Error on sudo certbot renew --dry-run

When I open “http://cep.************.com/.well-known/acme-challenge/W8mZnUe-RGvVQBpllM-9q_QLn4w0g0zQpxChnXS9u0U” on my laptop, Safari says:

Safari can’t open page because the server unexpectedly dropped the connection.

In my nginx config I redirect everything to https. Can this be a problem? If so, how do I test “http://cep.************.com/.well-known/acme-challenge/W8mZnUe-RGvVQBpllM-9q_QLn4w0g0zQpxChnXS9u0U”?

Can anyone tell me where this file is in Ubuntu?

.well-known/acme-challenge/

I might not have this file; I am not sure.

Also, in my nginx config I have only cep.***************.com. But on Stack Overflow it says I have to put www. as well. Is that the problem that I am having?

server {
    charset UTF-8;
    listen      80;
    listen [::]:80;
    server_name  cep.***************.com;
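As an added example (not the poster's config and not from the thread), this is an nginx server block that answers the HTTP-01 challenge over plain HTTP and redirects everything else to HTTPS. It assumes the certbot webroot is /var/www/letsencrypt and uses the placeholder host cep.example.com.

```nginx
# Added example: serve the ACME challenge over HTTP, redirect the rest.
# Assumed values: webroot /var/www/letsencrypt, placeholder host cep.example.com.
server {
    listen      80;
    listen [::]:80;
    server_name cep.example.com;

    # certbot --webroot -w /var/www/letsencrypt writes the token under
    # /var/www/letsencrypt/.well-known/acme-challenge/; this location must
    # take precedence over the redirect so the CA can fetch it over HTTP.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
        default_type text/plain;
    }

    # Everything else goes to HTTPS.
    location / {
        return 301 https://$host$request_uri;
    }
}
```

After reloading nginx, a file placed at /var/www/letsencrypt/.well-known/acme-challenge/test should be fetchable over plain http without a redirect, which is the same check the CA performs during renewal.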

I found the answer! My first server in my nginx.conf only went to the site without "www." in front of it; adding "www." as a server name as well solved the issue.

I found my certbot version is 0.31.0 but there is no certbot-auto. I also ran sudo find /etc/letsencrypt/live/ -type l, which shows the certificate. But when I run sudo tail -f /var/log/letsencrypt/letsencrypt.log I have an error on line 477.

Any idea, or should I open a new question?

niyazi@niyazi-virtual-machine:~$ certbot --version
certbot 0.31.0
niyazi@niyazi-virtual-machine:~$ certbot-auto --version
certbot-auto: command not found
niyazi@niyazi-virtual-machine:~$


niyazi@niyazi-virtual-machine:~$ sudo tail -f /var/log/letsencrypt/letsencrypt.log
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.31.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1365, in main
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1272, in renew
    renewal.handle_renewal_request(config)
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 477, in handle_renewal_request
    len(renew_failures), len(parse_failures)))
certbot.errors.Error: 1 renew failure(s), 0 parse failure(s)


niyazi@niyazi-virtual-machine:~$ sudo find /etc/letsencrypt/live/ -type l
/etc/letsencrypt/live/cep.niyazibankasi.com/fullchain.pem
/etc/letsencrypt/live/cep.niyazibankasi.com/chain.pem
/etc/letsencrypt/live/cep.niyazibankasi.com/privkey.pem
/etc/letsencrypt/live/cep.niyazibankasi.com/cert.pem
niyazi@niyazi-virtual-machine:~$

This site https://www.tmn.io/posts/lets-encrypt-with-nginx-auto-renewal talks about adding

# letsencrypt acme challenge for domain verification
location '/.well-known/acme-challenge/' {
     root /usr/local/etc/nginx/letsencrypt;
}

to the nginx config. I am using Ubuntu 18.04. Where is /.well-known/acme-challenge/?

This is fine. You only need one of the two.

Nowhere.

That config is just telling nginx to take files from /usr/local/etc/nginx/letsencrypt when someone asks for example.com/.well-known/acme-challenge/

I am not sure it is needed, I think it isn’t.

Thanks @9peppe. Yesterday I posted a question about the sudo certbot renew --dry-run error. I got the answer that I should check for something blocking the renewal process. I have a FortiGate firewall and I have only IPS. Other than that, all the required ports, in and out, are okay.

How, or where, should I look inside my Ubuntu machine so that my renewal will be okay if I run --dry-run again? I am not sure what is blocking and don’t know where to look.

What should I do to correct the error shown below?

  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 477, in handle_renewal_request
    len(renew_failures), len(parse_failures)))
certbot.errors.Error: 1 renew failure(s), 0 parse failure(s)

You should definitely not get a python traceback thrown at you.

Is your server listening on port 80? (unsecured http)

I read @JuergenAuer told you already to check your firewall. It is incredibly difficult to help you without knowing the full domain name and without the possibility to run tests against it.

There may be other firewalls in front of your own.

Thanks again @9peppe. The full domain is https://cep..com, and http://cep..com is redirected to https. In front of Ubuntu there is a FortiGate firewall with IPS on it.

It isn’t, not from my point of view. It looks like on http I get kicked away by your fortigate.

On https I can see a webpage.

That's very strange. I am out of the office and trying from home using a different network, and when I type http://cep..com it redirects me to https://cep..com

I guess it blocks my ip but not yours. I’m connecting from Italy, if that helps your debugging.

I don’t have any IP blocking but I will look into it.

I saw your ufw config, yeah, but I have no idea what fortigate is doing.

@9peppe I am checking the FortiGate inbound and outbound config. There is an IPS filter, but I will write here in a bit more detail in 30 min.

Ok, @9peppe

I have an IPS filter and it is on and tested. What do these lines mean?

If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.

If I am serving correctly, then something is wrong in my firewall config.

I have an IPS filter, and FortiGate SSL inspection is also on. Do you know if FortiGate SSL inspection blocks my renewal?

I don’t know but I don’t think so. Right now I can connect to your website on unencrypted http just fine, and I get the redirect.

@9peppe

In the firewall there was an application filter setting that was on. I turned that off and tried again. Then I ran --dry-run and my certificate renewed.

Thank you very much.

The solution to my problem was simply to turn off the application filter in FortiGate.
