Certs expired and now failure on renewal

Nephilimi · July 16, 2018, 8:39pm

Just realized my sites are reporting expired certificates, which I thought was odd. So I went in and ran renew and received the following errors. The last section asking me to check my A records seems odd as the sites are all presently working. You can’t see three of them because they are behind basic authentication but wcexample.harrisisi.com is accessible.

The only thing I see that’s odd is /etc/letsencrypt/live/engtest.harrisisi.com/fullchain.pem (failure) refers to a test site we had but no longer have in nginx, or need. Maybe that needs to be cleaned up?

My domain is: eng.harrisisi.com, forum.harrisisi.com, tech.harrisisi.com, wcexample.harrisisi.com
I ran this command: sudo certbot renew
It produced this output: below
My web server is (include version): Nginx 1.12.2
The operating system my web server runs on is (include version): Ubuntu 16.04
My hosting provider, if applicable, is: Self
I can login to a root shell on my machine (yes or no, or I don’t know): YES
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): NO

 sudo certbot renew
[sudo] password for :
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/eng.harrisisi.com.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for eng.harrisisi.com
tls-sni-01 challenge for forum.harrisisi.com
tls-sni-01 challenge for tech.harrisisi.com
tls-sni-01 challenge for wcexample.harrisisi.com
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (eng.harrisisi.com) from /etc/letsencrypt/renewal/eng.harrisisi.com.conf produced an unexpecte        d error: Failed authorization procedure. eng.harrisisi.com (tls-sni-01): urn:acme:error:unauthorized :: The client lack        s sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 4873cb81fdec6dbb7e7f        0e9b02066d60.1f6c02d4f1f82e075a09c26c0882cb0a.acme.invalid from 165.166.237.234:443. Received 2 certificate(s), first c        ertificate had names "eng.harrisisi.com, forum.harrisisi.com, tech.harrisisi.com, wcexample.harrisisi.com", tech.harris        isi.com (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation         certificate for tls-sni-01 challenge. Requested 88151d24571fec306daade28c4df8adb.f0ec4f2d6fc09935d51cf4a02eb1f7a5.acme.        invalid from 165.166.237.234:443. Received 2 certificate(s), first certificate had names "eng.harrisisi.com, forum.harr        isisi.com, tech.harrisisi.com, wcexample.harrisisi.com", wcexample.harrisisi.com (tls-sni-01): urn:acme:error:unauthori        zed :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requeste        d 1bb7e5388e5674903ff18a4d62d44047.0fac1d4fcfcaa0e0e8224be65020faa3.acme.invalid from 165.166.237.234:443. Received 2 c        ertificate(s), first certificate had names "eng.harrisisi.com, forum.harrisisi.com, tech.harrisisi.com, wcexample.harri        sisi.com", forum.harrisisi.com (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :        : Incorrect validation certificate for tls-sni-01 challenge. Requested 9f1600d6725bb646eba7fe7ba6aa9a5c.66fbf068b0639d0        40931fab0adf2d752.acme.invalid from 165.166.237.234:443. Received 2 certificate(s), first certificate had names "eng.ha        rrisisi.com, forum.harrisisi.com, tech.harrisisi.com, wcexample.harrisisi.com". Skipping.

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/engtest.harrisisi.com.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for engtest.harrisisi.com
tls-sni-01 challenge for forumtest.harrisisi.com
tls-sni-01 challenge for techtest.harrisisi.com
tls-sni-01 challenge for wcexample.harrisisi.com
Cleaning up challenges
Attempting to renew cert (engtest.harrisisi.com) from /etc/letsencrypt/renewal/engtest.harrisisi.com.conf produced an u        nexpected error: Could not automatically find a matching server block. Set the `server_name` directive to use the Nginx         installer.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/eng.harrisisi.com/fullchain.pem (failure)
  /etc/letsencrypt/live/engtest.harrisisi.com/fullchain.pem (failure)

-------------------------------------------------------------------------------

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/eng.harrisisi.com/fullchain.pem (failure)
  /etc/letsencrypt/live/engtest.harrisisi.com/fullchain.pem (failure)
-------------------------------------------------------------------------------
2 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: eng.harrisisi.com
   Type:   unauthorized
   Detail: Incorrect validation certificate for tls-sni-01 challenge.
   Requested
   4873cb81fdec6dbb7e7f0e9b02066d60.1f6c02d4f1f82e075a09c26c0882cb0a.acme.invalid
   from 165.166.237.234:443. Received 2 certificate(s), first
   certificate had names "eng.harrisisi.com, forum.harrisisi.com,
   tech.harrisisi.com, wcexample.harrisisi.com"

