My domain is: audio.crpchalifax.ca
I ran this command: sudo certbot renew --dry-run
It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/audio.crpchalifax.ca.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Simulating renewal of an existing certificate for audio.crpchalifax.ca
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: audio.crpchalifax.ca
Type: unauthorized
Detail: 168.138.79.231: Invalid response from http://audio.crpchalifax.ca/.well-known/acme-challenge/n2HQJt1sPPdXe13suq2oUctjYeX9yk8lcmUZfG7kWgc: 404
Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.
Failed to renew certificate audio.crpchalifax.ca with error: Some challenges have failed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All simulated renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/audio.crpchalifax.ca/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
My web server is (include version): nginx version: nginx/1.18.0 (Ubuntu)
The operating system my web server runs on is (include version): Ubuntu 20.04.5 LTS
My hosting provider, if applicable, is: Oracle Cloud
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version
or certbot-auto --version
if you're using Certbot): certbot 1.32.2
I received an email warning me of renewal (which I normally don't receive because auto-renewal is set up and used to work), so I checked things out and ran the dry run command and it failed. I looked at the log file while shows:
2023-01-12 16:32:35,023:INFO:certbot.compat.misc:Running post-hook command: cat /etc/letsencrypt/live/audio.crpchalifax.ca/fullchain.pem /etc/letsencrypt/live/audio.crpchalifax.ca/privkey.pem > /etc/icecast2/bundle.pem && service icecast2 restart
2023-01-12 16:32:35,856:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
File "/snap/certbot/2618/bin/certbot", line 8, in <module>
sys.exit(main())
File "/snap/certbot/2618/lib/python3.8/site-packages/certbot/main.py", line 19, in main
return internal_main.main(cli_args)
File "/snap/certbot/2618/lib/python3.8/site-packages/certbot/_internal/main.py", line 1744, in main
return config.func(config, plugins)
File "/snap/certbot/2618/lib/python3.8/site-packages/certbot/_internal/main.py", line 1630, in renew
renewal.handle_renewal_request(config)
File "/snap/certbot/2618/lib/python3.8/site-packages/certbot/_internal/renewal.py", line 510, in handle_renewal_request
raise errors.Error(
certbot.errors.Error: 1 renew failure(s), 0 parse failure(s)
2023-01-12 16:32:35,857:ERROR:certbot._internal.log:1 renew failure(s), 0 parse failure(s)
Port 80 is open on my IP tables (as I know Letsencrypt still requires port 80 for renewals), but I did make changes a couple of months ago to force redirection from http to https. That included running icecast on port 8000. Here is what is in /etc/nginx/sites-enabled/default:
server
{
listen 80;
server_name audio.crpchalifax.ca;
location ~ /.well-known
{
allow all;
}
location /
{
if ($ssl_protocol = "")
{
rewrite ^ https://$server_name$request_uri? permanent;
}
}
}
#### SSL ######################################################
server
{
#ssl on;
ssl_certificate_key /etc/letsencrypt/live/audio.crpchalifax.ca/privkey.pem;
ssl_certificate /etc/letsencrypt/live/audio.crpchalifax.ca/fullchain.pem;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
# Recommended security settings from https://wiki.mozilla.org/Security /Server_Side_TLS
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_prefer_server_ciphers on;
ssl_ecdh_curve secp384r1;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:5m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# Enable this if you want HSTS (recommended)
# With or without preload (without very secure but not recommended)
add_header Strict-Transport-Security "max-age=15768000; includeSubdomains;";
#add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; preload;";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
listen 443 ssl;
root /var/www/html;
server_name audio.crpchalifax.ca;
location ~ /.well-known
{
allow all;
}
location /
{
# access_log /var/log/icecast/access_https.log icecast_combined;
proxy_pass http://127.0.0.1:8000/;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
#user www;
worker_processes 4;
#pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*;
events {
worker_connections 768;
# multi_accept on;
}
http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# SSL Settings
##
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log debug;
##
# Gzip Settings
##
gzip on;
gzip_disable "msie6";
##
# Virtual Host Configs
##
#include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
rtmp {
server {
listen 1935;
chunk_size 4096;
application 83654211 {
live on;
record off;
exec /usr/bin/ffmpeg -i rtmp://audio.crpchalifax.ca/redacted/redacted -vn -c:a libmp3lame -f mp3 icecast://source:redacted@localhost:8000/live.mp3;
}
}
}
I suspect it has to do with my configuration changes maybe, but I can't figure out what went wrong.