Ackis
March 10, 2020, 2:28am
21
I didn't issue any command with webroot. I just ran `certbot renew -a nginx` like you suggested.
There's a bug with nginx where the installer doesn't work on some installs, so I was forced to use the webroot method.
Issue opened 04:16AM - 04 Oct 19 UTC, closed 07:52PM - 27 Jul 20 UTC; labels: bug, area: nginx
Detailed conversation could be found here:
https://community.letsencrypt.org/t/… cannot-renew-create-a-new-cert-when-i-had-no-issue-previously/103040/
## My operating system is (include version):
Ubuntu 18.04.3 LTS
Nginx 1.17.4 (note: this isn't the version of nginx that's part of Ubuntu's repos)
## I installed Certbot with (certbot-auto, OS package manager, pip, etc):
## I ran this command and it produced this output:
`sudo certbot renew --cert-name ackis.duckdns.org --debug-challenges --dry-run`
```
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/ackis.duckdns.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for ackis.duckdns.org
Waiting for verification...
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Challenges loaded. Press continue to submit to CA. Pass "-v" for more info about
challenges.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cleaning up challenges
Attempting to renew cert (ackis.duckdns.org) from /etc/letsencrypt/renewal/ackis.duckdns.org.conf produced an unexpected error: Failed authorization procedure. ackis.duckdns.org (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://ackis.duckdns.org/.well-known/acme-challenge/7bO_DNxtDDyO_hPdRJcpGWEJHaLTRwtTsMWpWtQREDE [174.3.126.96]: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body>\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>nginx</center>\r\n". Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/ackis.duckdns.org/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/ackis.duckdns.org/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: ackis.duckdns.org
Type: unauthorized
Detail: Invalid response from
https://ackis.duckdns.org/.well-known/acme-challenge/7bO_DNxtDDyO_hPdRJcpGWEJHaLTRwtTsMWpWtQREDE
[174.3.126.96]: "<html>\r\n<head><title>404 Not
Found</title></head>\r\n<body>\r\n<center><h1>404 Not
Found</h1></center>\r\n<hr><center>nginx</center>\r\n"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
```
## Certbot's behavior differed from what I expected because:
Certbot should have renewed the certificate.
## Here is the relevant nginx server block or Apache virtualhost for the domain I am configuring:
```
# HTTP server - redirect to HTTPS
server {
listen 80;
listen [::]:80;
server_name www.ackis.duckdns.org ackis.duckdns.org;
location / {
return 301 https://ackis.duckdns.org$request_uri;
}
# Workaround LE and certbot not working with nginx
location /.well-known/acme-challenge/ {
root /var/www/letsencrypt;
}
access_log syslog:server=localhost,tag=nginx_access_internet,severity=info;
error_log syslog:server=localhost,tag=nginx_error_internet;
add_header Strict-Transport-Security "max-age=31536000;";
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
}
# www domain - redirect to domain without www
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name www.ackis.duckdns.org;
location / {
return 301 https://ackis.duckdns.org$request_uri;
}
access_log syslog:server=localhost,tag=nginx_access_internet,severity=info;
error_log syslog:server=localhost,tag=nginx_error_internet;
ssl_certificate /etc/letsencrypt/live/www.ackis.duckdns.org/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www.ackis.duckdns.org/privkey.pem;
server_tokens off;
etag off;
add_header Strict-Transport-Security "max-age=31536000;";
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
}
server {
listen 443 ssl default_server;
listen [::]:443 ssl;
server_name ackis.duckdns.org;
access_log syslog:server=localhost,tag=nginx_access_internet,severity=info;
error_log syslog:server=localhost,tag=nginx_error_internet;
ssl_certificate /etc/letsencrypt/live/ackis.duckdns.org/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/ackis.duckdns.org/privkey.pem; # managed by Certbot
server_tokens off;
etag off;
add_header Strict-Transport-Security "max-age=31536000;";
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
location ~* /\.\./ {
deny all;
return 404;
}
location ~* "^(?:.+\.(?:htaccess|make|txt|test|markdown|md|engine|inc|info|install|module|profile|po|sh|.*sql|theme|tpl(?:\.php)?|xtmpl)|code-style\.pl|/Entries.*|/Re$
return 404;
}
location = /favicon.ico {
try_files /favicon.ico =204;
}
location / {
root /var/www/internet;
index index.html;
}
location /nginx_status {
access_log syslog:server=localhost,tag=nginx_access_admin,severity=info;
error_log syslog:server=localhost,tag=nginx_error_admin;
allow 192.168.0.0/24;
deny all;
auth_basic "Restricted access";
auth_basic_user_file /etc/nginx/auth/admin.htpasswd;
stub_status on;
}
}
```
I'm willing to get rid of it, if you think it'll help. I did for the ackis.duckdns.org domain (which is why I had the configuration error, I had to manually edit the config file) and it didn't seem to make a difference.
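An added check, not part of the post or of certbot, that reads an nginx config laid out like the one above and reports every server block naming the domain that has no `/.well-known/acme-challenge/` location: the 404 in the log was served from the HTTPS URL, so the block answering on 443 must be able to serve the challenge too. `example.test` and the webroot paths in the sample are constructed values.

```python
# Added example (not certbot's or the poster's code): http-01 readiness audit.
import re

ACME = "/.well-known/acme-challenge/"

def parse_nginx(text):
    """Tiny nginx parser -> list of (name, args, children); children is None
    for simple directives. Comments stripped; quoted args may contain ';'."""
    tokens = re.findall(r'"[^"]*"|[{};]|[^\s{};"]+', re.sub(r"#[^\n]*", "", text))
    stack, cur = [[]], []
    for tok in tokens:
        if tok == "}":
            stack.pop()
        elif tok in "{;":
            node = (cur[0], cur[1:], [] if tok == "{" else None)
            stack[-1].append(node)
            if tok == "{":
                stack.append(node[2])
            cur = []
        else:
            cur.append(tok)
    return stack[0]

def acme_roots(server):
    """Webroots (root/alias) of any location whose path is the ACME prefix."""
    return [cargs[0] for name, args, kids in server
            if name == "location" and args and args[-1] == ACME
            for cname, cargs, _ in kids if cname in ("root", "alias")]

def audit(text, domain):
    """(listen directives, problem) for each server block naming `domain`
    that cannot serve the challenge prefix from a webroot."""
    findings = []
    for name, _, kids in parse_nginx(text):
        names = [n for d, args, _ in kids or [] if d == "server_name" for n in args]
        if name == "server" and domain in names and not acme_roots(kids):
            listens = [" ".join(a) for d, a, _ in kids if d == "listen"]
            findings.append((listens, "no location for " + ACME))
    return findings

# Constructed sample mirroring the posted layout: port 80 redirects to HTTPS
# and serves the challenge from a webroot; the HTTPS block does not.
SAMPLE = """
server { listen 80; server_name www.example.test example.test;
    location / { return 301 https://example.test$request_uri; }
    location /.well-known/acme-challenge/ { root /var/www/letsencrypt; } }
server { listen 443 ssl default_server; server_name example.test;
    add_header Strict-Transport-Security "max-age=31536000;";
    location / { root /var/www/internet; index index.html; } }
"""
```

Running `audit(SAMPLE, "example.test")` flags only the `443 ssl default_server` block; a finding there means a validation request that gets redirected to HTTPS will hit the site root instead of the challenge webroot.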