Certbot renew not working

TheAxeMan · September 6, 2023, 5:59pm

lease fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
randoblazer.com

I ran this command:
sudo certbot renew

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/randoblazer.com.conf

Renewing an existing certificate for randoblazer.com

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: randoblazer.com
Type: unauthorized
Detail: x.x.x.x: Invalid response from http://randoblazer.com/.well-known/acme-challenge/Ojuwdp8NuhJMZrCPAsiFHHfG4a85-72yBduug6e-r8A: 404

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Failed to renew certificate randoblazer.com with error: Some challenges have failed.

All renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/randoblazer.com/fullchain.pem (failure)

1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):
nginx version: nginx/1.18.0 (Ubuntu)

The operating system my web server runs on is (include version):
Ubuntu 22.04

My hosting provider, if applicable, is:
AWS

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.6.0

TheAxeMan · September 6, 2023, 6:04pm

I saw something about adding a listen on port 80 but could not get nginx to run with an additional listen.

9peppe · September 6, 2023, 6:07pm

This is a renewal, so the certificate was issued, somehow, in the past.

Show us this file, and the output of nginx -T

TheAxeMan · September 6, 2023, 7:13pm

# renew_before_expiry = 30 days
version = 2.6.0
archive_dir = /etc/letsencrypt/archive/randoblazer.com
cert = /etc/letsencrypt/live/randoblazer.com/cert.pem
privkey = /etc/letsencrypt/live/randoblazer.com/privkey.pem
chain = /etc/letsencrypt/live/randoblazer.com/chain.pem
fullchain = /etc/letsencrypt/live/randoblazer.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = f708e9223841b6ebb7a93422de4af6a1
authenticator = nginx
installer = nginx
server = https://acme-v02.api.letsencrypt.org/directory
key_type = ecdsa

nginx -T

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
#include /etc/nginx/modules-enabled/*.conf;

events {
    worker_connections 768;
    # multi_accept on;
}

http {
    sendfile on;
    keepalive_timeout 65;
    tcp_nopush on;
    tcp_nodelay on;
    types_hash_max_size 2048;
    # server_tokens off;

    server_names_hash_bucket_size 128;
    # server_names_hash_max_size 512;
    # server_name_in_redirect off;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    types {
        application/wasm wasm;
    }

    ##
    # Logging Settings
    ##

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    ##
    # Gzip Settings
    ##

    gzip on;
    gzip_vary on;
    gzip_comp_level 6;
    gzip_min_length 1100;
    gzip_proxied any;
    gzip_buffers 16 8k;
    gzip_disable "msie6";
    gzip_http_version 1.1;
    gzip_types
      text/plain
      text/css
      text/js
      text/xml
      text/javascript
      application/javascript
      application/x-javascript
      application/json
      application/xml
      application/rss+xml
      image/svg+xml;

    #server {
        #listen 80;
        #server_name randoblazer.com;

        # Redirect http traffic to https - fixes certbot renewal request
        #return 301 https://$host$request_uri;
    #}

    server {
        #listen 80;
        listen 443 ssl;
        listen [::]:443 ssl;

        server_name randoblazer.com;
        root /var/www/randoblazer/;
        index index.html;

        ssl_certificate /etc/letsencrypt/live/randoblazer.com/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/randoblazer.com/privkey.pem; # managed by Certbot

        # These options get managed by Certbot
        ssl_session_cache  builtin:1000  shared:SSL:10m;
        ssl_protocols  TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
        ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
        ssl_prefer_server_ciphers on;

        #include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot

        location /favicon.ico {
            alias /var/www/favicon.ico;
        }

        location / {
            try_files $uri $uri/ =404;
        }
        location /beta {
            alias /var/www/randoblazer/beta/;
            index index.html;
        }

        location ~ \.php$ {
            include snippets/fastcgi-php.conf;
            fastcgi_pass unix:/run/php/php7.4-fpm.sock;
        }
        location /weekly {
            try_files $uri $uri/ =404;
            index index.php;
        }
#        location /testweekly {
#            try_files $uri $uri/ =404;
#            index index.php;
#        }
    }

    server {
        listen 443 ssl;
        listen [::]:443 ssl;

        server_name ec2-52-9-74-59.us-west-1.compute.amazonaws.com;

        ssl_certificate /etc/nginx/ssl/server.crt;
        ssl_certificate_key /etc/nginx/ssl/server.key;

        ssl_session_cache  builtin:1000  shared:SSL:10m;
        ssl_protocols  TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
        ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
        ssl_prefer_server_ciphers on;