   Domain: tech.harrisisi.com
   Type:   unauthorized
   Detail: Incorrect validation certificate for tls-sni-01 challenge.
   Requested
   88151d24571fec306daade28c4df8adb.f0ec4f2d6fc09935d51cf4a02eb1f7a5.acme.invalid
   from 165.166.237.234:443. Received 2 certificate(s), first
   certificate had names "eng.harrisisi.com, forum.harrisisi.com,
   tech.harrisisi.com, wcexample.harrisisi.com"

   Domain: wcexample.harrisisi.com
   Type:   unauthorized
   Detail: Incorrect validation certificate for tls-sni-01 challenge.
   Requested
   1bb7e5388e5674903ff18a4d62d44047.0fac1d4fcfcaa0e0e8224be65020faa3.acme.invalid
   from 165.166.237.234:443. Received 2 certificate(s), first
   certificate had names "eng.harrisisi.com, forum.harrisisi.com,
   tech.harrisisi.com, wcexample.harrisisi.com"

   Domain: forum.harrisisi.com
   Type:   unauthorized
   Detail: Incorrect validation certificate for tls-sni-01 challenge.
   Requested
   9f1600d6725bb646eba7fe7ba6aa9a5c.66fbf068b0639d040931fab0adf2d752.acme.invalid
   from 165.166.237.234:443. Received 2 certificate(s), first
   certificate had names "eng.harrisisi.com, forum.harrisisi.com,
   tech.harrisisi.com, wcexample.harrisisi.com"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

stevenzhu · July 16, 2018, 8:57pm

Hi,

It seems that there are some trouble renewing via TLS-SNI-01, (although i'm not sure why the problem occur, but this issue might be related to nginx setup & TLS-SNI-01 being depreciated) you could always try renew via http-01...

just run the certbot renew with argument --preferred-challenges http

sample command
sudo certbot renew --preferred-challenges http

Thank you

P.S.

Certbot can't find a correct virtual host with this name... You may want to check your nginx config..

Nephilimi · July 18, 2018, 11:13am

First off all the sites with “test” in their names have been removed. Certbot can’t clean itself up with sites that were removed from nginx? Should I just delete /etc/letsencrypt/live/engtest.harrisisi.com/fullchain.pem?

Still failing with the new challenge. To repeat all these sites are working, just (correctly) showing an expired cert.

Question; will basic authentication kill this type of challenge? Hope not and it doesn’t seem to change the error on wcexample site that doesn’t have basic authentication blocking it.

 sudo certbot renew --preferred-challenges http
[sudo] password for :
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/eng.harrisisi.com.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for eng.harrisisi.com
http-01 challenge for forum.harrisisi.com
http-01 challenge for tech.harrisisi.com
http-01 challenge for wcexample.harrisisi.com
Using default address 80 for authentication.
Using default address 80 for authentication.
Using default address 80 for authentication.
Using default address 80 for authentication.
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (eng.harrisisi.com) from /etc/letsencrypt/renewal/eng.harrisisi.com.conf produced an unexpected error: Failed authorization procedure. eng.harrisisi.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://eng.harrisisi.com/.well-known/acme-challenge/dIrJFzQxZD8LdkIseVj8ocDVtYcInSHPbpZt0rwNms8: "<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>", tech.harrisisi.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://tech.harrisisi.com/.well-known/acme-challenge/nc760JXgAVnKBl-Xeq_wx84QG2qZ2guvjks3HZVq8z0: "<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>", wcexample.harrisisi.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://wcexample.harrisisi.com/.well-known/acme-challenge/wrRFomLNHhGz_B1z6UVpSFwyVAKNTHuRrQDEVJH1nNs: "<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>", forum.harrisisi.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://forum.harrisisi.com/.well-known/acme-challenge/4W9gDGjtDZQ5RKW6oDAZQda3OGlKFP_sIbiwo4aScCo: "<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>". Skipping.

