I’d be very grateful if anyone could be kind enough to help me out on this issue.
Many thanks in advance.
Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is:
www.beau.haus
I ran this command:
certbot renew (as root)
It produced this output:
Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for beau.haus
http-01 challenge for www.beau.haus
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (beau.haus) from /etc/letsencrypt/renewal/beau.haus.conf produced an unexpected error: Failed authorization procedure. beau.haus (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://beau.haus/.well-known/acme-challenge/sLpdZYpU-GA0C60NBleYnkNZez70ns_9HjeLwlnd44w: "
Error
Cannot GET /.well-known/", www.beau.haus (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.beau.haus/.well-known/acme-challenge/p-TtZi14KkT7avQNG1RSvpbPgSqGycfcefDlHBrP2N4: "
Error
Cannot GET /.well-known/". Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/beau.haus/fullchain.pem (failure)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/beau.haus/fullchain.pem (failure)
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
root@beauhaus:/#
My web server is (include version):
Linux
The operating system my web server runs on is (include version):
Ubuntu 16.04 (nginx as a reverse proxy)
My hosting provider, if applicable, is:
DigitalOcean
I can login to a root shell on my machine (yes or no, or I don’t know): yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no
It seems like the /.well-known/acme-challenge/ path gets handled by Express, which returns an error.
You should probably configure Nginx to serve the files, or fix Express.
What’s the Nginx configuration? What’s the web root path Certbot was configured to use? Is there anything in Nginx’s error.log? Express’s log, if it has one?
What’s changed with the web server since the certificate was created or last renewed?
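The fix the reply points at is to stop proxying the challenge path to Express and let nginx answer it from disk: a `location ^~ /.well-known/acme-challenge/ { root /var/www/html; }` block placed ahead of `location /` in the port-80 `server`, with certbot's webroot path (the `webroot_path` recorded in the renewal conf) set to that same directory. `/var/www/html` is assumed here. The script below is an added example, not certbot's code and not from this thread; it rehearses the http-01 validation offline so you can see why a request that lands on the app instead of the webroot fails. The JWK, paths and ports are constructed for the demo.

```python
"""Offline rehearsal of an http-01 webroot validation.

The ACME CA (RFC 8555 section 8.3) fetches
http://<domain>/.well-known/acme-challenge/<token> and expects the body
<token>.<JWK thumbprint>. Two local stand-ins show the difference between
nginx serving the webroot (`root`) and an app that answers "Cannot GET ...".
"""
import base64
import hashlib
import json
import os
import secrets
import tempfile
import threading
import urllib.error
import urllib.request
from functools import partial
from http.server import BaseHTTPRequestHandler, SimpleHTTPRequestHandler, ThreadingHTTPServer

# Constructed EC public JWK; only its canonical JSON matters for the thumbprint.
DEMO_JWK = {"kty": "EC", "crv": "P-256",
            "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
            "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 of the required public members, keys sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canon = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canon.encode()).digest())

def key_authorization(token: str, jwk: dict) -> str:
    """Exact body the CA expects for the token (RFC 8555 section 8.1)."""
    return f"{token}.{jwk_thumbprint(jwk)}"

def write_challenge(webroot: str, token: str, keyauth: str) -> str:
    """What `certbot --webroot -w <webroot>` does: drop the file under the webroot."""
    chal_dir = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(chal_dir, exist_ok=True)
    path = os.path.join(chal_dir, token)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(keyauth)
    return path

def validate(base_url: str, token: str, keyauth: str) -> bool:
    """The CA side: GET the token URL and compare the body with the key authorization."""
    url = f"{base_url}/.well-known/acme-challenge/{token}"
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.read().decode(errors="replace").strip() == keyauth
    except urllib.error.HTTPError:
        return False  # e.g. the 404 "Cannot GET /.well-known/..." seen in the thread

class WebrootHandler(SimpleHTTPRequestHandler):
    """Stands in for nginx serving the challenge location from `root <webroot>`."""
    def log_message(self, *args):
        pass

class AppOnlyHandler(BaseHTTPRequestHandler):
    """Stands in for the Express upstream: it has no such file, so every path is 404."""
    def do_GET(self):
        body = f"Cannot GET {self.path}".encode()
        self.send_response(404)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def log_message(self, *args):
        pass

def serve(handler) -> ThreadingHTTPServer:
    srv = ThreadingHTTPServer(("127.0.0.1", 0), handler)  # port 0 = any free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def run_checks() -> dict:
    """Validate against both stand-ins; returns check name -> passed."""
    token = secrets.token_urlsafe(32)
    keyauth = key_authorization(token, DEMO_JWK)
    with tempfile.TemporaryDirectory() as webroot:
        write_challenge(webroot, token, keyauth)
        good = serve(partial(WebrootHandler, directory=webroot))
        bad = serve(AppOnlyHandler)
        url = lambda srv: f"http://127.0.0.1:{srv.server_address[1]}"
        try:
            return {
                "webroot_serves_token": validate(url(good), token, keyauth),
                "app_swallows_token": validate(url(bad), token, keyauth),
                "missing_token_rejected": validate(url(good), "no-such-token", keyauth),
            }
        finally:
            for srv in (good, bad):
                srv.shutdown()
                srv.server_close()

if __name__ == "__main__":
    for name, ok in run_checks().items():
        print(f"{name}: {'pass' if ok else 'fail'}")
```

On the real box the same check is: drop any file under `/var/www/html/.well-known/acme-challenge/`, then `curl -i http://beau.haus/.well-known/acme-challenge/<file>` from outside and confirm nginx returns 200 with the file's contents rather than the Express error page; only then rerun `certbot renew`.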
/etc/nginx/sites-available$ cat default
```nginx
##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# http://wiki.nginx.org/Pitfalls
# http://wiki.nginx.org/QuickStart
# http://wiki.nginx.org/Configuration
#
# Generally, you will want to move this file somewhere, and start with a clean
# file but keep this around for reference. Or just disable in sites-enabled.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##

# Default server configuration
#

# adding proxy cache
proxy_cache_path /tmp/nginx levels=1:2 keys_zone=slowfile_cache:10m inactive=60m use_temp_path=off;
proxy_cache_key "$request_uri";

server {
    # listen 80 default_server;
    # listen [::]:80 default_server;

    # JemYoung's Advice from twitter ###
    # listen 80;
    # listen [::]:80 default_server;
    # server_name beau.haus www.beau.haus;
    # return 301 https://$request_uri;

    # SSL configuration
    #
    # listen 443 ssl default_server;
    # listen [::]:443 ssl default_server;
    #
    # Note: You should disable gzip for SSL traffic.
    # See: https://bugs.debian.org/773332
    #
    # Read up on ssl_ciphers to ensure a secure configuration.
    # See: https://bugs.debian.org/765782
    #
    # Self signed certs generated by the ssl-cert package
    # Don't use them in a production server!
    #
    # include snippets/snakeoil.conf;

    root /var/www/html;

    # Add index.php to the list if you are using PHP
    index index.html index.htm index.nginx-debian.html;

    # server_name beau.haus www.beau.haus;
    # server_name _;

    # location ~ /.well-known/acme-challenge/ {
    #     allow all;
    #     default_type "text/plain";
    #     root /tmp;
    # }

    location / {
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        proxy_pass http://127.0.0.1:3001;
    }

    location /slowfile {
        proxy_cache_valid 1m;
        proxy_ignore_headers Cache-Control;
        add_header X-Proxy-Cache $upstream_cache_status;
        proxy_cache slowfile_cache;
        proxy_pass http://127.0.0.1:3001/slowfile;
    }

    # Adding expires headers (expire static assets in 30 days)
    location /static/ {
        expires 30d;
        proxy_pass http://127.0.0.1:3001/static/;
    }

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    #
    #location ~ \.php$ {
    #    include snippets/fastcgi-php.conf;
    #
    #    # With php7.0-cgi alone:
    #    fastcgi_pass 127.0.0.1:9000;
    #    # With php7.0-fpm:
    #    fastcgi_pass unix:/run/php/php7.0-fpm.sock;
    #}

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    #location ~ /\.ht {
    #    deny all;
    #}
}

# Virtual Host configuration for example.com
#
# You can move that to a different file under sites-available/ and symlink that
# to sites-enabled/ to enable it.
#
# server {
#     listen 80;
#     listen [::]:80 default_server;
#     server_name beau.haus www.beau.haus;
#     return 301 https://$server_name$request_uri;
#     root /var/www/;
#     index index.html;
#
#     location / {
#         try_files $uri $uri/ =404;
#     }
# }

server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name beau.haus www.beau.haus;

    location / {
        proxy_pass http://127.0.0.1:3001;
    }

    ssl_certificate /etc/letsencrypt/live/beau.haus/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/beau.haus/privkey.pem;
    ssl_protocols TLSv1.2;
    ssl_ciphers '............';
    ssl_prefer_server_ciphers on;
}
```
Could you try posting the nginx configuration again inside ``` lines? If you put a ``` before and after the file, it will render in a fixed-width font without special formatting.
it will look like something like this,
which will be easier to read