Failed to renew permanent redirect from .com to .ca


#1

I have one website which redirects the following to https://heartyk9s.ca

  https://www.heartyk9s.ca
  http://heartyk9s.ca
  http://www.heartyk9s.ca
  http://heartyk9s.com
  http://www.heartyk9s.com

EDIT: removed admin and staging subdomain redirects.

  https://admin.heartyk9s.ca
  https://staging.heartyk9s.ca

This is a digitalocean instance running ubuntu 16.04 4.4.0-57-generic, nginx 1.10.2

I followed this article with adjustments for the multiple domain redirects.

The renewal problem seems only related to the .com domains.

Renewal is set up on a cron job. Running sudo letsencrypt renew manually, I get,

Processing /etc/letsencrypt/renewal/heartyk9s.ca.conf
2017-02-10 15:10:22,727:WARNING:letsencrypt.cli:Attempting to renew cert from /etc/letsencrypt/renewal/heartyk9s.ca.conf produced an unexpected error: Failed authorization procedure. www.heartyk9s.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.heartyk9s.com/.well-known/acme-challenge/I434MmU6V3VDkbYo4REBZVTv6bMrg1ZzWcNbgFA7Auk: "<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>", heartyk9s.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://heartyk9s.com/.well-known/acme-challenge/wgJKaAk5hAKKkEJpslD5wzQ57fSnYTLQFAnr1Q2t3ss: "<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>". Skipping.

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/heartyk9s.ca/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: www.heartyk9s.com
   Type:   unauthorized
   Detail: Invalid response from http://www.heartyk9s.com/.well-known
   /acme-challenge/I434MmU6V3VDkbYo4REBZVTv6bMrg1ZzWcNbgFA7Auk:
   "<html>
   <head><title>404 Not Found</title></head>
   <body bgcolor="white">
   <center><h1>404 Not Found</h1></center>
   <hr><center>"

   Domain: heartyk9s.com
   Type:   unauthorized
   Detail: Invalid response from http://heartyk9s.com/.well-known
   /acme-challenge/wgJKaAk5hAKKkEJpslD5wzQ57fSnYTLQFAnr1Q2t3ss:
   "<html>
   <head><title>404 Not Found</title></head>
   <body bgcolor="white">
   <center><h1>404 Not Found</h1></center>
   <hr><center>"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.

The website has been up and running about 70 days and this is the first time this issue has come up. Rather than posting everything I thought you may need, I thought I’d let you tell me what to post.


#2

Please paste your entire Nginx configuration, and the relevant access.log and error.log lines from the Let’s Encrypt validation thing.

The command “nginx -T” can dump the configuration.

Could you also try to create a file, just containing “Hello!” or whatever, at http://heartyk9s.com/.well-known/acme-challenge/test and http://www.heartyk9s.com/.well-known/acme-challenge/test or a similar URL, to help see if it’s configured correctly.

I noticed that the two http validation URLs above redirect to https. Perhaps the https vhost isn’t configured to serve the files correctly?

(To be clear, it’s fine for the challenge URL to redirect, but the destination has to serve the right file.)

Edit: Could you also say what letsencrypt command you originally ran, in particular the webroot path(s)?


#3

This is the output of nginx -T,

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
user www-data;
worker_processes auto;
pid /run/nginx.pid;

events {
        worker_connections 768;
        # multi_accept on;
}

http {

        ##
        # Basic Settings
        ##

        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        keepalive_timeout 65;
        types_hash_max_size 2048;
        server_tokens off;

        server_names_hash_bucket_size 64;
        # server_name_in_redirect off;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        ##
        # SSL Settings
        ##

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
        ssl_prefer_server_ciphers on;

        ##
        # Logging Settings
        ##

        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;

        ##
        # Gzip Settings
        ##

        gzip on;
        gzip_disable "msie6";

        # gzip_vary on;
        # gzip_proxied any;
        # gzip_comp_level 6;
        # gzip_buffers 16 8k;
        # gzip_http_version 1.1;
        # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

        ##
        # Virtual Host Configs
        ##

        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;
}


#mail {
#       # See sample authentication script at:
#       # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
# 
#       # auth_http localhost/auth.php;
#       # pop3_capabilities "TOP" "USER";
#       # imap_capabilities "IMAP4rev1" "UIDPLUS";
# 
#       server {
#               listen     localhost:110;
#               protocol   pop3;
#               proxy      on;
#       }
# 
#       server {
#               listen     localhost:143;
#               protocol   imap;
#               proxy      on;
#       }
#}

# configuration file /etc/nginx/mime.types:

types {
    text/html                             html htm shtml;
    text/css                              css;
    text/xml                              xml;
    image/gif                             gif;
    image/jpeg                            jpeg jpg;
    application/javascript                js;
    application/atom+xml                  atom;
    application/rss+xml                   rss;

    text/mathml                           mml;
    text/plain                            txt;
    text/vnd.sun.j2me.app-descriptor      jad;
    text/vnd.wap.wml                      wml;
    text/x-component                      htc;

    image/png                             png;
    image/tiff                            tif tiff;
    image/vnd.wap.wbmp                    wbmp;
    image/x-icon                          ico;
    image/x-jng                           jng;
    image/x-ms-bmp                        bmp;
    image/svg+xml                         svg svgz;
    image/webp                            webp;

    application/font-woff                 woff;
    application/java-archive              jar war ear;
    application/json                      json;
    application/mac-binhex40              hqx;
    application/msword                    doc;
    application/pdf                       pdf;
    application/postscript                ps eps ai;
    application/rtf                       rtf;
    application/vnd.apple.mpegurl         m3u8;
    application/vnd.ms-excel              xls;
    application/vnd.ms-fontobject         eot;
    application/vnd.ms-powerpoint         ppt;
    application/vnd.wap.wmlc              wmlc;
    application/vnd.google-earth.kml+xml  kml;
    application/vnd.google-earth.kmz      kmz;
    application/x-7z-compressed           7z;
    application/x-cocoa                   cco;
    application/x-java-archive-diff       jardiff;
    application/x-java-jnlp-file          jnlp;
    application/x-makeself                run;
    application/x-perl                    pl pm;
    application/x-pilot                   prc pdb;
    application/x-rar-compressed          rar;
    application/x-redhat-package-manager  rpm;
    application/x-sea                     sea;
    application/x-shockwave-flash         swf;
    application/x-stuffit                 sit;
    application/x-tcl                     tcl tk;
    application/x-x509-ca-cert            der pem crt;
    application/x-xpinstall               xpi;
    application/xhtml+xml                 xhtml;
    application/xspf+xml                  xspf;
    application/zip                       zip;

    application/octet-stream              bin exe dll;
    application/octet-stream              deb;
    application/octet-stream              dmg;
    application/octet-stream              iso img;
    application/octet-stream              msi msp msm;

    application/vnd.openxmlformats-officedocument.wordprocessingml.document    docx;
    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet          xlsx;
    application/vnd.openxmlformats-officedocument.presentationml.presentation  pptx;

    audio/midi                            mid midi kar;
    audio/mpeg                            mp3;
    audio/ogg                             ogg;
    audio/x-m4a                           m4a;
    audio/x-realaudio                     ra;

    video/3gpp                            3gpp 3gp;
    video/mp2t                            ts;
    video/mp4                             mp4;
    video/mpeg                            mpeg mpg;
    video/quicktime                       mov;
    video/webm                            webm;
    video/x-flv                           flv;
    video/x-m4v                           m4v;
    video/x-mng                           mng;
    video/x-ms-asf                        asx asf;
    video/x-ms-wmv                        wmv;
    video/x-msvideo                       avi;
}

# configuration file /etc/nginx/conf.d/default.conf:
server {
    listen       80;
    server_name  localhost;

    #charset koi8-r;
    #access_log  /var/log/nginx/log/host.access.log  main;

    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
    }

    #error_page  404              /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }

    # proxy the PHP scripts to Apache listening on 127.0.0.1:80
    #
    #location ~ \.php$ {
    #    proxy_pass   http://127.0.0.1;
    #}

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    #
    #location ~ \.php$ {
    #    root           html;
    #    fastcgi_pass   127.0.0.1:9000;
    #    fastcgi_index  index.php;
    #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
    #    include        fastcgi_params;
    #}

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    #location ~ /\.ht {
    #    deny  all;
    #}
}


# configuration file /etc/nginx/sites-enabled/heartyk9s.ca:
# catch root domains for well-known before permanent redirect
server {
    listen 80 default_server;
    listen [::]:80 default_server;

    server_name heartyk9s.ca www.heartyk9s.ca;

    # well-known for let's encrypt
    location /.well-known {
        root /var/www/heartyk9s.ca/html;
    }

    return 301 https://heartyk9s.ca$request_uri;

}

# catch admin subdomain for well-known before permanent redirect
server {
    listen 80;
    listen [::]:80;

    server_name admin.heartyk9s.ca;

    # well-known for let's encrypt
    location /.well-known {
        root /var/www/admin.heartyk9s.ca/html;
    }

    return 301 https://$server_name$request_uri;

}

# catch staging subdomain for well-known before permanent redirect
server {
    listen 80;
    listen [::]:80;

    server_name staging.heartyk9s.ca;

    # well-known for let's encrypt
    location /.well-known {
        root /var/www/staging.heartyk9s.ca/html;
    }

    return 301 https://$server_name$request_uri;

}

# all remaining traffic is https
server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;

    server_name heartyk9s.ca;

    location / {
        root /var/www/heartyk9s.ca/html;
        index index.html index.htm;
        try_files $uri $uri/ =404;
    }

    # error page handling defaults to 404
    error_page 401 403 404 /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /var/www/html;
    }

    # ssl
    include snippets/ssl-heartyk9s.ca.conf;
    include snippets/ssl-params.conf;
}

# redirect https://www.heartyk9s.ca https://heartyk9s.ca
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name www.heartyk9s.ca;
        
    return 301 https://heartyk9s.ca$request_uri;

}

# admin subdomain
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name admin.heartyk9s.ca;

    location / {
        root /var/www/admin.heartyk9s.ca/html;
        index index.html index.htm;
        try_files $uri $uri/ =404;
    }

    # error page handling defaults to 404
    error_page 401 403 404 /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /var/www/html;
    }

    # ssl
    include snippets/ssl-heartyk9s.ca.conf;
    include snippets/ssl-params.conf;
}

# staging subdomain
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name staging.heartyk9s.ca;

    location / {
        root /var/www/staging.heartyk9s.ca/html;
        index index.html index.htm;
        try_files $uri $uri/ =404;
    }

    # error page handling defaults to 404
    error_page 401 403 404 /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /var/www/html;
    }

    # ssl
    include snippets/ssl-heartyk9s.ca.conf;
    include snippets/ssl-params.conf;
}


# configuration file /etc/nginx/snippets/ssl-heartyk9s.ca.conf:
ssl_certificate /etc/letsencrypt/live/heartyk9s.ca/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/heartyk9s.ca/privkey.pem;

# configuration file /etc/nginx/snippets/ssl-params.conf:
# from https://cipherli.st/
# and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;

# Disable preloading HSTS for now.  You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;

ssl_dhparam /etc/ssl/certs/dhparam.pem;


# configuration file /etc/nginx/sites-enabled/heartyk9s.com:
# catch root domains for well-known before permanent redirect
server {
    listen 80;
    listen [::]:80;

    server_name heartyk9s.com www.heartyk9s.com;

    # well-known for let's encrypt
    location /.well-known {
        allow all;
        root /var/www/heartyk9s.com/html;
    }

    return 301 https://heartyk9s.ca$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name heartyk9s.com www.heartyk9s.com;

    return 301 https://heartyk9s.ca$request_uri;
}

I’ve uploaded a test file containing “Hello!” to the one server which all of these redirect to at https://heartyk9s.ca/.well-known/acme-challenge/test. All of them download the test file except the subdomain urls mentioned previously in my first post.


EDIT3:
There are now test.txt files in each root which identify themselves as Hello! root. On testing,

https://www.heartyk9s.ca/.well-known/acme-challenge/test.txt
http://heartyk9s.ca/.well-known/acme-challenge/test.txt
http://www.heartyk9s.ca/.well-known/acme-challenge/test.txt

redirect to https://heartyk9s.ca/.well-known/acme-challenge/test.txt which displays Hello! heartyk9s.ca.

Staging and admin https subdomains display their respective test files.

The .com domains,

https://heartyk9s.com/.well-known/acme-challenge/test.txt
https://www.heartyk9s.com/.well-known/acme-challenge/test.txt
http://heartyk9s.com/.well-known/acme-challenge/test.txt
http://www.heartyk9s.com/.well-known/acme-challenge/test.txt

redirect to https://heartyk9s.ca/.well-known/acme-challenge/test.txt which displays Hello! heartyk9s.ca, not Hello! heartyk9s.com.


I think the https vhost is serving the files correctly in terms of the needs of the webserver, but probably not in terms of the renewal requirements. How many “right files” are needed in my case?

The letsencrypt command,

sudo letsencrypt certonly --webroot -w /var/www/heartyk9s.ca/html -d heartyk9s.ca -d www.heartyk9s.ca -w /var/www/admin.heartyk9s.ca/html -d admin.heartyk9s.ca -w /var/www/staging.heartyk9s.ca/html -d staging.heartyk9s.ca -w /var/www/heartyk9s.com/html -d heartyk9s.com -d www.heartyk9s.com

EDIT: To make it clear… I did upload a test file also to http://heartyk9s.com/.well-known/acme-challenge/test but it is never reached.


EDIT2: Access log,

sudo cat /var/log/nginx/access.log | grep letsencrypt
66.133.109.36 - - [10/Feb/2017:15:10:18 +0000] "GET /.well-known/acme-challenge/wgJKaAk5hAKKkEJpslD5wzQ57fSnYTLQFAnr1Q2t3ss HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
66.133.109.36 - - [10/Feb/2017:15:10:18 +0000] "GET /.well-known/acme-challenge/I434MmU6V3VDkbYo4REBZVTv6bMrg1ZzWcNbgFA7Auk HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
66.133.109.36 - - [10/Feb/2017:15:10:18 +0000] "GET /.well-known/acme-challenge/wgJKaAk5hAKKkEJpslD5wzQ57fSnYTLQFAnr1Q2t3ss HTTP/1.1" 404 136 "http://heartyk9s.com/.well-known/acme-challenge/wgJKaAk5hAKKkEJpslD5wzQ57fSnYTLQFAnr1Q2t3ss" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
66.133.109.36 - - [10/Feb/2017:15:10:18 +0000] "GET /.well-known/acme-challenge/I434MmU6V3VDkbYo4REBZVTv6bMrg1ZzWcNbgFA7Auk HTTP/1.1" 404 136 "http://www.heartyk9s.com/.well-known/acme-challenge/I434MmU6V3VDkbYo4REBZVTv6bMrg1ZzWcNbgFA7Auk" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"

and error log (some of which may not be related to renewal),

sudo cat /var/log/nginx/error.log | grep well-known
2017/02/10 15:16:46 [error] 18465#18465: *70573 directory index of "/var/www/heartyk9s.ca/html/.well-known/" is forbidden, client: 174.35.133.122, server: heartyk9s.ca, request: "GET /.well-known/ HTTP/2.0", host: "heartyk9s.ca"
2017/02/10 20:33:25 [error] 18465#18465: *71199 directory index of "/var/www/heartyk9s.ca/html/.well-known/" is forbidden, client: 52.200.43.245, server: heartyk9s.ca, request: "HEAD /.well-known/ HTTP/2.0", host: "heartyk9s.ca"
2017/02/10 20:33:25 [error] 18465#18465: *71200 directory index of "/var/www/heartyk9s.ca/html/.well-known/" is forbidden, client: 52.200.43.245, server: heartyk9s.ca, request: "HEAD /.well-known/ HTTP/2.0", host: "heartyk9s.ca"
2017/02/10 22:44:42 [error] 18465#18465: *71427 directory index of "/var/www/heartyk9s.ca/html/.well-known/" is forbidden, client: 174.35.133.122, server: heartyk9s.ca, request: "GET /.well-known/ HTTP/2.0", host: "heartyk9s.ca"


#4

According to crt.sh the heartyk9s.com domains are not part of the heartyk9s.ca identity,

Criteria	Identity LIKE '%heartyk9s.ca'

Certificates	
crt.sh ID	 Logged At  ⇧	Not Before	Identity	Issuer Name
56858634	2016-12-01	2016-12-01	admin.heartyk9s.ca	C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
56858634	2016-12-01	2016-12-01	heartyk9s.ca	C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
56858634	2016-12-01	2016-12-01	staging.heartyk9s.ca	C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
56858634	2016-12-01	2016-12-01	www.heartyk9s.ca	C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3

This may be an unrelated issue…


#5

Any suggestions as to how to fix the problem??


#6

I think there’s one or two things off with this section, and the other equivalent ones. Try:

location /.well-known/acme-challenge/ {
    root /var/www/heartyk9s.ca/html;
}

location / {
    return 301 https://heartyk9s.ca$request_uri;
}

… and the equivalent derivatives in your other server blocks.

“/.well-known” could be a minor problem. It covers any other files or subdirectories you might add to /.well-known/ in the future.

More critically, because the “return” directive is in the top level of the server block, I think the location block is effectively ignored.

Therefore, the requests to http://heartyk9s.com/.well-known/acme-challenge/ and http://www.heartyk9s.com/.well-known/acme-challenge/ go to https://heartyk9s.ca/.well-known/acme-challenge/, which has a different root configured, and the files can’t be found.

(For the heartyk9s.ca sites, the redirect is harmless, since the HTTP and HTTPS versions would have the same root anyway.)

Those two server blocks are missing ssl_certificate and ssl_certificate_key directives (and your other SSL settings, of course). Nginx will be unhappy about that; you’d need to either add certificates (even if they’re self-signed or for another domain or something) or disable those server blocks.

They’re not related to the renewal. Does error.log have anything else within a second or two of the timestamps in access.log?

Though it doesn’t matter if I have figured out what was wrong.
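Added example (not the thread's own config and not what mnordoff posted): the full /etc/nginx/sites-enabled/heartyk9s.com rewritten along the lines of #6, so the server-level "return" no longer wins before the location is matched. The 443 block reuses the existing heartyk9s.ca snippets on the assumption that the live certificate still lists the .com names, as the crt.sh entry quoted later in the thread does; the webroot path is the one from the original letsencrypt command.

```nginx
# /etc/nginx/sites-enabled/heartyk9s.com  (added example, not from the thread)
#
# Why the posted version failed: "return 301 ..." sat directly inside the
# server block. nginx runs a server-level "return" in the server rewrite
# phase, which comes before location selection, so "location /.well-known"
# was never consulted. Every challenge request for the .com names was bounced
# to https://heartyk9s.ca, whose root (/var/www/heartyk9s.ca/html) does not
# contain the tokens certbot wrote under /var/www/heartyk9s.com/html.
#
# Fix: put the redirect in "location /" so the longer prefix match
# /.well-known/acme-challenge/ takes precedence for challenge requests.

server {
    listen 80;
    listen [::]:80;

    server_name heartyk9s.com www.heartyk9s.com;

    # ACME tokens are served from the webroot passed as
    # "-w /var/www/heartyk9s.com/html" to letsencrypt certonly.
    location /.well-known/acme-challenge/ {
        root /var/www/heartyk9s.com/html;
    }

    # Everything else goes to the canonical .ca host.
    location / {
        return 301 https://heartyk9s.ca$request_uri;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name heartyk9s.com www.heartyk9s.com;

    # A TLS server block needs a certificate and key (see #6). Assumption:
    # the heartyk9s.ca certificate also lists the .com names, so the same
    # snippets are reused here rather than a separate certificate.
    include snippets/ssl-heartyk9s.ca.conf;
    include snippets/ssl-params.conf;

    location / {
        return 301 https://heartyk9s.ca$request_uri;
    }
}
```

Apply the same shape to the heartyk9s.ca, admin and staging port-80 blocks (the .ca redirect happens to be harmless only because both sides share a root). After editing, run sudo nginx -t, reload nginx, and repeat the test-file check from #2 against http://heartyk9s.com/.well-known/acme-challenge/test before running sudo letsencrypt renew --dry-run; a 301 on that URL in access.log means the location is still being skipped. Remember that nginx also has to be reloaded after a successful renewal so it picks up the new fullchain.pem (the point raised in #12).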


#7

It’s okay. You searched for heartyk9s.ca, so it’s only showing results for heartyk9s.ca. If you search for heartyk9s.com, it will give you the exact same certificate, listing each of the matching heartyk9s.com names.

https://crt.sh/?q=%heartyk9s.com

If you click on the crt.sh ID, 56858634, you can see all of the certificate’s information, including all of the names it covers, from both domains.

https://crt.sh/?id=56858634


#8

Thanks. I’ll get to this later tonight when traffic on the website is lower.


#9

Hey mnordoff! Finally got back to this and it works after your suggested changes to .well-known. Can I buy you a beer?

Thanks!!


#10

Spoke too soon. Manual renewal says it updated but surfing the website says the certificate has expired. What’s up with that?


#11

The error is NET::ERR_CERT_DATE_INVALID


#12

Looking at https://crt.sh/?id=97927775 you correctly obtained a certificate.

Have you restarted your nginx so it loads and uses the certificate ?


#13

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.