Certbot Renew Challenge failed

My domain is: armenianpartners.com

I ran this command: sudo certbot renew

It produced this output:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/armenianpartners.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator standalone, Installer None
Running pre-hook command: service nginx stop
Error output from pre-hook command service:
Redirecting to /bin/systemctl stop nginx.service

Renewing an existing certificate for armenianpartners.com and 7 more domains
Performing the following challenges:
http-01 challenge for armenianpartners.com
http-01 challenge for backend.armenianpartners.com
http-01 challenge for social.armenianpartners.com
http-01 challenge for storage.armenianpartners.com
Waiting for verification...
Challenge failed for domain armenianpartners.com
Challenge failed for domain backend.armenianpartners.com
Challenge failed for domain social.armenianpartners.com
Challenge failed for domain storage.armenianpartners.com
http-01 challenge for armenianpartners.com
http-01 challenge for backend.armenianpartners.com
http-01 challenge for social.armenianpartners.com
http-01 challenge for storage.armenianpartners.com
Cleaning up challenges
Failed to renew certificate armenianpartners.com with error: Some challenges have failed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/armenianpartners.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: armenianpartners.com
   Type:   unauthorized
   Detail: 34.240.171.41: Invalid response from
   https://armenianpartners.com/.well-known/acme-challenge/o9BoD4WZSb5pFCVoCgzlHhW-DXln3UcZYDrYHoXFV8M:
   404

   Domain: backend.armenianpartners.com
   Type:   unauthorized
   Detail: 34.240.171.41: Invalid response from
   https://backend.armenianpartners.com/.well-known/acme-challenge/Osl7QCMc6NrrFVjBJt93hj8VKRW4qlHajBHgJN8MIpU:
   404

   Domain: social.armenianpartners.com
   Type:   unauthorized
   Detail: 34.240.171.41: Invalid response from
   https://social.armenianpartners.com/.well-known/acme-challenge/r8qBrqh516c-1lVuqERsytKB2rq-b5V1Qh5C3ERVQs8:
   403

   Domain: storage.armenianpartners.com
   Type:   unauthorized
   Detail: 34.240.171.41: Invalid response from
   https://storage.armenianpartners.com/.well-known/acme-challenge/DoWs_podJuoQCuDofmrWk20Vc0-ITxCT2JAdjjbi7R0:
   404

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

My web server is (include version): Amazon Linux

My hosting provider, if applicable, is: AWS EC2

My Nginx config:

 #DEFINE MAX HASH
server_names_hash_bucket_size  256;


# HTTPS server

#TLS settings

ssl_certificate      /etc/letsencrypt/live/armenianpartners.com/fullchain.pem;
ssl_certificate_key  /etc/letsencrypt/live/armenianpartners.com/privkey.pem;

ssl_session_timeout  5m;
ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers   on;

## FRONTEND ##
server {
    listen 443 ssl http2;
    # ssl on;

    root /var/app/current/frontend/web;
    index index.php index.html;

    server_name armenianpartners.com armpartners.eu-west-1.elasticbeanstalk.com;

    charset utf-8;

    # location ~* ^.+\.(jpg|jpeg|gif|png|ico|css|pdf|ppt|txt|bmp|rtf|js)$ {
    #    access_log off;
    #    expires max;
    # }

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    client_max_body_size 32m;

    # There is a VirtualBox bug related to sendfile that can lead to
    # corrupted files, if not turned-off
    # sendfile off;

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass php-fpm;
        fastcgi_index index.php;
        include /etc/nginx/fastcgi_params;
        # fastcgi_read_timeout 1000;

        ## Cache
        # fastcgi_pass_header Cookie; # fill cookie valiables, $cookie_phpsessid for exmaple
        # fastcgi_ignore_headers Cache-Control Expires Set-Cookie; # Use it with caution because it is cause SEO problems
        # fastcgi_cache_key "$request_method|$server_addr:$server_port$request_uri|$cookie_phpsessid"; # generating unique key
        # fastcgi_cache fastcgi_cache; # use fastcgi_cache keys_zone
        # fastcgi_cache_path /tmp/nginx/ levels=1:2 keys_zone=fastcgi_cache:16m max_size=256m inactive=1d;
        # fastcgi_temp_path  /tmp/nginx/temp 1 2; # temp files folder
        # fastcgi_cache_use_stale updating error timeout invalid_header http_500; # show cached page if error (even if it is outdated)
        # fastcgi_cache_valid 200 404 10s; # cache lifetime for 200 404;
        # or fastcgi_cache_valid any 10s; # use it if you want to cache any responses
    }

    location /.well-known/acme-challenge/ {
        allow all;
        root /var/www/html/frontend/web;
    }
}

## SOCIAL HUMHUB ##
server {
    listen 443 ssl http2;
    # ssl on;

    root /var/app/current/humhub;
    index index.php index.html;

    server_name social.armenianpartners.com social.armpartners.eu-west-1.elasticbeanstalk.com;

    charset utf-8;

    # location ~* ^.+\.(jpg|jpeg|gif|png|ico|css|pdf|ppt|txt|bmp|rtf|js)$ {
    #    access_log off;
    #    expires max;
    # }

    location / {
        index  index.php index.html ;
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ ^/(protected|framework|themes/\w+/views|\.|uploads/file) {
        deny all;
    }

    location ~ ^/(assets|static|themes|uploads) {
        expires 10d;
        add_header Cache-Control "public, no-transform";
    }

    client_max_body_size 256m;

    # There is a VirtualBox bug related to sendfile that can lead to
    # corrupted files, if not turned-off
    # sendfile off;

    location ~ \.php$ {
        fastcgi_split_path_info  ^(.+\.php)(.*)$;
        #let yii catch the calls to unexisting PHP files
        set $fsn /index.php;
        if (-f $document_root$fastcgi_script_name){
                set $fsn $fastcgi_script_name;
        }
        fastcgi_pass php-fpm;
        include /etc/nginx/fastcgi_params;
        fastcgi_param  SCRIPT_FILENAME  $document_root$fsn;
        fastcgi_read_timeout 1000;

        ## Cache
        # fastcgi_pass_header Cookie; # fill cookie valiables, $cookie_phpsessid for exmaple
        # fastcgi_ignore_headers Cache-Control Expires Set-Cookie; # Use it with caution because it is cause SEO problems
        # fastcgi_cache_key "$request_method|$server_addr:$server_port$request_uri|$cookie_phpsessid"; # generating unique key
        # fastcgi_cache fastcgi_cache; # use fastcgi_cache keys_zone
        # fastcgi_cache_path /tmp/nginx/ levels=1:2 keys_zone=fastcgi_cache:16m max_size=256m inactive=1d;
        # fastcgi_temp_path  /tmp/nginx/temp 1 2; # temp files folder
        # fastcgi_cache_use_stale updating error timeout invalid_header http_500; # show cached page if error (even if it is outdated)
        # fastcgi_cache_valid 200 404 10s; # cache lifetime for 200 404;
        # or fastcgi_cache_valid any 10s; # use it if you want to cache any responses
    }

    location /.well-known/acme-challenge/ {
        allow all;
        root /var/www/html/humhub;
    }
}

## BACKEND ##
server {
    listen 443 ssl http2;
    # ssl on;

    root /var/app/current/backend/web;
    index index.php index.html;

    server_name backend.armenianpartners.com backend.armpartners.eu-west-1.elasticbeanstalk.com;

    charset utf-8;

    client_max_body_size 16m;

    # There is a VirtualBox bug related to sendfile that can lead to
    # corrupted files, if not turned-off on Vagrant based setup
    # sendfile off;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    # location ~* ^.+\.(jpg|jpeg|gif|png|ico|css|pdf|ppt|txt|bmp|rtf|js)$ {
    #     access_log off;
    #    expires max;
    # }

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass php-fpm;
        fastcgi_index index.php;
        include /etc/nginx/fastcgi_params;
    }
    location /.well-known/acme-challenge/ {
        allow all;
        root /var/www/html/backend/web;
    }
}

## STORAGE ##
server {
    listen 443 ssl http2;
    # ssl on;

    root /var/app/current/storage/web;
    index index.html;

    server_name storage.armenianpartners.com storage.armpartners.eu-west-1.elasticbeanstalk.com;

    # expires max;

    # There is a VirtualBox bug related to sendfile that can lead to
    # corrupted files, if not turned-off
    # sendfile off;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass php-fpm;
        fastcgi_index index.php;
        include /etc/nginx/fastcgi_params;
    }

    location /.well-known/acme-challenge/ {
        allow all;
        root /var/www/html/storage/web;
    }
}

## MISC ##
### WWW Redirect ###

server {
    listen       80;
    listen       443 ssl;
    server_name  www.armenianpartners.com www.armpartners.eu-west-1.elasticbeanstalk.com;
    return       301 https://armenianpartners.com$request_uri;
}

server {
    listen       80;
    listen       443 ssl;
    server_name  www.backend.armenianpartners.com www.backend.armpartners.eu-west-1.elasticbeanstalk.com;
    return       301 https://backend.armenianpartners.com$request_uri;
}

server {
    listen       80;
    listen       443 ssl;
    server_name  www.storage.armenianpartners.com www.storage.armpartners.eu-west-1.elasticbeanstalk.com;
    return       301 https://storage.armenianpartners.com$request_uri;
}

server {
    listen       80;
    listen       443 ssl;
    server_name  www.social.armenianpartners.com www.social.armpartners.eu-west-1.elasticbeanstalk.com;
    return       301 https://social.armenianpartners.com$request_uri;
}


## MISC ##
### OTHER sub-domains redirect ###
### NOT WORKING FOR HTTPS AS BROWSER WARNS REGARDING CERTIFICATE AND AFTER CLICKING CONTINUE SERVER REDIRECTS TO MAIN DOMAIN
server {
    listen       80;
    listen       443 ssl;
    server_name  *.armenianpartners.com *.armpartners.eu-west-1.elasticbeanstalk.com;
    return       301 https://armenianpartners.com;
}

Welcome to the community @mikayelkotanjyan

The error message shows using an HTTPS:// URL which gets a 404 response.

This means something (like nginx) saw the HTTP request and redirected it to HTTPS. And the 404 means "Not Found".

The --standalone option you tried never redirects HTTP requests. So, I think your pre-hook that stops nginx did not work. Or, maybe something else went wrong.

We don't recommend using --standalone when you have a working web server (like nginx). It is better to use a method that lets your nginx keep running.

But, your nginx server blocks would need to have several changes to use either the --nginx or --webroot method. Your technique is not invalid; it is just unusual. The --nginx method would be best, but I don't think it would work with your server blocks as they are.

I could instruct you as to how to get this to work better. Let me know if you want instructions on how to make --nginx work for you.

Otherwise, you should see why nginx did not stop. Maybe try stopping it from the command prompt manually. Make sure it is stopped. Then try
sudo certbot renew --dry-run

To assist further, it would be helpful to know which Amazon Linux you are using (1, 2, 3), and the result of sudo certbot --version

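The reply above says the posted server blocks need changes before --webroot (or --nginx) can work. The shape that change usually takes, as an added example written for this page rather than anything the reply's author or certbot ships: one plain-HTTP server that answers for every name on the certificate, serves the challenge directory from a single shared webroot, and only then redirects to HTTPS with the path intact. Two details of the posted config are worth checking against this: no server block listens on port 80 for the bare armenianpartners.com, so nginx's first port-80 block (the www redirect) becomes its default server; and the wildcard `*.armenianpartners.com` block on port 80 returns `301 https://armenianpartners.com` without `$request_uri`, so a subdomain's challenge request lands on the apex HTTPS document root. The webroot path /var/www/letsencrypt is an assumption; the existing HTTPS server blocks stay as they are, and their per-vhost `/.well-known/acme-challenge/` locations become unnecessary.

```nginx
# Added example, not from the thread. Assumed: /var/www/letsencrypt exists and is
# readable by nginx; certbot --webroot -w /var/www/letsencrypt writes tokens under it.

# Requests whose Host matches none of our names get no redirect at all. A catch-all
# "return 301 https://$host..." as the default server would bounce to whatever host
# the client put in the Host header.
server {
    listen 80 default_server;
    server_name _;
    return 444;
}

server {
    listen 80;
    server_name armenianpartners.com *.armenianpartners.com
                armpartners.eu-west-1.elasticbeanstalk.com *.armpartners.eu-west-1.elasticbeanstalk.com;

    # The CA's first request is plain HTTP. Answer it here; never redirect this path.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;      # served from /var/www/letsencrypt/.well-known/acme-challenge/<token>
        default_type text/plain;
        try_files $uri =404;
    }

    # Everything else: same host, same path, over HTTPS. $host is one of the names
    # above because this block is not the default server.
    location / {
        return 301 https://$host$request_uri;
    }
}
```

After `nginx -t` and a reload, re-issue once with `sudo certbot certonly --webroot -w /var/www/letsencrypt --cert-name armenianpartners.com -d armenianpartners.com -d backend.armenianpartners.com -d social.armenianpartners.com -d storage.armenianpartners.com` plus the four elasticbeanstalk names already on the certificate, adding `--deploy-hook "systemctl reload nginx"` so the renewed certificate is picked up. Certbot records the webroot authenticator in /etc/letsencrypt/renewal/armenianpartners.com.conf; the `service nginx stop` pre-hook should be dropped from that file, since nginx keeps running. Then `sudo certbot renew --dry-run`. None of this helps while the public A records point at a different host, which is what the last replies in the thread establish; DNS has to be right first.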

Hi, thank you for your response.
My certbot version is 1.11.0
Linux information:

NAME="Amazon Linux"
VERSION="2"
ID="amzn"
ID_LIKE="centos rhel fedora"
VERSION_ID="2"
PRETTY_NAME="Amazon Linux 2"
ANSI_COLOR="0;33"
CPE_NAME="cpe:2.3:o:amazon:amazon_linux:2"
HOME_URL="https://amazonlinux.com/"

I tried stopping nginx but got this

[ec2-user@ip-172-31-8-204 ~]$ sudo systemctl stop nginx
[ec2-user@ip-172-31-8-204 ~]$ sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/armenianpartners.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator standalone, Installer None
Running pre-hook command: service nginx stop
Error output from pre-hook command service:
Redirecting to /bin/systemctl stop nginx.service

Simulating renewal of an existing certificate for armenianpartners.com and 7 more domains
Performing the following challenges:
http-01 challenge for armenianpartners.com
http-01 challenge for armpartners.eu-west-1.elasticbeanstalk.com
http-01 challenge for backend.armenianpartners.com
http-01 challenge for social.armenianpartners.com
http-01 challenge for storage.armenianpartners.com
http-01 challenge for storage.armpartners.eu-west-1.elasticbeanstalk.com
http-01 challenge for backend.armpartners.eu-west-1.elasticbeanstalk.com
http-01 challenge for social.armpartners.eu-west-1.elasticbeanstalk.com
Waiting for verification...
Challenge failed for domain armenianpartners.com
Challenge failed for domain backend.armenianpartners.com
Challenge failed for domain social.armenianpartners.com
Challenge failed for domain storage.armenianpartners.com
http-01 challenge for armenianpartners.com
http-01 challenge for backend.armenianpartners.com
http-01 challenge for social.armenianpartners.com
http-01 challenge for storage.armenianpartners.com
Cleaning up challenges
Failed to renew certificate armenianpartners.com with error: Some challenges have failed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All simulated renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/armenianpartners.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: armenianpartners.com
   Type:   unauthorized
   Detail: 34.240.171.41: Invalid response from
   https://armenianpartners.com/.well-known/acme-challenge/2zPt2CCWuYLzjVQN_aYEHk5Fx0jvlDwesnrhKpO3V0Q:
   404

   Domain: backend.armenianpartners.com
   Type:   unauthorized
   Detail: 34.240.171.41: Invalid response from
   https://backend.armenianpartners.com/.well-known/acme-challenge/pzE0F6NspWSiHB0lH-QCDzhZSVO5a3u9cz02HghgTNQ:
   404

   Domain: social.armenianpartners.com
   Type:   unauthorized
   Detail: 34.240.171.41: Invalid response from
   https://social.armenianpartners.com/.well-known/acme-challenge/a8rcHx_AlaArYlDmIZPqPkvJlq1XTwPC6J7fHj0uapM:
   403

   Domain: storage.armenianpartners.com
   Type:   unauthorized
   Detail: 34.240.171.41: Invalid response from
   https://storage.armenianpartners.com/.well-known/acme-challenge/35BpGynVHXRu-5CM1mGwAopq1wksxvHxMNqiRMZ2T9U:
   404

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

Is nginx still stopped? Because I can still see one running.

After you stop it manually, what does this show?

sudo ss -pant | grep -i listen | grep -Ei ':80|:443'

When I accessed armenianpartners.com, an Ubuntu nginx responded for it: did you update the DNS records to this EC2?


No I didn't

Then obviously it wouldn't: it's checking public DNS to know where to look.

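The two checks the thread converges on, what actually answers a plain-HTTP request for the challenge path and whether the public A record points at this EC2 instance at all, as one added diagnostic script. This is an example written for this page, not certbot's or Let's Encrypt's code. The 10-redirect limit, the `serve_fake_vhost` fixture, the `example.test` hostname and the tokens in the demo are all constructed for illustration; on the real box you would call `probe_challenge("armenianpartners.com", token)` with a token you have placed under the webroot, and `check_dns("armenianpartners.com", <this instance's public IP>)`, where the public IP is not given in the thread (the 34.240.171.41 in the error output is where the CA actually went).

```python
"""HTTP-01 pre-flight probe: an added example for this thread, not certbot's code.
(1) Does the name resolve to the host being renewed on? (2) What does a plain-HTTP
request for the challenge path return, hop by hop? A "301 to https:// then 404"
chain means a web server on :80 answered, not certbot's standalone listener."""
import http.server
import socket
import threading
import urllib.error
import urllib.request
from dataclasses import dataclass, field
from urllib.parse import urljoin

MAX_HOPS = 10                                  # assumption: stop after 10 redirects
CHALLENGE_DIR = "/.well-known/acme-challenge/"

class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib raise on 3xx so each hop is recorded instead of silently followed."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

@dataclass
class Probe:
    hops: list = field(default_factory=list)   # (url, status, location); status 0 = no connection
    body: str = ""

    @property
    def final_status(self):
        return self.hops[-1][1]

    @property
    def redirected_to_https(self):
        return any(loc and loc.startswith("https://") for _, _, loc in self.hops)

def check_dns(domain, expected_ip, resolver=socket.gethostbyname_ex):
    """True only if expected_ip is among the A records the resolver returns."""
    try:
        addrs = resolver(domain)[2]
    except socket.gaierror:
        addrs = []
    return expected_ip in addrs, addrs

def probe_challenge(domain, token, base_url=None, timeout=5):
    """GET the challenge URL over plain HTTP, recording every redirect hop."""
    url = (base_url or f"http://{domain}") + CHALLENGE_DIR + token
    opener = urllib.request.build_opener(NoRedirect)
    probe = Probe()
    for _ in range(MAX_HOPS + 1):
        try:
            with opener.open(url, timeout=timeout) as resp:
                probe.hops.append((url, resp.status, None))
                probe.body = resp.read().decode(errors="replace").strip()
                return probe
        except urllib.error.HTTPError as e:
            loc = e.headers.get("Location")
            probe.hops.append((url, e.code, loc))
            if loc and e.code in (301, 302, 303, 307, 308):
                url = urljoin(url, loc)
                continue
            return probe
        except urllib.error.URLError:                # https hop refused, TLS failure, ...
            probe.hops.append((url, 0, None))
            return probe
    return probe

def diagnose(dns_ok, probe, expected_body):
    """Turn the raw evidence into the verdict a failed renewal needs."""
    if not dns_ok:
        return "dns: name does not point at this host; the CA validated a different server"
    if probe.redirected_to_https:
        return "redirect: something on :80 bounced the CA to https://, so standalone never saw it"
    if probe.final_status == 200 and probe.body == expected_body:
        return "ok: token served over plain HTTP"
    return f"http {probe.final_status}: challenge path not served (webroot or vhost mismatch)"

def serve_fake_vhost(routes):
    """Throwaway local server standing in for nginx on :80; routes maps token -> (status, body or Location)."""
    class Handler(http.server.BaseHTTPRequestHandler):
        def log_message(self, *_):
            pass
        def do_GET(self):
            status, payload = routes.get(self.path.rsplit("/", 1)[-1], (404, "not found"))
            self.send_response(status)
            if 300 <= status < 400:
                self.send_header("Location", payload)
                payload = ""
            self.send_header("Content-Type", "text/plain")
            self.end_headers()
            self.wfile.write(payload.encode())
    srv = http.server.HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_port}"

if __name__ == "__main__":
    # Constructed scenarios: a token served correctly, the thread's "301 then 404" pattern
    # (bounced to an HTTPS port nothing listens on), and a plain 404.
    base = serve_fake_vhost({"good": (200, "good.KEYAUTH"),
                             "bounced": (301, "https://127.0.0.1:1" + CHALLENGE_DIR + "bounced")})
    for token in ("good", "bounced", "missing"):
        p = probe_challenge("example.test", token, base_url=base)
        print(token, [(s, loc) for _, s, loc in p.hops], diagnose(True, p, f"{token}.KEYAUTH"))
```

The probe deliberately refuses to let urllib follow redirects on its own: the CA does follow them, which is exactly why its error shows an https:// URL, and seeing each hop tells you which server block produced it. A `dns:` verdict takes precedence over everything else, because a correct :80 on this host proves nothing if the public record sends the CA elsewhere.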
