Certbot renewal error


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: kib.viriback.com

I ran this command: /usr/bin/certbot renew --quiet

It produced this output:

Attempting to renew cert (kib.domain.com) from /etc/letsencrypt/renewal/kib.domain.com.conf produced an unexpected error: Failed authorization procedure. kib.domain.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching https:///.well-known/acme-challenge/GXB8AMxMZcJky9qz0TNPdLXCTqGoa_7kAdPOCr2ZbmE: Error getting validation data. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/kib.domain.com/fullchain.pem (failure)

My web server is (include version): nginx 1.10.3

The operating system my web server runs on is (include version): ubuntu 16.04

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no


#2

Hi,

You’ll need to share your domain name with us so we can solve your question.

Thank you


#3

Why did you remove the real domain name?


#4

I am removing the firewall before trying to do the renewal.

Isn’t that part of the error the cause:

“Fetching https:///.well-known/acme-challenge/GXB8AMxMZcJky9qz0TNPdLXCTqGoa_7kAdPOCr2ZbmE”

See how there is no domain in the fetched URL…


#5

This is a dashboard not protected by means of a login; I only protect it by firewall rules… I didn’t want to publicise the domain further.


#6

False sense of obscurity…
All certs are public information.
Whoever is looking for them can find that info easily without having to scrape these pages.

If you are really paranoid, you should issue a wildcard cert and change your hostname on a daily basis - LOL


#7

Actually I’d assumed you’d just deleted it before posting - another reason not to do that :stuck_out_tongue:

Do you have a HTTP to HTTPS redirect in place already? If so, maybe there is something wrong with it. The validation request always goes to HTTP first and will only use HTTPS if it gets redirected. Maybe the redirect is somehow removing the hostname?


#8

Yes, my nginx config for this site looks like this:

server {
    listen 80 default_server;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 default_server ssl http2;

    server_name kibana.example.com;

    ssl_certificate           /etc/letsencrypt/live/kibana.example.com/fullchain.pem;
    ssl_certificate_key       /etc/letsencrypt/live/kibana.example.com/privkey.pem;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_ecdh_curve secp384r1;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;

    location / {
        proxy_pass http://localhost:5601;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}

#9

The firewall seems to still be blocking.


#10

I’m not too familiar with nginx config syntax but I’m guessing maybe $server_name isn’t available when you don’t define a server_name in the block?


#11

I think he deleted server name too…

@viriback if you don’t disclose your domain, we can’t help you. (Since this is pure server side)

Thank you


#12

I haven’t deleted the domain… sorry for the confusion. The domain is now present in the current response.

After jmorahan’s comment, I added the $server_name variable in my config and now I get:

> Attempting to renew cert (kib.viriback.com) from /etc/letsencrypt/renewal/kib.viriback.com.conf produced an unexpected error: Failed authorization procedure. kib.viriback.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://kib.viriback.com/.well-known/acme-challenge/1CwwDrltPGHgWG55Nqn8-XIZYpWBskYKZU2RQ1lUteg: "<html>
> <head><title>502 Bad Gateway</title></head>
> <body bgcolor="white">
> <center><h1>502 Bad Gateway</h1></center>
> <hr><cen". Skipping.
> All renewal attempts failed. The following certs could not be renewed:
>   /etc/letsencrypt/live/kib.viriback.com/fullchain.pem (failure)

#13

@jmorahan, you are right

@viriback you are not defining a server_name directive in that server block, so the variable $server_name is empty; you can define a server_name directive with your domain or replace $server_name with $host.


#14

Okay, so far so good. It seems the problem now is that the validation request is being redirected to HTTPS, where it is served by your 443 server block, but that block is then trying to proxy it to localhost:5601 and failing.

Could you post the contents of the renewal configuration file for your certificate (in /etc/letsencrypt/renewal/)? Also, what version of certbot are you using (certbot --version)?
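
For reference, here is an nginx configuration that addresses both problems raised in #13 (an empty $server_name producing a Location header of https:///.well-known/acme-challenge/…) and #14 (the redirected challenge request landing in the HTTPS block and being proxied to localhost:5601, hence the 502). This is an added example, not the poster's config or a fix endorsed in the thread; it assumes the webroot authenticator and webroot_path = /var/www/html from the renewal file and the Kibana upstream on localhost:5601 from the posted config, and it serves challenge files directly instead of switching to the nginx authenticator as #16 does. The broken settings are kept alongside as comments so the difference is visible.

```nginx
# Port-80 block. The posted config returned "https://$server_name$request_uri"
# without a server_name directive, so $server_name expanded to "" and the
# validator was told to fetch "https:///.well-known/acme-challenge/<token>".
server {
    listen 80 default_server;
    server_name kib.viriback.com;   # was missing: give $server_name a value

    # Answer http-01 challenges straight from the webroot certbot writes to
    # (webroot_path = /var/www/html in the renewal file). The "^~" prefix match
    # wins over the "/" location, so these requests are never redirected.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/html;
        default_type "text/plain";
    }

    # Everything else still goes to HTTPS. $host is taken from the request, so
    # the hostname survives even if server_name is ever removed again.
    location / {
        return 301 https://$host$request_uri;   # was: https://$server_name$request_uri
    }
}

server {
    listen 443 default_server ssl http2;
    server_name kib.viriback.com;

    ssl_certificate     /etc/letsencrypt/live/kib.viriback.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/kib.viriback.com/privkey.pem;
    # remaining ssl_*, resolver and add_header directives as in the posted config

    # Also answer challenges here: a browser or proxy that cached the old 301
    # may still send the validator's request to HTTPS, and without this block
    # it would be proxied to Kibana and fail with 502 Bad Gateway.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/html;
        default_type "text/plain";
    }

    location / {
        proxy_pass http://localhost:5601;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}
```

After reloading (`nginx -t && systemctl reload nginx`), `certbot renew --dry-run` exercises the whole validation path against the staging environment without consuming production rate limits. The firewall still has to allow inbound port 80 from the internet for the duration of the renewal, as noted in #9: the validator's first request is always plain HTTP.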


#15

# Options used in the renewal process

[renewalparams]
authenticator = webroot
installer = None
account = 434567890637ee0baff9aba34bdd8e9e
webroot_path = /var/www/html,
[[webroot_map]]
kib.viriback.com = /var/www/html

certbot 0.22.2


#16

Okay, in that case please try this:

certbot renew -a nginx

#17

Did the trick. Thank you.


#18

Great. That should also have saved the updated authenticator option to the renewal file so a simple certbot renew should work again in the future.

