Certbot renew fails due to interference with other server behind nginx reverse proxy


#1

My domain is: mydomain.com

My server nc is behind an nginx reverse proxy configured with these instructions (https://www.techandme.se/set-up-nginx-reverse-proxy/), and there appears to be a conflict with my server json which I am unsure how to resolve.

I ran this command:

    certbot renew --no-self-upgrade > /var/log/letsencrypt/renew.log 2>&1

It produced this output:

Log file (/var/log/syslog):
    Apr  1 16:09:32 nc systemd[1]: Stopping The Apache HTTP Server...
    Apr  1 16:09:32 nc apachectl[22564]: AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using nc.mydomain.com. Set the 'ServerName' directive globally to suppress this message
    Apr  1 16:09:32 nc systemd[1]: Stopped The Apache HTTP Server.
    Apr  1 16:09:37 nc systemd[1]: Starting The Apache HTTP Server...
    Apr  1 16:09:37 nc apachectl[22604]: AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using nc.mydomain.com. Set the 'ServerName' directive globally to suppress this message
    Apr  1 16:09:37 nc systemd[1]: Started The Apache HTTP Server.

Log file (/var/log/letsencrypt/renew.log):

    -------------------------------------------------------------------------------
    Processing /etc/letsencrypt/renewal/nc.mydomain.com.conf
    -------------------------------------------------------------------------------
    Cert is due for renewal, auto-renewing...
    Plugins selected: Authenticator standalone, Installer None
    Running pre-hook command: service apache2 stop
    Renewing an existing certificate
    Performing the following challenges:
    tls-sni-01 challenge for nc.mydomain.com
    Waiting for verification...
    Cleaning up challenges
    Attempting to renew cert (nc.mydomain.com) from /etc/letsencrypt/renewal/nc.mydomain.com.conf produced an unexpected error: Failed authorization procedure. nc.mydomain.com (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 80c537b06f49c5279b406dd02d6496ce.482d5b1bb770e5cd186bd6e430af5c9c.acme.invalid from 24.193.26.188:443. Received 2 certificate(s), first certificate had names "json.mydomain.com". Skipping.
    All renewal attempts failed. The following certs could not be renewed:
      /etc/letsencrypt/live/nc.mydomain.com/fullchain.pem (failure)

    -------------------------------------------------------------------------------

    All renewal attempts failed. The following certs could not be renewed:
      /etc/letsencrypt/live/nc.mydomain.com/fullchain.pem (failure)
    -------------------------------------------------------------------------------
    Running post-hook command: service apache2 start
    1 renew failure(s), 0 parse failure(s)
    IMPORTANT NOTES:
     - The following errors were reported by the server:

       Domain: nc.mydomain.com
       Type:   unauthorized
       Detail: Incorrect validation certificate for tls-sni-01 challenge.
       Requested
       nlRk9KQ2p4tY9WorBYoczUYqgDajtIuk.uzNwMwLhjBQeQMir98WPWc3l3BirL1g1.acme.invalid
       from 46.23.894.11:443. Received 2 certificate(s), first
       certificate had names "json.mydomain.com"

       To fix these errors, please make sure that your domain name was
       entered correctly and the DNS A/AAAA record(s) for that domain
       contain(s) the right IP address.

My web server is (include version): Apache/2.4.33 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 16.04.4

My hosting provider, if applicable, is: self

I can login to a root shell on my machine: yes

I’m using a control panel to manage my site: no

Many thanks to any who can help! I also ran it without the no-self-upgrade switch with the same result.


#2

The “standalone” plugin will conflict with a running web service.
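
An added example, not part of the original thread and not certbot's own code: a small parser for the single-line "Failed authorization procedure" entry in the renew.log from post #1, which reports which certificate actually answered the tls-sni-01 probe on port 443. The function names, the `wrong_responder` field and the regex are this example's own assumptions; the sample line is copied from that log.

```python
import re

# Single-line form of certbot's tls-sni-01 failure detail, as in renew.log.
# The pattern is an assumption derived from the one log line in this thread.
FAILURE_RE = re.compile(
    r'Failed authorization procedure\. (?P<domain>\S+) \((?P<challenge>[\w-]+)\): '
    r'(?P<error>\S+) :: .*? Requested (?P<requested>\S+) '
    r'from (?P<addr>\S+):(?P<port>\d+)\. Received (?P<count>\d+) certificate\(s\), '
    r'first certificate had names "(?P<names>[^"]*)"'
)

# Copied from the renew.log line in post #1.
SAMPLE = (
    'Attempting to renew cert (nc.mydomain.com) from '
    '/etc/letsencrypt/renewal/nc.mydomain.com.conf produced an unexpected error: '
    'Failed authorization procedure. nc.mydomain.com (tls-sni-01): '
    'urn:acme:error:unauthorized :: The client lacks sufficient authorization :: '
    'Incorrect validation certificate for tls-sni-01 challenge. Requested '
    '80c537b06f49c5279b406dd02d6496ce.482d5b1bb770e5cd186bd6e430af5c9c.acme.invalid '
    'from 24.193.26.188:443. Received 2 certificate(s), first certificate had '
    'names "json.mydomain.com". Skipping.'
)

def parse_failures(log_text):
    """Return one dict per failed authorization found in the log text."""
    failures = []
    for m in FAILURE_RE.finditer(log_text):
        f = m.groupdict()
        f["port"] = int(f["port"])
        f["count"] = int(f["count"])
        f["names"] = [n.strip() for n in f["names"].split(",") if n.strip()]
        # The validator asked for a certificate carrying the *.acme.invalid name.
        # Any other name means some other TLS endpoint answered the connection.
        f["wrong_responder"] = f["requested"] not in f["names"]
        failures.append(f)
    return failures

def explain(f):
    """One-line diagnosis for a parsed failure."""
    where = f"{f['addr']}:{f['port']}"
    if f["wrong_responder"]:
        return (f"{f['domain']} ({f['challenge']}): {where} answered with a "
                f"certificate for {', '.join(f['names'])}, not the requested "
                f"challenge name; a different TLS endpoint handled the probe.")
    return f"{f['domain']} ({f['challenge']}): {where} served the challenge certificate."

if __name__ == "__main__":
    for failure in parse_failures(SAMPLE):
        print(explain(failure))
```

For the log in this thread, the result shows that the address the validator reached on port 443 presented the certificate for json.mydomain.com rather than the temporary challenge certificate.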

