Certbot renew failed on nginx

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: legrand.com.cn

I ran this command: certbot renew

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/www.legrand.com.cn.conf


Renewing an existing certificate for www.legrand.com.cn and legrand.com.cn

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: legrand.com.cn
Type: unauthorized
Detail: Invalid response from Site Offline [120.79.94.47]: "\n\n\nSite Offline\n\n body {\n width: 35em;\n margin: 0 auto;\n "

Domain: www.legrand.com.cn
Type: unauthorized
Detail: Invalid response from Site Offline [120.79.94.47]: "\n\n\nSite Offline\n\n body {\n width: 35em;\n margin: 0 auto;\n "

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Failed to renew certificate www.legrand.com.cn with error: Some challenges have failed.


All renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/www.legrand.com.cn/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): nginx version: nginx/1.20.1

The operating system my web server runs on is (include version):
NAME="CentOS Linux"
VERSION="7 (Core)"

My hosting provider, if applicable, is: aliyun

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.23.0


Hi @Trongtran and welcome to the LE community forum :slight_smile:

Please show the outputs of:

  • certbot certificates
  • nginx -T

Hi @rg305 ,
This is the output for these commands:

  • certbot certificates

Found the following certs:
Certificate Name: www.legrand.com.cn
Serial Number: 4668d7f67168f30cfeb59a460400eca7226
Key Type: RSA
Domains: www.legrand.com.cn legrand.com.cn
Expiry Date: 2022-03-05 12:02:42+00:00 (VALID: 4 days)
Certificate Path: /etc/letsencrypt/live/www.legrand.com.cn/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.legrand.com.cn/privkey.pem


  • nginx -T
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:

user  nginx;
worker_processes  4;
worker_rlimit_nofile 102400;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;


events {
    worker_connections  102400;
    multi_accept on;
    use epoll;
}


http {
    server_tokens off;
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    log_format timing  '$remote_addr - $remote_user [$time_local]  $request '
                       'upstream_http_content_type: $upstream_http_content_type'
                       'upstream_response_time: $upstream_response_time '
                       'request_time: $request_time';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    tcp_nopush     on;
    tcp_nodelay on;

    keepalive_timeout  15;

    client_header_timeout 10;
    client_body_timeout 10;
    reset_timedout_connection on;
    send_timeout 10;
    fastcgi_connect_timeout 300;
    fastcgi_send_timeout 300;
    fastcgi_read_timeout 300;
#    fastcgi_buffer_size 64k;
#    fastcgi_buffers 16 64k;
#    fastcgi_busy_buffers_size 128k;
#    fastcgi_temp_file_write_size 128k;

#    fastcgi_cache_path /etc/nginx/fastcgi_cache levels=1:2
#            keys_zone=TEST:512m
#            inactive=30m
#            max_size=2000M;
#    fastcgi_cache TEST;
#    fastcgi_cache_valid 200 302 1h;
#    fastcgi_cache_valid 301 1d;
#    fastcgi_cache_valid any 1m;
#    fastcgi_cache_min_uses 1;
#    fastcgi_cache_use_stale error timeout invalid_header http_500;
#    fastcgi_cache_key $host$request_uri;

    server_names_hash_bucket_size 128;
    client_header_buffer_size 4k;
    large_client_header_buffers 4 4k;
    client_max_body_size 1024M;

    #gzip  on;
    gzip on;
    gzip_disable "msie6";
    gzip_proxied any;
    gzip_min_length 1k;
    gzip_buffers     4 16k;
    gzip_comp_level 4;
    gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;


    upstream apache_proxy {
        server 192.168.0.195:8088;
    }


    limit_req_zone  $binary_remote_addr  zone=myzone:10m   rate=10r/s;
    limit_req zone=myzone burst=5;
    limit_req_zone $anti_spider zone=anti_spider:10m rate=30r/m;
    limit_req_zone $binary_remote_addr zone=ecata:10m rate=20r/m;

    include /etc/nginx/conf.d/*.conf;
}

# configuration file /etc/nginx/mime.types:

types {
    text/html                                        html htm shtml;
    text/css                                         css;
    text/xml                                         xml;
    image/gif                                        gif;
    image/jpeg                                       jpeg jpg;
    application/javascript                           js;
    application/atom+xml                             atom;
    application/rss+xml                              rss;

    text/mathml                                      mml;
    text/plain                                       txt;
    text/vnd.sun.j2me.app-descriptor                 jad;
    text/vnd.wap.wml                                 wml;
    text/x-component                                 htc;

    image/png                                        png;
    image/svg+xml                                    svg svgz;
    image/tiff                                       tif tiff;
    image/vnd.wap.wbmp                               wbmp;
    image/webp                                       webp;
    image/x-icon                                     ico;
    image/x-jng                                      jng;
    image/x-ms-bmp                                   bmp;

    font/woff                                        woff;
    font/woff2                                       woff2;

    application/java-archive                         jar war ear;
    application/json                                 json;
    application/mac-binhex40                         hqx;
    application/msword                               doc;
    application/pdf                                  pdf;
    application/postscript                           ps eps ai;
    application/rtf                                  rtf;
    application/vnd.apple.mpegurl                    m3u8;
    application/vnd.google-earth.kml+xml             kml;
    application/vnd.google-earth.kmz                 kmz;
    application/vnd.ms-excel                         xls;
    application/vnd.ms-fontobject                    eot;
    application/vnd.ms-powerpoint                    ppt;
    application/vnd.oasis.opendocument.graphics      odg;
    application/vnd.oasis.opendocument.presentation  odp;
    application/vnd.oasis.opendocument.spreadsheet   ods;
    application/vnd.oasis.opendocument.text          odt;
    application/vnd.openxmlformats-officedocument.presentationml.presentation
                                                     pptx;
    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
                                                     xlsx;
    application/vnd.openxmlformats-officedocument.wordprocessingml.document
                                                     docx;
    application/vnd.wap.wmlc                         wmlc;
    application/x-7z-compressed                      7z;
    application/x-cocoa                              cco;
    application/x-java-archive-diff                  jardiff;
    application/x-java-jnlp-file                     jnlp;
    application/x-makeself                           run;
    application/x-perl                               pl pm;
    application/x-pilot                              prc pdb;
    application/x-rar-compressed                     rar;
    application/x-redhat-package-manager             rpm;
    application/x-sea                                sea;
    application/x-shockwave-flash                    swf;
    application/x-stuffit                            sit;
    application/x-tcl                                tcl tk;
    application/x-x509-ca-cert                       der pem crt;
    application/x-xpinstall                          xpi;
    application/xhtml+xml                            xhtml;
    application/xspf+xml                             xspf;
    application/zip                                  zip;

    application/octet-stream                         bin exe dll;
    application/octet-stream                         deb;
    application/octet-stream                         dmg;
    application/octet-stream                         iso img;
    application/octet-stream                         msi msp msm;

    audio/midi                                       mid midi kar;
    audio/mpeg                                       mp3;
    audio/ogg                                        ogg;
    audio/x-m4a                                      m4a;
    audio/x-realaudio                                ra;

    video/3gpp                                       3gpp 3gp;
    video/mp2t                                       ts;
    video/mp4                                        mp4;
    video/mpeg                                       mpeg mpg;
    video/quicktime                                  mov;
    video/webm                                       webm;
    video/x-flv                                      flv;
    video/x-m4v                                      m4v;
    video/x-mng                                      mng;
    video/x-ms-asf                                   asx asf;
    video/x-ms-wmv                                   wmv;
    video/x-msvideo                                  avi;
}

# configuration file /etc/nginx/conf.d/legrand.com.cn_ssl.conf:
geo $limited {
default 0;
#Baidu
123.125.67.0/24 1;
220.181.51.0/24 1;
123.125.71.0/24 1;
220.181.108.0/24 1;
222.186.34.0/24 1;
123.98.52.31/32 1;
123.98.49.88/32 1;
82.165.148.43/32 1;
123.126.113.0/24 1;
#20170424
193.70.15.60/32 1;
}

map $limited $limit {
1 $binary_remote_addr;
0 "";
}

limit_req_zone $limit zone=bot:10m rate=30r/m;

server {
listen 80;
server_name www.tcllegrand.com.cn;
return 301 https://www.legrand.com.cn$request_uri;
}
server {
listen 80;
server_name www.shideanlegrand.com.cn;
return 301 https://www.legrand.com.cn$request_uri;
}
server {
listen 80;
server_name www.legrandgroup.cn;
return 301 https://www.legrand.com.cn$request_uri;
}
server {
listen 80;
server_name tcllegrand.com.cn;
return 301 https://www.legrand.com.cn$request_uri;
}
server {
listen 80;
server_name shideanlegrand.com.cn;
return 301 https://www.legrand.com.cn$request_uri;
}
server {
listen 80;
server_name legrandgroup.cn;
return 301 https://www.legrand.com.cn$request_uri;
}
#server {
#listen 80;
#server_name legrand.com.cn;
#return 301 http://www.legrand.com.cn$request_uri;
#}
server {
    listen 80;
    server_name legrand.com.cn www.legrand.com.cn;

location /.well-known {
    root /var/www/letsencrypt;
    auth_basic off;
    try_files $uri =404;
}

#    root /var/www/legrand.com.cn;
    return 301 https://www.legrand.com.cn$request_uri;
}

server {
    #listen 80;
    server_name www.legrand.com.cn;
    #server_name 120.79.94.47;
    proxy_connect_timeout 1200;
    proxy_read_timeout       1200;
    proxy_send_timeout       1200;
    deny 14.214.10.219;
    deny 150.109.125.127;
    deny 96.44.161.8;
    listen              443 ssl;

	proxy_buffer_size  128k;
	proxy_buffers   32 32k;
	proxy_busy_buffers_size 128k;

	fastcgi_buffer_size 128k;
	fastcgi_buffers 4 256k;
	fastcgi_busy_buffers_size 256k;
	client_max_body_size 1024m;

    keepalive_timeout   0;
#    ssl_session_cache   builtin:4000 shared:SSL:10m;
    ssl_session_timeout 10m;

    #resolver            $DNS-IP-1 $DNS-IP-2 valid=300s;
    resolver_timeout    8s;

    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";

    ssl_session_tickets off;
    ssl_ecdh_curve      secp384r1;
    #ssl_stapling        on;
    #    #ssl_stapling_verify on;
    #
    ssl_certificate     /etc/letsencrypt/live/www.legrand.com.cn/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.legrand.com.cn/privkey.pem;
#    ssl_protocols       TLSv1.2;
    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;

    ssl_ciphers         ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;


    #return 301 http://www.legrand.com.cn$request_uri;
    limit_req zone=anti_spider burst=50 nodelay;
    limit_req_status 429;
    limit_req zone=bot burst=40 nodelay;
    if ($http_user_agent ~* "Baiduspider") {
    set $anti_spider $http_user_agent;
    }
    if ($http_user_agent ~* "Sogou web spider") {
    set $anti_spider $http_user_agent;
    }
    #if ($http_user_agent ~* "Gecko") {
    #set $anti_spider $http_user_agent;
    #}
    #if ($http_user_agent ~* "iPhone") {
    #set $anti_spider $http_user_agent;
    #}
    if ($http_user_agent ~* "qihoobot|Googlebot-Modile|Googlebot-Image|Mediapartners-Google|Adsbot-Google|Yahoo! SSlurp  China|YoudaoBot|Sosospider|Sogou spider|MSNBot|Bytespider") {
        return 403;
    }
    access_log /var/log/nginx/legrand.com/legrand.com-access.log main;
    error_log /var/log/nginx/legrand.com/legrand.com-error.log;
    #rewrite_log off;
    root /var/www/legrand.com.cn/;
    #error_page   404 /404.html;
    #location = /404.html {
    #  root /var/new-www/sites/legrand.com/;
    #}
    error_page   502 503 504  = /error/50x.html;
    error_page   401 403 404  = /error/40x.html;
    #error_page 404 = /error/40x.html;

location /.well-known {
    root /var/www/letsencrypt;
    allow all;
    auth_basic off;
    try_files $uri =404;
}

    location = /50x.html {
      root /usr/share/nginx/html/;
    }
    index index.php index.html index.htm;

    location / {
	#return 503;
        if ( $query_string ~* .*user.* ){
        return 301 http://www.legrand.com.cn;
        }
        try_files $uri @rewrite;
    }

    location ~* /user.css.* {
        auth_basic off;
    }
    # Limit access backend
    location ~* ^/(admin|user).* {
#        proxy_redirect off;
#        proxy_set_header Host $host;
#
#        proxy_set_header X-Forwarded-Host $host;
#        proxy_set_header X-Forwarded-Server $host;
#        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#        proxy_http_version 1.1;
#        proxy_pass_request_headers on;
#        proxy_set_header Connection "keep-alive";
#        proxy_store off;
        satisfy any;
        # Internal
        allow 192.168.0.0/24;
        allow 127.0.0.1;
        # Legrand
        allow 116.6.195.114;
        allow 221.4.230.155;
        allow 58.250.243.80;
        allow 153.35.185.26;
        # eWave
        allow 113.106.3.2;
        allow 183.237.19.146;
        allow 120.239.88.29;
        allow 160.20.60.74;
        allow 211.161.65.64;
        allow 211.161.64.238;
        allow 122.112.250.163;
        allow 183.194.40.146;
        allow 211.161.67.159;
        allow 116.225.105.192;
        allow 116.230.53.102;
        allow 180.175.255.127;
        allow 61.93.15.68;
        allow 116.230.57.65;
        allow 211.161.64.23;
        allow 211.161.65.54;
        allow 10.109.74.117;
        #allow 120.230.157.70;
		allow 116.230.63.54;
		allow 116.230.63.28;
		allow 183.62.208.100;
        #error_page 401  = /error/401.html;
        error_page 403  = /error/403.html;
        error_page 404  = /error/404.html;
        error_page 500 501 502 505 = /error/50x.html;
        deny all;
        auth_basic "Please Login";
        auth_basic_user_file /etc/nginx/conf.d/http_auth;
        try_files $uri @rewrite;
    }


#    location /EN {
#        try_files $uri @rewrite_en;
#    }
    rewrite ^/(en|EN)(.*) https://www.legrand.com.cn/ permanent;


    location @rewrite {
	rewrite ^/(.*)$ /index.php?q=$1;
    }
    location @rewrite_en {
        rewrite ^/([^/]*)/(.*)(/?)$ /$1/index.php?q=$2&$args;
    }
    location = /znjj/ {
        root /var/www/legrand.com.cn/;
        index index.html index.php;
    }

#    location = /EN/ {
#        index index.html index.php;
#    }

    location ^~ \.(js|css|png|jpg|jpeg|gif|ico)$ {
        expires max;
        access_log off;
    }


    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
	# Ensure the php file exists. Mitigates CVE-2019-11043
        try_files $fastcgi_script_name =404;
	fastcgi_param HTTP_PROXY "";
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param QUERY_STRING $query_string;
        fastcgi_intercept_errors on;
        include                   fastcgi_params;
#        fastcgi_buffer_size       128k;
#        fastcgi_buffers           64 128k;
#        fastcgi_intercept_errors on;
        #fastcgi_param SCRIPT_FILENAME $request_filename;
        fastcgi_param SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        fastcgi_pass             unix:/run/php.sock;
        #fastcgi_pass             127.0.0.1:9000;
	#rewrite ^/ecatalogue/(.*)$  http://10.51.183.201:8088/$1;
    }

    location ~ ^/sites/.*/files/styles/ {
        try_files $uri @rewrite;
        expires max;
        access_log off;
    }

    location ~ ^/sites/default/files/css/ {
        try_files $uri @rewrite;
        expires max;
        access_log off;
    }


    # this is for proxy_pass to another apacher server "ecatalogue" directory
    location ^~ /ecatalogue/ {
	#proxy_redirect off;
    proxy_set_header Host $host;
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header REMOTE-HOST $remote_addr;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_pass https://192.168.0.202:443/ecatalogue/;

    proxy_http_version 1.1;
    proxy_set_header Connection "";
    add_header 'Content-Length' '';
	#proxy_pass  http://apache_proxy/;
    }
    location ^~ /rest/ {
        proxy_connect_timeout 1200;
        proxy_read_timeout       1200;
        proxy_send_timeout       1200;
        #proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header REMOTE-HOST $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass https://192.168.0.202:443/rest/;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        add_header 'Content-Length' '';
        #proxy_pass  http://apache_proxy/;
    }
    location ^~ /static/ {
        proxy_connect_timeout 1200;
        proxy_read_timeout       1200;
        proxy_send_timeout       1200;
        #proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header REMOTE-HOST $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass https://192.168.0.202:443/static/;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        add_header 'Content-Length' '';
        #proxy_pass  http://apache_proxy/;
    }

    location ^~ /media/ {
        proxy_connect_timeout 1200;
        proxy_read_timeout       1200;
        proxy_send_timeout       1200;
        #proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header REMOTE-HOST $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass https://192.168.0.202:443/media/;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        add_header 'Content-Length' '';
        #proxy_pass  http://apache_proxy/;
    }
	rewrite ^/customer/account/ https://www.legrand.com.cn/ecatalogue/cn/customer/account/login permanent;
    rewrite ^/customer/quick/ https://www.legrand.com.cn/ecatalogue/cn/customer/quick/create/ permanent;
    rewrite ^/customer/ https://www.legrand.com.cn/ecatalogue/cn/customer/ permanent;

    #rewrite ^/diypc/index/solution/(.*)$  https://www.legrand.com.cn/ecatalogue/cn/diy/index/solution/ permanent;
    #rewrite ^/diy(.*) https://www.legrand.com.cn/ecatalogue/cn/diy/ permanent;
    #rewrite ^/diypc/ https://www.legrand.com.cn/ecatalogue/cn/diypc/ permanent;
    #rewrite ^/diypc/index/solution$  https://www.legrand.com.cn/ecatalogue/cn/diy/index/solution permanent;

    rewrite ^/checkout/ https://www.legrand.com.cn/ecatalogue/cn/checkout/ permanent;
    #rewrite ^/webform/buy https://www.legrand.com.cn/ecatalogue/cn/webform/buy permanent;
    rewrite ^/cart/ https://www.legrand.com.cn/ecatalogue/cn/cart/ permanent;
    #############################################################################################################
    #rewrite ^/customer/account/ http://47.115.161.127/ecatalogue/cn//customer/account/login/ permanent;
    #rewrite ^/customer/quick/ http://47.115.161.127/ecatalogue/cn/customer/quick/create/ permanent;
    #rewrite ^/customer/ http://47.115.161.127/ecatalogue/cn/customer/ permanent;
    #rewrite ^/diy/ http://47.115.161.127/ecatalogue/cn/diy/ permanent;
    #rewrite ^/diypc/ http://47.115.161.127/ecatalogue/cn/diypc/ permanent;
    #rewrite ^/checkout/ http://47.115.161.127/ecatalogue/cn/checkout/ permanent;
    #rewrite ^/webform/buy http://47.115.161.127/ecatalogue/cn/webform/buy permanent;
    #rewrite ^/cart/ http://47.115.161.127/ecatalogue/cn/cart/ permanent;

    location ^~ /ecatalogue/(cn|en)/(.*)$ {
        limit_req zone=ecata burst=30 nodelay;
        limit_req_status 429;
        add_header 'Content-Length' '';
    }

    location ^~ /ecata_legrand/ {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header REMOTE-HOST $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass https://192.168.0.202:443/ecata_legrand/;
        #proxy_pass http://192.168.0.195:8088/ecatalogue/index.php/admin/admin_1596/;
        #proxy_redirect http://www.legrand.com.cn/index.php/admin/admin_1596/  http://www.legrand.com.cn/ecatalogue/index.php/admin/admin_1596/;
		#proxy_redirect http://http://192.168.0.195:8088/index.php/admin/admin_1596/  /ecatalogue/index.php/admin/admin_1596/;
	}


    # Block access to hidden files
    location ~ /\. {
        deny all;
        access_log off;
        log_not_found off;
    }

    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

}

# configuration file /etc/nginx/fastcgi_params:

fastcgi_param  QUERY_STRING       $query_string;
fastcgi_param  REQUEST_METHOD     $request_method;
fastcgi_param  CONTENT_TYPE       $content_type;
fastcgi_param  CONTENT_LENGTH     $content_length;

fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
fastcgi_param  REQUEST_URI        $request_uri;
fastcgi_param  DOCUMENT_URI       $document_uri;
fastcgi_param  DOCUMENT_ROOT      $document_root;
fastcgi_param  SERVER_PROTOCOL    $server_protocol;
fastcgi_param  REQUEST_SCHEME     $scheme;
fastcgi_param  HTTPS              $https if_not_empty;

fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;

fastcgi_param  REMOTE_ADDR        $remote_addr;
fastcgi_param  REMOTE_PORT        $remote_port;
fastcgi_param  SERVER_ADDR        $server_addr;
fastcgi_param  SERVER_PORT        $server_port;
fastcgi_param  SERVER_NAME        $server_name;

# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param  REDIRECT_STATUS    200;

@Trongtran Can you also show the contents of this file:

/etc/letsencrypt/renewal/www.legrand.com.cn.conf

Hello @MikeMcQ ,
Thank you for the reply. Here is the content of that file
/etc/letsencrypt/renewal/www.legrand.com.cn.conf

renew_before_expiry = 30 days

version = 1.21.0
archive_dir = /etc/letsencrypt/archive/www.legrand.com.cn
cert = /etc/letsencrypt/live/www.legrand.com.cn/cert.pem
privkey = /etc/letsencrypt/live/www.legrand.com.cn/privkey.pem
chain = /etc/letsencrypt/live/www.legrand.com.cn/chain.pem
fullchain = /etc/letsencrypt/live/www.legrand.com.cn/fullchain.pem

Options used in the renewal process

[renewalparams]
account = a39c03d649092f5472558838b5621366
authenticator = webroot
server = https://acme-v02.api.letsencrypt.org/directory
[[webroot_map]]
legrand.com.cn = /var/www/letsencrypt
www.legrand.com.cn = /var/www/letsencrypt


Thanks. Hmm. I do not see exactly why your server sends the wrong data to the ACME http challenge. But, I think adding a location around the redirect in your http server will resolve the problem and is generally better anyway. Without such a location the ACME challenges are also redirected to your (somewhat busy) https server block and something in that causes the wrong response to the challenge.

server {
    listen 80;
    server_name legrand.com.cn www.legrand.com.cn;

location /.well-known {
    root /var/www/letsencrypt;
    auth_basic off;
    try_files $uri =404;
}

#    root /var/www/legrand.com.cn;
location / {
    return 301 https://www.legrand.com.cn$request_uri;
}
}
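A pre-flight check for the situation described in this reply, added here as an example and not part of the thread or of Certbot: it drops a random token into the webroot's .well-known/acme-challenge/ directory, requests it over plain HTTP for each domain, follows redirects hop by hop (the CA follows them as well) and reports where the chain ends and whether the final body is the token. Run against the original config it would show the 301 to the https block and a "Site Offline" body; run against the corrected config it should show a direct 200. The script assumes the webroot path is writable by the user running it and that the domains resolve to this server; the module name, the `fetch` parameter and the command-line usage are choices made for this example.

```python
"""Pre-flight check for an HTTP-01 webroot renewal.

Added example for this thread, not Certbot or MikeMcQ's code. It places a
random token under <webroot>/.well-known/acme-challenge/, then requests it
over plain HTTP for each domain, following redirects hop by hop (the CA
follows redirects too) and reporting where the chain ends and whether the
final body is the token. A "Site Offline" page at the end of the chain is
the failure shown in the original post.
"""
import os
import secrets
import urllib.error
import urllib.request
from urllib.parse import urljoin

CHALLENGE_DIR = ".well-known/acme-challenge"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib surface 3xx responses instead of following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch(url, timeout=10):
    """Return (status, Location header or None, first 512 bytes of body)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, None, resp.read(512).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        body = err.read(512).decode("utf-8", "replace")
        return err.code, err.headers.get("Location"), body


def follow_challenge(domain, token, fetch=http_fetch, max_hops=10):
    """Walk the redirect chain for one domain's challenge URL.

    `fetch` is injectable so the logic can be exercised offline; the
    default performs a real HTTP request.
    """
    url = f"http://{domain}/{CHALLENGE_DIR}/{token}"
    hops = [url]
    for _ in range(max_hops):
        status, location, body = fetch(url)
        if 300 <= status < 400 and location:
            url = urljoin(url, location)
            hops.append(url)
            continue
        return {
            "ok": status == 200 and body.strip() == token,
            "status": status,
            "hops": hops,
            "body": body[:60],
        }
    return {"ok": False, "status": None, "hops": hops, "body": "too many redirects"}


def check_webroot(domains, webroot, fetch=http_fetch):
    """Create a throwaway token in the webroot, test every domain, clean up."""
    token = secrets.token_urlsafe(16)
    challenge_path = os.path.join(webroot, CHALLENGE_DIR, token)
    os.makedirs(os.path.dirname(challenge_path), exist_ok=True)
    with open(challenge_path, "w", encoding="ascii") as fh:
        fh.write(token)
    try:
        return {d: follow_challenge(d, token, fetch) for d in domains}
    finally:
        os.remove(challenge_path)


if __name__ == "__main__":
    import sys
    # Usage (hypothetical filename):
    #   python check_webroot.py /var/www/letsencrypt legrand.com.cn www.legrand.com.cn
    report = check_webroot(sys.argv[2:], sys.argv[1])
    for domain, r in report.items():
        print(f"{domain}: {'OK' if r['ok'] else 'FAIL'} status={r['status']} "
              f"chain={' -> '.join(r['hops'])} body={r['body']!r}")
```

Reading the report: a chain longer than one hop means the plain-HTTP server block redirected the challenge request, and a final body that is not the token is exactly what the CA reports as "Invalid response". The check uses a fresh random token and removes it afterwards, so it never leaves a predictable file under the webroot.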

Hello @MikeMcQ , that's exactly the problem. After I added the location, the server sends data to the ACME challenge and I can renew SSL now.

Thank you very much for your analysis and research. I really appreciate it from the LE community forum.
