Certbot not renewing for correct domain

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

ottawakaraoke.com

I ran this command:
certbot
It produced this output:

```
What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Keeping the existing certificate
Deploying Certificate to VirtualHost /etc/nginx/conf.d/wordpress_https.conf
nginx: [warn] conflicting server name "ottawakaraoke.com" on 0.0.0.0:443, ignored

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
No matching insecure server blocks listening on port 80 found.
nginx: [warn] conflicting server name "ottawakaraoke.com" on 0.0.0.0:443, ignored

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://ottawakaraoke.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=ottawakaraoke.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
```

My web server is (include version):
ubuntu 16
The operating system my web server runs on is (include version):
nginx
My hosting provider, if applicable, is:
secret company
I can login to a root shell on my machine (yes or no, or I don't know):
putty.exe
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
putty.exe
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

latest

1 Like

Hello @ianarman1,

Here we are again :wink:

Seems there is a bit of a mess in your nginx conf: your domain ottawakaraoke.com is using the cert issued to athena.ottawakaraoke.com, and athena.ottawakaraoke.com is using the cert issued to ottawakaraoke.com.

Could you please show us the output of these commands?

sudo certbot certificates
sudo nginx -T

Cheers,
sahsanu

1 Like

Your configuration needs to be working correctly.
certbot won't fix configuration problems.

1 Like

oh hey! @sahsanu

```
Attempting to parse the version 1.9.0 renewal configuration file found at /etc/letsencrypt/renewal/athena.ottawakaraoke.com.conf with version 0.31.0 of Certbot. This might not work.
Renewal configuration file /etc/letsencrypt/renewal/athena.ottawakaraoke.com.conf produced an unexpected error: expected /etc/letsencrypt/live/athena.ottawakaraoke.com/cert.pem to be a symlink. Skipping.
Renewal configuration file /etc/letsencrypt/renewal/athena1.ottawakaraoke.com.conf produced an unexpected error: expected /etc/letsencrypt/live/athena1.ottawakaraoke.com/cert.pem to be a symlink. Skipping.
Attempting to parse the version 1.9.0 renewal configuration file found at /etc/letsencrypt/renewal/help.ottawakaraoke.com.conf with version 0.31.0 of Certbot. This might not work.
Renewal configuration file /etc/letsencrypt/renewal/help.ottawakaraoke.com.conf produced an unexpected error: expected /etc/letsencrypt/live/help.ottawakaraoke.com/cert.pem to be a symlink. Skipping.
Attempting to parse the version 1.9.0 renewal configuration file found at /etc/letsencrypt/renewal/ottawakaraoke.com.conf with version 0.31.0 of Certbot. This might not work.
Renewal configuration file /etc/letsencrypt/renewal/ottawakaraoke.com.conf produced an unexpected error: expected /etc/letsencrypt/live/ottawakaraoke.com/cert.pem to be a symlink. Skipping.
Renewal configuration file /etc/letsencrypt/renewal/pallas.ottawakaraoke.com.conf produced an unexpected error: expected /etc/letsencrypt/live/pallas.ottawakaraoke.com/cert.pem to be a symlink. Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
 Certificate Name: ottawakaraoke.com-0001
   Domains: ottawakaraoke.com athena.ottawakaraoke.com
   Expiry Date: 2021-03-23 09:58:09+00:00 (VALID: 87 days)
   Certificate Path: /etc/letsencrypt/live/ottawakaraoke.com-0001/fullchain.pem
   Private Key Path: /etc/letsencrypt/live/ottawakaraoke.com-0001/privkey.pem
 Certificate Name: ottawakaraoke.com-0002
   Domains: ottawakaraoke.com
   Expiry Date: 2021-03-26 07:15:42+00:00 (VALID: 89 days)
   Certificate Path: /etc/letsencrypt/live/ottawakaraoke.com-0002/fullchain.pem
   Private Key Path: /etc/letsencrypt/live/ottawakaraoke.com-0002/privkey.pem

The following renewal configurations were invalid:
 /etc/letsencrypt/renewal/athena.ottawakaraoke.com.conf
 /etc/letsencrypt/renewal/athena1.ottawakaraoke.com.conf
 /etc/letsencrypt/renewal/help.ottawakaraoke.com.conf
 /etc/letsencrypt/renewal/ottawakaraoke.com.conf
 /etc/letsencrypt/renewal/pallas.ottawakaraoke.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

nginx: [warn] conflicting server name "ottawakaraoke.com" on 0.0.0.0:443, ignored
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
```

here is my conf file

```nginx
upstream php-handler-https {
        server 127.0.0.1:9000;
}
server {
        listen 443 ssl default_server;
        server_name ottawakaraoke.com;

        #server_name wordpress.example.com;
    ssl_certificate /etc/letsencrypt/live/ottawakaraoke.com-0002/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/ottawakaraoke.com-0002/privkey.pem; # managed by Certbot

#Security Policy
add_header Content-Security-Policy "default-src 'none';
    script-src 'self' 'unsafe-inline' 'unsafe-eval'
        https://apis.google.com
        www.google-analytics.com
        *.googlesyndication.com
        *.doubleclick.net
        *.cloudflare.com
        *.bootstrapcdn.com;
    style-src 'self' 'unsafe-inline'
        https://fonts.googleapis.com
        *.bootstrapcdn.com;
    img-src 'self' data:
        www.google.com
        www.google.fr
        www.google-analytics.com
        *.cloudflare.com
        *.doubleclick.net;
    font-src 'self'
        https://fonts.googleapis.com
        https://fonts.gstatic.com
        *.bootstrapcdn.com;
        connect-src 'self';
    frame-src 'self' 'unsafe-inline'
        *.doubleclick.net;
    frame-ancestors 'none';
    form-action 'none';
    upgrade-insecure-requests;
    block-all-mixed-content;
    reflected-xss block;
    base-uri 123run.com www.123run.com;
    referrer no-referrer-when-downgrade";
#       root /var/www/html/;
        root /var/www/html/songportal.dev.ottawakaraoke.com/html/;
        index index.html;
        # set max upload size
        client_max_body_size 2G;
        fastcgi_buffers 64 4K;
        access_log /var/log/nginx/wordpress_https_access.log combined;
        error_log /var/log/nginx/wordpress_https_error.log;
```
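The two complaints in that `certbot certificates` output (a renewal conf stamped by certbot 1.9.0 but read by 0.31.0, and live/*.pem entries that are plain files rather than symlinks into archive/) can be reproduced with this checker, added here as an example and not part of certbot itself. `build_demo` lays out a throwaway tree with constructed lineage names (good.example, bad.example) and placeholder PEM contents, one healthy and one broken the way the thread's output shows.

```python
import os, tempfile
from pathlib import Path

def load_renewal_conf(path):
    """Top-level keys of a certbot renewal conf (everything above [renewalparams])."""
    keys = {}
    for line in Path(path).read_text().splitlines():
        line = line.strip()
        if line.startswith("["):
            break
        if "=" in line and not line.startswith("#"):
            k, v = line.split("=", 1)
            keys[k.strip()] = v.strip()
    return keys

def check_renewal_conf(path, client_version):
    """Problems that make certbot skip a lineage, worded like its own messages."""
    keys, problems = load_renewal_conf(path), []
    ver = lambda s: tuple(int(x) for x in s.split("."))
    if ver(keys.get("version", "0")) > ver(client_version):
        problems.append(f"written by certbot {keys['version']}, newer than {client_version}")
    for k in ("cert", "privkey", "chain", "fullchain"):
        p = keys.get(k)
        if p is None:
            problems.append(f"missing {k} entry")
        elif not os.path.islink(p):          # live/ must link into archive/, not hold copies
            problems.append(f"expected {p} to be a symlink")
        elif not os.path.exists(p):
            problems.append(f"target of symlink {p} does not exist")
    return problems

def build_demo(root=None):
    """Constructed letsencrypt-style tree: a healthy lineage and one whose live/ files
    were replaced by plain copies (the situation in the thread's output)."""
    root, confs = root or tempfile.mkdtemp(), {}
    for name, healthy in (("good.example", True), ("bad.example", False)):
        live, archive = Path(root, "live", name), Path(root, "archive", name)
        live.mkdir(parents=True); archive.mkdir(parents=True)
        lines = ["version = 1.9.0", f"archive_dir = {archive}"]
        for k in ("cert", "privkey", "chain", "fullchain"):
            target, link = archive / f"{k}1.pem", live / f"{k}.pem"
            target.write_text("PEM PLACEHOLDER\n")   # constructed stand-in for real PEM data
            link.symlink_to(target) if healthy else link.write_text("PEM PLACEHOLDER\n")
            lines.append(f"{k} = {link}")
        conf = Path(root, "renewal", f"{name}.conf")
        conf.parent.mkdir(parents=True, exist_ok=True)
        conf.write_text("\n".join(lines) + "\n[renewalparams]\ninstaller = nginx\n")
        confs[name] = str(conf)
    return confs
```

On a real host, point `check_renewal_conf` at each file under /etc/letsencrypt/renewal/ with the output of `certbot --version`; an empty list means certbot's loader will accept the lineage.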

Did you happen to delete anything from the letsencrypt folder?

1 Like

no - although I'm trying to change my domain name from the subdomain to the actual domain.

the subdomain was for dev.

the files still exist.

-rw-r--r-- 1 root root 576 Nov 15 03:32 /etc/letsencrypt/renewal/athena.ottawakaraoke.com.conf

1 Like

I suppose that is part of the problem.
Again, certbot can't fix your nginx configuration.
You need to review your nginx configuration and get it working as you would like it to be.
Then you can run certbot.
[which should just work - but may still show problems related to those "missing" files.]

1 Like

the domain in the config is correct and the dns is pointing correctly and Wordpress has the correct domain in the db.

ottawakaraoke.com

it's very strange.

1 Like

There are some obviously troubling things with this output:

  1. both certs have one (overlapping) name.
  2. both certs end with -000# (which means they were conflicting with yet another presumed now deleted cert.)

The entire config was requested:

Only a small part was shown.
If you can't show the entire config (as requested), maybe you can show this output:
nginx -T | grep -Ei 'listen|root|server_name|cert|encrypt|virt|config|location'
Otherwise it will be quite difficult for anyone here to help you.

2 Likes

```
nginx: [warn] conflicting server name "ottawakaraoke.com" on 0.0.0.0:443, ignored
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
# configuration file /etc/nginx/mime.types:
    application/x-x509-ca-cert                       der pem crt;
# configuration file /etc/nginx/conf.d/cockpit.conf:
        listen 9080 ssl;
        server_name _;
        ssl_certificate /etc/nginx/ssl/server.crt;
        ssl_certificate_key /etc/nginx/ssl/server.key;
        location / {
                location ~* \.(htaccess|htpasswd) { #COCKPIT_AUTH
# configuration file /etc/nginx/conf.d/wordpress_http.conf:
        server_name ottawakaraoke.com;
        #server_name wordpress.example.com;
#       root /var/www/html/athena/html/;
        root /var/www/html/songportal.dev.ottawakaraoke.com/html/;
        location = /favicon.ico {
        location = /robots.txt {
        location / {
        location ^~ /xhprof/xhprof_html/ {
                location ~ \.php(?:$|/) {
                  fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        location ^~ /mysqladmin/ {
                location ~ \.php(?:$|/) {
                  fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        location ^~ /wp-admin/ {
                location ~* \.(htaccess|htpasswd) {
                location ~ \.php(?:$|/) {
                        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        location ~* \.(htaccess|htpasswd) {
        location ~ \.php(?:$|/) {
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        location ~* \.(?:jpg|jpeg|gif|bmp|ico|png|css|js|swf)$ {
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/athena.ottawakaraoke.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/athena.ottawakaraoke.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
    } # managed by Certbot
        listen 80 default_server;
        server_name pallas.ottawakaraoke.com;
    return 404; # managed by Certbot
# configuration file /etc/nginx/fastcgi_params:
fastcgi_param  DOCUMENT_ROOT      $document_root;
fastcgi_param  SERVER_NAME        $server_name;
# configuration file /etc/letsencrypt/options-ssl-nginx.conf:
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# configuration file /etc/nginx/conf.d/wordpress_https.conf:
        listen 443 ssl default_server;
        server_name ottawakaraoke.com;
        #server_name wordpress.example.com;
    ssl_certificate /etc/letsencrypt/live/ottawakaraoke.com-0002/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/ottawakaraoke.com-0002/privkey.pem; # managed by Certbot
#       root /var/www/html/;
        root /var/www/html/songportal.dev.ottawakaraoke.com/html/;
        location = /favicon.ico {
        location = /robots.txt {
        location / {
        location ^~ /xhprof/xhprof_html/ {
                location ~ \.php(?:$|/) {
                  fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        location ^~ /mysqladmin/ {
                location ~ \.php(?:$|/) {
                  fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        location ^~ /wp-admin/ {
                location ~* \.(htaccess|htpasswd) {
                location ~ \.php(?:$|/) {
                        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        location ~* \.(htaccess|htpasswd) {
        location ~ \.php(?:$|/) {
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        location ~* \.(?:jpg|jpeg|gif|bmp|ico|png|css|js|swf)$ {
```

1 Like

Both of these files listen on port 443 for the same name:

configuration file /etc/nginx/conf.d/wordpress_http.conf:
configuration file /etc/nginx/conf.d/wordpress_https.conf:

Judging by the file names, the first should only be listening to HTTP (port 80), but it is listening to 80 and 443.
Each [IP:PORT:FQDN] combination must be unique.

1 Like
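An added example (not from the thread) of the check rg305 describes: parse `nginx -T` output, collect each server{} block's listen address and server_name, and report every address:port/name pair claimed twice, the way nginx keeps the first block it loads and warns "conflicting server name ... ignored" for the rest. `SAMPLE_NGINX_T` is a constructed stand-in that mirrors the two conf.d files named above; the parser only treats directives written directly inside server{}, skipping nested location{} blocks.

```python
import re

# Constructed nginx -T style sample: two files claim ottawakaraoke.com on port 443 (as in the thread).
SAMPLE_NGINX_T = """\
# configuration file /etc/nginx/conf.d/wordpress_http.conf:
server {
    listen 80 default_server;
    server_name ottawakaraoke.com;
    location / { try_files $uri /index.php; }
    listen 443 ssl; # managed by Certbot
}
# configuration file /etc/nginx/conf.d/wordpress_https.conf:
server {
    listen 443 ssl default_server;
    server_name ottawakaraoke.com;
}
"""

def parse_server_blocks(text):  # one dict per server{} block, with its own listen/server_name
    blocks, cur, depth, cur_file = [], None, 0, "?"
    for raw in text.splitlines():
        m = re.match(r"#\s*configuration file (\S+):", raw.strip())
        if m:
            cur_file = m.group(1)             # nginx -T announces each included file this way
            continue
        line = raw.split("#", 1)[0].strip()   # drop "# managed by Certbot" style comments
        if re.match(r"server\s*\{$", line):
            cur = {"file": cur_file, "depth": depth + 1, "listen": [], "server_name": []}
            blocks.append(cur)
        elif cur and depth == cur["depth"]:   # directives directly in server{}, not in location{}
            d = re.match(r"(listen|server_name)\s+([^\s;]+)", line)
            if d and d.group(1) == "listen":  # "443", "[::]:443", "127.0.0.1:9000"
                cur["listen"].append(d.group(2) if ":" in d.group(2) else "0.0.0.0:" + d.group(2))
            elif d:
                cur["server_name"].extend(line.rstrip(";").split()[1:])
        depth += line.count("{") - line.count("}")
    return blocks

def find_conflicts(blocks):
    """nginx's rule: the first server{} seen for (address:port, name) wins; later ones
    are what the 'conflicting server name ... ignored' warning reports."""
    owner, conflicts = {}, []
    for b in blocks:
        for addr in b["listen"]:
            for name in (b["server_name"] or [""]):   # no server_name means the empty name
                if (addr, name) in owner:
                    conflicts.append((addr, name, owner[(addr, name)], b["file"]))
                else:
                    owner[(addr, name)] = b["file"]
    return conflicts
```

On a real host, pass the text of `sudo nginx -T` to `parse_server_blocks`; each tuple returned by `find_conflicts` names the file nginx keeps and the file it silently ignores for that address and name.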