I have successfully created an HTTPS certificate and it is currently running live on my server. And the certs are due for renewal.
My server environment in AWS is:
Ubuntu 16.04
Nginx server set to https
Node JS server
When I try to renew (even the dry run) I get the following error on the terminal window
Attempting to renew cert from /etc/letsencrypt/renewal/xxx.conf produced an unexpected error: Failed authorization procedure. xxx.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Could not connect to xxx.com, www.xxx.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Could not connect to www.xxx.com. Skipping.
Maybe you should try again? If I try to access it from [very far away] it works. Get a redirect to HTTPS, then a 404 error. If the server's not configured to serve the challenge files, it will fail to validate, but Let's Encrypt would return a different error message.
Attempting to renew cert from /etc/letsencrypt/renewal/letsnibbl.com.conf produced an unexpected error: Failed authorization procedure. letsnibbl.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://letsnibbl.com/.well-known/acme-challenge/IK3XfSMq-wg7jwNmnB-s-kSFxDAgJgqPZSkpL41lvDg: "<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>", www.letsnibbl.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.letsnibbl.com/.well-known/acme-challenge/kWjvkpwVLbd93s6bprU289Fck05CS2_7fdQEpfuP7KI: "<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>". Skipping.
I find that the redirection does not seem to be working. When I call the url from my browser, it still throws the error page that NodeJS throws on an invalid url.
The full conf in default of nginx/sites-enabled is
I created the directory and placed a text file. When I call the url from the browser it shows its content.
However, when I try a dry run using
sudo certbot renew --dry-run
it shows
Saving debug log to /var/log/letsencrypt/letsencrypt.log
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/letsnibbl.com.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Starting new HTTPS connection (1): acme-staging.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for letsnibbl.com
http-01 challenge for www.letsnibbl.com
Waiting for verification...
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/letsnibbl.com.conf produced an unexpected error: Failed authorization procedure. www.letsnibbl.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.letsnibbl.com/.well-known/acme-challenge/VZ0GyF0hgS_nykbkAR9-NzNgcNihABV5eN9nxatWo_k: "<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>", letsnibbl.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://letsnibbl.com/.well-known/acme-challenge/jqxFZlkHsYBked-T61e9WcHBFZq6tbvacAVZk6uZAg8: "<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>". Skipping.
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/letsnibbl.com/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)
1 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: www.letsnibbl.com
Type: unauthorized
Detail: Invalid response from
http://www.letsnibbl.com/.well-known/acme-challenge/VZ0GyF0hgS_nykbkAR9-NzNgcNihABV5eN9nxatWo_k:
"<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>"
Domain: letsnibbl.com
Type: unauthorized
Detail: Invalid response from
http://letsnibbl.com/.well-known/acme-challenge/jqxFZlkHsYBked-T61e9WcHBFZq6tbvacAVZk6uZAg8:
"<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address.
# from https://cipherli.st/
# and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
# TLSv1 and TLSv1.1 are deprecated (RFC 8996); listing only TLSv1.2 here is the safer choice
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# Disable preloading HSTS for now. You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
Should I comment out (#) the add_header Strict-Transport-Security settings and restart nginx?
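The dry-run failures above are all the same symptom: the validator asks for http://letsnibbl.com/.well-known/acme-challenge/&lt;token&gt; over plain HTTP and gets something other than the token file (a 404 from the Node app, or, in the first post, no connection at all). The script below is an added example written for this thread, not certbot's or Let's Encrypt's own code. It reproduces the validator's fetch locally so the path can be checked before running certbot again: it writes a token file into a webroot the way certbot's webroot plugin does, fetches the challenge URL without following redirects, and classifies the result as ok, not_served (404), redirect, or connection. The demo spins up throwaway local HTTP servers for each case; the webroot path, the token and the thumbprint suffix are constructed placeholders, and the HSTS header question is irrelevant to this check because only browsers honour HSTS, the ACME validator ignores it.

```python
"""Self-check for the http-01 challenge path (added example, not certbot code).

Assumes certbot's webroot plugin: the renewal conf's webroot_path must be the
same directory that nginx serves for /.well-known/acme-challenge/ on port 80,
and that location block must come before any redirect to HTTPS.
"""
import functools
import http.server
import secrets
import socketserver
import tempfile
import threading
import urllib.error
import urllib.request
from pathlib import Path

CHALLENGE_DIR = ".well-known/acme-challenge"


def write_token(webroot: str, token: str, body: str) -> Path:
    """Place the challenge file exactly where the webroot plugin puts it."""
    target = Path(webroot) / CHALLENGE_DIR
    target.mkdir(parents=True, exist_ok=True)
    path = target / token
    path.write_text(body)
    return path


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop at the first response so a redirect to HTTPS is reported, not followed."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(base_url: str, token: str, expected_body: str) -> dict:
    """Fetch the challenge URL the way the validator does and classify the outcome."""
    url = f"{base_url}/{CHALLENGE_DIR}/{token}"
    opener = urllib.request.build_opener(NoRedirect)
    location = None
    try:
        with opener.open(url, timeout=10) as resp:
            status, body = resp.status, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as err:          # 3xx/4xx/5xx land here
        status, body = err.code, err.read().decode(errors="replace")
        location = err.headers.get("Location")
    except urllib.error.URLError as err:           # nothing listening / firewall / DNS
        return {"status": None, "verdict": "connection", "detail": str(err.reason)}
    if 300 <= status < 400:
        return {"status": status, "verdict": "redirect",
                "detail": f"redirected to {location}; the token must be served there too"}
    if status == 200 and body.strip() == expected_body:
        return {"status": 200, "verdict": "ok", "detail": "token served verbatim"}
    if status == 404:
        return {"status": 404, "verdict": "not_served",
                "detail": "path not mapped to the webroot; check the nginx location/root"}
    return {"status": status, "verdict": "mismatch", "detail": body[:80]}


class QuietFiles(http.server.SimpleHTTPRequestHandler):
    """Serves a directory like a correctly configured webroot location; no log noise."""
    def log_message(self, *args):
        pass


class RedirectAllHandler(http.server.BaseHTTPRequestHandler):
    """Mimics a port-80 vhost that sends every request to HTTPS before serving files."""
    def do_GET(self):
        self.send_response(301)
        self.send_header("Location", "https://" + self.headers["Host"] + self.path)
        self.end_headers()

    def log_message(self, *args):
        pass


def start_server(handler):
    """Bind a throwaway server on loopback (port 0 = any free port) in a daemon thread."""
    srv = socketserver.TCPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def run_local_demo() -> dict:
    """Exercise probe() against the three failure modes seen in the thread plus the good case."""
    token = secrets.token_urlsafe(32)                   # constructed; certbot issues the real one
    body = f"{token}.CONSTRUCTED_THUMBPRINT"           # real body is token.<account JWK thumbprint>
    results = {}
    with tempfile.TemporaryDirectory() as webroot:     # stand-in for e.g. /var/www/letsencrypt
        write_token(webroot, token, body)
        good, good_url = start_server(functools.partial(QuietFiles, directory=webroot))
        bad, bad_url = start_server(RedirectAllHandler)
        try:
            results["webroot_served"] = probe(good_url, token, body)["verdict"]
            results["unknown_token"] = probe(good_url, "missing-token", body)["verdict"]
            results["redirect_to_https"] = probe(bad_url, token, body)["verdict"]
        finally:
            for srv in (good, bad):
                srv.shutdown()
                srv.server_close()
    # Port is closed now: mirrors urn:acme:error:connection from the first post.
    results["nothing_listening"] = probe(good_url, token, body)["verdict"]
    return results


if __name__ == "__main__":
    for case, verdict in run_local_demo().items():
        print(f"{case:20s} -> {verdict}")
```

Against the live host, call `write_token` with the directory that `/etc/letsencrypt/renewal/letsnibbl.com.conf` lists as `webroot_path` and `probe("http://letsnibbl.com", ...)`; a `not_served` verdict means the port-80 server block hands the path to the Node app instead of that directory, and a `redirect` verdict means the `return 301` to HTTPS sits before the `location ^~ /.well-known/acme-challenge/` block, so the challenge is being served (if at all) only on 443. Reorder or add that location block with its `root` pointing at the webroot, reload nginx, and re-run the probe before `certbot renew --dry-run`.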