Inexplicable certbot-auto renew error

Good day.

I have a certificate (example.com) which expired a couple days ago. I’m trying to renew it with ./letsencrypt/certbot-auto renew but I’m getting errors regarding not getting access to my /.well-known directory, which is present and should be accessible.

This is the complete output when I use the command:

Processing /etc/letsencrypt/renewal/example.com.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for example.com
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (example.com) from /etc/letsencrypt/renewal/example.com.conf produced an unexpected error: Failed authorization procedure. example.comu (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://example.com/.well-known/acme-challenge/06TXVpJMgS_JL_8E5RhYLXAjesHdZL_fR8uKRnPplvQ: "<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>". Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/example.com/fullchain.pem (failure)

-------------------------------------------------------------------------------
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: example.com
   Type:   unauthorized
   Detail: Invalid response from
   http://example.com/.well-known/acme-challenge/06TXVpJMgS_JL_8E5RhYLXAjesHdZL_fR8uKRnPplvQ:
   "<html>
   <head><title>404 Not Found</title></head>
   <body bgcolor="white">
   <center><h1>404 Not Found</h1></center>
   <hr><center>"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

I’ve checked and it really passes through my DNS properly, then it goes through a Squid reverse proxy, which ends in a 404 error:

z1511792411.640 4 13.58.30.69 TCP_MISS/404 367 GET http://example.com/.well-known/acme-challenge/06TXVpJMgS_JL_8E5RhYLXAjesHdZL_fR8uKRnPplvQ - HIER_DIRECT/192.168.20.11 text/html

Also, I have /.well-known properly declared in the website’s .conf:

location ^~ /.well-known/ {
    allow all;
    default_type "text/plain";
}

What could be happening there?

My webserver is Nginx 1.10.3, and my OS is Ubuntu 16.04.3 LTS.

Thanks in advance.

Warm regards.

What is the root of that domain in the nginx configuration?
This seems to be a filesystem mapping issue.
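
The mismatch this reply points at, as an added example that is not part of the thread: it compares the webroot certbot recorded in the renewal file with the root nginx applies to /.well-known/. The renewal file contents, the server block and both paths are constructed for illustration, and the nginx parsing is simplified to a single server block that uses root (not alias).

```python
import re

# Constructed samples, not from the thread: what certbot recorded vs. the nginx vhost.
RENEWAL_CONF = """[renewalparams]
authenticator = webroot
[[webroot_map]]
example.com = /var/www/html
"""
NGINX_CONF = """server {
    server_name example.com;
    root /srv/www/example.com/public;
    location ^~ /.well-known/ {
        allow all;
        default_type "text/plain";
    }
}
"""

def certbot_webroot(renewal_text, domain):
    """Directory under which certbot writes .well-known/acme-challenge/<token>."""
    in_map = False
    for line in map(str.strip, renewal_text.splitlines()):
        if line.startswith("["):
            in_map = line == "[[webroot_map]]"
        elif in_map and "=" in line:
            name, path = (part.strip() for part in line.split("=", 1))
            if name == domain:
                return path.rstrip("/")
    return None

def nginx_root(nginx_text, prefix="/.well-known/"):
    """Root nginx uses for `prefix`: the location's own, else the server's."""
    root_re = re.compile(r"^\s*root\s+([^;]+);", re.M)
    loc = re.search(r"location\s+(?:\^~\s+)?" + re.escape(prefix) + r"\s*\{([^}]*)\}", nginx_text)
    if loc:
        inner = root_re.search(loc.group(1))
        if inner:
            return inner.group(1).strip().rstrip("/")
        nginx_text = nginx_text[:loc.start()] + nginx_text[loc.end():]
    outer = root_re.search(nginx_text)
    return outer.group(1).strip().rstrip("/") if outer else None

def check_mapping(renewal_text, nginx_text, domain):
    written, served = certbot_webroot(renewal_text, domain), nginx_root(nginx_text)
    return {"certbot_writes_under": written, "nginx_serves_from": served,
            "match": written is not None and written == served}

if __name__ == "__main__":
    # Differing paths mean the token file exists on disk but nginx answers 404.
    print(check_mapping(RENEWAL_CONF, NGINX_CONF, "example.com"))
```

On a real host the two inputs would be the contents of /etc/letsencrypt/renewal/example.com.conf and the site's nginx .conf.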