        # Example for how to set up php. The two nested blocks seem to be important.
#        location /phptest {
#            root /var/www/html/actualphptest/;
#            index info.php;
#            try_files $uri $uri/ /phptest/info.php;
#
#            location ~ \.php$ {
#               include snippets/fastcgi-php.conf;
#               fastcgi_pass unix:/run/php/php7.4-fpm.sock;
#            }
#        }

        # phpmyadmin - disabled for security unless needed
#        location /phpmyadmin {
#            root /usr/share/;
#            index index.php;
#
#            location ~ \.php$ {
#               include snippets/fastcgi-php.conf;
#               fastcgi_pass unix:/run/php/php8.1-fpm.sock;
#            }
#        }

        location /favicon.ico {
            alias /var/www/favicon.ico;
        }
        location /comics {
            alias /var/www/comics/comics.html;
            default_type text/html;
        }

        #location /randoblazer/ {
            #alias /var/www/randoblazer/;
            #index index.html;
            #try_files $uri $uri/ =404;
        #}

        location = / {
            #alias /home/ubuntu/www/comics;
            #autoindex off;
            #index comics.html;
            try_files $uri $uri/ =404;
        }
    }

    ##
    # Virtual Host Configs
    ##

    #include /etc/nginx/conf.d/*.conf;
    #include /etc/nginx/sites-enabled/*;   # default causes error
}



# configuration file /etc/nginx/mime.types:

types {
    text/html                             html htm shtml;
    text/css                              css;
    text/xml                              xml;
    image/gif                             gif;
    image/jpeg                            jpeg jpg;
    application/javascript                js;
    application/atom+xml                  atom;
    application/rss+xml                   rss;

    text/mathml                           mml;
    text/plain                            txt;
    text/vnd.sun.j2me.app-descriptor      jad;
    text/vnd.wap.wml                      wml;
    text/x-component                      htc;

    image/png                             png;
    image/tiff                            tif tiff;
    image/vnd.wap.wbmp                    wbmp;
    image/x-icon                          ico;
    image/x-jng                           jng;
    image/x-ms-bmp                        bmp;
    image/svg+xml                         svg svgz;
    image/webp                            webp;

    application/font-woff                 woff;
    application/java-archive              jar war ear;
    application/json                      json;
    application/mac-binhex40              hqx;
    application/msword                    doc;
    application/pdf                       pdf;
    application/postscript                ps eps ai;
    application/rtf                       rtf;
    application/vnd.apple.mpegurl         m3u8;
    application/vnd.ms-excel              xls;
    application/vnd.ms-fontobject         eot;
    application/vnd.ms-powerpoint         ppt;
    application/vnd.wap.wmlc              wmlc;
    application/vnd.google-earth.kml+xml  kml;
    application/vnd.google-earth.kmz      kmz;
    application/x-7z-compressed           7z;
    application/x-cocoa                   cco;
    application/x-java-archive-diff       jardiff;
    application/x-java-jnlp-file          jnlp;
    application/x-makeself                run;
    application/x-perl                    pl pm;
    application/x-pilot                   prc pdb;
    application/x-rar-compressed          rar;
    application/x-redhat-package-manager  rpm;
    application/x-sea                     sea;
    application/x-shockwave-flash         swf;
    application/x-stuffit                 sit;
    application/x-tcl                     tcl tk;
    application/x-x509-ca-cert            der pem crt;
    application/x-xpinstall               xpi;
    application/xhtml+xml                 xhtml;
    application/xspf+xml                  xspf;
    application/zip                       zip;

    application/octet-stream              bin exe dll;
    application/octet-stream              deb;
    application/octet-stream              dmg;
    application/octet-stream              iso img;
    application/octet-stream              msi msp msm;

    application/vnd.openxmlformats-officedocument.wordprocessingml.document    docx;
    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet          xlsx;
    application/vnd.openxmlformats-officedocument.presentationml.presentation  pptx;

    audio/midi                            mid midi kar;
    audio/mpeg                            mp3;
    audio/ogg                             ogg;
    audio/x-m4a                           m4a;
    audio/x-realaudio                     ra;

    video/3gpp                            3gpp 3gp;
    video/mp2t                            ts;
    video/mp4                             mp4;
    video/mpeg                            mpeg mpg;
    video/quicktime                       mov;
    video/webm                            webm;
    video/x-flv                           flv;
    video/x-m4v                           m4v;
    video/x-mng                           mng;
    video/x-ms-asf                        asx asf;
    video/x-ms-wmv                        wmv;
    video/x-msvideo                       avi;
}

