Certificate installation worked, renewal dry-run fails

My domain is: fritz.debler.net

I ran this command: sudo certbot renew --dry-run

It produced this output:

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/fritz.debler.net.conf
-------------------------------------------------------------------------------
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for fritz.debler.net
Using default address 80 for authentication.
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (fritz.debler.net) from /etc/letsencrypt/renewal/fritz.debler.net.conf produced an unexpected error: Failed authorization procedure. fritz.debler.net (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://fritz.debler.net/.well-known/acme-challenge/m1_159ZO9C0cpw3wKU08Jjy2bb3-t494HoMi5Xlfb28: "<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>". Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/fritz.debler.net/fullchain.pem (failure)

-------------------------------------------------------------------------------
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/fritz.debler.net/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
-------------------------------------------------------------------------------
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: fritz.debler.net
   Type:   unauthorized
   Detail: Invalid response from
   http://fritz.debler.net/.well-known/acme-challenge/m1_159ZO9C0cpw3wKU08Jjy2bb3-t494HoMi5Xlfb28:
   "<html>
   <head><title>404 Not Found</title></head>
   <body bgcolor="white">
   <center><h1>404 Not Found</h1></center>
   <hr><center>"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

My web server is (include version): nginx 1.4.6

The operating system my web server runs on is (include version): linux mint 17.3

I can login to a root shell on my machine (yes or no, or I don’t know): yes

My nginx config looks like this in order to redirect external port 80 traffic to port 81, because pi-hole is already running on port 80:

server {
        listen 81 default_server;
        server_name fritz.debler.net 192.168.178.36;
        root /var/www/html;
        index index.html index.htm;
        location ~ /.well-known {
                allow all;
        }
}

I used the automatic installer certbot --nginx and it worked fine, but when running the dry-run renewal command it seems to have problems finding the challenge files.

Place a sample test.txt file at:
http://fritz.debler.net/.well-known/acme-challenge/test.txt
/var/www/html/.well-known/acme-challenge/test.txt

is possibly not an exact dry run of:

Try:
sudo certbot renew --nginx --dry-run

testfile placed and reachable

same error with sudo certbot renew --nginx --dry-run

I think it may be looking for the files in the wrong location.
That is, they get placed in folder A but the Internet points them to folder B.

You may be able to “force” them equal via the webroot option


Since
root /var/www/html;
try using:
--webroot-path /var/www/html

Not sure if this is correct, but I ran sudo certbot --webroot-path /var/www/html renew --dry-run and sudo certbot renew --dry-run --webroot-path /var/www/html and both lead to the same error.

How are you directing 80 to 81?

What about your webserver logs, what do they show?
grep well-known log.file

Port forwarding in the router and changing the nginx listening port in the configuration (as above).

Error log has a bunch of these:

2018/05/08 18:40:00 [error] 11567#0: *10785 open() "/var/www/html/.well-known/acme-challenge/JtC1aupOqGL9ycBoP9sBNtXuzpaOJV4WbGbpd9mnuMs" failed (2: No such file or directory), client: 34.213.106.112, server: fritz.debler.net, request: "GET /.well-known/acme-challenge/JtC1aupOqGL9ycBoP9sBNtXuzpaOJV4WbGbpd9mnuMs HTTP/1.1", host: "fritz.debler.net"

Which seems to point at the test files not being written to that directory.

Yes, I’m thinking: force it to go to a specific location, a new location for challenges only.
mkdir /ACMEchallenges

location ~ /.well-known {
allow all;
root /ACMEchallenges/;
}

sudo certbot renew --nginx --dry-run
or
sudo certbot renew --nginx --dry-run -w /ACMEchallenges

I created an ACMEchallenges folder in my home directory and edited the nginx conf accordingly.

The error now points to that location, but is still missing the challenge files.

2018/05/08 20:02:54 [error] 19249#0: *64 open() "/home/sicboy/ACMEchallenges/.well-known/acme-challenge/YA7Qa8cXAc86ABYUlW_giEtyZxTupva_lBQQCsGVFt8" failed (2: No such file or directory), client: 34.213.106.112, server: fritz.debler.net, request: "GET /.well-known/acme-challenge/YA7Qa8cXAc86ABYUlW_giEtyZxTupva_lBQQCsGVFt8 HTTP/1.1", host: "fritz.debler.net"

What I don’t understand is why during the automatic installation certbot was able to create those files, but now for the renewal process it cannot.

/home/sicboy/ACMEchallenges/.well-known/acme-challenge/SOMEFILE
and
/home/sicboy/ACMEchallenges/SOMEFILE
are not the same…
We need to force them to use the same one.
change:
location ~ /.well-known {
allow all;
root /home/sicboy/ACMEchallenges/;
}
to:
location /.well-known/acme-challenge/ {
allow all;
root /home/sicboy/ACMEchallenges/;
}

Had you already done this when you obtained the certificate originally?

If not you may need to add the option to your command: --http-01-port 81

Yes, the redirect was there before I started obtaining the certificate in the first place. The installer seemed to find what it needed.
I just ran the installer again (with the redirection to the ACMEchallenges folder in my home directory) and it installed a new certificate just fine.

server {
        listen 81 default_server;
        server_name fritz.debler.net 192.168.178.36;
        root /var/www/html;
        index index.html index.htm;
        location ~ /.well-known/acme-challenge/ {
                allow all;
                root /home/sicboy/ACMEchallenges/;
        }
}

Same result :frowning:

2018/05/08 20:27:57 [error] 21641#0: *468 open() "/home/sicboy/ACMEchallenges/.well-known/acme-challenge/Lx5amB56Afc9_EFnduUtKQGYE5k8GLFGlehO8p3bcfU" failed (2: No such file or directory), client: 52.29.173.72, server: fritz.debler.net, request: "GET /.well-known/acme-challenge/Lx5amB56Afc9_EFnduUtKQGYE5k8GLFGlehO8p3bcfU HTTP/1.1", host: "fritz.debler.net"

Change:
root /home/sicboy/ACMEchallenges/;
to:
alias /home/sicboy/ACMEchallenges/;
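The root-vs-alias point made above (the two paths are not the same, and alias is what makes them coincide) worked through in code. This is an added example, not certbot's or nginx's own code: it models nginx's prefix-location path mapping, parses the error-log line quoted earlier in the thread, and the function names are my own.

```python
import re
from pathlib import PurePosixPath

# nginx error-log line quoted earlier in this thread (not constructed):
# nginx tried to open() a file under the challenge directory and got ENOENT.
SAMPLE_LOG_LINE = (
    '2018/05/08 20:02:54 [error] 19249#0: *64 open() '
    '"/home/sicboy/ACMEchallenges/.well-known/acme-challenge/'
    'YA7Qa8cXAc86ABYUlW_giEtyZxTupva_lBQQCsGVFt8" failed '
    '(2: No such file or directory), client: 34.213.106.112, '
    'server: fritz.debler.net, request: "GET /.well-known/acme-challenge/'
    'YA7Qa8cXAc86ABYUlW_giEtyZxTupva_lBQQCsGVFt8 HTTP/1.1", host: "fritz.debler.net"'
)

LOG_RE = re.compile(r'open\(\) "(?P<path>[^"]+)" failed .*request: "GET (?P<uri>\S+) HTTP')


def resolve_path(uri, location, directive, value):
    """File nginx opens for `uri` inside a prefix `location` block.

    root:  the whole URI is appended to the root directory.
    alias: only the part of the URI after the location prefix is appended.
    (Prefix locations only; `alias` inside a `~` regex location needs captures.)
    """
    if not uri.startswith(location):
        raise ValueError(f"{uri!r} is not under location {location!r}")
    if directive == "root":
        return str(PurePosixPath(value) / uri.lstrip("/"))
    if directive == "alias":
        return str(PurePosixPath(value) / uri[len(location):])
    raise ValueError(f"unknown directive {directive!r}")


def webroot_file(webroot, token):
    """Where `certbot --webroot -w <webroot>` writes the challenge file."""
    return str(PurePosixPath(webroot) / ".well-known" / "acme-challenge" / token)


def webroot_serves_challenge(directive, location, value, webroot, token):
    """True if the file certbot writes under `webroot` is the file nginx opens."""
    return resolve_path(location + token, location, directive, value) == webroot_file(webroot, token)


def directive_in_effect(log_line, location, value):
    """Infer from an open() failure which directive the block uses: the path
    nginx tried matches either the root-style or the alias-style mapping."""
    m = LOG_RE.search(log_line)
    if not m:
        return None
    for directive in ("root", "alias"):
        if resolve_path(m["uri"], location, directive, value) == m["path"]:
            return directive
    return "unknown"
```

With `root /home/sicboy/ACMEchallenges/` the log line resolves to "root", which is why nginx looks for `.well-known/acme-challenge/` underneath that directory; `alias` drops the prefix, and a webroot-style file layout only matches it when the alias value already ends in `.well-known/acme-challenge`.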

Ok, changing root to alias leads to a port error during the dry run:

Attempting to renew cert (fritz.debler.net) from /etc/letsencrypt/renewal/fritz.debler.net.conf produced an unexpected error: Failed authorization procedure. fritz.debler.net (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://fritz.debler.net:81/.well-known/acme-challenge/5fvdOVuHwmu1jPQKE9E1YFxMzq7HUxHwfziuBASm0b8/: Invalid port in redirect target. Only ports 80 and 443 are supported, not 81. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/fritz.debler.net/fullchain.pem (failure)

Fetching http://fritz.debler.net:81/.well-known/acme-challenge/...
Invalid port in redirect target.
Only ports 80 and 443 are supported, not 81. Skipping.

This is different from before:
Invalid response from http://fritz.debler.net/.well-known/acme-challenge/...

what else has changed?

If only

then revert back

Nothing, only root -> alias. I changed it back and forth again to see if the error message changes, and it does.

I’m kinda stuck on this one.
We need to bring in some fresh minds…
@schoen can you look into this?

I had a look into the letsencrypt.log and found these Python errors, which might help someone else make sense of the failing challenge files:

2018-05-08 13:30:08,080:DEBUG:certbot.renewal:Traceback was:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 422, in handle_renewal_request
    main.renew_cert(lineage_config, plugins, renewal_candidate)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1102, in renew_cert
    _get_and_save_cert(le_client, config, lineage=lineage)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 113, in _get_and_save_cert
    renewal.renew_cert(config, domains, le_client, lineage)
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 297, in renew_cert
    new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 294, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 330, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 79, in handle_authorizations
    self._respond(aauthzrs, resp, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 154, in _respond
    self._poll_challenges(aauthzrs, chall_update, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 220, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)