Certificate does not renew and can't make a new one

Hello guys! I used to have a Let's Encrypt certificate for my project and it worked fine for a couple of months. But during this time my auto-renew didn't work, and now I have an expired certificate.

I tried to make a new one or renew it, but I get this error (what should I do?):

Tried:
certbot renew --dry-run
sudo certbot certonly --dry-run -d websitename.ru -d www.websitename.ru

Error:


  • The following errors were reported by the server:

    Domain: websitename.ru
    Type: unauthorized
    Detail: Invalid response from https://websitename.ru [92.63.00.000]: (real IP hidden)
    "\n\n\n<!doctype html>\n<html lang="en">\n\n\n\n<title"

    Domain: www.websitename.ru
    Type: unauthorized
    Detail: Invalid response from https://websitename.ru [92.63.00.000]: (real IP hidden)
    "\n\n\n<!doctype html>\n<html lang="en">\n\n\n\n<title"

My nginx file in sites-enabled:

server {
    server_name websitename.ru www.websitename.ru default_server;
    listen 80;

    return 301 https://websitename.ru;
}

server {
    server_name www.websitename.ru;
    listen 443 ssl http2;

    ssl_certificate /etc/letsencrypt/live/websitename.ru-0001/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/websitename.ru-0001/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/websitename.ru-0001/chain.pem;

    ssl_stapling on;
    ssl_stapling_verify on;

    add_header Strict-Transport-Security "max-age=31536000";

    return 301 https://websitename.ru$request_uri;
}

server {

    server_name websitename.ru;
    listen 443 ssl http2;

    ssl_certificate /etc/letsencrypt/live/websitename.ru-0001/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/websitename.ru-0001/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/websitename.ru-0001/chain.pem;

    ssl_stapling on;
    ssl_stapling_verify on;

    access_log /webapps/vcard_project/logs/nginx-access.log;
    error_log /webapps/vcard_project/logs/nginx-error.log;
    
    add_header Strict-Transport-Security "max-age=31536000";
    add_header X-Frame-Options "SAMEORIGIN";

    location /.well-known {
        root /var/www/html;
    }

    location /static {
        alias /webapps/vcard_project/static/;
    }
    
    location /media {
        alias /webapps/vcard_project/vcard_project/media/;
    }

    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        proxy_set_header Host $http_host;

        proxy_redirect off;

        if (!-f $request_filename) {
            proxy_pass http://vcard_project_server;
            break;
        }
    }

    # Error pages
    error_page 500 502 503 504 /500.html;
    location = /500.html {
        root /webapps/vcard_project/static/;
    }
}

Which authenticator are you using? --webroot or --nginx?

If it's webroot, then your HTTP-to-HTTPS redirect (the return 301 in your port 80 server block) would be clobbering the challenge URL.

i.e. when Let's Encrypt connects to your domain, it would first request http://websitename.ru/.well-known/acme-challenge/xxxxx, and your server would redirect it to https://websitename.ru/, and as a result the challenge would fail.

There's some evidence pointing towards this: the lack of a path in the URL in the error detail suggests that your redirect is the culprit.

A correctly configured redirect would retain the path of the request URL.

An alternative is to bypass the redirect for requests to /.well-known/acme-challenge/.

Although IMHO it’s a good thing for redirects to retain their paths, so I would prefer the option presented by @_az :wink:
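For readers who land here with the same error, here is the port-80 server block rewritten to apply both fixes discussed above. This is an added example, not the original poster's configuration or anything from the Let's Encrypt project: the domain names and the /var/www/html webroot are taken from the thread, default_server has been moved from server_name (where nginx would treat it as a literal hostname) to the listen directive where it belongs, and the challenge token in the comment is hypothetical.

```nginx
# Added example (not the thread's original config): HTTP server block that keeps
# the ACME HTTP-01 challenge reachable. Assumes certbot is run with
# --webroot -w /var/www/html, matching the /.well-known root already used in the
# HTTPS server block of the thread.
server {
    server_name websitename.ru www.websitename.ru;
    listen 80 default_server;

    # Fix 1 (the @_az suggestion): answer challenge requests directly over HTTP so
    # the redirect below is never reached for /.well-known/acme-challenge/.
    # "^~" stops nginx from considering regex locations for this prefix.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/html;
        default_type "text/plain";
    }

    # Fix 2 (path-preserving redirect): a request for
    # http://websitename.ru/.well-known/acme-challenge/<token> now lands on
    # https://websitename.ru/.well-known/acme-challenge/<token>, not on the
    # HTTPS site root (which is what returned the "<!doctype html>" body in the
    # validation error). The original line dropped $request_uri.
    location / {
        return 301 https://websitename.ru$request_uri;
    }
}
```

After reloading nginx, a request such as curl -I http://websitename.ru/.well-known/acme-challenge/test should either be served from the webroot (a 404 is fine, since no such token file exists) or, if only the second fix is applied, return a 301 whose Location header still ends in /.well-known/acme-challenge/test. Only then is it worth re-running sudo certbot certonly --webroot -w /var/www/html -d websitename.ru -d www.websitename.ru --dry-run.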
