Impossible to renew certificate - Please Help

Hello :slight_smile:

My certificate expires in 10 days and I can't renew it despite hours spent on the internet to find the answer... I really need your help.

My domain is: candydates.be

I ran this command: sudo certbot renew --cert-name candydates.be -a webroot -w /var/www/letsencrypt --dry-run

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/candydates.be.conf


Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.candydates.be
http-01 challenge for candydates.be
Using the webroot path /var/www/letsencrypt for all unmatched domains.
Waiting for verification...
Challenge failed for domain www.candydates.be
http-01 challenge for www.candydates.be
Cleaning up challenges
Attempting to renew cert (candydates.be) from /etc/letsencrypt/renewal/candydates.be.conf produced an unexpected error: Some challenges have failed.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/candydates.be/fullchain.pem (failure)


** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/candydates.be/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

My web server is (include version): nginx/1.18.0 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 20.04.2 LTS

My hosting provider, if applicable, is: ovh for vps + infomaniak for domain name

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.40.0

Here is my /etc/nginx/site-available/candydates.conf file:

server {
        listen [::]:80;
        listen 80;

        server_name candydates.be wwww.candydates.be;
        location / {
                return 301 https://$server_name$request_uri;
        }
        location /.well-known/acme-challenge/ {
                try_files $uri =404;
                root /var/www/letsencrypt;
        }
}
server{
        listen 443 ssl http2 default_server;
        listen [::]:443 ssl http2 default_server;

        root /var/www/candydates/html;
        index index.html index.htm index.nginx-debian.html;

        server_name candydates.be www.candydates.be;

        expires $expires;

        include snippets/ssl-candydates.be.conf;
        include snippets/ssl-params.conf;

        location / {
                try_files $uri $uri/ /index.html;
                client_max_body_size 2050m;
                proxy_request_buffering off;

        }

        location ~ /.well-known {
                allow all;
        }
}

I don't have a lot of experience but I will do my best to give you as much information as I can to make it work.

Elodie

1 Like

Hi @elo-bau, and welcome to the LE community forum :slight_smile:

This path:

does seem to match this path:

and this HTTP failure:

implies HTTPS redirection wasn't applied.

Which leaves me right where you are... :confused:

Let's confirm that path by creating a test text file in that expected challenge location and see if it can be accessed from the Internet.
Like:
echo "test file" > /var/www/letsencrypt/test-file-1234
then try:
http://candydates.be/.well-known/acme-challenge/test-file-1234

Also, please show this file:
/etc/letsencrypt/renewal/candydates.be.conf
and maybe also the output of this:
nginx -T | grep -Ei 'server_name|listen|well-known|root'

1 Like

Hi @rg305,

Thank you for your answer!

Here is my file /etc/letsencrypt/renewal/candydates.be.conf:

# renew_before_expiry = 30 days

version = 0.40.0
archive_dir = /etc/letsencrypt/archive/candydates.be
cert = /etc/letsencrypt/live/candydates.be/cert.pem
privkey = /etc/letsencrypt/live/candydates.be/privkey.pem
chain = /etc/letsencrypt/live/candydates.be/chain.pem
fullchain = /etc/letsencrypt/live/candydates.be/fullchain.pem

# Options used in the renewal process

[renewalparams]
account = fe8cfce83fca4646b394003f35aea8c0
authenticator = webroot
webroot_path = /var/www/candydates/html,
server = https://acme-v02.api.letsencrypt.org/directory
[[webroot_map]]
candydates.be = /var/www/candydates/html
www.candydates.be = /var/www/candydates/html

Here is the output of nginx -T | grep -Ei 'server_name|listen|well-known|root':

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
        server_names_hash_bucket_size 64;
        # server_name_in_redirect off;
#               listen     localhost:110;
#               listen     localhost:143;
  #listen       80;
  #listen       443 ssl;
  #server_name  localhost;
    listen [::]:80;
    listen 80;
    server_name api.candydates.be;
    #listen 443 ssl http2 default_server;
    listen 443 ssl http2;
    #listen [::]:443 ssl http2 default_server; # does not work properly with Angular, TODO research about this
    listen [::]:443 ssl http2;
    location /.well-known/{
        listen [::]:80;
        listen 80;
       #root /var/www/candydates/html;
        server_name candydates.be wwww.candydates.be;
                return 301 https://$server_name$request_uri;
        location /.well-known/acme-challenge/ {
                root /var/www/letsencrypt;
        #       return 301 https://$server_name$request_uri;
        #listen 443 ssl http2 default_server;
        listen 443 ssl http2 default_server;
        #listen [::]:443 ssl http2 default_server; # does not work properly with Angular, TODO research about this
        listen [::]:443 ssl http2 default_server;
        root /var/www/candydates/html;
        server_name candydates.be www.candydates.be;
        location ~ /.well-known {
        listen 80 default_server;
        listen [::]:80 default_server;
        # listen 443 ssl default_server;
        # listen [::]:443 ssl default_server;
        root /var/www/html;
        server_name _;
        # deny access to .htaccess files, if Apache's document root
#       listen 80;
#       listen [::]:80;
#       server_name example.com;
#       root /var/www/example.com;

I made the file and tried to reach http://candydates.be/.well-known/acme-challenge/test-file-1234 but I was redirected to https://candydates.be/.well-known/acme-challenge/test-file-1234. On the screen, I could see this:

2 Likes

AHA!!!!

[find the TYPO and win a prize!]
[I too overlooked it the first time it was presented]

2 Likes

Four w's?  

3 Likes

We have a winner!

HTTP request was to 3 w's:

HTTP server listening to 4 w's:

2 Likes
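As an added illustration of the mismatch described above (this is example code, not part of the thread or of certbot/nginx): a small Python check that pulls the server_name hostnames out of the nginx server blocks listening on port 80, the only port an HTTP-01 request ever reaches, and reports any certificate name that is not served there together with its closest lookalike. The sample config is constructed from the blocks posted in the thread, keeping the mistyped 'wwww'; the certificate names would come from the [[webroot_map]] section of the renewal conf.

```python
import re
from difflib import get_close_matches
# Constructed sample (not captured from the server): the two server blocks as
# posted, keeping the mistyped 'wwww' in the port-80 block.
NGINX_CONF = """
server {
        listen [::]:80;
        listen 80;
        server_name candydates.be wwww.candydates.be;
        location /.well-known/acme-challenge/ { root /var/www/letsencrypt; }
}
server {
        listen 443 ssl http2 default_server;
        server_name candydates.be www.candydates.be;
}
"""

def server_blocks(conf_text):
    """Body of each server { ... } block, brace-matched so nested blocks stay inside."""
    blocks = []
    for m in re.finditer(r"\bserver\s*\{", conf_text):
        depth, i = 1, m.end()
        while i < len(conf_text) and depth:
            depth += {"{": 1, "}": -1}.get(conf_text[i], 0)
            i += 1
        blocks.append(conf_text[m.end():i - 1])
    return blocks

def http_server_names(conf_text):
    """Hostnames served on plain port 80, the only port an HTTP-01 request reaches."""
    names = set()
    for body in server_blocks(conf_text):
        listens = re.findall(r"^\s*listen\s+([^;]+);", body, re.M)
        if any(re.search(r"(^|:)80(\s|$)", ln.strip()) for ln in listens):
            for m in re.finditer(r"^\s*server_name\s+([^;]+);", body, re.M):
                names.update(m.group(1).split())
    return names

def check_http01_names(conf_text, cert_names):
    """Map each cert name to (served_on_port_80, closest lookalike or None)."""
    served = http_server_names(conf_text)
    report = {}
    for host in cert_names:
        # A near miss like 'wwww' is flagged instead of silently hitting default_server.
        near = get_close_matches(host, sorted(served), n=1, cutoff=0.8)
        report[host] = (host in served, None if host in served else (near[0] if near else None))
    return report

if __name__ == "__main__":
    for host, (ok, near) in check_http01_names(NGINX_CONF, ["candydates.be", "www.candydates.be"]).items():
        print(host, "ok" if ok else f"NOT served on :80 (closest server_name: {near})")
```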

Thank you so much @rg305 and @Osiris !!! It is always good to have a new vision on our code when we can't find a solution. :smiley:

2 Likes
