How can I renew domain


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: api.claudiaotger.com and claudiaotger.com

I ran this command: sudo certbot certonly -n --noninteractive -d api.claudiaotger.com -d claudiaotger.com

It produced this output: Saving debug log to /var/log/letsencrypt/letsencrypt.log
Missing command line flags. For non-interactive execution, you will need to specify a plugin on the command line. Run with '--help plugins' to see a list of options, and see https://eff.org/letsencrypt-plugins for more detail on what the plugins do and how to use them.

My web server is (include version): Ubuntu 16.1

The operating system my web server runs on is (include version): nginx

My hosting provider, if applicable, is: amazon

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no


#2

Hi @otgerpeidro,

Right now you have two separate certificates—one covering www.claudiaotger.com and claudiaotger.com, and the other covering api.claudiaotger.com. When you run certbot certonly, it tries to create a single certificate covering all (and only) the names that you specify with -d. Therefore, Certbot thinks that you want a new certificate covering these names (but not www.claudiaotger.com), rather than to renew your 2 previous certificates. It’s then complaining that your use of --noninteractive prevents it from asking questions that it needs to know about how to obtain the new certificate.

Is this the same server where you previously obtained these certificates? If so, you should just be able to run certbot renew, which is the intended way to renew certificates. If the renewal fails for some reason, it will give a more specific explanation of why they couldn’t be renewed.


#3

Hi @schoen

I got this error message:

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/api.claudiaotger.com.conf

Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for api.claudiaotger.com
Waiting for verification…
Cleaning up challenges
Unable to clean up challenge directory /home/node/formclaudiaotger/.well-known/acme-challenge
Attempting to renew cert (api.claudiaotger.com) from /etc/letsencrypt/renewal/api.claudiaotger.com.conf produced an unexpected error: Failed authorization procedure. api.claudiaotger.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://api.claudiaotger.com/.well-known/acme-challenge/J3CM7LOL4482wPagxSN50dkraBx8Mk8Hb3ocl7vQWbM: "

404 Not Found

404 Not Found


". Skipping.

Processing /etc/letsencrypt/renewal/claudiaotger.com.conf

Cert not yet due for renewal


Processing /etc/letsencrypt/renewal/www.claudiaotger.com.conf

Cert not yet due for renewal
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/api.claudiaotger.com/fullchain.pem (failure)


The following certs are not due for renewal yet:
/etc/letsencrypt/live/claudiaotger.com/fullchain.pem (skipped)
/etc/letsencrypt/live/www.claudiaotger.com/fullchain.pem (skipped)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/api.claudiaotger.com/fullchain.pem (failure)

1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:


#4

Great, that’s a more useful error message. (If the certificates were set up to auto-renew, this is probably also what’s been happening and preventing the renewal from working.)

Could you take a look at the contents of the files /etc/letsencrypt/renewal/api.claudiaotger.com.conf and /etc/letsencrypt/renewal/www.claudiaotger.com.conf? They should specify a webroot directory somewhere. Can you see if that directory still corresponds to where website content for each of these sites would be placed?


#5

Hi @schoen,

If I try the same command as when I created the certificate, www.claudiaotger.com is renewed, but for api.claudiaotger.com
I ran this command:
sudo certbot certonly --webroot --webroot-path=/home/node/formclaudiaotger -d api.claudiaotger.com
It was the same as when I created it.
I got this error message:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for api.claudiaotger.com
Using the webroot path /home/node/formclaudiaotger for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Unable to clean up challenge directory /home/node/formclaudiaotger/.well-known/acme-challenge
Failed authorization procedure. api.claudiaotger.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://api.claudiaotger.com/.well-known/acme-challenge/lzZ4ZbiWJqDfjfjuDgemu74yc_LGLaAF5boL-SDBOv8: "

404 Not Found

404 Not Found


"

IMPORTANT NOTES:


#6

If you create a file /home/node/formclaudiaotger/test.txt, can you see it at http://api.claudiaotger.com/test.txt?


#7

Hi @schoen,

In the /etc/letsencrypt/renewal/api.claudiaotger.com.conf file I have this:

renew_before_expiry = 30 days

version = 0.19.0
archive_dir = /etc/letsencrypt/archive/api.claudiaotger.com
cert = /etc/letsencrypt/live/api.claudiaotger.com/cert.pem
privkey = /etc/letsencrypt/live/api.claudiaotger.com/privkey.pem
chain = /etc/letsencrypt/live/api.claudiaotger.com/chain.pem
fullchain = /etc/letsencrypt/live/api.claudiaotger.com/fullchain.pem

# Options used in the renewal process

[renewalparams]
authenticator = webroot
installer = None
account = c5e85c08c6bc34d53494f13f044c0be7
webroot_path = /home/node/formclaudiaotger,
[[webroot_map]]
api.claudiaotger.com = /home/node/formclaudiaotger


#8

If I go to https://api.claudiaotger.com/test.txt

I got 404

Not Found


#9

This is also progress in understanding the problem. :slight_smile:

How did you choose /home/node/formclaudiaotger as the webroot directory originally? Was it ever possible to put files in there and have them show up on the site? Did the site configuration change to redirect the content to some kind of web application after the site was originally set up? Is there still some place where you could put files in order to have their content appear on the site?


#10

In the nginx config file I have this:

server {
    listen 80;
    listen [::]:80;
    server_name api.claudiaotger.com;
    return 301 https://api.claudiaotger.com$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name api.claudiaotger.com;

    # path to the certificates
    ssl_certificate /etc/letsencrypt/live/api.claudiaotger.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/api.claudiaotger.com/privkey.pem;

    # folder where it should look for the files
    root /home/node/formclaudiaotger;

    # default file to load
    index index.ejs;

    # location for the Let's Encrypt check
    location ~ /.well-know {
        allow all;
    }

    # if a URL / is requested, we send the request to the nodeform app
    location / {
        proxy_set_header Host $http_host;
        proxy_pass http://127.0.0.1:3000/;
        proxy_redirect off;
    }
}

I think everything is correct and it was working until today


#11

Yes, the nodeform proxy_pass is part of the reason that this isn’t working. But you do have an exception to that for Let’s Encrypt:

This should be /.well-known instead of /.well-know — can you try changing that?


#12

I have to wait… I got this error message lol

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Cert is due for renewal, auto-renewing…
Renewing an existing certificate
An unexpected error occurred:
There were too many requests of a given type :: Error creating new authz :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/
Please see the logfiles in /var/log/letsencrypt for more details.


#13

Oops! That will reset in one hour.


#14

“location ~ /.well-know” is a regular expression, so it will match /.well-known/ (and other things).

I’m not sure what’s wrong.

What’s in Nginx’s error.log?
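
The point made in post #14 about the unanchored regular expression, as an added example that is not part of the thread: a simplified Python model of nginx's documented location selection, applied to the two locations in the posted server block. The `TIGHT` variant and the sample URIs are constructed for illustration and are assumptions, not configuration from the thread.

```python
import re

# Locations from the posted api.claudiaotger.com server block, as
# (modifier, pattern): "~" is a case-sensitive regex, "" a plain prefix.
POSTED = [("~", r"/.well-know"), ("", "/")]
# Tightened variant (assumption, not from the thread): a "^~" prefix that
# covers only the ACME challenge directory.
TIGHT = [("^~", "/.well-known/acme-challenge/"), ("", "/")]


def select_location(locations, uri):
    """Return the (modifier, pattern) nginx would pick for a request URI.

    Simplified model of the documented order: exact match (=) first, then the
    longest matching prefix; if that prefix carries ^~ it wins, otherwise regex
    locations are tried in file order and the first match wins, falling back
    to the longest prefix. Nested and named locations are not modelled.
    """
    for mod, pat in locations:
        if mod == "=" and uri == pat:
            return (mod, pat)
    prefixes = [(m, p) for m, p in locations
                if m in ("", "^~") and uri.startswith(p)]
    best = max(prefixes, key=lambda mp: len(mp[1]), default=None)
    if best and best[0] == "^~":
        return best
    for mod, pat in locations:
        # nginx regex locations are unanchored, hence search() not match()
        if mod == "~" and re.search(pat, uri):
            return (mod, pat)
        if mod == "~*" and re.search(pat, uri, re.IGNORECASE):
            return (mod, pat)
    return best


def served_from_root(locations, uri):
    """True when the URI is answered from `root` instead of the proxy in `/`."""
    picked = select_location(locations, uri)
    return picked is not None and picked != ("", "/")


if __name__ == "__main__":
    # Constructed sample requests
    for uri in ("/.well-known/acme-challenge/TOKEN", "/test.txt",
                "/docs/awell-knowledge"):
        print(uri, served_from_root(POSTED, uri), served_from_root(TIGHT, uri))
```

Under the posted configuration, /test.txt is handled by `location /` and proxied to the app on port 3000, so a 404 for that file comes from the app rather than from the webroot directory.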


#15

Hi @schoen

I renewed my certificates yesterday. But the domain is still throwing a certificate error message. How long does it take to renew them? Or maybe something is wrong.

The one that throws the error is api.claudiaotger.com

Thanks in advance.


#16

Did you reload/restart nginx?


#17

Hi @sahsanu,

I haven’t. I did and it works! lol

Thanks
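
The situation in posts #15 to #17 (certificate renewed on disk, server still presenting the old one until nginx is reloaded) can be checked directly. This is an added example, not part of the thread; it compares the certificate in the `cert.pem` path shown in the renewal configuration with the one the running server presents, using only the Python standard library.

```python
import hashlib
import socket
import ssl

PEM_END = "-----END CERTIFICATE-----"


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()


def load_leaf_der(pem_path: str) -> bytes:
    """Read the first certificate in a PEM file (cert.pem or fullchain.pem)."""
    with open(pem_path, encoding="ascii") as fh:
        text = fh.read()
    first = text[: text.index(PEM_END) + len(PEM_END)].strip()
    return ssl.PEM_cert_to_DER_cert(first)


def fetch_served_der(host: str, port: int = 443, timeout: float = 10.0) -> bytes:
    """Fetch the leaf certificate the server presents. Validation is turned
    off on purpose so that an expired certificate can still be inspected."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def needs_reload(disk_der: bytes, served_der: bytes) -> bool:
    """True when the server presents a different certificate than the one
    certbot wrote to disk, i.e. the renewal has not been picked up yet."""
    return fingerprint(disk_der) != fingerprint(served_der)


if __name__ == "__main__":
    host = "api.claudiaotger.com"  # host and path as given in the thread
    disk = load_leaf_der(f"/etc/letsencrypt/live/{host}/cert.pem")
    served = fetch_served_der(host)
    if needs_reload(disk, served):
        print("server still presents the old certificate: reload nginx")
    else:
        print("served certificate matches the one on disk")
```

Reading the files under /etc/letsencrypt/live normally requires root. Certbot's `--deploy-hook` option can run the reload command after each successful renewal so that this state does not occur.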

