Change of IP address and domain not available

Hello, I had to restore a snapshot to my server and unfortunately the domain changed. Now the website is not available any more (it's an Odoo 12 installation running on Ubuntu). Can you help me evaluate what the problem is and how to bring the website back to life? I'm not familiar with Let's Encrypt and nginx, so I don't know where to search for the problem.

My Server details are:
certbot 0.31.0
Ubuntu 18.04.3 LTS
nginx/1.14.0 (Ubuntu)
domain is: inkontor.com
Hoster: Hetzner
Access through SSH client

I ran this command: sudo certbot renew --dry-run

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/inkontor.com.conf


Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for inkontor.com
http-01 challenge for www.inkontor.com
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (inkontor.com) from /etc/letsencrypt/renewal/inkontor.com.conf produced an unexpected error: Failed authorization procedure. www.inkontor.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://www.inkontor.com/.well-known/acme-challenge/_5XYDIDbdfy7VuxILcQ2TKRqQTzVEdhryQY3Tz1AZPs: Timeout during connect (likely firewall problem), inkontor.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://inkontor.com/.well-known/acme-challenge/ZzdnPnE2_utSAd2xSOLiNXaCxfsXC0_dWkexhxE0hb8: Timeout during connect (likely firewall problem). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/inkontor.com/fullchain.pem (failure)


** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/inkontor.com/fullchain.pem (failure)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

My web server is (include version): nginx version: nginx/1.14.0 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 18.04.3 LTS

My hosting provider, if applicable, is: Hetzner

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0

1 Like

What is the new IP address of your server?

2 Likes

Hi, it's 116.202.19.89

The domain you’ve posted “inkontor.com” points to 116.203.32.72 - which sounds like it is the old address. You should update DNS for “inkontor.com” and “www.inkontor.com” to reference the new IP (116.202.19.89).

2 Likes

Oh yes, I corrected this now, but my Odoo installation is still not available. It's also not available through the IP address 116.202.19.89.

I have absolutely no idea what you mean by that, but it should be possible to try and renew your certificates with certbot again.

It appears that DNS propagation has now gotten far enough that I can see your site from here. It still contains the expired SSL Certificate (expired 1/4), but is accessible if I accept the risk of that expired certificate. It should be possible now to renew that certificate on your new server.

1 Like

Well, my website isn't available through the IP or through the domain inkontor.com. The output of certbot renew --pre-hook "service nginx stop" --post-hook "service nginx start" is:

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/inkontor.com.conf


Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator webroot, Installer None
Running pre-hook command: service nginx stop
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for inkontor.com
http-01 challenge for www.inkontor.com
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (inkontor.com) from /etc/letsencrypt/renewal/inkontor.com.conf produced an unexpected error: Failed authorization procedure. inkontor.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://inkontor.com/.well-known/acme-challenge/ZDLX3jZdRrFfnCHh3xOYEOGd4r_C0SAXw4dcSBP4Eyk: Connection refused, www.inkontor.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://www.inkontor.com/.well-known/acme-challenge/9b2PpfH4a-lgN8vzqzyHFpU7pdj2EnmyTf1YOVt9iEo: Connection refused. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/inkontor.com/fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/inkontor.com/fullchain.pem (failure)


Running post-hook command: service nginx start
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

Hi, see the output of the renewal process below your post.

You’re using the webroot authenticator. Why are you running those pre- and post-hooks? That doesn’t make sense.

1 Like

Well, I'm not familiar with certbot and that's why I just copied the commands from the certbot website.

To expand on Osiris’ comment, if you use the webroot authentication method, you need to have your web server running when you try to obtain a certificate. Here is a description of this authentication method: https://certbot.eff.org/docs/using.html?highlight=webroot%20path#webroot

It says, among other things, that a certbot webroot request should also contain the certonly parameter. And you should not include either the --pre-hook or --post-hook phrases in your command line.

1 Like

Could you give me an example of such a request?

Why not just run certbot renew again?

This doesn't help.

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/inkontor.com.conf


Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for inkontor.com
http-01 challenge for www.inkontor.com
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (inkontor.com) from /etc/letsencrypt/renewal/inkontor.com.conf produced an unexpected error: Failed authorization procedure. inkontor.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://www.inkontor.com/.well-known/acme-challenge/thuu7onF5JOTqklvfOORTQUmDgXbW0rL0VAotkiAxhQ [116.202.19.89]: "\n404 Not Found\n\nNot Found\n\n\nThe requested URL was", www.inkontor.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://www.inkontor.com/.well-known/acme-challenge/FVyiY7O5-QOTeDrxWrvdMXXqrn9LDPobboQzI4II_BM [116.202.19.89]: "\n404 Not Found\n\nNot Found\n\n\nThe requested URL was". Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/inkontor.com/fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/inkontor.com/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

Well, this is progress. Your server has gone from totally dead to just not being able to serve up the authentication info. You will probably need to create the directories .well-known and .well-known/acme-challenge beneath the root directory for your website. This will give certbot a place to put the challenge responses. And then you should make sure that these directories have the right ownership and permissions set, so that your web server can read files in the .well-known/acme-challenge directory and serve them up when the authentication takes place.

OK, so I ran the command again. But the same error :(

The user rights of the files are:
drwxr-xr-x 2 www-data www-data 4096 Jan 5 2019 public_html
drwxr-xr-x 3 www-data www-data 4096 Jan 13 21:46 .well-known
drwxr-xr-x 2 www-data www-data 4096 Jan 13 22:14 acme-challenge

IMPORTANT NOTES:

In the meantime I restarted the server and it is back now. But without HTTPS …

There is some additional problem here. From my web browser, if I try to look at
https://www.inkontor.com/.well-known/acme-challenges/, I get a 404 error. Similarly, if I look at https://www.inkontor.com/.well-known/, I get a 404 error.

But when I try to look at the top level of your site, https://www.inkontor.com/, I receive a 303 Redirect to https://www.inkontor.com/web, and when the browser tries that, it gets another 303 redirect to https://www.inkontor.com/web/selector.

This looks suspiciously like you have some rewrite rules in your server (or maybe in the root directory for this site), and those rules are directing anyone trying to access the top level of your website down into the hierarchy. The acme challenge will probably follow those redirects the same way my browser did, and find itself not being able to see the challenge files.

If this speculation is correct, I recommend that you add another rewrite rule that will check for the .well-known/acme-challenge request, and not redirect that request. Then your server will probably cough up the challenge responses when asked.

This is my letsencrypt configuration file for the domain. Maybe you might see some problems here?

# Odoo servers

upstream odoo {
    server 127.0.0.1:8069;
}

upstream odoochat {
    server 127.0.0.1:8072;
}

# HTTP -> HTTPS

server {
    listen 80;
    server_name www.inkontor.com inkontor.com;

    include snippets/letsencrypt.conf;
    return 301 https://www.inkontor.com$request_uri;
}

# WWW -> NON WWW (label as posted; this block actually redirects bare inkontor.com to www)

server {
    listen 443 ssl http2;
    server_name inkontor.com;

    ssl_certificate /etc/letsencrypt/live/inkontor.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/inkontor.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/inkontor.com/chain.pem;
    include snippets/ssl.conf;

    return 301 https://www.inkontor.com$request_uri;
}

server {
    listen 443 ssl http2;
    server_name www.inkontor.com;

    proxy_read_timeout 720s;
    proxy_connect_timeout 720s;
    proxy_send_timeout 720s;

    # Proxy headers
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Real-IP $remote_addr;

    # SSL parameters
    ssl_certificate /etc/letsencrypt/live/inkontor.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/inkontor.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/inkontor.com/chain.pem;
    include snippets/ssl.conf;

    # log files
    access_log /var/log/nginx/odoo.access.log;
    error_log /var/log/nginx/odoo.error.log;

    # Handle longpoll requests
    location /longpolling {
        proxy_pass http://odoochat;
    }

    # Handle / requests
    location / {
        proxy_redirect off;
        proxy_pass http://odoo;
    }

    # Cache static files
    location ~* /web/static/ {
        proxy_cache_valid 200 90m;
        proxy_buffering on;
        expires 864000;
        proxy_pass http://odoo;
    }

    # Gzip
    gzip_types text/css text/less text/plain text/xml application/xml application/json application/javascript;
    gzip on;
}
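Added example, not the poster's configuration and not code from the Certbot, nginx or Odoo projects: a port-80 server block that answers the ACME http-01 challenge before redirecting everything else to HTTPS, together with the certonly request asked for earlier in the thread. It rests on one documented nginx behaviour and two assumptions. The behaviour: a `return` written directly in the server context is executed in the server rewrite phase, before any `location` is selected, so the `return 301` in the posted port-80 block fires for every request, including `/.well-known/acme-challenge/...`, and that is consistent with the 404 being served from the https side of the site in the last certbot output. The assumptions: `snippets/letsencrypt.conf` (not shown in the thread) defines the challenge location, which this example replaces with an explicit one, and `/var/www/letsencrypt` is the webroot, which must match both the `root` below and the `webroot_path` recorded in `/etc/letsencrypt/renewal/inkontor.com.conf`.

```nginx
# Added example; replaces only the port-80 server block of the posted config.
# The two port-443 server blocks stay as they are.
#
# Assumption: /var/www/letsencrypt is the webroot certbot writes challenge
# files into (certbot creates <webroot>/.well-known/acme-challenge/<token>).
# The same path must be given to certbot with -w and must be what
# /etc/letsencrypt/renewal/inkontor.com.conf stores as webroot_path.

server {
    listen 80;
    server_name www.inkontor.com inkontor.com;

    # ACME http-01: serve the challenge files as-is and never redirect them.
    # "^~" makes this prefix win over the catch-all location below.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
        default_type "text/plain";
        try_files $uri =404;
    }

    # Everything else goes to HTTPS. The redirect lives inside a location
    # on purpose: a `return` placed directly in the server block runs in
    # the server rewrite phase, before locations are matched, and would
    # also swallow the challenge requests handled above.
    location / {
        return 301 https://www.inkontor.com$request_uri;
    }
}

# Check and apply:
#   nginx -t && systemctl reload nginx
#
# Prove the path is reachable over plain HTTP without following redirects
# (a 200 with body "ok" means nginx served it; a 301 means the redirect still
# wins; a 404 means the root/path does not match where the file was written):
#   mkdir -p /var/www/letsencrypt/.well-known/acme-challenge
#   echo ok > /var/www/letsencrypt/.well-known/acme-challenge/probe
#   curl -si http://inkontor.com/.well-known/acme-challenge/probe
#   curl -si http://www.inkontor.com/.well-known/acme-challenge/probe
#
# Then request the certificate with the webroot authenticator while nginx is
# running, with no --pre-hook/--post-hook:
#   certbot certonly --webroot -w /var/www/letsencrypt \
#       -d inkontor.com -d www.inkontor.com
```

Because the installer is "None", certbot never tells nginx about a new certificate; nginx keeps serving the old file it loaded at startup until it is reloaded. Adding `--deploy-hook "systemctl reload nginx"` to the certonly command stores that hook in the renewal configuration so later `certbot renew` runs (the ones the installed timer triggers) pick the renewed certificate up automatically.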