Creation & renewal fail after upgrade from 1.7.0 to 1.9.0

Two weeks ago I was using certbot 1.7.0 (not installed from snap) and flawlessly created several virtual hosts with valid Let's Encrypt certificates. Since then I upgraded to certbot 1.9.0 and did not create any virtual host until now, and now I notice that creating new SSL certificates from LE is broken, showing the error below, as if the DNS record were not valid; however, the DNS record is valid. There is no problem when I create a virtual host for the current domain on another CentOS server with certbot 1.7.0. Also, the server has already been running certbot for 144 days, so I think there is a problem with the latest certbot (1.9.0).

I'm planning to upgrade to 1.10 using snap, but I'm going to explore more before upgrading, since I'm not convinced that upgrading to 1.10 will solve the problem.

My domain is: teacher.e-ducare.id

I ran this command: certbot --nginx -d teacher.e-ducare.id , certbot renew

It produced this output:

Domain: teacher.e-ducare.id
Type:   unauthorized
Detail: Invalid response from http://teacher.e-ducare.id/.well-known/acme-challenge/gmpfgm3Sr6dHXy7vqLZjnkJhc_32KuHZ9ygknmeoGoo [128.199.96.58]: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body>\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>nginx</center>\r\n"

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.
2020-12-14 17:05:26,697:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/certbot/_internal/auth_handler.py", line 91, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/auth_handler.py", line 180, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
AuthorizationError: Some challenges have failed.

2020-12-14 17:05:26,697:DEBUG:certbot._internal.error_handler:Calling registered functions
2020-12-14 17:05:26,697:INFO:certbot._internal.auth_handler:Cleaning up challenges
2020-12-14 17:05:29,464:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 9, in <module>
    load_entry_point('certbot==1.9.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 15, in main
    return internal_main.main(cli_args)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/main.py", line 1362, in main
    return config.func(config, plugins)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/main.py", line 1108, in run
    certname, lineage)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/main.py", line 122, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/client.py", line 418, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/client.py", line 351, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/client.py", line 398, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/auth_handler.py", line 91, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/auth_handler.py", line 180, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
AuthorizationError: Some challenges have failed.
2020-12-14 17:05:29,465:ERROR:certbot._internal.log:Some challenges have failed.

My web server is (include version): Nginx 1.16.1

The operating system my web server runs on is (include version): CentOS Linux release 7.9.2009

My hosting provider, if applicable, is: DigitalOcean

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.9.0

Hi @adinovic

That's not an upgrade problem; Certbot doesn't understand your config.

What is the output of

nginx -T

I'm not sure if it's an nginx problem, but previously it worked; I even use the same vhost template. I've also tried to remove the new vhost configuration.

user nginx;
pid /var/run/nginx.pid;
worker_processes auto;
worker_rlimit_nofile 65535;

events {
	multi_accept on;
	worker_connections 65535;
}

http {
	charset utf-8;
	sendfile on;
	tcp_nopush on;
	tcp_nodelay on;
	server_tokens off;
	log_not_found off;
	types_hash_max_size 2048;
	client_max_body_size 100M;

	# MIME
	include mime.types;
	default_type application/octet-stream;

	# logging
	access_log /var/log/nginx/access.log;
	error_log /var/log/nginx/error.log warn;

	# SSL
	ssl_session_timeout 1d;
	ssl_session_cache shared:SSL:10m;
	ssl_session_tickets off;

	# Diffie-Hellman parameter for DHE ciphersuites
	ssl_dhparam /etc/nginx/dhparam.pem;

	# Mozilla Intermediate configuration
	ssl_protocols TLSv1.2 TLSv1.3;
	ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;

	# OCSP Stapling
	ssl_stapling on;
	ssl_stapling_verify on;
	resolver 1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=60s;
	resolver_timeout 2s;

	# load configs
	include /etc/nginx/conf.d/*.conf;
	#upstream timeout
	fastcgi_read_timeout 600s;
}
server {
	server_name  teacher.e-ducare.id;
	root   /var/xxx/teacher.e-ducare.id/dist;
	index index.php index.html index.htm;

	error_log   /var/log/nginx/teacher.educare-error.log warn;
	access_log  /var/log/nginx/teacher.educare-access.log;
	#upstream sent too big header
	fastcgi_buffers 16 16k; 
	fastcgi_buffer_size 32k;


	error_page 404 /404.php;
	error_page 500 502 503 504 /50x.html;
	location = /50x.html {
		root /usr/share/nginx/html;
	}

	location / {
		try_files $uri $uri/ =404;
	}

	location ~ /(config) {
		deny all;
		return 404;
	}

	location ~ \.(js|css|png|jpg|gif|swf|ico|pdf|mov|fla|zip|rar)$ {
		try_files $uri =404;
	}

	# favicon.ico
	location = /favicon.ico {
		log_not_found off;
		access_log off;
	}

	# robots.txt
	location = /robots.txt {
		log_not_found off;
		access_log off;
	}

	# assets, media
	location ~* \.(?:css(\.map)?|js(\.map)?|jpe?g|png|gif|ico|cur|heic|webp|tiff?|mp3|m4a|aac|ogg|midi?|wav|mp4|mov|webm|mpe?g|avi|ogv|flv|wmv)$ {
		expires 7d;
		access_log off;
	}

	# svg, fonts
	location ~* \.(?:svgz?|ttf|ttc|otf|eot|woff2?)$ {
		add_header Access-Control-Allow-Origin "*";
		expires 7d;
		access_log off;
	}

	# gzip
	gzip on;
	gzip_vary on;
	gzip_proxied any;
	gzip_comp_level 6;
	gzip_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;

	# security headers
	add_header X-Frame-Options "SAMEORIGIN" always;
	add_header X-XSS-Protection "1; mode=block" always;
	add_header X-Content-Type-Options "nosniff" always;
	add_header Referrer-Policy "no-referrer-when-downgrade" always;
	add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
	add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

	# . files
	location ~ /\.(?!well-known) {
		allow all;
	}
}

Use your root: create the two subdirectories /.well-known/acme-challenge, put a file there (file name 1234), then try to load that file via

http://teacher.e-ducare.id/.well-known/acme-challenge/1234

If that works, use that root as --webroot, see

1 Like
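The self-check suggested above (a token file under the webroot's .well-known/acme-challenge directory, fetched over plain HTTP, which is also what the HTTP-01 validator does), as an added Python example that is not part of the original thread. It stands in for nginx with Python's http.server on localhost so it runs offline; against the real site you would pass http://teacher.e-ducare.id as base_url to webroot_self_check and skip the local server.

```python
import secrets, threading, urllib.error, urllib.request
from functools import partial
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer
from pathlib import Path
from tempfile import TemporaryDirectory

CHALLENGE_DIR = ".well-known/acme-challenge"

def fetch(url, timeout=5):
    """GET url and return (status, body); a 404 is returned, not raised."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read()

def webroot_self_check(webroot, base_url):
    """Write a random token under <webroot>/.well-known/acme-challenge/ and
    check that <base_url>/.well-known/acme-challenge/<token> serves it back."""
    token = secrets.token_urlsafe(32)
    path = Path(webroot) / CHALLENGE_DIR / token
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(token)
    try:
        status, body = fetch(f"{base_url.rstrip('/')}/{CHALLENGE_DIR}/{token}")
        return status == 200 and body.decode(errors="replace").strip() == token
    finally:
        path.unlink(missing_ok=True)  # always clean the token file up

def check_against_local_server(webroot, served_dir):
    """Stand-in for nginx: serve served_dir on an ephemeral localhost port and run
    the self-check against webroot. A wrong webroot gets the same 404 as above."""
    handler = partial(SimpleHTTPRequestHandler, directory=str(served_dir))
    server = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return webroot_self_check(webroot, f"http://127.0.0.1:{server.server_address[1]}")
    finally:
        server.shutdown()
        server.server_close()

def run_demo():
    """Returns (True, False): the right webroot passes, a wrong one fails."""
    with TemporaryDirectory() as right, TemporaryDirectory() as wrong:  # constructed dirs
        return (check_against_local_server(right, right),
                check_against_local_server(right, wrong))

if __name__ == "__main__":
    print("matching webroot, wrong webroot:", run_demo())
```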

Thanks @JuergenAuer. Using
certbot --webroot -w /var/xxx/teacher.e-ducare.id/dist -d teacher.e-ducare.id
it does work. How do I renew the existing vhost? In the renewal configuration, should I change the version and renewal params to use webroot as follows?

   version = 1.7.0 -> 1.9.0
   [renewalparams]
    authenticator = webroot
    account = xxx
    webroot_path = /var/xxx/educare/teacher.e-ducare.id/dist,
    server = https://acme-v02.api.letsencrypt.org/directory
    [[webroot_map]]
    teacher.e-ducare.id = /var/xxx/teacher.e-ducare.id/dist

Or is it better to request a new certificate with webroot?

Certbot should update the config file.

Or you have created a second certificate (001 / 002 etc.).

Thanks. In the end I created all new certificates based on webroot, and then I can use the normal certbot renew to renew all certificates. I still have no clue why certbot nginx coincidentally broke after upgrading to 1.9.0.
