Certbot renew failure

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: https://musingsofamaverick.org

I ran this command: sudo certbot renew

It produced this output:
$ sudo certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/musingsofamaverick.org.conf


Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.musingsofamaverick.org
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (musingsofamaverick.org) from /etc/letsencrypt/renewal/musingsofamaverick.org.conf produced an unexpected error: Failed authorization procedure. www.musingsofamaverick.org (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching https://musingsofamaverick.org.com/.well-known/acme-challenge/6n0th2geRTBcbs9iBAHdyQ7iLzL7hMkqz4T_kkImRF8: Connection refused. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/musingsofamaverick.org/fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/musingsofamaverick.org/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: www.musingsofamaverick.org
    Type: connection
    Detail: Fetching
    https://musingsofamaverick.org.com/.well-known/acme-challenge/6n0th2geRTBcbs9iBAHdyQ7iLzL7hMkqz4T_kkImRF8:
    Connection refused

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

My web server is (include version): nginx 1.14.0

The operating system my web server runs on is (include version): ubuntu 18.04.3 bionic

My hosting provider, if applicable, is: not applicable

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):


You’ve got redirect issues. The .com TLD redirects to .org.com or something like that.


curl -Iki http://www.musingsofamaverick.org/
HTTP/1.1 301 Moved Permanently
Server: nginx/1.14.0 (Ubuntu)
Date: Thu, 24 Oct 2019 22:35:44 GMT
Content-Type: text/html
Content-Length: 194
Connection: keep-alive
Location: https://www.musingsofamaverick.org/

curl -Iki https://www.musingsofamaverick.org/
HTTP/2 301
server: nginx/1.14.0 (Ubuntu)
date: Thu, 24 Oct 2019 22:35:59 GMT
content-type: text/html
content-length: 194
location: https://musingsofamaverick.org.com/
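Reproducing the diagnosis from that curl output offline, as an added example that is not code from the thread: it walks the redirect chain a validation server would follow for a challenge URL and reports where the chain ends up. The TOKEN value and the sample responses are constructed from the headers quoted above, and the `fetch` callable is an assumption that can be swapped for a real HEAD request.

```python
import re
from urllib.parse import urljoin, urlsplit

CHALLENGE_DIR = "/.well-known/acme-challenge/"
TOKEN = "TOKEN"  # placeholder: a real http-01 token is issued per authorization
START = "http://www.musingsofamaverick.org" + CHALLENGE_DIR + TOKEN

# Constructed sample keyed by requested URL: the two `curl -Iki` answers from the
# thread with $request_uri kept. No entry for .org.com mimics "Connection refused".
SAMPLE_RESPONSES = {
    START: "HTTP/1.1 301 Moved Permanently\r\nServer: nginx/1.14.0 (Ubuntu)\r\n"
           "Location: https://www.musingsofamaverick.org" + CHALLENGE_DIR + TOKEN,
    "https://www.musingsofamaverick.org" + CHALLENGE_DIR + TOKEN:
        "HTTP/2 301\r\nserver: nginx/1.14.0 (Ubuntu)\r\n"
        "location: https://musingsofamaverick.org.com" + CHALLENGE_DIR + TOKEN,
}

def parse_head(raw):
    """Return (status, Location-or-None) from `curl -I`-style response headers."""
    lines = raw.splitlines()
    status = int(re.match(r"HTTP/\S+\s+(\d{3})", lines[0]).group(1))
    location = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            location = value.strip()
    return status, location

def follow_chain(start_url, fetch, max_hops=10):
    """Follow 3xx hops; fetch(url) returns raw headers or None if unreachable.
    Returns (final_url or None, URLs visited in order)."""
    url, hops = start_url, [start_url]
    for _ in range(max_hops):
        raw = fetch(url)
        if raw is None:
            return None, hops          # nothing answered at this hop
        status, location = parse_head(raw)
        if status not in (301, 302, 303, 307, 308) or not location:
            return url, hops           # a final, non-redirect answer
        url = urljoin(url, location)
        hops.append(url)
    return None, hops                  # redirect loop or chain too long

def diagnose(requested_host, final_url, hops):
    """Summarise what the CA's validation fetch would have ended up requesting."""
    last = urlsplit(hops[-1])
    return {"redirects": len(hops) - 1, "final_host": last.hostname,
            "host_changed": last.hostname != requested_host,
            "path_preserved": last.path.startswith(CHALLENGE_DIR),
            "reachable": final_url is not None}
```

A report with `host_changed` true and `reachable` false is exactly the ".org.com ... Connection refused" case; running it after every config change is a cheap preflight before `certbot renew`.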

Yes, I see that, but I have no idea where that came from and I have no idea how to locate the source. It is not from my domain registrar and, to the best of my knowledge, it is not in any config file. So how do I go about finding the source of that problem?

It seems to be generated by an nginx 1.14.0 on Ubuntu, which definitely sounds like your nginx… could you look more closely in /etc/nginx?

Thanks. I did, and I found the error in line 46
return 301 https://musingsofamaverick.org.com$request_uri;
and corrected it so that it now reads
return 301 https://musingsofamaverick.org$request_uri;
Then I restarted nginx, re-ran certbot renew and got the certificate successfully renewed for musings, but not for www.musings.

Below is my nginx server block. Hopefully, you can tell me why I’m not getting a certificate for www.musings…

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name musingsofamaverick.org www.musingsofamaverick.org;
    root /var/www/wordpress;
    index index.html index.php;

    if ($host != "musingsofamaverick.org") {
        return 301 https://musingsofamaverick.org$request_uri;
    }

    include snippets/well-known;

    ssl_certificate /etc/letsencrypt/live/musingsofamaverick.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/musingsofamaverick.org/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/musingsofamaverick.org/chain.pem;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
    ssl_prefer_server_ciphers on;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 30s;

    access_log /var/log/nginx/musingsofamaverick.org.access.log;
    error_log /var/log/nginx/musingsofamaverick.org.error.log;

    client_max_body_size 100M;

    autoindex off;

:

Please show the command you ran to (attempt to) get the cert.
And show the :80 vhost config that would serve those names.

Please show output of:
certbot certificates

You are cutting this very close:

wayne@wrkserver:~$ sudo certbot certificates
[sudo] password for wayne:
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: musingsofamaverick.org
Domains: musingsofamaverick.org www.musingsofamaverick.org
Expiry Date: 2020-01-22 23:45:11+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/musingsofamaverick.org/fullchain.pem
Private Key Path: /etc/letsencrypt/live/musingsofamaverick.org/privkey.pem


I’m afraid I responded to your next reply before reading this one. I think the command to get the certs is the one you asked me to run below, i.e., sudo certbot certificates. If that’s not correct, then I don’t know what command to use. Anyway, the output of certbot certificates is shown below.

As to the :80 vhost config, I am totally ignorant and have no idea if it exists or where to find it.

It looks like I may have the problem solved. If I am not mistaken, I don’t need a separate certificate for the subdomain www.musingsofamaverick.org. If true, then my certificate is renewed and good for both.

My remaining redirect issue (after correcting the server block) appears to be due to not clearing my browser cache.

So, unless something else crops up, PROBLEM SOLVED!
Many thanks.


You need certificates that cover both names, but your existing certificate does this, so you don't need a separate certificate for the www subdomain.
