Certbot renewal fails on nginx

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

1 Like

Hi @edatastyle

checking your domain there are a lot of older certificates ( https://check-your-website.server-daten.de/?q=athemeart.com#ct-logs ):

CRT-Id Issuer not before not after Domain names LE-Duplicate next LE
1269901196 CN=Let’s Encrypt Authority X3, O=Let’s Encrypt, C=US 2019-03-08 22:33:30 2019-06-06 21:33:30 athemeart.com, www.athemeart.com
2 entries
1091161359 CN=Let’s Encrypt Authority X3, O=Let’s Encrypt, C=US 2019-01-07 22:16:49 2019-04-07 21:16:49 athemeart.com, www.athemeart.com
2 entries
930961221 CN=Let’s Encrypt Authority X3, O=Let’s Encrypt, C=US 2018-11-08 22:07:07 2019-02-06 22:07:07 athemeart.com, www.athemeart.com
2 entries
776612634 CN=Let’s Encrypt Authority X3, O=Let’s Encrypt, C=US 2018-09-09 21:19:02 2018-12-08 22:19:02 athemeart.com, www.athemeart.com
2 entries
617232069 CN=Let’s Encrypt Authority X3, O=Let’s Encrypt, C=US 2018-07-11 21:10:11 2018-10-09 21:10:11 athemeart.com, www.athemeart.com
2 entries
458798177 CN=Let’s Encrypt Authority X3, O=Let’s Encrypt, C=US 2018-05-12 21:31:01 2018-08-10 21:31:01 athemeart.com, www.athemeart.com
2 entries
354715116 CN=Let’s Encrypt Authority X3, O=Let’s Encrypt, C=US 2018-03-13 22:25:12 2018-06-11 21:25:12 athemeart.com, www.athemeart.com
2 entries
301920271 CN=Let’s Encrypt Authority X3, O=Let’s Encrypt, C=US 2018-01-12 22:04:24 2018-04-12 21:04:24 athemeart.com, www.athemeart.com
2 entries
253431273 CN=Let’s Encrypt Authority X3, O=Let’s Encrypt, C=US 2017-11-13 17:54:12 2018-02-11 17:54:12 athemeart.com, www.athemeart.com
2 entries
191137001 CN=Let’s Encrypt Authority X3, O=Let’s Encrypt, C=US 2017-08-15 16:25:00 2017-11-13 17:25:00 athemeart.com, www.athemeart.com
2 entries

Started 2017-11-13, last is from 2019-03-08.

Looks like you have used tls-sni-01 validation via port 443. That’s not longer supported, support ended ~~ 2019-03-15.

So you have to switch to another validation method.

Checking your standard urls that looks good:

Domainname Http-Status redirect Sec. G
http://athemeart.com/
159.203.191.206 301 https://athemeart.com/ 0.213 A
http://www.athemeart.com/
159.203.191.206 301 https://www.athemeart.com/ 0.210 A
https://www.athemeart.com/
159.203.191.206 301 https://athemeart.com/ 1.040 N
Certificate error: RemoteCertificateChainErrors
https://athemeart.com/
159.203.191.206 200 1.580 N
Certificate error: RemoteCertificateChainErrors
http://athemeart.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
159.203.191.206 301 https://athemeart.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 0.210 A
Visible Content: 301 Moved Permanently nginx/1.10.3 (Ubuntu)
http://www.athemeart.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
159.203.191.206 301 https://www.athemeart.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 0.210 A
Visible Content: 301 Moved Permanently nginx/1.10.3 (Ubuntu)
https://athemeart.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 404 1.177 N

Using http-01 validation, Certbot creates a file under /.well-known/acme-challenge, Letsencrypt checks that file.

Port 80 is open and redirects to https, Letsencrypt follows these redirects.

So find your root in your port 443 vHost and use that.

certbot run -a webroot -i nginx -w yourRoot -d athemeart.com -d www.athemeart.com

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.