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/engtest.harrisisi.com.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for engtest.harrisisi.com
http-01 challenge for forumtest.harrisisi.com
http-01 challenge for techtest.harrisisi.com
http-01 challenge for wcexample.harrisisi.com
Using default address 80 for authentication.
Using default address 80 for authentication.
Using default address 80 for authentication.
Using default address 80 for authentication.
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (engtest.harrisisi.com) from /etc/letsencrypt/renewal/engtest.harrisisi.com.conf produced an unexpected error: Failed authorization procedure. techtest.harrisisi.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://techtest.harrisisi.com/.well-known/acme-challenge/RTvAQBgimL6mMuoXrE84yHLEAAyl28zAVxIT8mP0GXU: "<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>", forumtest.harrisisi.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://forumtest.harrisisi.com/.well-known/acme-challenge/Zuw2YkeaAyG5w1oo7x0-kG7sthf_sMCWGoCd9_6icBQ: "<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>", wcexample.harrisisi.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://wcexample.harrisisi.com/.well-known/acme-challenge/lwyj5tuPHOyX42hMAoex8gHS0MRdLK0acxe3zvUZw-s: "<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>", engtest.harrisisi.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://engtest.harrisisi.com/.well-known/acme-challenge/oOXHhdfA-12UMo-MPscT8hQKSkpSIpipOFt27kzJv4o: "<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>". Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/eng.harrisisi.com/fullchain.pem (failure)
  /etc/letsencrypt/live/engtest.harrisisi.com/fullchain.pem (failure)

-------------------------------------------------------------------------------

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/eng.harrisisi.com/fullchain.pem (failure)
  /etc/letsencrypt/live/engtest.harrisisi.com/fullchain.pem (failure)
-------------------------------------------------------------------------------
2 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: eng.harrisisi.com
   Type:   unauthorized
   Detail: Invalid response from
   http://eng.harrisisi.com/.well-known/acme-challenge/dIrJFzQxZD8LdkIseVj8ocDVtYcInSHPbpZt0rwNms8:
   "<html>
   <head><title>404 Not Found</title></head>
   <body bgcolor="white">
   <center><h1>404 Not Found</h1></center>
   <hr><center>"

   Domain: tech.harrisisi.com
   Type:   unauthorized
   Detail: Invalid response from
   http://tech.harrisisi.com/.well-known/acme-challenge/nc760JXgAVnKBl-Xeq_wx84QG2qZ2guvjks3HZVq8z0:
   "<html>
   <head><title>404 Not Found</title></head>
   <body bgcolor="white">
   <center><h1>404 Not Found</h1></center>
   <hr><center>"

   Domain: wcexample.harrisisi.com
   Type:   unauthorized
   Detail: Invalid response from
   http://wcexample.harrisisi.com/.well-known/acme-challenge/wrRFomLNHhGz_B1z6UVpSFwyVAKNTHuRrQDEVJH1nNs:
   "<html>
   <head><title>404 Not Found</title></head>
   <body bgcolor="white">
   <center><h1>404 Not Found</h1></center>
   <hr><center>"

   Domain: forum.harrisisi.com
   Type:   unauthorized
   Detail: Invalid response from
   http://forum.harrisisi.com/.well-known/acme-challenge/4W9gDGjtDZQ5RKW6oDAZQda3OGlKFP_sIbiwo4aScCo:
   "<html>
   <head><title>404 Not Found</title></head>
   <body bgcolor="white">
   <center><h1>404 Not Found</h1></center>
   <hr><center>"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
 - The following errors were reported by the server:

   Domain: techtest.harrisisi.com
   Type:   unauthorized
   Detail: Invalid response from
   http://techtest.harrisisi.com/.well-known/acme-challenge/RTvAQBgimL6mMuoXrE84yHLEAAyl28zAVxIT8mP0GXU:
   "<html>
   <head><title>404 Not Found</title></head>
   <body bgcolor="white">
   <center><h1>404 Not Found</h1></center>
   <hr><center>"

   Domain: forumtest.harrisisi.com
   Type:   unauthorized
   Detail: Invalid response from
   http://forumtest.harrisisi.com/.well-known/acme-challenge/Zuw2YkeaAyG5w1oo7x0-kG7sthf_sMCWGoCd9_6icBQ:
   "<html>
   <head><title>404 Not Found</title></head>
   <body bgcolor="white">
   <center><h1>404 Not Found</h1></center>
   <hr><center>"

