Create certificate Error

My domain is: jwservices.co.nz

I ran this command:
certbot --nginx --agree-tos --redirect --hsts --staple-ocsp --email serveradmin@jwservices.co.nz -d www.jwservices.co.nz

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.jwservices.co.nz
nginx: [error] invalid PID number "" in "/var/run/nginx.pid"
Cleaning up challenges
nginx: [error] invalid PID number "" in "/var/run/nginx.pid"
Encountered exception during recovery:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 75, in handle_authorizations
resp = self._solve_challenges(aauthzrs)
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 139, in _solve_challenges
resp = self.auth.perform(all_achalls)
File "/usr/lib/python3/dist-packages/certbot_nginx/configurator.py", line 1071, in perform
self.restart()
File "/usr/lib/python3/dist-packages/certbot_nginx/configurator.py", line 881, in restart
nginx_restart(self.conf('ctl'), self.nginx_conf)
File "/usr/lib/python3/dist-packages/certbot_nginx/configurator.py", line 1141, in nginx_restart
"nginx restart failed:\n%s\n%s" % (out.read(), err.read()))
certbot.errors.MisconfigurationError: nginx restart failed:
b''
b''

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot/error_handler.py", line 108, in _call_registered
self.funcs-1
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 323, in _cleanup_challenges
self.auth.cleanup(achalls)
File "/usr/lib/python3/dist-packages/certbot_nginx/configurator.py", line 1090, in cleanup
self.restart()
File "/usr/lib/python3/dist-packages/certbot_nginx/configurator.py", line 881, in restart
nginx_restart(self.conf('ctl'), self.nginx_conf)
File "/usr/lib/python3/dist-packages/certbot_nginx/configurator.py", line 1141, in nginx_restart
"nginx restart failed:\n%s\n%s" % (out.read(), err.read()))
certbot.errors.MisconfigurationError: nginx restart failed:
b''
b''
nginx restart failed:
b''
b''

My web server is (include version):
nginx version: nginx/1.19.6

The operating system my web server runs on is (include version):
Debian 10
My hosting provider, if applicable, is:
self hosted
I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 0.31.0

What's the output of:

sudo nginx -t

hi there,

root@reverse-proxy:~# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Thanks.

That's weird. How about this one?

nginx -c /etc/nginx/nginx.conf -s reload

If both those commands run without error, then we might need the full /var/log/letsencrypt/letsencrypt.log file to see what's happening.

hi there,

root@reverse-proxy:~# nginx -c /etc/nginx/nginx.conf -s reload
nginx: [error] invalid PID number "" in "/var/run/nginx.pid"

At this point I'm thinking of rebuilding the VM from scratch and going from there.

Before you do that, it might be worth trying to reset the nginx processes fully. Sometimes forking webservers can get into a tricky state.

apt install psmisc
systemctl stop nginx
killall -9 nginx
systemctl start nginx

... then after that's done, try that one again:

nginx -c /etc/nginx/nginx.conf -s reload
2 Likes

hi there,

I have tried the commands you gave and retried the command :
certbot --nginx --agree-tos --redirect --hsts --staple-ocsp --email serveradmin@jwservices.co.nz -d www.jwservices.co.nz

It has now given me the following, so at least that's new:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.jwservices.co.nz
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. www.jwservices.co.nz (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://www.jwservices.co.nz/.well-known/acme-challenge/KutAqNW62b6bnoWjwIDicGveOxaCqKOBbS17TXi5LXU [203.94.38.179]: "\r\n502 Bad Gateway\r\n\r\n502 Bad Gateway\r\nnginx/1.19.6"

IMPORTANT NOTES:

I have checked my public IP and it is correct. Do I need to change the web server's permissions?

That's a headscratcher for sure.

If you had a newer version of Certbot (i.e. from snaps) I'd have another suggestion you could try, but it's not available on Certbot 0.30.0.

One thing you could try would be to use the webroot authenticator instead (while still using the nginx installer), but you might need to modify your nginx virtualhost a little bit:

location /.well-known/acme-challenge/ {
    root /var/www/html;
}

and

certbot -a webroot -w /var/www/html -i nginx --agree-tos --redirect --hsts --staple-ocsp --email serveradmin@jwservices.co.nz -d www.jwservices.co.nz

Hi there,

This is using nginx as a reverse proxy, here is the current configuration from /etc/nginx/conf.d

server {
    server_name www.jwservices.co.nz;

    # use a variable to store the upstream proxy
    set $web 10.1.1.12;

    # Security / XSS Mitigation Headers
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options "nosniff";

    location / {
        # Proxy main web traffic
        proxy_pass http://$web;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Protocol $scheme;
        proxy_set_header X-Forwarded-Host $http_host;

        # Disable buffering when the nginx proxy gets very resource heavy upon streaming
        proxy_buffering off;
    }

    listen [::]:443 ssl; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/www.jwservices.co.nz/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/www.jwservices.co.nz/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    add_header Strict-Transport-Security "max-age=31536000" always; # managed by Certbot

    ssl_trusted_certificate /etc/letsencrypt/live/www.jwservices.co.nz/chain.pem; # managed by Certbot
    ssl_stapling on; # managed by Certbot
    ssl_stapling_verify on; # managed by Certbot
}

server {
    if ($host = www.jwservices.co.nz) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    listen 80;
    listen [::]:80;
    server_name www.jwservices.co.nz;

    # use a variable to store the upstream proxy
    set $web 10.1.1.142;

    # Security / XSS Mitigation Headers
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options "nosniff";

    location / {
        # Proxy main web traffic
        proxy_pass http://$web;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Protocol $scheme;
        proxy_set_header X-Forwarded-Host $http_host;

        # Disable buffering when the nginx proxy gets very resource heavy upon streaming
        proxy_buffering off;
    }
}

How did it get from HTTP to HTTPS request?
[You must have some redirect in place]
I see it now in your post above.

Perhaps you could try using --webroot authentication instead of --nginx

OR
This modification alone might do the trick:

[I would use a more unique root path - but I'm a security freak!]

Hi there, it seems I gave my reply at the same time as your post. Should I add the code you suggested into the nginx conf?

Definitely.
You can add it to both server blocks without much worry.
Yes, you may only need it in the port 80 block (today).
But you never know... one day you might use a CDN like CloudFlare and then things might just stop renewing.
[better safe than sorry - cover all bases - absolutely harmless code (when a dedicated path is used)]

Hi there,

I tried adding the code to both blocks and it still gives the same error.

You also need to add it to the block which is responding for jwservices.co.nz.

www.jwservices.co.nz looks correct, but the same request to jwservices.co.nz fails.

1 Like
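The advice above comes down to "every server block that proxies traffic needs its own /.well-known/acme-challenge/ location, including the 443 block the --redirect sends the validator to". The following is an added example, not code from the thread or from Certbot: a small checker that reads nginx config text (such as the output of nginx -T) and lists the server blocks that lack that location. The embedded config, hostnames and upstream address are constructed placeholders.

```python
"""Flag nginx server blocks that would proxy the ACME http-01 token upstream."""
import re

ACME_PATH = "/.well-known/acme-challenge/"

# Constructed sample in the shape of the reverse-proxy config discussed above
# (hostnames and upstream IP are placeholders, not the thread's values).
SAMPLE_CONFIG = """
http {
    server {
        listen 80; listen [::]:80;
        server_name www.example.test;
        location /.well-known/acme-challenge/ { root /var/www/html; }
        location / { proxy_pass http://10.0.0.5; }
    }
    server {
        listen 80;
        server_name example.test;
        location / { proxy_pass http://10.0.0.5; }   # token is proxied upstream
    }
    server {
        listen 443 ssl;
        server_name www.example.test;
        location / { proxy_pass http://10.0.0.5; }   # reached via the 301 redirect
    }
}
"""

def parse_server_blocks(config):
    """One dict per server block: server_name, listen and location arguments.
    Naive tokeniser (comments stripped, split on { ; }); fine for nginx -T."""
    blocks, depth, cur, start = [], 0, None, 0
    for raw in re.findall(r"[^{};]+[{;]|}", re.sub(r"#.*", "", config)):
        tok = raw.strip()
        parts = tok[:-1].split()            # directive name + args ("}" -> [])
        if tok == "}":
            depth -= 1
            if cur is not None and depth == start:   # server block closed
                blocks.append(cur)
                cur = None
        elif tok.endswith("{"):
            if cur is None and parts[:1] == ["server"]:
                cur, start = {"server_name": [], "listen": [], "locations": []}, depth
            elif cur is not None and parts[:1] == ["location"]:
                cur["locations"].append(parts[-1])
            depth += 1
        elif cur is not None and depth == start + 1 and parts[:1] and parts[0] in ("server_name", "listen"):
            cur[parts[0]].extend(parts[1:])
    return blocks

def blocks_missing_acme_location(config):
    """Server names of blocks with no dedicated ACME location: there the token
    request falls through to proxy_pass and the upstream answers 404 or 502,
    exactly what the validator reported. 443 blocks count too (--redirect)."""
    return [" ".join(b["server_name"]) or "(no server_name)"
            for b in parse_server_blocks(config) if ACME_PATH not in b["locations"]]

if __name__ == "__main__":
    print("server blocks lacking an ACME location:", blocks_missing_acme_location(SAMPLE_CONFIG))
```

To check a live server, feed it the real config with `blocks_missing_acme_location(subprocess.check_output(["nginx", "-T"], stderr=subprocess.STDOUT, text=True))`.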

I did add the code to the jwservices.co.nz nginx conf and still have the same error.

If it is not too long, maybe you can post your nginx config and we can help you find where the problem is:
nginx -T

hi there,

Here is a link to my nginx configuration.

https://1drv.ms/u/s!AnddMQ3SuG0tjlDgDrac-NGws_sP?e=iMY0Qc

I haven't found anything obviously wrong with the config.
What is the exact error that you are getting?

Here is the command and the error code; the IP address is correct.

root@reverse-proxy:~# certbot --nginx --agree-tos --redirect --hsts --staple-ocsp --email serveradmin@jwservices.co.nz -d www.jwservices.co.nz

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.jwservices.co.nz
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. www.jwservices.co.nz (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://www.jwservices.co.nz/.well-known/acme-challenge/E8cRotkrnOFVq1LYIwpB-S22jwbY6e-SkGDRjm6UDrQ [203.94.38.179]: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body>\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>nginx/1.19.6</ce"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: www.jwservices.co.nz
   Type:   unauthorized
   Detail: Invalid response from
   https://www.jwservices.co.nz/.well-known/acme-challenge/E8cRotkrnOFVq1LYIwpB-S22jwbY6e-SkGDRjm6UDrQ
   [203.94.38.179]: "<html>\r\n<head><title>404 Not
   Found</title></head>\r\n<body>\r\n<center><h1>404 Not
   Found</h1></center>\r\n<hr><center>nginx/1.19.6</ce"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

You should probably switch to --webroot authentication.

certbot -i nginx \
--agree-tos \
--redirect \
--hsts \
--staple-ocsp \
--email serveradmin@jwservices.co.nz \
-a webroot -w /var/www/html \
-d www.jwservices.co.nz