I am trying to create a certificate for secure connection of the domain http://www.nace.network/ I am following this little tutorial https://gorails.com/guides/free-ssl-with-rails-and-nginx-using-let-s-encrypt but when executing ./letsencrypt-auto it shows me the following error:

Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter ‘c’ to cancel): 1
Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.nace.network
Using default addresses 80 and [::]:80 ipv6only=on for authentication.
Waiting for verification…
Challenge failed for domain www.nace.network
http-01 challenge for www.nace.network
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

• The following errors were reported by the server:

  Domain: www.nace.network
  Type: unauthorized
  Detail: Invalid response from
  http://www.nace.network/.well-known/acme-challenge/9i4aKGtb8W08p62S49boVhGoGTnsqgHo-XFcbmdTgbo
  [52.33.85.110]: “\r\n404 Not
  Found\r\n\r\n

  404 Not
  Found

  \r\n

  ---

  nginx\r\n”

  To fix these errors, please make sure that your domain name was
  entered correctly and the DNS A/AAAA record(s) for that domain
  contain(s) the right IP address.

I have verified and the domain name has been entered correctly and the DNS A contains ip 52.33.85.110

my application is made in ruby on rails 5 and is hosted on an AWS server

what could be happening?

That is a red herring - ignore

Your problem is here:

Try placing a test file in the location you should find /.well-known/acme-challenge/ files.
See if you can reach it from the Internet.

@rg305 Thanks for responding, I was able to access the test file from the internet

Did you also get a cert?

I can’t access the certificate, it seems that it doesn’t exist, I’m looking in the folder .well-known/acme-challenge/ and I don’t see it

Only challenges go there.
[which are discards after use]

Please show:
./letsencrypt-auto certificates

Requesting to rerun ./letsencrypt-auto with root privileges…
./letsencrypt-auto has insecure permissions!
To learn how to fix them, visit Certbot-auto deployment best practices
/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/cryptography/hazmat/primitives/constant_time.py:26: CryptographyDeprecationWarning: Support for your Python version is deprecated. The next version of cryptography will remove support. Please upgrade to a release (2.7.7+) that supports hmac.compare_digest as soon as possible.
utils.PersistentlyDeprecated2018,
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Found the following certs:
Certificate Name: nace.network
Domains: nace.network www.nace.network
Expiry Date: 2019-10-25 12:56:10+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/nace.network/fullchain.pem
Private Key Path: /etc/letsencrypt/live/nace.network/privkey.pem
Certificate Name: www.nace.network
Domains: www.nace.network
Expiry Date: 2019-10-25 12:58:39+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/www.nace.network/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.nace.network/privkey.pem

Precisely what command did you originally run earlier? What was the complete output?

Do you have any idea why renewal might have stopped working in the last three months? Changes to the web server setup or configuration?

I have no idea why it stopped working, I have not made changes to the webserver setup or configuration. The command I used was

./letsencrypt-auto

and when I execute it the following appears

Requesting to rerun ./letsencrypt-auto with root privileges…
./letsencrypt-auto has insecure permissions!
To learn how to fix them, visit Certbot-auto deployment best practices
/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/cryptography/hazmat/primitives/constant_time.py:26: CryptographyDeprecationWarning: Support for your Python version is deprecated. The next version of cryptography will remove support. Please upgrade to a release (2.7.7+) that supports hmac.compare_digest as soon as possible.
utils.PersistentlyDeprecated2018,
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx

Which names would you like to activate HTTPS for?

1: www.nace.network

Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter ‘c’ to cancel): 1
Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.nace.network
Using default addresses 80 and [::]:80 ipv6only=on for authentication.
Waiting for verification…
Challenge failed for domain www.nace.network
http-01 challenge for www.nace.network
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

• The following errors were reported by the server:

  Domain: www.nace.network
  Type: unauthorized
  Detail: Invalid response from
  http://www.nace.network/.well-known/acme-challenge/662QKAjJBZnyJoVBKbnuHeJ6RQfMjDd7-OfNSQH3KU0
  [52.33.85.110]: “\r\n404 Not
  Found\r\n\r\n

  404 Not
  Found

  \r\n

  ---

  nginx\r\n”

  To fix these errors, please make sure that your domain name was
  entered correctly and the DNS A/AAAA record(s) for that domain
  contain(s) the right IP address.

So Certbot’s trying to use its nginx plugin, but things aren’t working out somehow.

Can you post the Nginx virtual host for www.nace.network?

Looking at the website’s headers, Varnish and Phusion Passenger seem to be involved. What’s listening on port 80? Nginx?

I don’t remember how much detail /var/log/letsencrypt/letsencrypt.log includes, but does it show that Certbot has found and is modifying the correct virtual host?

