Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel): secondarycities.geonode.state.gov
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for secondarycities.geonode.state.gov
Using default address 80 for authentication.
Waiting for verification...
Challenge failed for domain secondarycities.geonode.state.gov
http-01 challenge for secondarycities.geonode.state.gov
Cleaning up challenges
Some challenges have failed.
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
My web server is (include version): NGINX 1.14
The operating system my web server runs on is (include version): Ubuntu 18.04
My hosting provider, if applicable, is: AWS
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.8.0
I was able to retrieve new certs for this site a few months ago, but I am not sure why I cannot now. I have updated Certbot to the latest version, but it is still not working. I can still access my site using http, and also https://letsdebug.net/ says my site is OK.
When I run this command: sudo nginx -T | grep -Ri 'server_name|root|virtual|listen' /etc/nginx
This is the output:
grep: /etc/nginx/sites-enabled/default: No such file or directory
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
I don't know how to debug this, thanks in advance.
Thank you for taking a look Griffin. I might have been debugging at the same time you were. What I ended up doing to fix my problem was shutting down NGINX temporarily and then retrieving the certificates using the standalone command (https://certbot.eff.org/docs/using.html#standalone):
sudo certbot certonly --standalone
This was able to successfully retrieve my certificates for me, and then I copied them over to where my NGINX docker container looks for them. Then I started NGINX again and everything works fine!
I'm still not sure why I got the error using the nginx plug-in: sudo certbot certonly --nginx
I think when I have more time I can look at the certbot renew command, adding a pre-hook to stop NGINX and a post-hook to start NGINX, so I can renew the certs automatically in the future.
I think the problem may be a conflict in how the web server is installed on Ubuntu.
The server response was "openresty/1.15.8", but you listed nginx as "1.14".
How did you install openresty? The first three numbers of openresty releases are pegged to nginx releases (i.e. openresty 1.15.8 is built on top of the nginx 1.15.8 release).
Not knowing anything about your setup, the likely causes:
you have both OpenResty and Nginx installed
your OpenResty install is not using the standard nginx configuration file structure
An option without downtime:
have nginx/resty proxy the ./well-known directories to a higher port -- like 8080
invoke certbot in standalone, and specify the higher http port
add a post-hook script to kill -HUP the nginx/resty service; that will cause it to reload with the new certs
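The no-downtime option described in the reply above, sketched as an added example; it is not configuration from the thread or from the poster's server. Assumptions: example.org stands in for the real domain, 8080 is a free local port, certbot runs where the proxy can reach it at 127.0.0.1, and the pid file path is a placeholder for wherever the nginx/OpenResty master writes its pid.

```nginx
# Added example (assumed names: example.org, port 8080).
server {
    listen 80;
    server_name example.org;

    # Forward only ACME http-01 validation requests to certbot's standalone
    # listener. "^~" keeps regex locations from matching this path first.
    # If the proxy runs in a container, replace 127.0.0.1 with an address
    # at which the container can reach the host running certbot.
    location ^~ /.well-known/acme-challenge/ {
        proxy_pass http://127.0.0.1:8080;
    }

    # ... existing locations for the site stay unchanged ...
}

# With the proxy reloaded, certbot binds 8080 instead of 80, so the web
# server keeps running during issuance and renewal:
#
#   sudo certbot certonly --standalone --http-01-port 8080 -d example.org \
#       --post-hook 'kill -HUP "$(cat /run/nginx.pid)"'
#
# /run/nginx.pid is an assumed path. For a containerized server the
# equivalent signal is: docker kill --signal=HUP CONTAINER_NAME
# (CONTAINER_NAME is a placeholder).
```

While certbot is not running, requests under that path get a 502 from the proxy, which affects nothing else on the site.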
Thanks griffin and jvanasco. Yes, I have OpenResty installed. It was originally installed by someone else who set up the application, and it is installed in its own docker container. In the past there were problems renewing the certificates, and I did not know how to use OpenResty.
This was a while ago, and I forgot exactly what I did to circumvent the issue. I think I installed NGINX outside of docker in the Ubuntu OS so I could retrieve new certificates, and I manually copied them to the directory where the OpenResty/NGINX container looks for the certs.