Certbot renew --dry-run works but certbot renew fails

I am able to run certbot renew --dry-run,
but when I run certbot renew it fails.

My domain is:
banksprinting.com www.banksprinting.com
I ran this command:
certbot renew --dry-run worked; certbot renew and certbot renew --preferred-challenges http fail
It produced this output:
root@houston /e/n/sputnik.d# certbot renew --preferred-challenges http
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/banksprinting.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for banksprinting.com
http-01 challenge for www.banksprinting.com
Waiting for verification...
Challenge failed for domain banksprinting.com
Challenge failed for domain www.banksprinting.com
http-01 challenge for banksprinting.com
http-01 challenge for www.banksprinting.com
Cleaning up challenges
Attempting to renew cert (banksprinting.com) from /etc/letsencrypt/renewal/banksprinting.com.conf produced an unexpected error: Some challenges have failed.. Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/clintonprinting.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/demoprintsites.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/design.fullcolorpr.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/mycroftsigns.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/sign-s-mart.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/signsyourself.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/banksprinting.com/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/clintonprinting.com/fullchain.pem expires on 2019-10-05 (skipped)
  /etc/letsencrypt/live/demoprintsites.com/fullchain.pem expires on 2019-10-04 (skipped)
  /etc/letsencrypt/live/design.fullcolorpr.com/fullchain.pem expires on 2019-10-06 (skipped)
  /etc/letsencrypt/live/mycroftsigns.com/fullchain.pem expires on 2019-10-24 (skipped)
  /etc/letsencrypt/live/sign-s-mart.com/fullchain.pem expires on 2019-09-25 (skipped)
  /etc/letsencrypt/live/signsyourself.com/fullchain.pem expires on 2019-10-04 (skipped)
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/banksprinting.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: banksprinting.com
   Type:   unauthorized
   Detail: Invalid response from https://banksprinting.com/login
   [13.58.190.188]: "<!doctype html>\n<html>\n    <head>\n
   \n                    <title>BanksPrinting.com</title>\n
   "

   Domain: www.banksprinting.com
   Type:   unauthorized
   Detail: Invalid response from https://www.banksprinting.com/login
   [13.58.190.188]: "<!doctype html>\n<html>\n    <head>\n
   \n                    <title>BanksPrinting.com</title>\n
   "

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

My web server is (include version):

The operating system my web server runs on is (include version):
CentOS 7 and nginx
My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.36.0

Server block having the issue renewing:

server {
        listen 80;
        server_name banksprinting.com www.banksprinting.com;
        if ($host = www.banksprinting.com) {
                return 301 https://$host$request_uri;
        }
        if ($host = banksprinting.com) {
                return 301 https://$host$request_uri;
        }
}

server {
        server_name banksprinting.com www.banksprinting.com;
        listen 443 ssl;
        ssl_certificate /etc/letsencrypt/live/banksprinting.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/banksprinting.com/privkey.pem;
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
        access_log /var/log/nginx/banksprinting.com.access.log;
        error_log /var/log/nginx/banksprinting.com.error.log;
        include /etc/nginx/shared.d/external-shared.conf;
        location / {
                include /etc/nginx/shared.d/proxy-pass.conf;
                proxy_pass http://10.210.100.96:8004;
        }
}

Includes:

/etc/nginx/shared.d/external-shared.conf

        root /opt/letsencrypt;
        error_page 404 /404.html;
        location = /40x.html {}
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {}

/etc/nginx/shared.d/proxy-pass.conf

        # Shared proxy config
        client_max_body_size 204800M;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-NginX-Proxy true;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_cache_bypass $http_upgrade;

Hi @skrawcke

There you see the problem.

You have a redirect to https (that's ok) and /login (that's a problem). So Letsencrypt can't check the validation file Certbot has created.

Oh, checking your configuration via https://check-your-website.server-daten.de/?q=banksprinting.com, that's not good:

http + /.well-known/acme-challenge/random-filename is redirected to https, that's redirected to http + /login, that's redirected to https + /login.

And your nginx authenticator should skip these redirects, so that part doesn't work.

What does

nginx -T

say?

Perhaps you have duplicated vHost definitions.

Or remove the redirect to /login if the folder starts with /.well-known/acme-challenge, then use the webroot authenticator.

https://certbot.eff.org/docs/using.html


The /login redirect is from the proxied backend.

If I add this location block to the https server block I still get a 404, and it fails.

location ^~ /.well-known/acme-challenge/ {
	root /opt/letsencrypt/.well-known/acme-challenge;
}

Taking a look at the log, it looks like the renew is changing the configs:

listen 80;
server_name banksprinting.com www.banksprinting.com;
if ($host = www.banksprinting.com) {
        return 301 https://$host$request_uri;
}
if ($host = banksprinting.com) {
        return 301 https://$host$request_uri;
}
location = /.well-known/acme-challenge/hPymVs7ebeMX0aoZt21AaEVjIgwm67ePupy1ybaxXQY{default_type text/plain;return 200 hPymVs7ebeMX0aoZt21AaEVjIgwm67ePupy1ybaxXQY.Q-1heslYkpgiO20J_1pIn5xGi1h8HoViEFhwVgg7rr0;} # managed by Certbot

location = /.well-known/acme-challenge/0VYp2Q_ZCp-bvctqB5z7CCReJBsADo4kEY2Tl39vdM4{default_type text/plain;return 200 0VYp2Q_ZCp-bvctqB5z7CCReJBsADo4kEY2Tl39vdM4.Q-1heslYkpgiO20J_1pIn5xGi1h8HoViEFhwVgg7rr0;} # managed by Certbot

}

Could it be adding it too late? Or should it be adding it to the https server block?

So it is redirecting:
http + /.well-known/acme-challenge/random-filename > https + /.well-known/acme-challenge/random-filename (404 since it does not exist) > 404 > https + /login.

Any other thing to try?

Also, --dry-run does work:

** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

The following certs were successfully renewed:
  /etc/letsencrypt/live/banksprinting.com/fullchain.pem (success)

Well, I just ran it again today and it worked, no changes on my end.

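Two things in the configs posted above work against the challenge. First, the port-80 block redirects with server-level `if ($host = ...) { return 301 ...; }` directives, and nginx evaluates server-level rewrite-module directives (including `return` inside `if`) before it selects a `location`, so a plain `location ^~ /.well-known/acme-challenge/` added to that block is never reached, and one added to the 443 block only sees the request after the redirect. Second, `root /opt/letsencrypt/.well-known/acme-challenge` appends the request URI to the root, so nginx looks for the token under `/opt/letsencrypt/.well-known/acme-challenge/.well-known/acme-challenge/<token>` and returns 404; `root /opt/letsencrypt` is what the webroot layout needs. The following port-80 block is an added example of the fix the reply suggests (exempt the challenge path from the redirect and use the webroot authenticator); it is not from the thread or from Certbot's own configuration, and it assumes `/opt/letsencrypt` as the webroot:

```nginx
# Added example (not from the thread): a port-80 server block that answers
# http-01 challenges itself and redirects everything else to https.
server {
    listen 80;
    server_name banksprinting.com www.banksprinting.com;

    # Challenge files first. With "root /opt/letsencrypt" nginx maps
    # /.well-known/acme-challenge/<token> to
    # /opt/letsencrypt/.well-known/acme-challenge/<token>, which is where
    # the webroot authenticator (-w /opt/letsencrypt) writes them.
    location ^~ /.well-known/acme-challenge/ {
        root /opt/letsencrypt;
        default_type "text/plain";
        try_files $uri =404;
    }

    # Everything else goes to https. A "return" inside "location /" runs
    # only after location matching, unlike a server-level "if ... return",
    # so the challenge location above stays reachable.
    location / {
        return 301 https://$host$request_uri;
    }
}
```

After `nginx -t` and a reload, `curl -sI http://banksprinting.com/.well-known/acme-challenge/probe` should answer 404 rather than 301, which shows the path is no longer redirected. Because Certbot records the authenticator in `/etc/letsencrypt/renewal/banksprinting.com.conf`, switching this lineage to webroot is done once with `certbot certonly --webroot -w /opt/letsencrypt -d banksprinting.com -d www.banksprinting.com`; later `certbot renew` runs then reuse it. Adding the same challenge `location` ahead of `location /` in the 443 block keeps validation working if a redirect to https is ever reintroduced for that path.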
