Failure when renewing SSL certificate

Please fill out the fields below so we can help you better.

My domain is: www.bareminimum.co

I ran this command: sudo letsencrypt renew

It produced this output: 2017-04-04 03:44:48,351:WARNING:letsencrypt.cli:Attempting to renew cert from /etc/letsencrypt/renewal/bareminimum.co.conf produced an unexpected error: Failed authorization procedure. bareminimum.co (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://bareminimum.co/.well-known/acme-challenge/bdgKx2JfC5EQD0rh3sJrRDDlq7x4YI8ZDos6P6THlkY: "

My operating system is (include version): Ubuntu 16.04.1 x64

My web server is (include version): nginx

My hosting provider, if applicable, is: Digital Ocean

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

This is the first time I’ve ever set up a webpage on a server so please excuse any simple things I don’t understand. I was able to set up my website but now I need to renew the SSL certificate and I am unable to.

I used the following links to set up my server:


When I run
sudo letsencrypt renew

I get the following error:

and my nginx config looks like this:

server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name bareminimum.co www.bareminimum.co;

        location ~ /.well-known {
                allow all;
         }

        return 301 https://bareminimum.co/grade-calculator;
}
server {
        # SSL configuration

        listen 443 ssl http2 default_server;
        listen [::]:443 ssl http2 default_server;
        include snippets/ssl-bareminimum.co.conf;
        include snippets/ssl-params.conf;

        root /www/bare-minimum/dist;
        index index.php index.html index.htm;

        server_name -;

        location ~ /.well-known {
                allow all;
         }
        location / {
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header Host $http_host;
                proxy_set_header X-Nginx_Proxy true;

                proxy_pass http://localhost:8080;
                proxy_redirect off;
        }

}

Thanks for the help!

That's the culprit.

Boulder, the Let's Encrypt verification software, follows redirects like that. That wouldn't be a problem if requests for http://bareminimum.co/.well-known/acme-challenge/... were redirected to https://bareminimum.co/.well-known/acme-challenge/..., but instead they are redirected to just https://bareminimum.co/grade-calculator. And that of course is a problem, because now the "acme-challenge" is gone!

I commented out the 301 and I still get the same error. Could it be that my app redirects any unknown routes as well? But I am not sure if that is the case because http://www.bareminimum.co/.well-known/acme-challenge/Hkd4S9BR8IvO4Ug7yO6xHItR76zBtSPdGoKpjRBeo84 doesn’t redirect to my not found route but nginx’s 404 page.

Thanks again for the help!

Your listen 80 server block doesn’t provide a root directive, so it doesn’t know where to serve files from. It probably defaults to some nginx default root, while certbot probably uses /www/bare-minimum/dist (but that’s an assumption).

Best way of action (IMO) would be to provide the HTTP server block with a root directive (you could use the same /www/bare-minimum/dist if you want) and come up with a redirect directive which only excludes /.well-known/acme-challenge/ but redirects for everything else.
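
The suggestion above, written out as an added example that is not part of the original posts: a port-80 server block with a root for the challenge files and a redirect that applies to everything except /.well-known/acme-challenge/. It assumes the renewal webroot is /www/bare-minimum/dist, which the thread itself only guesses at.

```nginx
# Added example, not the poster's config.
# Assumption: certbot's webroot for this domain is /www/bare-minimum/dist.
server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name bareminimum.co www.bareminimum.co;

        # Serve HTTP-01 challenge tokens straight from disk: no redirect, no proxy.
        # The ^~ modifier stops nginx from evaluating regex locations for this prefix.
        location ^~ /.well-known/acme-challenge/ {
                root /www/bare-minimum/dist;
                default_type text/plain;
                try_files $uri =404;
        }

        # Everything else is redirected to HTTPS. The return lives inside
        # "location /" rather than at server level: a server-level return runs
        # before location matching and would redirect the challenge request too.
        location / {
                return 301 https://bareminimum.co/grade-calculator;
        }
}
```

After `nginx -t` and a reload, a test file placed under /www/bare-minimum/dist/.well-known/acme-challenge/ should come back with a 200 over plain HTTP, while any other path returns the 301.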

Awesome, my certs just got renewed.

Here is my updated nginx config if anybody needs it for future reference.

server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name bareminimum.co www.bareminimum.co;
        root /www/bare-minimum/dist;
        index index.php index.html index.htm;

        location ~ /.well-known {
                allow all;
         }

#       return 301 https://bareminimum.co/grade-calculator; will recomment this back in
}
server {
        # SSL configuration

        listen 443 ssl http2 default_server;
        listen [::]:443 ssl http2 default_server;
        include snippets/ssl-bareminimum.co.conf;
        include snippets/ssl-params.conf;

        root /www/bare-minimum/dist; #added this line
        index index.php index.html index.htm; ## and this line

        server_name -;

        location ~ /.well-known {
                allow all;
         }
        location / {
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header Host $http_host;
                proxy_set_header X-Nginx_Proxy true;

                proxy_pass http://localhost:8080;
                proxy_redirect off;
        }

}

Again thank you so much for the help, it’s very much appreciated!

You might want to look at Creating NGINX Rewrite Rules, especially the try_files part, for future reference (although I’m not sure the “internal redirect” mentioned there also works as an “external” redirect, i.e., with 301 found headers et cetera).