@mnordhoff This is the nginx file left by the previous programmer,

server {
listen 8080 default_server;
listen [::]:8080 default_server ipv6only=on;

    server_name www.nace.network;
    passenger_enabled on;
    rails_env production;
    root /home/ubuntu/nace/public;

    # redirect server error pages to the static page /50x.html
    error_page   500 502 503 504  /50x.html;

    location / {
            deny 46.229.168.0;
            deny 51.68.152.0;
    }

    location = /50x.html {
            root   html;
    }

listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/www.nace.network/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/www.nace.network/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot

}

with this command netstat -tulpn | grep :80 it seems that port 80 is not listening to anything
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 14206/nginx: worker
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN -
tcp6 0 0 :::8080 :::* LISTEN 14206/nginx: worker
tcp6 0 0 :::80 :::* LISTEN -

What if you run netstat with sudo?

netstat throws this

Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 ip-172-31-0-204.us:http crawl-66-249-73-3:41666 TIME_WAIT
tcp 0 0 ip-172-31-0-204.us-:ssh 190-36-56-91.dyn.:34172 ESTABLISHED
tcp 32 0 ip-172-31-0-204.u:50467 s3-1.amazonaws.co:https CLOSE_WAIT
tcp 0 0 localhost:http-alt localhost:33718 ESTABLISHED
tcp 0 0 ip-172-31-0-204.us:http crawl-66-249-73-3:37131 TIME_WAIT
tcp 0 0 localhost:33718 localhost:http-alt ESTABLISHED
tcp 0 200 ip-172-31-0-204.us-:ssh 190-36-56-91.dyn.:58148 ESTABLISHED
udp 0 0 localhost:48471 localhost:48471 ESTABLISHED
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags Type State I-Node Path
unix 11 DGRAM 9005 /dev/log
unix 3 STREAM CONNECTED 111532442 /var/run/dbus/system_bus_socket
unix 3 STREAM CONNECTED 7859 /var/run/dbus/system_bus_socket
unix 3 STREAM CONNECTED 111616119
unix 3 STREAM CONNECTED 8758 @/com/ubuntu/upstart
unix 3 STREAM CONNECTED 9015 /var/run/dbus/system_bus_socket
unix 3 STREAM CONNECTED 111615070
unix 3 STREAM CONNECTED 111310283
unix 2 DGRAM 111646618
unix 3 STREAM CONNECTED 111615027
unix 2 DGRAM 111646609
unix 3 STREAM CONNECTED 111615451
unix 3 STREAM CONNECTED 7846
unix 2 DGRAM 50695
unix 3 STREAM CONNECTED 111615064
unix 3 STREAM CONNECTED 7858
unix 3 STREAM CONNECTED 7489 @/com/ubuntu/upstart
unix 3 STREAM CONNECTED 111616553 /var/run/mysqld/mysqld.sock
unix 3 STREAM CONNECTED 111310287 /var/run/dbus/system_bus_socket
unix 3 STREAM CONNECTED 111309799
unix 3 STREAM CONNECTED 7288 @/com/ubuntu/upstart
unix 3 STREAM CONNECTED 111616118
unix 3 STREAM CONNECTED 111533314
unix 2 DGRAM 8094
unix 3 STREAM CONNECTED 111615068
unix 3 STREAM CONNECTED 8947 @/com/ubuntu/upstart
unix 2 DGRAM 10349
unix 3 STREAM CONNECTED 111615065
unix 3 STREAM CONNECTED 7474
unix 2 DGRAM 7888
unix 2 DGRAM 111659641
unix 3 STREAM CONNECTED 111615026
unix 3 DGRAM 8428
unix 3 STREAM CONNECTED 111310284
unix 3 STREAM CONNECTED 8959
unix 3 STREAM CONNECTED 111532439
unix 3 STREAM CONNECTED 1630
unix 2 STREAM CONNECTED 111646607
unix 3 STREAM CONNECTED 111615069
unix 3 STREAM CONNECTED 111532440
unix 3 DGRAM 8429
unix 3 STREAM CONNECTED 111615066
unix 3 STREAM CONNECTED 111615071
unix 3 STREAM CONNECTED 7907
unix 3 STREAM CONNECTED 7659
unix 3 STREAM CONNECTED 8960
unix 2 DGRAM 111310186
unix 2 STREAM CONNECTED 111659639
unix 2 DGRAM 111532301
unix 3 STREAM CONNECTED 111615067

I meant “sudo netstat -tulpn | grep :80”.

tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 9615/nginx
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 1326/varnishd
tcp6 0 0 :::8080 :::* LISTEN 9615/nginx
tcp6 0 0 :::80 :::* LISTEN 1326/varnishd

So it’s Varnish!

It might work if you additionally pass “--http-01-port 8080” to Certbot, along with any other options you’re using.

Thank you very much friend, I was able to renew the certificate with your command, I executed it like this: ./letsencrypt-auto --http-01-port 8080

something curious happens and if I try to access the page from google then it sends me the alert that the site is not safe, until I put the https in the url, I must do something additional so that always access with the https or something ?

You can (should) redirect http to https.

Something more or less like this should work:

RewriteEngine On
RewriteRule ^\.well-known\/acme-challenge\/ - [L]
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]

actually something maybe more like:

  location / {
    return 301 https://$host$request_uri;
  }#location root

But your port 80 and port 443 configs look combined into one.
So I’m not sure how to tell just one config “go to the other config” when they are one and the same.
I would break them up in two, one for http and one for https.
And place the redirection only in the http config (block).

Something like this:

server {
    listen 8080 default_server;
    listen [::]:8080 default_server ipv6only=on;
    server_name www.nace.network;
    root /home/ubuntu/nace/public; #could maybe change this to dummy location like /nul
    location / {
        return 301 https://$host$request_uri;
    }#location
}#server
server {
    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    server_name www.nace.network;
    passenger_enabled on;
    rails_env production;
    root /home/ubuntu/nace/public;
    # redirect server error pages to the static page /50x.html
    error_page   500 502 503 504  /50x.html;
    location / {
            deny 46.229.168.0;
            deny 51.68.152.0;
    }#locatoin
    location = /50x.html {
            root   html;
    }#location
    ssl_certificate /etc/letsencrypt/live/www.nace.network/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/www.nace.network/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
}#server