenge for mf.dash.moe
tls-sni-01 challenge for en.mf.dash.moe
tls-sni-01 challenge for zh.mf.dash.moe
tls-sni-01 challenge for mw.dash.moe
tls-sni-01 challenge for en.mw.dash.moe
tls-sni-01 challenge for zh.mw.dash.moe
tls-sni-01 challenge for giftia.moe
http-01 challenge for anime.giftia.moe
tls-sni-01 challenge for blog.giftia.moe
tls-sni-01 challenge for lovelive-pdp.giftia.moe
tls-sni-01 challenge for sukasuka.giftia.moe
tls-sni-01 challenge for marioforever.wiki
tls-sni-01 challenge for en.marioforever.wiki
tls-sni-01 challenge for mw.marioforever.wiki
tls-sni-01 challenge for en.mw.marioforever.wiki
tls-sni-01 challenge for zh.mw.marioforever.wiki
tls-sni-01 challenge for www.marioforever.wiki
tls-sni-01 challenge for zh.marioforever.wiki
tls-sni-01 challenge for tokuisora.ml
tls-sni-01 challenge for zura.ml
Waiting for verification...
Cleaning up challenges
Deployed Certificate to VirtualHost /etc/nginx/conf.d/niconi.co.ni.conf for niconi.co.ni
Deployed Certificate to VirtualHost /etc/nginx/conf.d/card.niconi.co.ni.conf for card.niconi.co.ni
Deployed Certificate to VirtualHost /etc/nginx/conf.d/marioforever.wiki.conf for zh.mw.marioforever.wiki, zh.marioforever.wiki, en.marioforever.wiki, zehuoge.niconi.co.ni, en.mw.marioforever.wiki
Deployed Certificate to VirtualHost /etc/nginx/conf.d/card.niconi.co.ni.conf for c.dash.moe
Deployed Certificate to VirtualHost /etc/nginx/conf.d/marioforever.wiki.conf for zh.mf.dash.moe, mf.dash.moe
Deployed Certificate to VirtualHost /etc/nginx/conf.d/marioforever.wiki.conf for en.mf.dash.moe
Deployed Certificate to VirtualHost /etc/nginx/conf.d/marioforever.wiki.conf for zh.mf.dash.moe, mf.dash.moe
Deployed Certificate to VirtualHost /etc/nginx/conf.d/marioforever.wiki.conf for mw.dash.moe, zh.mw.dash.moe
Deployed Certificate to VirtualHost /etc/nginx/conf.d/marioforever.wiki.conf for en.mw.dash.moe
Deployed Certificate to VirtualHost /etc/nginx/conf.d/marioforever.wiki.conf for mw.dash.moe, zh.mw.dash.moe
Deployed Certificate to VirtualHost /etc/nginx/conf.d/giftia.moe.conf for giftia.moe
Deployed Certificate to VirtualHost /etc/nginx/conf.d/anime.giftia.moe.conf for anime.giftia.moe
Deployed Certificate to VirtualHost /etc/nginx/conf.d/blog.giftia.moe.conf for blog.giftia.moe
Deployed Certificate to VirtualHost /etc/nginx/conf.d/lovelive-pdp.giftia.moe.conf for lovelive-pdp.giftia.moe
Deployed Certificate to VirtualHost /etc/nginx/conf.d/sukasuka.giftia.moe.conf for sukasuka.giftia.moe
Deployed Certificate to VirtualHost /etc/nginx/conf.d/marioforever.wiki.conf for marioforever.wiki, www.marioforever.wiki
Deployed Certificate to VirtualHost /etc/nginx/conf.d/marioforever.wiki.conf for zh.mw.marioforever.wiki, zh.marioforever.wiki, en.marioforever.wiki, zehuoge.niconi.co.ni, en.mw.marioforever.wiki
Deployed Certificate to VirtualHost /etc/nginx/conf.d/marioforever.wiki.conf for mw.marioforever.wiki
Deployed Certificate to VirtualHost /etc/nginx/conf.d/marioforever.wiki.conf for zh.mw.marioforever.wiki, zh.marioforever.wiki, en.marioforever.wiki, zehuoge.niconi.co.ni, en.mw.marioforever.wiki
Deployed Certificate to VirtualHost /etc/nginx/conf.d/marioforever.wiki.conf for zh.mw.marioforever.wiki, zh.marioforever.wiki, en.marioforever.wiki, zehuoge.niconi.co.ni, en.mw.marioforever.wiki
Deployed Certificate to VirtualHost /etc/nginx/conf.d/marioforever.wiki.conf for marioforever.wiki, www.marioforever.wiki
Deployed Certificate to VirtualHost /etc/nginx/conf.d/marioforever.wiki.conf for zh.mw.marioforever.wiki, zh.marioforever.wiki, en.marioforever.wiki, zehuoge.niconi.co.ni, en.mw.marioforever.wiki
Deployed Certificate to VirtualHost /etc/nginx/conf.d/tokuisora.ml.conf for tokuisora.ml
Deployed Certificate to VirtualHost /etc/nginx/conf.d/zura.ml.conf for zura.ml

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1

-------------------------------------------------------------------------------
Your existing certificate has been successfully renewed, and the new certificate
has been installed.

The new certificate covers the following domains: https://niconi.co.ni,
https://card.niconi.co.ni, https://zehuoge.niconi.co.ni, https://c.dash.moe,
https://mf.dash.moe, https://en.mf.dash.moe, https://zh.mf.dash.moe,
https://mw.dash.moe, https://en.mw.dash.moe, https://zh.mw.dash.moe,
https://giftia.moe, https://anime.giftia.moe, https://blog.giftia.moe,
https://lovelive-pdp.giftia.moe, https://sukasuka.giftia.moe,
https://marioforever.wiki, https://en.marioforever.wiki,
https://mw.marioforever.wiki, https://en.mw.marioforever.wiki,
https://zh.mw.marioforever.wiki, https://www.marioforever.wiki,
https://zh.marioforever.wiki, https://tokuisora.ml, and https://zura.ml

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=niconi.co.ni
https://www.ssllabs.com/ssltest/analyze.html?d=card.niconi.co.ni
https://www.ssllabs.com/ssltest/analyze.html?d=zehuoge.niconi.co.ni
https://www.ssllabs.com/ssltest/analyze.html?d=c.dash.moe
https://www.ssllabs.com/ssltest/analyze.html?d=mf.dash.moe
https://www.ssllabs.com/ssltest/analyze.html?d=en.mf.dash.moe
https://www.ssllabs.com/ssltest/analyze.html?d=zh.mf.dash.moe
https://www.ssllabs.com/ssltest/analyze.html?d=mw.dash.moe
https://www.ssllabs.com/ssltest/analyze.html?d=en.mw.dash.moe
https://www.ssllabs.com/ssltest/analyze.html?d=zh.mw.dash.moe
https://www.ssllabs.com/ssltest/analyze.html?d=giftia.moe
https://www.ssllabs.com/ssltest/analyze.html?d=anime.giftia.moe
https://www.ssllabs.com/ssltest/analyze.html?d=blog.giftia.moe
https://www.ssllabs.com/ssltest/analyze.html?d=lovelive-pdp.giftia.moe
https://www.ssllabs.com/ssltest/analyze.html?d=sukasuka.giftia.moe
https://www.ssllabs.com/ssltest/analyze.html?d=marioforever.wiki
https://www.ssllabs.com/ssltest/analyze.html?d=en.marioforever.wiki
https://www.ssllabs.com/ssltest/analyze.html?d=mw.marioforever.wiki
https://www.ssllabs.com/ssltest/analyze.html?d=en.mw.marioforever.wiki
https://www.ssllabs.com/ssltest/analyze.html?d=zh.mw.marioforever.wiki
https://www.ssllabs.com/ssltest/analyze.html?d=www.marioforever.wiki
https://www.ssllabs.com/ssltest/analyze.html?d=zh.marioforever.wiki
https://www.ssllabs.com/ssltest/analyze.html?d=tokuisora.ml
https://www.ssllabs.com/ssltest/analyze.html?d=zura.ml
-------------------------------------------------------------------------------

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/niconi.co.ni/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/niconi.co.ni/privkey.pem
   Your cert will expire on 2018-05-10. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
[root@dash ~]# certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/niconi.co.ni.conf
-------------------------------------------------------------------------------
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-staging.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for niconi.co.ni
http-01 challenge for anime.giftia.moe
http-01 challenge for blog.giftia.moe
http-01 challenge for c.dash.moe
http-01 challenge for card.niconi.co.ni
http-01 challenge for en.marioforever.wiki
http-01 challenge for en.mf.dash.moe
http-01 challenge for en.mw.dash.moe
http-01 challenge for en.mw.marioforever.wiki
http-01 challenge for giftia.moe
http-01 challenge for lovelive-pdp.giftia.moe
http-01 challenge for marioforever.wiki
http-01 challenge for mf.dash.moe
http-01 challenge for mw.dash.moe
http-01 challenge for mw.marioforever.wiki
http-01 challenge for sukasuka.giftia.moe
http-01 challenge for tokuisora.ml
http-01 challenge for www.marioforever.wiki
http-01 challenge for zehuoge.niconi.co.ni
http-01 challenge for zh.marioforever.wiki
http-01 challenge for zh.mf.dash.moe
http-01 challenge for zh.mw.dash.moe
http-01 challenge for zh.mw.marioforever.wiki
http-01 challenge for zura.ml
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (niconi.co.ni) from /etc/letsencrypt/renewal/niconi.co.ni.conf produced an unexpected error: Failed authorization procedure. c.dash.moe (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://c.dash.moe/.well-known/acme-challenge/XEbuAcTVs9jaVH1eXf_U7UGfuygazn86UOVcImnFTcc: "<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">

<html xmlns="http://www.w3.or". Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/niconi.co.ni/fullchain.pem (failure)

-------------------------------------------------------------------------------
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/niconi.co.ni/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
-------------------------------------------------------------------------------
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: c.dash.moe
   Type:   unauthorized
   Detail: Invalid response from
   http://c.dash.moe/.well-known/acme-challenge/XEbuAcTVs9jaVH1eXf_U7UGfuygazn86UOVcImnFTcc:
   "<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
   "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">

   <html xmlns="http://www.w3.or"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

My web server is (include version): nginx/1.12.2

The operating system my web server runs on is (include version): CentOS Linux release 7.4.1708 (Core)

My hosting provider, if applicable, is: cat.net

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): NO, my configure files are ALL WRITTEN MANUALLY.

Here is the relevant nginx server block or Apache virtualhost for the domain I am configuring:

server {
    if ($host = card.niconi.co.ni) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    listen 80;
    listen [::]:80;
    server_name card.niconi.co.ni;
    location / {
        proxy_pass http://127.0.0.1:8080/;
        #root /usr/share/nginx/tsubasa/card.niconi.co.ni_maintenance;
        #index index.html;
    }

}
server {
    listen 443;
    server_name card.niconi.co.ni;

    ssl on;
    ssl_certificate /etc/letsencrypt/live/niconi.co.ni/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/niconi.co.ni/privkey.pem; # managed by Certbot
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    location / {
        proxy_pass http://127.0.0.1:8080/;
        #root /usr/share/nginx/tsubasa/card.niconi.co.ni_maintenance;
        #index index.html;
    }

}

server {
    listen 80;
    server_name c.dash.moe;
    rewrite ^/(.*)$ https://card.niconi.co.ni/$1 permanent;

}

server {
    listen 443;
    server_name c.dash.moe;

    ssl on;
    ssl_certificate /etc/letsencrypt/live/niconi.co.ni/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/niconi.co.ni/privkey.pem; # managed by Certbot
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    rewrite ^/(.*)$ https://card.niconi.co.ni/$1 permanent;

}

Here is a Certbot log showing the issue (if available):

letsencrypt.log

Hi @NijiharaTsubasa,

The way that the nginx plugin handles challenges from the CA has changed recently, and it might have changed in between when you obtained the certificate and when you try to renew it. Alternatively, you may have changed your nginx configuration in some way in between when you obtained the certificate and when you tried to renew it, with the result that the nginx plugin was confused by it.

This is potentially a result of a bug in the Certbot nginx plugin because it should ordinarily be able to configure your server successfully to pass the challenge, but apparently here it failed to do so. It may have had trouble parsing your nginx configuration for some reason, or the temporary changes that it made to the configuration in order to pass the challenge may have been ineffective.

@erica, would you mind taking a look at this? It looks like a renewal using --nginx and HTTP-01 for a site with a hand-written server block has failed.

Actually, I have a new diagnosis after looking more closely: you are advertising an IPv6 record (2400:ddc0:2333:6666::6b8e:a3b0) for c.dash.moe, yet the site served by the IPv6 server is different from the site served by the IPv4 server. This is much more likely to be the basis of the problem, rather than a Certbot bug—you should make sure that the IPv4 and the IPv6 sites are pointing to the same server and that it’s configured to listen to both. (The certificate authority is checking the IPv6 address in preference to the IPv4 site for the verification.)


I ran certbot renew --dry-run immediately after I ran certbot --nginx to test out automated renewal, and it failed.

Nothing was changed between the two commands.

Thanks, I’ll add listen [::]:443 or listen [::]:80 to all configure blocks and try again.

Interesting! So, a different challenge type was used for the initial issuance and for the renewal (and I'm not sure why that was; it has something to do with the deprecation of the TLS-SNI-01 method but it isn't what I would expect).

I believe that the discrepancy between the success of one and the failure of the other nonetheless has to do with the IPv6 issue. But I think that this discrepancy brings me back to suspecting a Certbot bug, because Certbot in principle should have been capable of succeeding with either method, not just with TLS-SNI-01.

@erica, I think the various server blocks in this configuration are discrepant in terms of whether they listen [::]:80, and the nginx plugin then succeeded with TLS-SNI-01 but failed with HTTP-01, perhaps because of the difference between whether individual server blocks listen [::]:80. If that revised interpretation turns out to be right, should we consider that a minor bug in the authenticator, or should we just say that Certbot can't be expected to guess correctly whether or not your site supports IPv6 if you don't consistently tell nginx whether it does?
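
The inconsistency discussed above (some server blocks listen on [::]:80 and others only on IPv4) can be checked mechanically before renewal. The following is an added example, not code from any poster or from Certbot: the function names are hypothetical, the sample is abridged from the server blocks posted in this thread, and the parser assumes no braces inside quoted strings or regexes.

```python
import re
from collections import defaultdict

# Abridged from the port-80 server blocks posted in this thread.
SAMPLE_CONF = """
server {
    if ($host = card.niconi.co.ni) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    listen [::]:80;
    server_name card.niconi.co.ni;
    location / { proxy_pass http://127.0.0.1:8080/; }
}
server {
    listen 80;
    server_name c.dash.moe;
    rewrite ^/(.*)$ https://card.niconi.co.ni/$1 permanent;
}
"""

def server_blocks(conf):
    """Yield the body of each `server { ... }` block using brace matching."""
    conf = re.sub(r"#.*", "", conf)  # strip comments first
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]

def ipv4_only_names(conf, port="80"):
    """Return server_names with an IPv4 listener on `port` but no IPv6 one."""
    families = defaultdict(set)
    for body in server_blocks(conf):
        groups = re.findall(r"^\s*server_name\s+([^;]+);", body, re.M)
        names = [n for g in groups for n in g.split()]
        for args in re.findall(r"^\s*listen\s+([^;]+);", body, re.M):
            addr = args.split()[0]
            if addr.startswith("unix:"):
                continue
            family = "v6" if addr.startswith("[") else "v4"
            tail = addr.rpartition(":")[2]
            listen_port = tail if tail.isdigit() else "80"  # nginx default port
            if listen_port == port:
                for name in names:
                    families[name].add(family)
    return sorted(n for n, fam in families.items() if fam == {"v4"})

if __name__ == "__main__":
    for name in ipv4_only_names(SAMPLE_CONF):
        print(f"{name}: port 80 is IPv4-only; check whether it has an AAAA record")
```

Any name this reports that also publishes an AAAA record is a candidate for the HTTP-01 failure shown in the dry-run output, since the validation request may arrive over IPv6.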


Thank you very much! It IS the cause of the problem. Because I have no IPv6 connections I never tested it out myself...

Probably because the renewal used --dry-run and therefore the staging server where it would have a different account?


Yes, that would be the exact reason. Thanks!