   Domain: wcexample.harrisisi.com
   Type:   unauthorized
   Detail: Invalid response from
   http://wcexample.harrisisi.com/.well-known/acme-challenge/lwyj5tuPHOyX42hMAoex8gHS0MRdLK0acxe3zvUZw-s:
   "<html>
   <head><title>404 Not Found</title></head>
   <body bgcolor="white">
   <center><h1>404 Not Found</h1></center>
   <hr><center>"

   Domain: engtest.harrisisi.com
   Type:   unauthorized
   Detail: Invalid response from
   http://engtest.harrisisi.com/.well-known/acme-challenge/oOXHhdfA-12UMo-MPscT8hQKSkpSIpipOFt27kzJv4o:
   "<html>
   <head><title>404 Not Found</title></head>
   <body bgcolor="white">
   <center><h1>404 Not Found</h1></center>
   <hr><center>"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

_az · July 18, 2018, 11:20am

It’s strange that the nginx authenticator would fail like that.

Based on how your server responds, you have some special exclusion for /.well-known/acme-challenge from the basic auth, right?

Would you please be able to share that configuration? It may be causing the directive that the nginx authenticator temporarily adds to not be invoked, which looks something like:

location = /.well-known/acme-challenge/xxx {
    default_type text/plain;
    return 200 'xxx.xxx';
}

Nephilimi · July 18, 2018, 11:45am

I let certbot handle the nginx config changes and it added something similar to what you quote. I might be mistaken but I could have sworn we had authentication before exposing it to the public internet in test and again I am certain we had basic authentication in place when we switched from the test names to the production names and redid the challenge for the new sites. Also just remembered the forum isn’t behind basic auth either.

 cat nginx.conf

user  www-data;
worker_processes  1;

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

#pid        logs/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       mime.types;
    default_type  application/octet-stream;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;

    sendfile        off;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    #gzip  on;

        ldap_server adds {
			Things
        }



server {
listen 80;
        #server_name engtest.harrisisi.com techtest.harrisisi.com forumtest.harrisisi.com;
        return 301 https://$host$request_uri;
}
server {
        listen 443 ssl; # managed by Certbot
        server_name eng.harrisisi.com;
        if ($scheme != "https") {
                return 301 https://$host$request_uri;
        } # managed by Certbot
        location / {
                # message shown when accessing this location
                auth_ldap "Enter AD credentials e.g. 'username' with no prefix";
                # LDAP block 'adds' I defined earlier
                auth_ldap_servers adds;
                proxy_pass http://numbers:80/;
                proxy_buffering off;
                proxy_set_header Host $http_host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
                #auth_basic "Username and Password Required";
                #auth_basic_user_file /etc/nginx/.htpasswd;
        }
        #### Let's Encrypt dir to challenge
        location /.well-known/acme-challenge/ {
                root /var/www/mydomain;
        }
    ssl_certificate /etc/letsencrypt/live/eng.harrisisi.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/eng.harrisisi.com/privkey.pem; # managed by Certbot



}
server {
        listen 443 ssl; # managed by Certbot
        server_name tech.harrisisi.com;
        if ($scheme != "https") {
                return 301 https://$host$request_uri;
        } # managed by Certbot
        location / {
                # message shown when accessing this location
                auth_ldap "Enter AD credentials e.g. 'username' with no prefix";
                # LDAP block 'adds' I defined earlier
                auth_ldap_servers adds;
                proxy_pass http://numbers:80/;
                proxy_buffering off;
                proxy_set_header Host $http_host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
                #auth_basic "Username and Password Required";
                #auth_basic_user_file /etc/nginx/.htpasswd;
        }
        #### Let's Encrypt dir to challenge
        location /.well-known/acme-challenge/ {
                root /var/www/mydomain;
        }
    ssl_certificate /etc/letsencrypt/live/eng.harrisisi.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/eng.harrisisi.com/privkey.pem; # managed by Certbot



}

server {
        listen 443 ssl; # managed by Certbot
        server_name forum.harrisisi.com;
        if ($scheme != "https") {
                return 301 https://$host$request_uri;
        } # managed by Certbot
        location / {
                        # message shown when accessing this location
                        #auth_ldap "Enter AD credentials e.g. 'username' with no prefix";
                        # LDAP block 'adds' I defined earlier
                        #auth_ldap_servers adds;
                        proxy_pass http://numbers:80/phpBB3/;
            proxy_buffering off;
            proxy_set_header Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            #auth_basic "Username and Password Required";
            #auth_basic_user_file /etc/nginx/.htpasswd;
        }
        #### Let's Encrypt dir to challenge
        location /.well-known/acme-challenge/ {
                root /var/www/mydomain;
        }
    ssl_certificate /etc/letsencrypt/live/eng.harrisisi.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/eng.harrisisi.com/privkey.pem; # managed by Certbot



