Help renewing with certbot

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: wayne.host

I ran this command: /opt/certbot/certbot-auto renew

It produced this output:

https://mywebsite/.well-known/acme-challenge/RkUGHYZ-**********************
[my ip]: “\r\n401 Authorization
Required\r\n<body
bgcolor=“white”>\r\n

401 Authorization Required</”

My web server is (include version): nginx/1.10.3

The operating system my web server runs on is (include version): Ubuntu 16.04.6 LTS

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.35.1

I’m not sure what nginx settings to modify to allow the renewal past my authentication. I already have the following in my config file:

location ^~ /.well-known/acme-challenge/ {
    auth_basic off;
    autoindex on;

Can you paste Certbot’s complete output, without editing it?

1 Like

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/wayne.host/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

Hi @mtw145

checking your domain you see the problem ( https://check-your-website.server-daten.de/?q=wayne.host ):

Domainname Http-Status redirect Sec. G
• http://wayne.host/
76.240.241.86 301 https://wayne.host/ 0.304 A
• https://wayne.host/
76.240.241.86 401 1.750 M
Unauthorized
• http://wayne.host/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
76.240.241.86 301 https://wayne.host/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 0.310 A
Visible Content: 301 Moved Permanently nginx
• https://wayne.host/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 401 1.257 M
Unauthorized
Visible Content: 401 Authorization Required nginx

You have redirects http -> https.

But your https is blocked - 401.

So

  • remove that 401, "/" should work, /.well-known/acme-challenge/unknown-file should answer with a http status 404 - Not Found (or)
  • remove the redirect http -> https, so only http is used to check the validation file.
1 Like

Really appreciate the help. I’m very uninformed on this whole topic. Probably why I have this issue in the first place.

" * remove that 401, “/” should work, /.well-known/acme-challenge/unknown-file should answer with a http status 404 - Not Found (or)

  • remove the redirect http -> https, so only http is used to check the validation file."

I’m not exactly sure how to implement this. Can you be a little more specific?

1 Like

Check your port 80 vHost. There is a redirect http -> https defined. Remove that redirect to create a new certificate.

Can you also paste the first part of Certbot’s output?

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/wayne.host.conf


Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for wayne.host
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification…
Challenge failed for domain wayne.host
http-01 challenge for wayne.host
Cleaning up challenges
Attempting to renew cert (wayne.host) from /etc/letsencrypt/renewal/wayne.host.conf produced an unexpected error: Some challenges have failed… Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/wayne.host/fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/wayne.host/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: wayne.host
    Type: unauthorized
    Detail: Invalid response from
    https://wayne.host/.well-known/acme-challenge/VD9RLjJUEogqvt_jvXPm9c74WHEd84oq9qvk4qSNnbo
    [76.240.241.86]: “\r\n401 Authorization
    Required\r\n<body
    bgcolor=“white”>\r\n<h 1>401 Authorization Required</”

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

Is there no way to only accept certbot renewing on http? I don’t really want to remove the redirect for other traffic.

Then remove the 401 blocking of your https port.

https://wayne.host/ -> same problem 401, so you block the complete traffic.

Currently, you don't have https - traffic, all is blocked.

location ~ /.ht {
    deny all;
}

this? I understand what you are saying but don’t know how I am blocking https otherwise.

That blocks fetching the .htaccess -> deny all.

Perhaps you have a blocking command in your .htaccess file if you don't find something in your vHost configuration.

1 Like

I followed the following example:

server {

    listen 80 default_server;
    listen [::]:80 default_server;

    server_name your_dynamic_DNS_address your_server_IP_address;
    return 301 https://$server_name$request_uri;

}

server {

    # SSL configuration

    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    include /etc/nginx/snippets/strong-ssl.conf;
    ssl_certificate /etc/letsencrypt/live/your_dynamic_DNS_address/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/your_dynamic_DNS_address/privkey.pem;

    # Root location
    root /var/www/html;

    # Add index.php to the list if you are using PHP
    index index.html index.htm index.nginx-debian.html;

    # Basic Auth to protect the site
    auth_basic "Restricted";
    auth_basic_user_file /etc/nginx/.htpasswd;

    # Change the client side error pages (4xx) to prevent some information disclosure
    error_page 401 403 404 /404.html;

    # First attempt to serve request as file, then as directory,
    # then fall back to displaying a 404.

    location / {
        try_files $uri $uri/ =404;
    }

    # Deny access to .htaccess files, if Apache's document
    # root concurs with nginx's one

    location ~ /\.ht {
        deny all;
    }

    # Let's Encrypt Webroot plugin location -- allow access

    location ^~ /.well-known/acme-challenge/ {
        auth_basic off;
        autoindex on;

There

is your blocking rule.

At the end, it looks like there is a missing }

And you should create vHosts with explicit server_name values, not default_server.

So one domain (with non-www and www) has one vHost.

1 Like

Will adding the vHosts solve the renewing issue?

I don't know. That depends on your configuration.

There

http://wayne.host/.well-known/acme-challenge/1234

is a 401 - Forbidden, so http-01 validation may not work.

1 Like
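
One way to lay out the two vHosts so that the http-01 request is answered on port 80 without credentials while all other traffic is still redirected and password-protected. This is an added example, not configuration posted by anyone in the thread; `example.test`, the certificate paths and the webroot are placeholders.

```nginx
# Added example. example.test, the certificate paths and /var/www/html
# are placeholders; replace them with the values of the real vHost.

# Port 80: serve ACME http-01 files directly, redirect everything else.
server {
    listen 80;
    listen [::]:80;
    server_name example.test www.example.test;

    # ^~ keeps regex locations from taking over this prefix.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/html;        # must match certbot's webroot path
        default_type text/plain;
        try_files $uri =404;       # unknown token -> 404, not 301 or 401
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

# Port 443: the site stays behind Basic Auth, the challenge path is exempt.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.test www.example.test;

    ssl_certificate     /etc/letsencrypt/live/example.test/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.test/privkey.pem;

    root /var/www/html;

    # Auth at server level, so any location added later is protected by default.
    auth_basic "Restricted";
    auth_basic_user_file /etc/nginx/.htpasswd;

    # Explicit exemption; directory listing (autoindex) is not needed here.
    location ^~ /.well-known/acme-challenge/ {
        auth_basic off;
        default_type text/plain;
        try_files $uri =404;
    }

    location / {
        try_files $uri $uri/ =404;
    }
}
```

After `nginx -t` and a reload, a request for a non-existent file under `/.well-known/acme-challenge/` should return 404 on both ports, which is the result the check quoted in the thread asks for.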
