I could not renew my certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: mail.truememorytechnology.com

I ran this command:
/opt/eff.org/certbot/venv/bin/certbot --nginx --http-01-port 8088 -d mail.truememorytechnology.com
It produced this output:
/opt/eff.org/certbot/venv/bin/certbot --nginx --http-01-port 8088 -d mail.truememorytechnology.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Cert is due for renewal, auto-renewing...
Renewing an existing certificate for mail.truememorytechnology.com
Performing the following challenges:
http-01 challenge for mail.truememorytechnology.com
Waiting for verification...
Challenge failed for domain mail.truememorytechnology.com
http-01 challenge for mail.truememorytechnology.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

My web server is (include version):
nginx/1.14.1
The operating system my web server runs on is (include version):
NAME="Amazon Linux AMI"
VERSION="2018.03"
ID="amzn"
ID_LIKE="rhel fedora"
VERSION_ID="2018.03"
PRETTY_NAME="Amazon Linux AMI 2018.03"
ANSI_COLOR="0;33"
CPE_NAME="cpe:/o:amazon:linux:2018.03:ga"
HOME_URL="AWS | Amazon Linux AMI"

My hosting provider, if applicable, is:
AWS
I can login to a root shell on my machine (yes or no, or I don't know):
Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
Yes
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.10.1

I would like to add additional information.
My nginx configuration is the following:

nginx -T
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

user nginx;

worker_processes auto;
error_log /var/log/nginx/error.log;
pid /var/run/nginx.pid;

include /usr/share/nginx/modules/*.conf;

events {
worker_connections 768;
}

http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';

access_log  /var/log/nginx/access.log  main;

sendfile            on;
tcp_nopush          on;
tcp_nodelay         on;
keepalive_timeout   65;
types_hash_max_size 2048;

include             /etc/nginx/mime.types;
default_type        application/octet-stream;



# Load modular configuration files from the /etc/nginx/conf.d directory.
# See http://nginx.org/en/docs/ngx_core_module.html#include
# for more information.
include /etc/nginx/conf.d/*.conf;

index   index.html index.htm;

server {

    server_name  mail.truememorytechnology.com;
    access_log   /var/log/nginx/mail.truememorytechnology.com.access.log;
    error_log    /var/log/nginx/mail.truememorytechnology.com.error.log debug;

    root /usr/local/vimbadmin/public;
    index index.php;
    location / {
       try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        try_files $uri =404;

        include fastcgi.conf;

        fastcgi_pass 127.0.0.1:9000;

     }
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/mail.truememorytechnology.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/mail.truememorytechnology.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

server {
listen 8088;
server_name mail.truememorytechnology.com; # _;

 location /.well-known/acme-challenge {
       default_type "text/plain";
       root /var/www/letsencrypt;
  }
  location / {
      return 301 https://$host$request_uri;
  }

}

HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP;

}

types {
text/html html htm shtml;
text/css css;
text/xml xml;
image/gif gif;
image/jpeg jpeg jpg;
application/javascript js;
application/atom+xml atom;
application/rss+xml rss;

text/mathml                                      mml;
text/plain                                       txt;
text/vnd.sun.j2me.app-descriptor                 jad;
text/vnd.wap.wml                                 wml;
text/x-component                                 htc;

image/png                                        png;
image/svg+xml                                    svg svgz;
image/tiff                                       tif tiff;
image/vnd.wap.wbmp                               wbmp;
image/webp                                       webp;
image/x-icon                                     ico;
image/x-jng                                      jng;
image/x-ms-bmp                                   bmp;

application/font-woff                            woff;
application/java-archive                         jar war ear;
application/json                                 json;
application/mac-binhex40                         hqx;
application/msword                               doc;
application/pdf                                  pdf;
application/postscript                           ps eps ai;
application/rtf                                  rtf;
application/vnd.apple.mpegurl                    m3u8;
application/vnd.google-earth.kml+xml             kml;
application/vnd.google-earth.kmz                 kmz;
application/vnd.ms-excel                         xls;
application/vnd.ms-fontobject                    eot;
application/vnd.ms-powerpoint                    ppt;
application/vnd.oasis.opendocument.graphics      odg;
application/vnd.oasis.opendocument.presentation  odp;
application/vnd.oasis.opendocument.spreadsheet   ods;
application/vnd.oasis.opendocument.text          odt;
application/vnd.openxmlformats-officedocument.presentationml.presentation
                                                 pptx;
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
                                                 xlsx;
application/vnd.openxmlformats-officedocument.wordprocessingml.document
                                                 docx;
application/vnd.wap.wmlc                         wmlc;
application/x-7z-compressed                      7z;
application/x-cocoa                              cco;
application/x-java-archive-diff                  jardiff;
application/x-java-jnlp-file                     jnlp;
application/x-makeself                           run;
application/x-perl                               pl pm;
application/x-pilot                              prc pdb;
application/x-rar-compressed                     rar;
application/x-redhat-package-manager             rpm;
application/x-sea                                sea;
application/x-shockwave-flash                    swf;
application/x-stuffit                            sit;
application/x-tcl                                tcl tk;
application/x-x509-ca-cert                       der pem crt;
application/x-xpinstall                          xpi;
application/xhtml+xml                            xhtml;
application/xspf+xml                             xspf;
application/zip                                  zip;

application/octet-stream                         bin exe dll;
application/octet-stream                         deb;
application/octet-stream                         dmg;
application/octet-stream                         iso img;
application/octet-stream                         msi msp msm;

audio/midi                                       mid midi kar;
audio/mpeg                                       mp3;
audio/ogg                                        ogg;
audio/x-m4a                                      m4a;
audio/x-realaudio                                ra;

video/3gpp                                       3gpp 3gp;
video/mp2t                                       ts;
video/mp4                                        mp4;
video/mpeg                                       mpeg mpg;
video/quicktime                                  mov;
video/webm                                       webm;
video/x-flv                                      flv;
video/x-m4v                                      m4v;
video/x-mng                                      mng;
video/x-ms-asf                                   asx asf;
video/x-ms-wmv                                   wmv;
video/x-msvideo                                  avi;

}

upstream php-fpm {
server unix:/var/run/php-fpm/www.sock;
}

fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;

fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param REQUEST_SCHEME $scheme;
fastcgi_param HTTPS $https if_not_empty;

fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;

fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;

fastcgi_param REDIRECT_STATUS 200;

ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;

ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;

ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";

[root@mail ec2-user]#

Some extra information:
my server passed LetsDebug
I looked at the letsencrypt.log file and the latest record has the following information:
"challenges": [
{
"type": "http-01",
"status": "invalid",
"error": {
"type": "urn:ietf:params:acme:error:unauthorized",
"detail": "34.217.227.124: Invalid response from http://mail.truememorytechnology.com/.well-known/acme-challenge/wY4kzCaetpklo7dxOf2HiTU_vGMK-f65naEgFMZVzi8: 404",
"status": 403
},
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/359420037467/krwWnw",
"token": "wY4kzCaetpklo7dxOf2HiTU_vGMK-f65naEgFMZVzi8",
"validationRecord": [
{
"url": "http://mail.truememorytechnology.com/.well-known/acme-challenge/wY4kzCaetpklo7dxOf2HiTU_vGMK-f65naEgFMZVzi8",
"hostname": "mail.truememorytechnology.com",
"port": "80",
"addressesResolved": [
"34.217.227.124"
],
"addressUsed": "34.217.227.124"
}
],
"validated": "2024-06-04T04:59:58Z"
}
I ran a command that uses a connection challenge on port 8088, but the log shows port 80 in the "validationRecord" above. Port 80 is used by another service.

Please note that this is a LOCAL option only. Mostly for situations where external port 80 is mapped to a different port internally.

Mandated by the Baseline Requirements, the http-01 challenge will ALWAYS connect to TCP port 80.

I used port 8088 for the http-01 challenge until today. Are there any new requirements? What do I need to do to solve the issue? Do I need to reassign port 80 exclusively for certbot?

Your option for port 8088 should still work as long as you route the incoming HTTP request arriving on port 80 to your nginx on port 8088.

Have you changed anything in your port forwarding or network handling of such incoming requests?


Thanks, that was the problem. I forgot to save iptables after the changes. After rebooting the VM I got the problem. It is fixed already with your help. Much appreciated.

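One way to install, persist and check the port-80-to-8088 redirect that the replies above describe, as an added example (not code from the thread, from certbot or from nginx); the HTTP01_PORT variable, the /etc/sysconfig/iptables fallback and the probe URL in the comment are assumptions:

```shell
#!/bin/sh
# Added example (not from the thread): the http-01 validator always connects
# to TCP/80, so --http-01-port 8088 only works when inbound port 80 is
# redirected to 8088 locally, and the rule must survive a reboot.
set -u
HTTP01_PORT="${HTTP01_PORT:-8088}"   # assumed variable, matches the thread's port

# Pure check used for verification: reads an iptables-save dump on stdin and
# succeeds only if the nat PREROUTING chain redirects --dport 80 to port $1.
# The space after "80" keeps a rule for "--dport 8088" from matching.
has_redirect_rule() {
  grep -Eq -- "^-A PREROUTING .*-p tcp .*--dport 80 .*-j REDIRECT --to-ports $1\$"
}

# The rule arguments, built in one place so add/check/delete cannot drift.
redirect_rule_args() {
  printf '%s' "PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports $1"
}

# Add the rule only if absent (running this twice must not duplicate it), then
# persist it. Amazon Linux AMI's iptables init script writes
# /etc/sysconfig/iptables on "save"; the iptables-save fallback is an assumption
# for hosts without that script.
apply_redirect() {
  port="$1"
  if iptables-save -t nat | has_redirect_rule "$port"; then
    echo "redirect 80 -> $port already present"
  else
    # shellcheck disable=SC2046  (word splitting of the rule string is intended)
    iptables -t nat -A $(redirect_rule_args "$port")
    echo "added redirect 80 -> $port"
  fi
  service iptables save 2>/dev/null || iptables-save > /etc/sysconfig/iptables
}

# PREROUTING only sees packets arriving on an interface, so a curl from the
# host itself bypasses the redirect. Probe from another machine, e.g.:
#   curl -sI http://mail.truememorytechnology.com/.well-known/acme-challenge/probe
# and expect the answer to come from the nginx server block on $HTTP01_PORT.

case "${1:-}" in
  apply) apply_redirect "$HTTP01_PORT" ;;
  check) iptables-save -t nat | has_redirect_rule "$HTTP01_PORT" \
           && echo "redirect to $HTTP01_PORT present" \
           || { echo "no redirect rule: http-01 on port 80 will fail" >&2; exit 1; } ;;
esac
```

Run `sh script.sh apply` as root after a reboot that lost the rules, and `sh script.sh check` from cron or a renewal pre-hook to catch the same regression before certbot does.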
