I'm still not able to renew certificate

Someone tried to help me here yesterday but I'm still having trouble with this.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/www.beehaw.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for beehaw.org and www.beehaw.org

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Domain: www.beehaw.org
  Type:   unauthorized
  Detail: Invalid response from https://beehaw.org [137.184.145.108]: "\n           <!DOCTYPE html>\n           <html  lang=\"en\">\n           <head>\n           <script>window.isoData = {\"path\":\"\\u002F\","

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Failed to renew certificate www.beehaw.org with error: Some challenges have failed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/www.beehaw.org/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

$ curl -IL www.beehaw.org/.well-known/acme-challenge/test
HTTP/1.1 302 Found
Server: nginx
Date: Fri, 15 Apr 2022 16:48:06 GMT
Connection: keep-alive
Location: https://beehaw.org
X-Served-By: Namecheap URL Forward

HTTP/2 200 
server: nginx
date: Fri, 15 Apr 2022 16:48:07 GMT
content-type: text/html; charset=utf-8
content-length: 294057
vary: Accept-Encoding
x-powered-by: Express
etag: W/"47ca9-2VSchF/+CqicOAUj5Gg1cvQN5CU"
strict-transport-security: max-age=63072000
referrer-policy: same-origin
x-content-type-options: nosniff
x-frame-options: DENY
x-xss-protection: 1; mode=block

You should probably point your domain directly to your server instead of using the namecheap thingy.

1 Like

Why? Would this somehow let me renew the certificate?

No, but it will let certbot answer directly instead of relying on a half-broken redirect.

It will probably work.

1 Like
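Why the forwarder breaks validation, as an added example (not part of the original thread and not Certbot code): the validation request follows the 302 seen in the curl output, the forward drops the `/.well-known/acme-challenge/` path, and the site's HTML home page comes back instead of a challenge response. The sketch below audits a `curl -sIL` header dump for that pattern; the function names and the abbreviated sample are constructed for illustration.

```python
from urllib.parse import urljoin, urlsplit

# Constructed sample: `curl -sIL` header dump, abbreviated from the output in this thread.
SAMPLE = """\
HTTP/1.1 302 Found
Server: nginx
Location: https://beehaw.org
X-Served-By: Namecheap URL Forward

HTTP/2 200
server: nginx
content-type: text/html; charset=utf-8
x-powered-by: Express
"""

def parse_hops(dump):
    """Split a curl -IL header dump into one (status, headers) pair per response."""
    hops = []
    for block in dump.replace("\r\n", "\n").strip().split("\n\n"):
        lines = [ln for ln in block.split("\n") if ln.strip()]
        if not lines or not lines[0].startswith("HTTP/"):
            continue
        headers = {}
        for line in lines[1:]:
            name, sep, value = line.partition(":")
            if sep:
                headers[name.strip().lower()] = value.strip()
        hops.append((int(lines[0].split()[1]), headers))
    return hops

def audit_challenge_chain(start_url, dump):
    """Return findings that explain why HTTP-01 validation of start_url would fail."""
    findings, url = [], start_url
    token_path = urlsplit(start_url).path
    for status, headers in parse_hops(dump):
        if 300 <= status < 400 and "location" in headers:
            target = urljoin(url, headers["location"])
            if urlsplit(target).path != token_path:
                findings.append(f"redirect {url} -> {target} drops the challenge path")
            if "x-served-by" in headers:
                findings.append(f"redirect answered by: {headers['x-served-by']}")
            url = target
        elif status == 200 and headers.get("content-type", "").startswith("text/html"):
            findings.append(f"{url} returned an HTML page instead of a challenge response")
    return findings

if __name__ == "__main__":
    for finding in audit_challenge_chain(
            "http://www.beehaw.org/.well-known/acme-challenge/test", SAMPLE):
        print(finding)
```

A redirect that keeps the full challenge path produces no findings, which is the behaviour to aim for when a www-to-apex redirect has to stay in place.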

I guess I could try it. I believe it may take an hour or so to propagate. I'll come back later and let you know if it worked or not. Thanks for the help.

I'm confused about this post:

1 Like

So am I.

It didn't work. Have any other recommendations?

Show me what certbot tells you.

$ curl -IL www.beehaw.org/.well-known/acme-challenge/test
curl: (6) Could not resolve host: www.beehaw.org

Did you actually point that domain to your server?

1 Like

It shows the exact same thing as what I showed at the top of this thread.

Did you actually point that domain to your server?

I'm not sure what you mean. Please explain.

Please tell me what you are trying to achieve. What domains, servers and IP addresses, explicitly?

1 Like

I just want a certificate for https://beehaw.org AND NOT the subdomain (www).

OK, show me certbot certificates

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: www.beehaw.org
    Serial Number: 3473f076c39ab3189b3affb9068462a7263
    Key Type: RSA
    Domains: beehaw.org www.beehaw.org
    Expiry Date: 2022-04-29 21:51:47+00:00 (VALID: 14 days)
    Certificate Path: /etc/letsencrypt/live/www.beehaw.org/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.beehaw.org/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

certbot renew --cert-name www.beehaw.org -d beehaw.org --renew-with-new-domains

Please know that this isn't really advisable unless you really know what you're doing.

1 Like

Currently, the renew verb is capable of either renewing all installed certificates that are due to be renewed or renewing a single certificate specified by its name. If you would like to renew specific certificates by their domains, use the certonly command instead. The renew verb may provide other options for selecting certificates to renew in the future.

OK, then:

certbot run --nginx --cert-name www.beehaw.org -d beehaw.org --renew-with-new-domains

2 Likes

NEXT STEPS:
- The certificate was saved, but could not be installed (installer: nginx). After fixing the error shown below, try installing it again by running:
  certbot install --cert-name www.beehaw.org

Problem in /etc/nginx/sites-enabled/lemmy.conf: tried to insert directive "[['if', '($host', '=', 'beehaw.org)'], [['return', '301', 'https://$host$request_uri']]]" but found conflicting "[['if', '($host', '=', 'beehaw.org)'], [['#', '\tbeehaw.org www.beehaw.org;'], ['return', '301', 'https://beehaw.org$request_uri']]]".

You can ignore that.

So, it should be renewed now?