Help renewing with certbot

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: wayne.host

I ran this command: /opt/certbot/certbot-auto renew

It produced this output:

https://mywebsite/.well-known/acme-challenge/RkUGHYZ-**********************
[my ip]: “\r\n401 Authorization
Required\r\n<body
bgcolor=“white”>\r\n

401 Authorization Required</”

My web server is (include version): nginx/1.10.3

The operating system my web server runs on is (include version): Ubuntu 16.04.6 LTS

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.35.1

I’m not sure what nginx settings to modify to allow the renewal past my authentication. I already have the following in my config file:

location ^~ /.well-known/acme-challenge/ {
auth_basic off;
autoindex on;

Can you paste Certbot’s complete output, without editing it?

1 Like

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/wayne.host/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

Hi @mtw145

checking your domain you see the problem ( https://check-your-website.server-daten.de/?q=wayne.host ):

Domainname Http-Status redirect Sec. G
http://wayne.host/
76.240.241.86 301 https://wayne.host/ 0.304 A
https://wayne.host/
76.240.241.86 401 1.750 M
Unauthorized
http://wayne.host/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
76.240.241.86 301 https://wayne.host/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 0.310 A
Visible Content: 301 Moved Permanently nginx
https://wayne.host/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 401 1.257 M
Unauthorized
Visible Content: 401 Authorization Required nginx

You have redirects http -> https.

But your https is blocked - 401.

So

  • remove that 401, "/" should work, /.well-known/acme-challenge/unknown-file should answer with a http status 404 - Not Found (or)
  • remove the redirect http -> https, so only http is used to check the validation file.
1 Like

Really aprecaite the help. I’m very uninformed on this whole topic. Probably why I have this issue in the first place.

" * remove that 401, “/” should work, /.well-known/acme-challenge/unknown-file should answer with a http status 404 - Not Found (or)

  • remove the redirect http -> https, so only http is used to check the validation file."

I’m not exactly how to implement this. Can you be a little more specific?

1 Like

Check your port 80 vHost. There is a redirect http -> https defined. Remove that redirect to create a new certificate.

Can you also paste the first part of Certbot’s output?

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/wayne.host.conf


Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for wayne.host
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification…
Challenge failed for domain wayne.host
http-01 challenge for wayne.host
Cleaning up challenges
Attempting to renew cert (wayne.host) from /etc/letsencrypt/renewal/wayne.host.conf produced an unexpected error: Some challenges have failed… Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/wayne.host/fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/wayne.host/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: wayne.host
    Type: unauthorized
    Detail: Invalid response from
    https://wayne.host/.well-known/acme-challenge/VD9RLjJUEogqvt_jvXPm9c74WHEd84oq9qvk4qSNnbo
    [76.240.241.86]: “\r\n401 Authorization
    Required\r\n<body
    bgcolor=“white”>\r\n<h 1>401 Authorization Required</”

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

Is there no way to only accept certbot renewing on http? I don’t really want to remove the redirect for other traffic.

Then remove the 401 blocking of your https port.

https://wayne.host/ -> same problem 401, so you block the complete traffic.

Currently, you don't have https - traffic, all is blocked.

location ~ /.ht {
deny all;
}

this? I understand what you are saying but don’t know how I am blocking https otherwise.

That blocks fetching the .htaccess -> deny all.

Perhaps you have a blocking command in your .htaccess file if you don't find something in your vHost configuration.

1 Like

I followed the following example:

server {

listen 80 default_server;
listen [::]:80 default_server;

server_name your_dynamic_DNS_address your_server_IP_address;
return 301 https://$server_name$request_uri;

}

server {

# SSL configuration

listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
include /etc/nginx/snippets/strong-ssl.conf;
ssl_certificate /etc/letsencrypt/live/your_dynamic_DNS_address/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/your_dynamic_DNS_address/privkey.pem;

# Root location
root /var/www/html;

# Add index.php to the list if you are using PHP
index index.html index.htm index.nginx-debian.html;

# Basic Auth to protect the site
auth_basic "Restricted";
auth_basic_user_file /etc/nginx/.htpasswd;

# Change the client side error pages (4xx) to prevent some information disclosure
error_page 401 403 404 /404.html;

# First attempt to serve request as file, then as directory,
# then fall back to displaying a 404.

location / {
try_files $uri $uri/ =404;
}

# Deny access to .htaccess files, if Apache's document
# root concurs with nginx's one

location ~ /\.ht {
deny all;
}

# Let's Encrypt Webroot plugin location -- allow access

location ^~ /.well-known/acme-challenge/ {
auth_basic off;
autoindex on;

There

is your blocking rule.

The end looks there is a missing }

And you should create vHosts with explicit server_name values, not default_server.

So one domain (with non-www and www) has one vHost.

1 Like

will adding the vHosts sole the renewing issue?

I don't know. That depends on your configuration.

There

http://wayne.host/.well-known/acme-challenge/1234

is a 401 - Forbidden, so http-01 validation may not work.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.