Certbot renew failing on .well-known acme challenge


#1

I’d be very grateful if anyone could be kind enough to help me out on this issue.

Many thanks in advance.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
www.beau.haus
I ran this command:
certbot renew (as root)
It produced this output:

```text
Processing /etc/letsencrypt/renewal/beau.haus.conf
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for beau.haus
http-01 challenge for www.beau.haus
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (beau.haus) from /etc/letsencrypt/renewal/beau.haus.conf produced an unexpected error: Failed authorization procedure. beau.haus (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://beau.haus/.well-known/acme-challenge/sLpdZYpU-GA0C60NBleYnkNZez70ns_9HjeLwlnd44w: "
Error
Cannot GET /.well-known/", www.beau.haus (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.beau.haus/.well-known/acme-challenge/p-TtZi14KkT7avQNG1RSvpbPgSqGycfcefDlHBrP2N4: "
Error
Cannot GET /.well-known/". Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/beau.haus/fullchain.pem (failure)

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/beau.haus/fullchain.pem (failure)

1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
```

My web server is (include version):
Linux

The operating system my web server runs on is (include version):
Ubuntu 16.04 (nginx as a reverse proxy)

My hosting provider, if applicable, is:
DigitalOcean

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no


#2

It seems like the /.well-known/acme-challenge/ path gets handled by Express, which returns an error.

You should probably configure Nginx to serve the files, or fix Express.

What’s the Nginx configuration? What’s the web root path Certbot was configured to use? Is there anything in Nginx’s error.log? Express’s log, if it has one?

What’s changed with the web server since the certificate was created or last renewed?


#3

I’m a noob at this, but I’ll try to answer those questions. Be right back.

*I currently have no firewall (through the DigitalOcean panel)

–edit–
My complete app.js file:

```javascript
'use strict';

const path = require('path');
const express = require('express');
const app = express();

// Serve static files from ./public (index.html is served for "/").
app.use('/', express.static(path.join(__dirname, 'public')));

// Explicit handler for "/"; sendFile needs a file path, not the directory.
app.get('/', function (req, res) {
  res.sendFile(path.join(__dirname, 'public', 'index.html'));
});

const port = 3001;

// Start server
app.listen(port, function () {
  console.log('Listening on ' + port);
});
```

nginx/sites-available/default contents (`cat /etc/nginx/sites-available/default`):

```nginx
##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# http://wiki.nginx.org/Pitfalls
# http://wiki.nginx.org/QuickStart
# http://wiki.nginx.org/Configuration
#
# Generally, you will want to move this file somewhere, and start with a clean
# file but keep this around for reference. Or just disable in sites-enabled.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##

# Default server configuration
#

#adding proxy cache
proxy_cache_path /tmp/nginx levels=1:2 keys_zone=slowfile_cache:10m inactive=60m use_temp_path=off;

proxy_cache_key "$request_uri";

server {
#	listen 80 default_server;
#	listen [::]:80 default_server;


#JemYoung's Advice from twitter ###
#	listen 80;
#	listen [::]:80 default_server;
#	server_name beau.haus www.beau.haus;
#	return 301 https://$request_uri;


	# SSL configuration
	#
	# listen 443 ssl default_server;
	# listen [::]:443 ssl default_server;
	#
	# Note: You should disable gzip for SSL traffic.
	# See: https://bugs.debian.org/773332
	#
	# Read up on ssl_ciphers to ensure a secure configuration.
	# See: https://bugs.debian.org/765782
	#
	# Self signed certs generated by the ssl-cert package
	# Don't use them in a production server!
	#
	# include snippets/snakeoil.conf;

	root /var/www/html;

	# Add index.php to the list if you are using PHP
	index index.html index.htm index.nginx-debian.html;

	# server_name beau.haus www.beau.haus;
	# server_name _;

#	location ~ /.well-known/acme-challenge/ {
#		allow all;
#		default_type "text/plain";
#		root /tmp;
#	}

	location / {
		proxy_set_header Upgrade $http_upgrade;
		proxy_set_header Connection "upgrade";

		# First attempt to serve request as file, then
		# as directory, then fall back to displaying a 404.
		proxy_pass http://127.0.0.1:3001;
	}

	location /slowfile {
		proxy_cache_valid 1m;
		proxy_ignore_headers Cache-Control;
		add_header X-Proxy-Cache $upstream_cache_status;
		proxy_cache slowfile_cache;
		proxy_pass http://127.0.0.1:3001/slowfile;
	}

	# Adding expires headers (expire static assets in 30 days)

	location /static/ {
		expires 30d;
		proxy_pass http://127.0.0.1:3001/static/;
	}


	# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
	#
	#location ~ \.php$ {
	#	include snippets/fastcgi-php.conf;
	#
	#	# With php7.0-cgi alone:
	#	fastcgi_pass 127.0.0.1:9000;
	#	# With php7.0-fpm:
	#	fastcgi_pass unix:/run/php/php7.0-fpm.sock;
	#}

	# deny access to .htaccess files, if Apache's document root
	# concurs with nginx's one
	#
	#location ~ /\.ht {
	#	deny all;
	#}
}


# Virtual Host configuration for example.com
#
# You can move that to a different file under sites-available/ and symlink that
# to sites-enabled/ to enable it.
#
# server {
#	listen 80;
#	listen [::]:80 default_server;
#	server_name beau.haus www.beau.haus;

#	return 301 https://$server_name$request_uri;

#	root /var/www/;
#	index index.html;
#
#	location / {
#		try_files $uri $uri/ =404;
#	}
# }


server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name beau.haus www.beau.haus;

    location / {
        proxy_pass http://127.0.0.1:3001;
    }

    ssl_certificate /etc/letsencrypt/live/beau.haus/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/beau.haus/privkey.pem;
    ssl_protocols TLSv1.2;
    ssl_ciphers '............';
    ssl_prefer_server_ciphers on;
}
```

ufw status:

```text
Status: active

To                         Action      From
443                        ALLOW       Anywhere
22                         ALLOW       Anywhere
443 (v6)                   ALLOW       Anywhere (v6)
22 (v6)                    ALLOW       Anywhere (v6)
```
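Applying the advice in #2 to the configuration in this post, as an added example (not the poster's file and not Certbot's own): a `default` site where nginx answers the http-01 challenge from the webroot itself, so those requests never reach Express and its `Cannot GET` page. It assumes /var/www/html is the webroot Certbot was configured with, Express still listens on 127.0.0.1:3001, and port 80 is reachable from the internet, which http-01 requires and the ufw rules above do not currently allow.

```nginx
# Added example, not the thread's config: a port-80 server that answers the
# ACME http-01 challenge from disk and sends everything else to HTTPS.
# Assumed: Certbot's webroot is /var/www/html (must equal webroot_path in
# /etc/letsencrypt/renewal/beau.haus.conf), Express listens on 127.0.0.1:3001,
# and port 80 is open in ufw (the posted rules only allow 22 and 443).

server {
    listen 80;
    listen [::]:80;
    server_name beau.haus www.beau.haus;

    # ^~ makes this prefix match win over the catch-all location below,
    # so challenge requests are served from disk and never reach Express.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/html;
        default_type "text/plain";
        try_files $uri =404;
    }

    # Everything else: redirect to HTTPS, preserving host and path.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name beau.haus www.beau.haus;

    ssl_certificate /etc/letsencrypt/live/beau.haus/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/beau.haus/privkey.pem;
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;

    # Same location here, in case a validator is redirected to HTTPS.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/html;
        default_type "text/plain";
        try_files $uri =404;
    }

    location / {
        proxy_set_header Host $host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_pass http://127.0.0.1:3001;
    }
}
```

After `nginx -t` and a reload, confirm the location is really in use before rerunning Certbot: create `/var/www/html/.well-known/acme-challenge/test` and `curl -i http://beau.haus/.well-known/acme-challenge/test` should return 200 with the file's contents rather than Express's `Cannot GET` page.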


#4

Catting error.log yields no text (?)

nginx error.log.1 (`cat error.log.1`):

```text
2018/06/18 18:13:14 [crit] 32703#32703: *70852 SSL_do_handshake() failed (SSL: error:10067066:elliptic curve routines:ec_GFp_simple_oct2point:invalid encoding error:1408B010:SSL routines:ssl3_get_client_key_exchange:EC lib) while SSL handshaking, client: 81.171.157.121, server: 0.0.0.0:443
```


#5

I’m sorry, I’m not quite certain how to get an error from express. :frowning:
I’d post it immediately, if I knew how.


#6

Latest update

Based on this Stack Overflow post, I’ve tried to remedy `cat nginx/error.log` yielding no text.

I’ve tried:

```shell
sudo rm -f /var/log/nginx/*
sudo service nginx restart
```

Alas, `cat error.log` still gives me nothing.


#7

Could you try posting the nginx configuration again inside ``` lines? If you put a ``` before and after the file, it will render in a fixed-width font without special formatting.

```
it will look like something like this,
which will be easier to read
```

#8

AH! Thank you! --YES I’ll get on it! :slight_smile:

