Error certbot renew, nginx, vue cli

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: rnd.fescom.tech

I ran this command: certbot renew

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/rnd.fescom.tech.conf


Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for rnd.fescom.tech
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (rnd.fescom.tech) from /etc/letsencrypt/renewal/rnd.fescom.tech.conf produced an unexpected error: Failed authorization procedure. rnd.fescom.tech (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://rnd.fescom.tech [194.58.102.94]: "<meta http-equiv=X-UA-Compatible content="IE=edge,chrome=1"><meta name=renderer c". Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/rnd.fescom.tech/fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/rnd.fescom.tech/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: rnd.fescom.tech
    Type: unauthorized
    Detail: Invalid response from https://rnd.fescom.tech
    [194.58.102.94]: "<meta http-equiv=X-UA-Compatible
    content="IE=edge,chrome=1"><meta name=renderer c"

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

My web server is (include version): nginx version: nginx/1.14.1

The operating system my web server runs on is (include version): CentOs 7.5

My hosting provider, if applicable, is: reg.ru

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): VueCli

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0

Nginx.conf

user nginx;
worker_processes 1;

error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;

events {
worker_connections 1024;
}

http {
include /etc/nginx/mime.types;
default_type application/octet-stream;

log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';

access_log /var/log/nginx/access.log main;

sendfile on;
#tcp_nopush on;

keepalive_timeout 65;

#gzip on;

#include /etc/nginx/conf.d/*.conf;

server {
listen 194.58.102.94:80;
server_name "";
return https://rnd.fescom.tech;
}

server {
listen 80 default_server;
return 302 https://rnd.fescom.tech;
}

server {
listen 443 ssl; # managed by Certbot
server_name rnd.fescom.tech www.rnd.fescom.tech;

ssl_certificate /etc/letsencrypt/live/rnd.fescom.tech/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/rnd.fescom.tech/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

location / {
  proxy_pass       http://194.58.102.94:9526;
  proxy_set_header Host $host;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_set_header X-Real-IP $remote_addr;
}

location /api {
  proxy_pass       http://rnd.fescom.tech:3000;
  proxy_set_header Host $host;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_set_header X-Real-IP $remote_addr;
}

location /event-stream {
  proxy_pass       http://rnd.fescom.tech:3000;
  proxy_http_version 1.1;
  proxy_set_header Connection "";
  proxy_read_timeout 24h;
  # proxy_set_header Host $host;
  # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  # proxy_set_header X-Real-IP $remote_addr;
}

}

server {
listen 9526;

location / {
  root   /opt/nodejs/projects/vue-admin-panel/dist;
  index  index.html index.htm;
}

location ~ \.(gif|jpg|png|svg)$ {
  root /opt/nodejs/projects/vue-admin-panel;
}

}

}

Hi @dolgov.denis

checking your domain there is a wrong redirect:

| Domainname | Http-Status | redirect | Sec. | G |
|---|---|---|---|---|
| http://rnd.fescom.tech/ (194.58.102.94) | 302 | https://rnd.fescom.tech | 0.100 | A |
| https://rnd.fescom.tech/ (194.58.102.94) | 200 | | 3.747 | B |
| https://rnd.fescom.tech | 200 | | 3.260 | B |
| http://rnd.fescom.tech/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de (194.58.102.94) | 302 | https://rnd.fescom.tech | 0.100 | A |

If you use http-01 validation, Certbot creates a file in /.well-known/acme-challenge, Letsencrypt checks that file.

But the content is redirected to your /, so Letsencrypt can't find the validation file.

That's wrong:

Add folder and file name to that rule.

PS: A redirect http -> https is ok.

PPS: Something like

return 301 https://rnd.fescom.tech$request_uri;

should do the job.

Hi, @JuergenAuer.
What am I doing wrong?
Add

location ^~ /.well-known/acme-challenge/

to server 80.

server {
    listen 80 default_server;
    return 301 https://rnd.fescom.tech$request_uri;
    #return 302 https://rnd.fescom.tech;

    ssl_certificate /etc/letsencrypt/live/rnd.fescom.tech/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/rnd.fescom.tech/privkey.pem; # managed by Certbot  

    location ^~ /.well-known/acme-challenge/ {
      alias /var/www/acme-challenge/;
    }
  }

Show error:

Attempting to renew cert (rnd.fescom.tech) from /etc/letsencrypt/renewal/rnd.fescom.tech.conf produced an unexpected error: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/rnd.fescom.tech/fullchain.pem (failure)

Why do you have a ssl_certificate in your port 80?

Why do you have two server definitions?

Rechecked your domain ( https://check-your-website.server-daten.de/?q=rnd.fescom.tech ) there is the wrong redirect to / again.

Define a port 80 server block with a server_name and your domain name, so this explicit block is used.
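The port 80 layout the replies point towards, written out as an added example; it is not configuration posted by anyone in the thread, and the webroot directory `/var/www/letsencrypt` is an assumed path that has to match whatever directory the ACME client writes challenge files to.

```nginx
# Added example, not the poster's configuration.
# /var/www/letsencrypt is a hypothetical webroot path.

# BEFORE (the two port 80 blocks from the thread):
#
#   server { listen 194.58.102.94:80; server_name ""; return https://rnd.fescom.tech; }
#   server { listen 80 default_server; return 302 https://rnd.fescom.tech; }
#
# nginx matches the listen address first, so requests arriving on
# 194.58.102.94:80 are handled by the block with the specific listen
# address, and changes made to the "listen 80 default_server" block do not
# apply to them. A server-level "return" also runs before any location is
# selected, so a location placed beside it is never reached. Both redirects
# drop the request path, which sends the challenge URL to the site root.

# AFTER: one port 80 block, named for the domain.
server {
    listen 80;
    server_name rnd.fescom.tech www.rnd.fescom.tech;

    # Challenge requests are answered over plain HTTP and not redirected.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;      # assumed webroot
        default_type text/plain;
        try_files $uri =404;
    }

    # Everything else goes to HTTPS with path and query string preserved.
    location / {
        return 301 https://rnd.fescom.tech$request_uri;
    }
}
```

After `nginx -t` and a reload, `certbot renew --dry-run` exercises the challenge against the staging environment, which is useful here because the production limit on failed authorizations has already been hit.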
