Certificates cannot be updated


#1

My domain is: www.viteunveto.com

I ran this command:
sudo certbot renew --preferred-challenges http

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/viteunveto.ch.conf

expected /etc/letsencrypt/live/viteunveto.ch/cert.pem to be a symlink
Renewal configuration file /etc/letsencrypt/renewal/viteunveto.ch.conf is broken. Skipping.


Processing /etc/letsencrypt/renewal/www.viteunveto.be-0001.conf

Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.viteunveto.be
Waiting for verification…
Cleaning up challenges
Unable to clean up challenge directory /var/www/html/.well-known/acme-challenge


Processing /etc/letsencrypt/renewal/viteunveto.com-0001.conf

Cert not yet due for renewal

Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.viteunveto.com
Waiting for verification…
Cleaning up challenges
Unable to clean up challenge directory /var/www/html/.well-known/acme-challenge
Attempting to renew cert (www.viteunveto.com-0001) from /etc/letsencrypt/renewal/www.viteunveto.com-0001.conf produced an unexpected error: Failed authorization procedure. www.viteunveto.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.viteunveto.com/.well-known/acme-challenge/Hs5rwuBOCP-n9uo42Wo8DTzzF2FHf6jQsp52DID4Nws: "\r\n403 Forbidden\r\n<body bgcolor="white">\r\n403 Forbidden\r\n". Skipping.

Processing /etc/letsencrypt/renewal/viteunveto.com.conf

expected /etc/letsencrypt/live/viteunveto.com/cert.pem to be a symlink
Renewal configuration file /etc/letsencrypt/renewal/viteunveto.com.conf is broken. Skipping.


Processing /etc/letsencrypt/renewal/www.viteunveto.com.conf

Cert not yet due for renewal
The following certs could not be renewed:
/etc/letsencrypt/live/www.viteunveto.com-0001/fullchain.pem (failure)
/etc/letsencrypt/live/www.viteunveto.ch-0001/fullchain.pem (failure)
/etc/letsencrypt/live/www.viteunveto.fr-0001/fullchain.pem (failure)
/etc/letsencrypt/live/www.viteunveto.be/fullchain.pem (failure)
/etc/letsencrypt/live/viteunveto.fr/fullchain.pem (failure)


The following certs are not due for renewal yet:
/etc/letsencrypt/live/viteunveto.com-0001/fullchain.pem (skipped)
/etc/letsencrypt/live/www.viteunveto.fr/fullchain.pem (skipped)
/etc/letsencrypt/live/load.viteunveto.fr/fullchain.pem (skipped)
/etc/letsencrypt/live/www.viteunveto.ch/fullchain.pem (skipped)
/etc/letsencrypt/live/test.viteunveto.com/fullchain.pem (skipped)
/etc/letsencrypt/live/www.viteunveto.com/fullchain.pem (skipped)
The following certs were successfully renewed:
/etc/letsencrypt/live/www.viteunveto.be-0001/fullchain.pem (success)

The following certs could not be renewed:
/etc/letsencrypt/live/www.viteunveto.com-0001/fullchain.pem (failure)
/etc/letsencrypt/live/www.viteunveto.ch-0001/fullchain.pem (failure)
/etc/letsencrypt/live/www.viteunveto.fr-0001/fullchain.pem (failure)
/etc/letsencrypt/live/www.viteunveto.be/fullchain.pem (failure)
/etc/letsencrypt/live/viteunveto.fr/fullchain.pem (failure)

Additionally, the following renewal configuration files were invalid:
/etc/letsencrypt/renewal/viteunveto.ch.conf (parsefail)
/etc/letsencrypt/renewal/viteunveto.com.conf (parsefail)

5 renew failure(s), 2 parse failure(s)

IMPORTANT NOTES:

My web server is (include version): nginx version: nginx/1.10.3 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 16.04.9

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

Hello, for a few days I have had a problem creating new certificates. Everything worked perfectly until now; I don’t really understand what’s going on…

Here is my nginx configuration as well:

    server {
        listen 80;
        server_name viteunveto.com;

        # Regex location (the "~" modifier) meant to serve ACME challenge files
        # from the webroot. nginx documents "alias" inside a regex location as
        # needing captures in the regex that the alias refers to.
        location ~/.well-known {
            allow all;
            alias /var/www/html/.well-known;
        }

        # Everything else on port 80 is redirected to the https://www. host.
        location / {
            return 301 https://www.$host$request_uri;
        }
    }

    server {
        listen 443 ssl;
        listen [::]:443 ssl;

        client_max_body_size 25M;
        server_name www.viteunveto.com;

        location = /favico.ico {
            root /app/favico.ico;
        }

        # Same challenge location as on port 80.
        location ~/.well-known {
            allow all;
            alias /var/www/html/.well-known;
        }

        # Application behind nginx: all other requests are proxied to it.
        location / {
            proxy_pass http://127.0.0.1:8080;
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Host $server_name;
        }

        ssl_certificate /etc/letsencrypt/live/www.viteunveto.com-0001/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/www.viteunveto.com-0001/privkey.pem;

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 10m;

        ssl_dhparam /etc/nginx/dhparam.pem;
    }


#2

Hi @projeta618

If you use webroot, what’s your webroot entry in your configuration file?

You must fix the 502 error, so that the domain can send the file.

403 means: missing rights. So create a file (file name 1234, without extension), save this file under yourWebroot/.well-known/acme-challenge and try to load this file via a browser:

http://one-domain.com/.well-known/acme-challenge/1234
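A scripted version of the check described in the post above, added here as an example that is not from the original thread: it writes a constructed probe token into the webroot's challenge directory, fetches it over plain HTTP exactly as a validator would, and classifies the response (the 403 seen in the certbot output, a redirect to HTTPS, or a body served by the proxied application instead of the file). The domain, the webroot path and the injectable `fetch` callable are assumptions made for the example.

```python
import os
import secrets
import urllib.error
import urllib.request

CHALLENGE_DIR = ".well-known/acme-challenge"


def write_probe(webroot, token=None):
    """Create <webroot>/.well-known/acme-challenge/<token> containing the token."""
    token = token or secrets.token_urlsafe(16)  # constructed probe value
    path = os.path.join(webroot, CHALLENGE_DIR, token)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(token)
    return token, path


def http_fetch(url):
    """Fetch the URL without following redirects; return (status, body)."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None  # make 30x responses surface as HTTPError
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.getcode(), resp.read().decode(errors="replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode(errors="replace")


def diagnose(status, body, token):
    """Map what the validator would see to the likely misconfiguration."""
    if status == 200 and body.strip() == token:
        return "ok: the file in the webroot is what nginx serves"
    if status == 200:
        return "served by something else (proxy_pass/application), not the webroot file"
    if status in (301, 302, 307, 308):
        return "redirected: the challenge path is caught by the redirect rule"
    if status == 403:
        return "403: nginx refused the request (check permissions and the alias/root mapping)"
    if status == 404:
        return "404: the webroot path does not match what nginx serves"
    return f"unexpected status {status}"


def check_webroot(domain, webroot, fetch=http_fetch):
    """Write a probe, fetch it like the ACME validator, clean up, return a verdict."""
    token, path = write_probe(webroot)
    try:
        status, body = fetch(f"http://{domain}/{CHALLENGE_DIR}/{token}")
        return diagnose(status, body, token)
    finally:
        os.remove(path)
```

Run `check_webroot("www.example.com", "/var/www/html")` on the host, with the webroot set to the same directory the renewal configuration names.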

#3

It looks like you are already handling the challenge requests in the config.
You should probably just remove the webroot use in the renewal configs (/etc/letsencrypt/renewal/).


#4

Thank you for your solution!!
I am saved.


#5

I’m glad you have a solution.
But for those that may read this later, what was the solution?
(you can just mark that post as the solution)


#6

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.