# configuration file /etc/nginx/snippets/fastcgi-php.conf:
# regex to split $uri to $fastcgi_script_name and $fastcgi_path
fastcgi_split_path_info ^(.+?\.php)(/.*)$;

# Check that the PHP script exists before passing it
try_files $fastcgi_script_name =404;

# Bypass the fact that try_files resets $fastcgi_path_info
# see: http://trac.nginx.org/nginx/ticket/321
set $path_info $fastcgi_path_info;
fastcgi_param PATH_INFO $path_info;

fastcgi_index index.php;
include fastcgi.conf;

# configuration file /etc/nginx/fastcgi.conf:

fastcgi_param  SCRIPT_FILENAME    $document_root$fastcgi_script_name;
fastcgi_param  QUERY_STRING       $query_string;
fastcgi_param  REQUEST_METHOD     $request_method;
fastcgi_param  CONTENT_TYPE       $content_type;
fastcgi_param  CONTENT_LENGTH     $content_length;

fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
fastcgi_param  REQUEST_URI        $request_uri;
fastcgi_param  DOCUMENT_URI       $document_uri;
fastcgi_param  DOCUMENT_ROOT      $document_root;
fastcgi_param  SERVER_PROTOCOL    $server_protocol;
fastcgi_param  REQUEST_SCHEME     $scheme;
fastcgi_param  HTTPS              $https if_not_empty;

fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;

fastcgi_param  REMOTE_ADDR        $remote_addr;
fastcgi_param  REMOTE_PORT        $remote_port;
fastcgi_param  REMOTE_USER        $remote_user;
fastcgi_param  SERVER_ADDR        $server_addr;
fastcgi_param  SERVER_PORT        $server_port;
fastcgi_param  SERVER_NAME        $server_name;

# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param  REDIRECT_STATUS    200;

9peppe · September 6, 2023, 7:16pm

You should have a listen 80 somewhere, yes. It can be an empty server block.

(Empty, I mean listen and maybe server_name)

TheAxeMan · September 6, 2023, 7:17pm

Also I don't remember have any trouble with the initial setup, it was very smooth. I did make some changes to my nginx config once I had the certs working and that might be causing the problems.

TheAxeMan · September 6, 2023, 7:21pm

When I add another block with listen 80 and the same server_name nginx fails. Same with another listen in the same block. No errors except for the general nginx failure.

9peppe · September 6, 2023, 7:24pm

You can only have each combination server_name listen port once.

If it complains if you have it already. (Does it?)

Aaaaaarg.

❯ curl -IL randoblazer.com
HTTP/1.1 200 OK
Date: Wed, 06 Sep 2023 19:22:56 GMT
Server: Apache/2.4.52 (Ubuntu)
Last-Modified: Sat, 10 Jun 2023 15:13:49 GMT
ETag: "29af-5fdc7eebc0dbc"
Accept-Ranges: bytes
Content-Length: 10671
Vary: Accept-Encoding
Content-Type: text/html

It complains because Apache is running on port 80, not because it's a double. Did you install Apache? Are you using it?

TheAxeMan · September 6, 2023, 7:25pm

ah I guess I may have installed it. I am not using it, I'll get rid of that and see if that fixes it.

TheAxeMan · September 6, 2023, 7:57pm

Yes, that was it. No problem renewing now. Thank you so much!

rg305 · September 6, 2023, 8:03pm

TheAxeMan:

    #server {
        #listen 80;
        #server_name randoblazer.com;

        # Redirect http traffic to https - fixes certbot renewal request
        #return 301 https://$host$request_uri;
    #}

It seems to have been commented out.

To make space for Apache - LOL