How do I renew my certificate?

Yeah, I know, it obviously gets trumped at the Hitron router.

OK, so I need to turn off DHCP on the Hitron external router and then hardcode the Linksys router IP to 192.168.0.12, right?

I can't find where to code the IP onto the Linksys router though… oh OK, I found this when I change it to Static IP:

But is this correct? I will turn off DHCP on the Hitron external router, and therefore tell the internal Linksys router to use that fixed local IP.

Can I make a small suggestion that you take this to a Linksys forum?

It seems that your challenge is a network configuration issue, and most of the last posts have been about network setup rather than certificate issuance.

@rg305 has pointed you to what you need to configure and test from a network point of view to obtain certificates. Once this is done and working, if things are still not going as expected and it's not a Linksys router issue but rather a client issue, then add a new post.

Andrei


Hi guys,

I was able to get the public ip thing sorted out. Here is what I get now:

Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for butler.santiapps.com
Waiting for verification...
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/butler.santiapps.com.conf produced an unexpected error: Failed authorization procedure. butler.santiapps.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://butler.santiapps.com/.well-known/acme-challenge/f8p4AFomcssg7mk-gs-qn-vwX9q8AxFr_-uglpfJ_BE: "<html>
<head><title>502 Bad Gateway</title></head>
<body bgcolor="white">
<center><h1>502 Bad Gateway</h1></center>
<hr><cen". Skipping.

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/butler.santiapps.com/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: butler.santiapps.com
   Type:   unauthorized
   Detail: Invalid response from
   http://butler.santiapps.com/.well-known/acme-challenge/f8p4AFomcssg7mk-gs-qn-vwX9q8AxFr_-uglpfJ_BE:
   "<html>
   <head><title>502 Bad Gateway</title></head>
   <body bgcolor="white">
   <center><h1>502 Bad Gateway</h1></center>
   <hr><cen"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

Do you know which device is returning the 502 error?

No, how do I identify that?

I’m not sure—maybe look at error log files on each device?

OK, I just ran a test now and I got this in www/butler.santiapps.com/logs/error.log:

2017/05/11 16:24:09 [error] 536#0: *5 connect() failed (113: No route to host) while connecting to upstream, client: 54.159.203.187, server: butler.santiapps.com, request: $
2017/05/11 16:24:09 [error] 536#0: *5 open() "/www/butler.santiapps.com/aism/50x.html" failed (2: No such file or directory), client: 54.159.203.187, server: butler.santiap$
2017/05/11 16:37:40 [error] 536#0: *7 connect() failed (113: No route to host) while connecting to upstream, client: 54.224.155.160, server: butler.santiapps.com, request: $
2017/05/11 16:37:40 [error] 536#0: *7 open() "/www/butler.santiapps.com/aism/50x.html" failed (2: No such file or directory), client: 54.224.155.160, server: butler.santiap$
2017/07/24 21:08:37 [error] 537#0: *3 connect() failed (111: Connection refused) while connecting to upstream, client: 139.162.113.204, server: butler.santiapps.com, reques$
2017/07/24 21:08:37 [error] 537#0: *3 open() "/www/butler.santiapps.com/50x.html" failed (2: No such file or directory), client: 139.162.113.204, server: butler.santiapps.c$
2017/07/25 04:50:49 [error] 537#0: *56 connect() failed (111: Connection refused) while connecting to upstream, client: 74.82.47.2, server: butler.santiapps.com, request: "$
2017/07/25 04:50:49 [error] 537#0: *56 open() "/www/butler.santiapps.com/50x.html" failed (2: No such file or directory), client: 74.82.47.2, server: butler.santiapps.com, $
2017/07/25 07:38:20 [error] 537#0: *68 connect() failed (111: Connection refused) while connecting to upstream, client: 185.35.63.147, server: butler.santiapps.com, request$
2017/07/25 07:38:20 [error] 537#0: *68 open() "/www/butler.santiapps.com/50x.html" failed (2: No such file or directory), client: 185.35.63.147, server: butler.santiapps.co$

I don’t think that’s the right device (or else that log isn’t very detailed).

Edit: Well, it does seem potentially related to a 502 error but it’s still not very detailed.

That's the Raspberry Pi device. It's on an nginx server… I'm checking 192.168.1.53 (the Pi) from the browser and I get HTTP 500 Internal Server Error.

Yup, was about to say, that's definitely an nginx log complaining about the fact that it's got some proxy_pass or upstream directive, often seen with uWSGI setups (e.g. Django). You need to fix your nginx config. A common problem with this, if you're using named pipes for your upstream, is SELinux blocking access to the pipe. However, I think that usually comes up as permission denied. I'd need to see the rest of the truncated log lines to be sure, but I'm guessing you're connecting over some network address to a service that doesn't want to talk to nginx's requests as passed along from Let's Encrypt.

At the very least, you should be able to set up a server block for location /.well-known/acme-challenge pointing to a directory instead of upstream.
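As an added example (not the poster's configuration and not from the thread), this is what that suggestion looks like: a port-80 server block that answers the ACME challenge path from a local directory and only proxies everything else. The webroot and the upstream address are assumptions modelled on the values mentioned in this thread.

```nginx
# Added example: serve http-01 challenges from disk so certificate
# renewal never depends on the proxied application being reachable.
server {
    listen 80;
    listen [::]:80;
    server_name butler.santiapps.com;

    # Certbot drops the token file here when run with
    # --webroot -w /www/butler.santiapps.com (path assumed).
    # ^~ makes this prefix win over the proxied location / below.
    location ^~ /.well-known/acme-challenge/ {
        root /www/butler.santiapps.com;
        default_type "text/plain";
        try_files $uri =404;
    }

    # Everything else still goes to the application upstream.
    location / {
        proxy_pass http://192.168.1.53:80;   # upstream address assumed
        proxy_http_version 1.1;
        proxy_set_header Host $host;
    }
}
```

Validate with `nginx -t` and reload, then confirm that a test file placed under /www/butler.santiapps.com/.well-known/acme-challenge/ is returned over plain HTTP from outside your network before re-running certbot.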

OK:

  1. I followed a tutorial for setting up nginx from a hosting provider (DigitalOcean, I think), so that's probably why you mentioned Django.
  2. I don't know what named pipes are.

OK, here is my config file:

    server {
        listen 80;
        listen [::]:80;
        server_name butler.santiapps.com;

        root /www/butler.santiapps.com;
        index index.php index.html index.htm;
        error_page 404 /404.html;
        error_page 500 502 503 504 /50x.html;

        # Error & Access logs
        error_log /www/butler.santiapps.com/logs/error1.log error;
        access_log /www/butler.santiapps.com/logs/access1.log;

        location / {
            index index.html index.php default.html;
            proxy_pass http://192.168.1.53:80;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection 'upgrade';
            proxy_set_header Host $host;
            proxy_cache_bypass $http_upgrade;
        }
    }

    server {
        listen 443 ssl;
        listen [::]:443 ssl;
        server_name butler.santiapps.com;

        ssl_certificate          /etc/letsencrypt/live/butler.santiapps.com/fullchain.pem;
        ssl_certificate_key      /etc/letsencrypt/live/butler.santiapps.com/privkey.pem;

        root /www/butler.santiapps.com;
        index index.php index.html index.htm;
        error_page 404 /404.html;
        error_page 500 502 503 504 /50x.html;

        # Error & Access logs
        error_log /www/butler.santiapps.com/logs/error.log error;
        access_log /www/butler.santiapps.com/logs/access.log;

        location / {
            index index.html index.php;
            proxy_pass http://192.168.1.53:443;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection 'upgrade';
            proxy_set_header Host $host;
            proxy_cache_bypass $http_upgrade;
        }
    }

Uhh, did you pull that configuration from the Raspberry Pi running on 192.168.1.53? It looks like you’re trying to reverse proxy this connection in a circle. That proxy_pass line tells nginx to forward all requests along to 192.168.1.53, which it seems from what I’ve read so far (correct me if I’m wrong) is the same IP that this instance of nginx is running from. Do you know why you’re trying to forward these connections to itself? It seems nginx may be calling shenanigans on this loop and refusing the connection.

Well, I actually just added the port 80 lines; I removed them and now port 80 works:

I re-ran certbot command and it worked:

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/butler.santiapps.com/fullchain.pem (success)

thanks!


Glad we got this fixed up for you!
