Error while renewing certificate

Hi everyone,
I'm having a problem renewing my certificate.
It concerns the isfred.fr platform. For the last 5 months I've been using a script to automatically renew the certificate regularly without any problems:

#!/bin/bash

OLD_MD5_CHAIN=$(md5sum /etc/letsencrypt/live/isfred.fr/fullchain.pem | awk '{print $1}')
OLD_MD5_KEY=$(md5sum /etc/letsencrypt/live/isfred.fr/privkey.pem | awk '{print $1}')

# this will create a standalone server on port 81 for the certificate renewal
# every request made to 'http://beyond.bzh/.well-known' will be forwarded to port 81
docker run -it --rm --name certbot \
    -v '/etc/letsencrypt:/etc/letsencrypt' \
    -v '/var/lib/letsencrypt:/var/lib/letsencrypt' \
    -p 81:81 \
    certbot/certbot renew --standalone --http-01-port 81

NEW_MD5_CHAIN=$(md5sum /etc/letsencrypt/live/isfred.fr/fullchain.pem | awk '{print $1}')
NEW_MD5_KEY=$(md5sum /etc/letsencrypt/live/isfred.fr/privkey.pem | awk '{print $1}')

# double quotes so the variables expand; with single quotes the literal strings would be compared
if [ "$OLD_MD5_CHAIN" != "$NEW_MD5_CHAIN" ] && [ "$OLD_MD5_KEY" != "$NEW_MD5_KEY" ]; then
    echo "[$(date +'%Y-%m-%d %H:%M:%S')] Changing certificate and key" >> /root/certbot.log
    cp /etc/letsencrypt/live/isfred.fr/fullchain.pem /home/fred/CTFd/conf/nginx/fullchain.pem
    docker exec nginx nginx -s reload # reload the new configuration
fi

Since today it no longer works; here is the error I get when I launch it manually:

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
  Domain: isfred.fr
  Type:   unauthorized
  Detail: 51.75.241.163: Invalid response from https://isfred.fr/.well-known/acme-challenge/XITQsEH-x5a5F8GzT_FVgZjSMH9hXLEMo8qnm3Xe3iU: 404

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 81. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

Failed to renew certificate isfred.fr with error: Some challenges have failed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/isfred.fr/fullchain.pem (failure)

Thanks for your help in advance.

2 Likes

Welcome to the community @Byrgir

The "404" in the error message is an HTTP error code for Not Found.

With --standalone that almost certainly means something else is handling the HTTP Challenge coming in on port 80. Right now an nginx server replies to test challenge requests. I'm guessing something has changed so that you no longer forward this request to that Certbot container on port 81.

In the test request below a 404 is expected. What is interesting is the Server=nginx.

Request to: isfred.fr/51.75.241.163, Result: [Address=51.75.241.163,Address Type=IPv4,Server=nginx/1.24.0,HTTP Status=301,Number of Redirects=1,Final HTTP Status=404]

3 Likes

Hi,
Thanks for your quick response, I'm not sure I understand what you mean by "With --standalone that almost certainly means something else is handling the HTTP Challenge coming in on port 80."

I didn't change anything, I only have the website on port 80.

1 Like

Well, something must have changed :slight_smile:

In the script to run Certbot you use --standalone and set its listening port to 81. And, you expose port 81 to 81 outside the container.

The HTTP Challenge request from the Let's Encrypt server to your domain comes in on port 80. Always has. So, somehow you must have been redirecting that to port 81 if this process worked in the past. But, that is no longer happening.

An nginx server is currently replying to HTTP (port 80) requests. Did it used to proxy certain requests to the container on port 81?

3 Likes

OK, I just successfully renewed the certificate by stopping every container that was running on the server. I'll need to check the confs to be sure that none of them has changed and is now listening on port 80.

Thanks for your help

2 Likes
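The replies above explain the mechanism (the http-01 challenge arrives on port 80, so whatever answers port 80 must hand /.well-known/acme-challenge/ to the standalone listener on port 81), and the last post says the next step is to check the configs for a container that now answers port 80 itself. The following script is an added example, not code from the thread or from Certbot: it parses nginx server blocks and reports every block listening on port 80 that does not proxy the challenge path to the expected port. The nginx configuration it reads is a constructed sample embedded inline; the server names, the backend `ctfd:8000` and the challenge port 81 are assumptions for the example, and in practice you would feed it the real config files.

```python
import re

# Constructed sample nginx configuration (not taken from the thread). The first
# server block forwards the ACME challenge path to a standalone listener on
# port 81, as the renewal script expects; the second one listens on port 80
# but has no such location, so it would answer challenge requests itself.
SAMPLE_NGINX_CONF = """
server {
    listen 80;
    server_name isfred.fr;
    # hand http-01 challenges to the certbot --standalone container
    location /.well-known/acme-challenge/ {
        proxy_pass http://127.0.0.1:81;
    }
    location / {
        return 301 https://$host$request_uri;
    }
}
server {
    listen 80 default_server;
    server_name ctfd.example.invalid;   # placeholder name, assumed for the example
    location / {
        proxy_pass http://ctfd:8000;
    }
}
"""

ACME_PATH = "/.well-known/acme-challenge/"


def tokenize(conf_text):
    """Split nginx config text into words, braces and semicolons (comments dropped)."""
    without_comments = re.sub(r"#.*", "", conf_text)
    return re.findall(r"\{|\}|;|[^\s{};]+", without_comments)


def parse(tokens, pos=0):
    """Build a tree of (directive, args, children); children is None for simple directives."""
    items, current = [], []
    while pos < len(tokens):
        tok = tokens[pos]
        if tok == ";":
            if current:
                items.append((current[0], current[1:], None))
            current, pos = [], pos + 1
        elif tok == "{":
            children, pos = parse(tokens, pos + 1)
            name = current[0] if current else ""
            items.append((name, current[1:], children))
            current = []
        elif tok == "}":
            return items, pos + 1
        else:
            current.append(tok)
            pos += 1
    return items, pos


def listen_ports(server_children):
    """Ports a server block listens on: 'listen 80;', 'listen [::]:80;', 'listen 443 ssl;'."""
    ports = set()
    for directive, args, _ in server_children:
        if directive == "listen" and args:
            ports.add(args[0].rsplit(":", 1)[-1])
    return ports


def acme_forward_port(server_children):
    """Port that the ACME challenge location is proxied to, or None if there is no such location."""
    for directive, args, children in server_children:
        if directive == "location" and children is not None and args and args[-1].startswith(ACME_PATH):
            for d, a, _ in children:
                if d == "proxy_pass" and a:
                    match = re.search(r":(\d+)/?$", a[0])
                    if match:
                        return int(match.group(1))
    return None


def audit_port80_servers(conf_text, challenge_port=81):
    """One finding per server block on port 80: does it forward challenges to challenge_port?"""
    tree, _ = parse(tokenize(conf_text))
    findings = []
    for directive, _args, children in tree:
        if directive != "server" or children is None:
            continue
        if "80" not in listen_ports(children):
            continue
        names = [n for d, a, _ in children if d == "server_name" for n in a]
        forward = acme_forward_port(children)
        findings.append({"server_name": names,
                         "forwards_acme": forward == challenge_port,
                         "forward_port": forward})
    return findings


def unforwarded_port80_names(conf_text, challenge_port=81):
    """Names of port-80 server blocks that would answer challenge requests themselves (404 risk)."""
    return [n for f in audit_port80_servers(conf_text, challenge_port)
            if not f["forwards_acme"] for n in f["server_name"]]


if __name__ == "__main__":
    for finding in audit_port80_servers(SAMPLE_NGINX_CONF):
        print(finding)
    print("port-80 blocks without a challenge forward:", unforwarded_port80_names(SAMPLE_NGINX_CONF))
```

The parser is deliberately minimal (directives, arguments and nested blocks, with comments stripped), which is enough to see which server blocks own port 80 and where they send the challenge path. A block that reaches port 80 without such a forward, or the default server on a host that answers the domain, is exactly what produces the 404 shown in the first post.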