}


server {
        listen 443 ssl; # managed by Certbot
        server_name wcexample.harrisisi.com;
        if ($scheme != "https") {
                return 301 https://$host$request_uri;
        } # managed by Certbot
        location / {
                        # message shown when accessing this location
                        #auth_ldap "Enter AD credentials e.g. 'username' with no prefix";
                        # LDAP block 'adds' I defined earlier
                        #auth_ldap_servers adds;
                        # --------bypass user prompt for this one thing now, it has it's own user-------
                        proxy_pass http://numbers:11000/;
            proxy_buffering off;
            proxy_set_header Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            #auth_basic "Username and Password Required";
            #auth_basic_user_file /etc/nginx/.htpasswd;
        }
        #### Let's Encrypt dir to challenge
        location /.well-known/acme-challenge/ {
                root /var/www/mydomain;
        }
    ssl_certificate /etc/letsencrypt/live/eng.harrisisi.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/eng.harrisisi.com/privkey.pem; # managed by Certbot


}



}

_az · July 18, 2018, 12:00pm

To be honest I’m not sure how Certbot would handle a config like that (one 80 listener).

You can test what config changes Certbot makes during authentication by opening in one terminal:

tail -F /etc/nginx/nginx.conf

and in another terminal:

certbot renew --cert-name eng.harrisisi.com --dry-run

When Cerbot runs, tail should reveal where Certbot is placing the authenticator block. I suspect it is getting confused and putting it in the wrong place.

(Edit: it also occurs to me that you can just make Certbot use your nominated webroot and avoid the trouble.

certbot renew --cert-name eng.harrisisi.com -a webroot -w /var/www/mydomain --dry-run

)

Nephilimi · July 18, 2018, 12:16pm

That was it, the dry run you proposed in your edit worked. So I ran it again without the dry run and renewed the domains successfully. So knowing that I now need to make a permanent change somewhere right? That webroot path is different in a config somewhere??

 sudo certbot renew --cert-name eng.harrisisi.com -a webroot -w /var/www/mydomain
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/eng.harrisisi.com.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for eng.harrisisi.com
http-01 challenge for forum.harrisisi.com
http-01 challenge for tech.harrisisi.com
http-01 challenge for wcexample.harrisisi.com
Using the webroot path /var/www/mydomain for all unmatched domains.
Waiting for verification...
Cleaning up challenges

-------------------------------------------------------------------------------
new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/eng.harrisisi.com/fullchain.pem
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/eng.harrisisi.com/fullchain.pem (success)
-------------------------------------------------------------------------------

_az · July 18, 2018, 12:17pm

Renewing with altered parameters saves the changes automatically.

if you look in /etc/letsencrypt/renewal/*.conf, you'll see that the authenticator parameters we passed in with that command have been saved to disk.

The nginx authenticator wasn't actually saving to your webroot at all, it was using a custom location block with a static response, like in my earlier post - but it wasn't working for you. What we've done is replaced the nginx authenticator with the less fancy webroot authenticator.

Nephilimi · July 18, 2018, 12:50pm

Thanks for that path, I see what you mean and that’s genuinely helpful.

I have both eng.harrisisi.com.conf engtest.harrisisi.com.conf in that folder. The test one is old and contains domains that are no longer in the current nginx config, should I delete it? Or is there a more appropriate way to clean it up, or maybe not necessary?

_az · July 18, 2018, 12:52pm

If you are sure you want to delete it:

certbot delete --cert-name engtest.harrisisi.com

Just make sure that nginx isn’t configured to rely on that certificate anymore, as nginx will refuse to start if it refers to non-existent certificates.

system · August 17, 2018, 12:52pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Renewal is failing Help	18	3166	May 14, 2022
Novice User Choking on renew Help	13	1296	February 29, 2020
Cert expired. when renew, the message is Help	7	2898	April 5, 2017
Sudo Certbot renew failed Help	4	748	August 19, 2020
Having trouble renewing Help	20	3329	April 26, 2018

Certs expired and now failure on renewal

Related topics