Certificate renewal test fails

Hello,

I have a Flask app running on Google’s Compute Engine and got a domain (lightravel.me) from Porkbun. I configured the IP of the instance to be static, I created all the necessary DNS records in GCP Cloud DNS (name servers for Google Cloud, A records for lightravel.me and www.lightravel.me, and an SOA for Google Cloud domains), added the name servers to the Porkbun records, and then installed Certbot on the server.

The installation of the certificate went without problems, but when I did a dry run test for certificate renewal I got some errors and I can’t figure out what the problem is.

Can anyone give me a hand in figuring out what the problem is and fixing it? Thank you!

My domain is: lightravel.me

I ran this command: sudo certbot renew --dry-run

It produced this output:


Processing /etc/letsencrypt/renewal/lightravel.me.conf


Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.lightravel.me
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (lightravel.me) from /etc/letsencrypt/renewal/lightravel.me.conf produced an unexpected error: Failed authorization procedure. www.lightravel.me (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://lightravel.me/ [34.68.73.142]: "<!doctype html>\n\n\n \n Deals \n \n <script src="https://kit.fontawesome.com/223223d3d8.js" crossorigin="". Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/lightravel.me/fullchain.pem (failure)


** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/lightravel.me/fullchain.pem (failure)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)


1 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:

  • The following errors were reported by the server:
    Domain: www.lightravel.me
    Type: unauthorized
    Detail: Invalid response from https://lightravel.me/
    [34.68.73.142]: "<!doctype html>\n\n\n \n Deals
    \n \n <script
    src="https://kit.fontawesome.com/223223d3d8.js" crossorigin=""
    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

My web server is (include version): Nginx 1.14.0

The operating system my web server runs on is (include version): Ubuntu 18.04 LTS

My hosting provider, if applicable, is: the app runs on Google Compute Engine

I can log in to a root shell on my machine (yes or no, or I don’t know): Yes I can. I use the web SSH client of GCP

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The Certbot version: 0.31.0

Hi @calinbule

Checking your domain, there are different IP addresses and different answers: https://check-your-website.server-daten.de/?q=lightravel.me

Checking /.well-known/acme-challenge, there is a 404, a 301 or a 307:

http://lightravel.me/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 35.160.246.24, Status 404
http://lightravel.me/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 34.68.73.142, Status 301
configuration problem - different ip addresses with different status

http://www.lightravel.me/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 35.160.246.24, Status 307
http://www.lightravel.me/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 34.68.73.142, Status 301
configuration problem - different ip addresses with different status

The result is an http or an https answer.

Normally, authenticator nginx should add a location, so Letsencrypt should not see a redirect. Looks like you have different vHosts with different answers.

Where do you run Certbot? Does Certbot change all IP addresses?
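One way to run the same check yourself, as an added example that is not code from this thread: for every A record of a hostname it requests the http-01 challenge path directly at that address and compares the answers. It assumes dig and curl are installed; the script name and the probe token are hypothetical.

```shell
#!/bin/sh
# Added diagnostic (not from this thread): for each A record of a hostname,
# request the http-01 challenge path directly at that IP, bypassing DNS, and
# compare the answers. The ACME validator may pick any of the A records, so
# "different ip addresses with different status" means some validations fail.

# All IPv4 addresses a hostname resolves to (needs dig from dnsutils/bind-utils).
resolve_a() {
    dig +short A "$1" | grep -E '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$'
}

# Print "ip status" for the challenge path served by one specific address.
# --resolve pins the hostname to that IP while keeping the Host header, which
# is what decides which nginx server block answers.
probe() {
    token="probe-$(date +%s)"   # constructed token; a plain 404 is the good answer
    code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 10 \
        --resolve "$1:80:$2" "http://$1/.well-known/acme-challenge/$token")
    echo "$2 $code"
}

# Read "ip status" lines on stdin. Exit 0 only if every address answered with
# the same status and none of them redirected (3xx) the challenge path.
# Pure text logic, so it can be checked offline with constructed lines.
consistent() {
    awk 'NR == 1 { first = $2 }
         $2 != first { diff = 1 }
         $2 ~ /^3/ { redir = 1 }
         END { if (NR == 0 || diff || redir) exit 1 }'
}

# Probe every A record of one hostname and summarise.
check_host() {
    results=$(for ip in $(resolve_a "$1"); do probe "$1" "$ip"; done)
    [ -n "$results" ] || { echo "$1: no A records found"; return 1; }
    printf '%s\n' "$results"
    if printf '%s\n' "$results" | consistent; then
        echo "$1: all addresses answer alike, no redirect on the challenge path"
    else
        echo "$1: addresses disagree or redirect the challenge path; fix DNS or the vHost"
    fi
}

# Only probes the network when hostnames are given on the command line, e.g.
#   sh check-acme-path.sh lightravel.me www.lightravel.me
for h in "$@"; do check_host "$h"; done
```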

Hi,

First of all, thank you so much for your reply.

I nevertheless need to mention that I’m super new to this, like the-day-before-yesterday-new to Nginx and yesterday-new to Certbot.

Two days ago I was trying to serve the app with Nginx and, for some reason that I have yet to identify, it did not work. Given that I had installed a lot of stuff, not all of which I need, I deleted the instance, created a new one, and then reserved another static IP in Google Cloud. This happened a couple of times. The old IPs, however, I released. Could this be the reason why there are more IPs?

Anyway, I installed Certbot (and the certificate) only after making sure that the application is served and accessible online at the domain address. I passed the link on to some friends and for some of them it did not work. They could not access it due to some Chrome error (ERR_SSL_PROTOCOL_ERROR). I asked them to access it again today and, after clearing cache and temporary files, it seemed to be working. I thought it must have been because the DNS settings were not yet visible, but I’m starting to think that it has more to do with the problems you pointed out.

Another thing I noticed while using the Brave browser is that, while the app is loading for the first time, the browser tells me the connection is not secure, and I’m quite sure this isn’t supposed to happen.

This is only to provide further context to the problem. And now to answer your question: I run Certbot on the GCE instance (Ubuntu 18.04). Until now I had no idea that there are multiple IPs, so I could not say if Certbot changes them. There is something I noticed though: the first time I noticed the error I pointed out in my initial question, inside the error message there was something about the IP starting with 34 (in the link you posted). I checked and noticed that it was not the IP of my current instance, so I ran the command sudo certbot --nginx -d lightravel.me -d www.ightravel.me hoping that the problem was related to that IP and it would be OK once I reinstalled the certificate. It seems that it wasn’t.

Could you please help me further to fix my problem?

Thank you,
Calin
