Hi all,
I am having a problem renewing my certificate using letsencrypt.
I am using nginx as a reverse proxy web server. I previously managed to create a certificate but after 90 days the certificate did not renew automatically.
I ran this command:
sudo certbot renew
It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/portal.test.feenix.co.nz.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for portal.test.feenix.co.nz
Waiting for verification...
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/portal.test.feenix.co.nz.conf produced an unexpected error: Failed authorization procedure. portal.test.feenix.co.nz (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://portal.test.feenix.co.nz/.well-known/acme-challenge/1pBpu2o7Vld_hXIk7qbQHwTmHISyKdpgCMrtUGVBXh0: "<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>". Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/portal.test.feenix.co.nz/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: portal.test.feenix.co.nz
Type: unauthorized
Detail: Invalid response from
http://portal.test.feenix.co.nz/.well-known/acme-challenge/1pBpu2o7Vld_hXIk7qbQHwTmHISyKdpgCMrtUGVBXh0:
"<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address.
My web server is (include version):
nginx/1.6.2
The operating system my web server runs on is (include version):
Debian Jessie 8
Any help would be greatly appreciated
Thanks
Ahmad
Could you take a look in the file /etc/letsencrypt/renewal/portal.test.feenix.co.nz.conf? It should define a webroot directory. Can you see whether that is still the correct directory that files for your website’s content are being served from? If your website configuration has changed to serve files from a different directory since you obtained the certificate, that directory would need to be updated in the configuration.
Thanks for your reply, I have opened that file and it does have the webroot correctly. However, that webroot directory exists on a different server than the one where the certificate is generated from. I am using nginx as the proxy web server so I am not sure if that is a problem when renewing the certificate?
Yes, certbot --webroot (including a renewal of a certificate generated this way) needs to be able to write files into the webroot so that they appear on the site. There are ways to use proxies and/or HTTP redirection to work around this if it's not possible to run Certbot directly on the web server, but the validator ultimately needs to be able to find the challenge file when making an inbound connection to the web server.
That is, if you want to renew your certificate for portal.test.feenix.co.nz, the certificate authority is going to effectively say "you need to put this specific data in a file called /.well-known/acme-challenge/PMond0zCInJLX0Zrie" (or whatever—the exact filename will be random and different each time). Then it's going to connect to http://portal.test.feenix.co.nz/.well-known/acme-challenge/PMond0zCInJLX0Zrie, and it expects what it gets back to ultimately be or lead it to the specific data. You can achieve this by running Certbot on the web server and letting it write into the web content directory, or by proxying requests so that they get forwarded to another machine, or by manually copying this file into the right place every time you renew the certificate, or by returning a 301 redirect to an equivalent file on a different web server... but one way or another, the certificate authority needs to find the specified data in response to a request to that URL.
Hi Schoen, thanks for your help. I have fixed it by configuring my nginx file.
I had to change the location of the webroot to point to the local web server rather than proxy it to the upstream servers.
If anyone is reading this just add this to your site nginx file :
location ~ /.well-known/acme-challenge {
root /pathToYourlLocalWebrootDirectory;
allow all;
}