Getting an Unauthorized error when trying to -dry-run

My domain is: panel.sneakycraft.com

I ran this command: sudo certbot renew --dry-run

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/panel.sneakycraft.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for panel.sneakycraft.com
Waiting for verification...
Challenge failed for domain panel.sneakycraft.com
http-01 challenge for panel.sneakycraft.com
Cleaning up challenges
Attempting to renew cert (panel.sneakycraft.com) from /etc/letsencrypt/renewal/panel.sneakycraft.com.conf produced an unexpected error: Some challenges have failed.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/panel.sneakycraft.com/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/panel.sneakycraft.com/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: panel.sneakycraft.com
   Type:   unauthorized
   Detail: Invalid response from
   https://panel.sneakycraft.com/auth/login
   [2606:4700:3037::6818:61df]:
   "<html>\n<head>\n<title>SneakyCraft</title>\n<meta
   charset=\"utf-8\">\n<meta http-equiv=\"X-UA-Compatible\"
   content=\"IE=edge\">\n<meta cont"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

My web server is (include version): nginx version: nginx/1.18.0 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 20.04.1 LTS (GNU/Linux 5.4.0-48-generic x86_64)

My hosting provider, if applicable, is: Digital Ocean VPS

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.9.0

Server issued certs 5 mins ago just fine. Issue only happens on renewal.

Seen this being used here, no idea how to read this because I'm an amateur, but maybe it helps someone smarter than me: https://check-your-website.server-daten.de/?q=panel.sneakycraft.com

Please let me know if you need some more information. Thanks!

EDIT: This is a Cloudflare IP. I wonder what's going on. Do I need to Disable Cloudflare on every renewal? That sounds... problematic?

The URL from the error message doesn't represent a regular URL which should include a path with /.well-known/acme-challenge/.

It seems your site redirects the authorization attempt to /auth/login which, obviously, isn't a valid authorization token.

You should exclude requests for the directory /.well-known/acme-challenge/ from such redirects.
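The reasoning in this reply (the URL in the error no longer contains /.well-known/acme-challenge/, so something redirected the validation request) can be turned into a pre-flight check that is run before certbot. The script below is an added example for this thread, not something posted by the participants or shipped with certbot: it drops a random token into the webroot, fetches it over http:// and https:// while following redirects the way the CA does, and reports whether the final URL and body are what a validator would expect. The webroot /var/www/_letsencrypt and the hostname are taken from the thread; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight check of the http-01 path.
# Assumed from the thread: webroot /var/www/_letsencrypt, host panel.sneakycraft.com.
# Requires curl. Run as: sh acme-probe.sh --run   (needs write access to the webroot)
set -u

WEBROOT="${WEBROOT:-/var/www/_letsencrypt}"
HOST="${HOST:-panel.sneakycraft.com}"

# acme_classify FINAL_URL BODY TOKEN
# Prints one of: ok, unreachable, redirected, wrong-body (exit 0 only for ok).
# "redirected" is exactly the failure in the certbot output above: the final
# URL has left the /.well-known/acme-challenge/ path (here: /auth/login).
acme_classify() {
    final_url="$1"; body="$2"; token="$3"
    if [ -z "$final_url" ]; then
        echo "unreachable"; return 1
    fi
    case "$final_url" in
        */.well-known/acme-challenge/"$token") ;;
        *) echo "redirected"; return 1 ;;
    esac
    if [ "$body" = "$token" ]; then
        echo "ok"; return 0
    fi
    echo "wrong-body"; return 1
}

# acme_probe SCHEME   (http or https)
# Publishes a throw-away token, fetches it through the same front door the CA
# would use (-L follows redirects), classifies the answer, and cleans up.
acme_probe() {
    scheme="$1"
    token="probe-$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')"
    dir="$WEBROOT/.well-known/acme-challenge"
    mkdir -p "$dir"
    printf '%s' "$token" > "$dir/$token"

    # Body first, then a newline and the effective (final) URL on the last line.
    nl="$(printf '\nx')"; nl="${nl%x}"
    out="$(curl -sSL --max-time 15 -o - -w "${nl}%{url_effective}" \
        "$scheme://$HOST/.well-known/acme-challenge/$token")" || out=""
    final_url="${out##*"$nl"}"
    body="${out%"$nl"*}"
    [ "$out" = "$final_url" ] && body=""   # curl failed: no body line at all

    rm -f "$dir/$token"
    printf '%s -> %s : %s\n' "$scheme" "${final_url:-<no response>}" \
        "$(acme_classify "$final_url" "$body" "$token")"
}

# Only probe the network when explicitly asked, so the functions can be
# sourced or tested without touching the webroot or the host.
if [ "${1:-}" = "--run" ]; then
    acme_probe http
    acme_probe https
fi
```

Both probes should print "ok" before `certbot renew --dry-run` is worth running; a "redirected" result on https:// with a final URL such as /auth/login points at the application (or a vhost without the acme-challenge location) rather than at DNS, which is what the certbot hint about A/AAAA records would otherwise suggest.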


Hi @yashendra2797

you have created two certificates today:

Issuer                      not before  not after   Domain names                       LE-Duplicate next LE
Let's Encrypt Authority X3  2020-10-21  2021-01-19  panel.sneakycraft.com - 1 entries  duplicate nr. 2
Let's Encrypt Authority X3  2020-10-21  2021-01-19  panel.sneakycraft.com - 1 entries  duplicate nr. 1

Looks like you have added the redirect http -> https and the wrong redirect https -> login later.

So now that doesn't work.

Remove the redirect to the login if /.well-known/ is used.

Hi there!

Here's my nginx conf for the site in question:

server {
    listen                  443 ssl http2;
    listen                  [::]:443 ssl http2;
    server_name             panel.sneakycraft.com;
    set                     $base /var/www/pterodactyl/;
    root                    $base/public;

    # SSL
    ssl_certificate         /etc/letsencrypt/live/panel.sneakycraft.com/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/panel.sneakycraft.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/panel.sneakycraft.com/chain.pem;

    # security
    include                 snippets/security.conf;
    add_header              X-Robots-Tag noindex;
    add_header              Content-Security-Policy "frame-ancestors 'self'";

    # logging
    access_log              /var/log/nginx/panel.sneakycraft.com.access.log;
    error_log               /var/log/nginx/panel.sneakycraft.com.error.log warn;

    index                   index.html index.htm index.php;
    
    #PHPMyAdmin
    include                 snippets/phpmyadmin.conf;

    #Pterodactyl Panel
    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    #Player Analytics
    location ^~ /plan/ { 
        proxy_pass http://ipaddr:8804/;
        include    snippets/proxy.conf;
    }

    #Dynmap Main
    location ^~ /map/ {
        proxy_pass http://ipaddr:8123/;
        include    snippets/proxy.conf;
    }

    #Dynmap Hub (Consider Deleting this when Done)
    location ^~ /hubmap/ {
        proxy_pass http://ipaddr:8124/;
        include    snippets/proxy.conf;
    }

    #Dynmap Superflat
    location ^~ /superflatmap/ {
        proxy_pass http://ipaddr:8125/;
        include    snippets/proxy.conf;
    }

    # additional config
    include snippets/general.conf;

    # allow larger file uploads and longer script runtimes
    client_max_body_size 100m;
    client_body_timeout 120s;
    sendfile off;

    #handle PHP
    location ~ \.php$ {
        include snippets/php_fastcgi.conf;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_param PHP_VALUE "upload_max_filesize = 100M \n post_max_size=100M";
        fastcgi_param HTTP_PROXY "";
        fastcgi_intercept_errors off;
        fastcgi_connect_timeout 300;
        fastcgi_send_timeout 300;
        fastcgi_read_timeout 300;
    }

    location ~ /\.ht {
        deny all;
    }
}

# HTTP redirect
server {
    listen      80;
    listen      [::]:80;
    server_name panel.sneakycraft.com;
    include     snippets/letsencrypt.conf;

    location / {
        return 301 https://panel.sneakycraft.com$request_uri;
    }
}

My snippets/letsencrypt.conf:

# ACME-challenge
location ^~ /.well-known/acme-challenge/ {
    root /var/www/_letsencrypt;
}

Do you know where exactly /.well-known/acme is being redirected to /auth/login?
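Reading the configuration above: snippets/letsencrypt.conf is only included in the port-80 server block. Any validation request that reaches the port-443 block (for example after an edge-side HTTP-to-HTTPS redirect, which is an assumption about the Cloudflare setup, not something the thread confirms) falls through to `location /`, `try_files` hands it to /index.php, and the panel answers with its login redirect. That is the /auth/login URL in the certbot error. The following is an added example, not a configuration posted in this thread: the two server blocks trimmed to the parts that matter, with the same snippet included on 443 as well, so the challenge path is served regardless of which port the request arrives on. Paths and hostname are the thread's own; the proxy and PHP details are left out for brevity.

```nginx
# Added example (not from the thread). Assumes the thread's paths:
# webroot /var/www/_letsencrypt, snippet snippets/letsencrypt.conf, which is:
#
#   location ^~ /.well-known/acme-challenge/ {
#       root /var/www/_letsencrypt;
#   }

# HTTP: serve challenge files, redirect everything else to HTTPS.
server {
    listen      80;
    listen      [::]:80;
    server_name panel.sneakycraft.com;

    # "^~" prefix locations are matched before "location /" and before any
    # regex location, so challenge requests never reach the redirect below.
    include     snippets/letsencrypt.conf;

    location / {
        return 301 https://panel.sneakycraft.com$request_uri;
    }
}

# HTTPS: the same snippet must be present here too, otherwise a challenge
# request that arrives over TLS is handled by the application.
server {
    listen                  443 ssl http2;
    listen                  [::]:443 ssl http2;
    server_name             panel.sneakycraft.com;
    root                    /var/www/pterodactyl/public;

    ssl_certificate         /etc/letsencrypt/live/panel.sneakycraft.com/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/panel.sneakycraft.com/privkey.pem;

    # Without this line the request matches "location /" below, try_files
    # rewrites it to /index.php, and the panel redirects to /auth/login.
    include                 snippets/letsencrypt.conf;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location ~ \.php$ {
        include snippets/php_fastcgi.conf;
    }
}
```

After `nginx -t` and a reload, `certbot renew --dry-run` exercises exactly this path. The same /var/www/_letsencrypt directory is what `--webroot -w /var/www/_letsencrypt` writes the challenge file into, so serving it on both ports also keeps the webroot authenticator working when the CA's request is redirected to HTTPS.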

I found something!

This looks similar to my issue: Can't renew cert behind Cloudflare. (LEMP + LetsEncrypt + Cloudflare)


I can confirm that turning off Cloudflare (aka switching to the gray cloud), and then running certbot renew --dry-run fixes the issue. However, having Cloudflare is essential for me. How do I switch my renewal from using --nginx to --webroot? Do I just revoke my old cert, delete it, and remake it with --webroot instead? Or is there a config file I can edit?


Revoking is almost never necessary. In this case it isn't.

That's also not necessary.

You can just re-run the original command, but with different options. So instead of --nginx, you'd use --webroot. You don't really need the nginx plugin to install the certificate too, because it's already installed. Without the nginx installer, however, you'd need to reload nginx "manually", by putting an nginx reload command (something with systemctl I guess, I don't run nginx/systemd myself) in the --deploy-hook option.
If you used the nginx installer to specify the hostnames, that won't work either, of course. So you'd need to put the required hostnames on the command line too with -d. You can get all the hostnames of all the certificates on your system with certbot certificates if you have a bunch of them. In your case, it only seems to be that one hostname though.

So your command would look something like:

certbot certonly --webroot -w /var/www/_letsencrypt -d panel.sneakycraft.com --deploy-hook "systemctl reload nginx"

Use --dry-run to test this. Certbot would probably complain about there already being a valid certificate. If dry-run succeeds, there's not really any point to re-issue the certificate now. However, while manually editing the configuration file to reflect the commands which successfully run with --dry-run is possible, I wouldn't recommend it unless you absolutely know what you're doing. You could also wait 60 days, when renewing is necessary, and re-run the command then, but without --dry-run. You could also think "I don't care about unnecessary load on the Let's Encrypt systems" (what's one certificate more compared to the million certs issued daily), but personally I'm not a big fan of that thought.

I see you already have two certs issued today: https://crt.sh/?q=panel.sneakycraft.com&deduplicate=y And also two more this month. Please be careful and watch out for the rate limits.


Thank you so much! The dry run works. Your help is tremendously appreciated!
