Hi,
I am experiencing some trouble renewing my certificate, and now the time has come to ask for some help. I managed to create the original certificate, but now the renewal process won't run. In my Fritzbox 7490, port forwarding on ports 80 and 443 to the internal IP address is set up.
Please see below the error message from running certbot renew and my nginx config. I am not sure whether the problem is the Fritzbox or the Raspberry Pi with nginx.
My domain is:
I ran this command:
certbot renew
It produced this output:
Processing /etc/letsencrypt/renewal/jcbcloud.spdns.de.conf
Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for jcbcloud.spdns.de
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (jcbcloud.spdns.de) from /etc/letsencrypt/renewal/jcbcloud.spdns.de.conf produced an unexpected error: Failed authorization procedure. jcbcloud.spdns.de (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://jcbcloud.spdns.de/.well-known/acme-challenge/K6b-ueWs1rlddik2jnHXvAdLt3zbmGOBbtsTAAgBG1U [93.236.208.234]: "\r\n403 Forbidden\r\n<body bgcolor="white">\r\n403 Forbidden\r\n". Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/jcbcloud.spdns.de/fullchain.pem (failure)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/jcbcloud.spdns.de/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: jcbcloud.spdns.de
   Type:   unauthorized
   Detail: Invalid response from https://jcbcloud.spdns.de/.well-known/acme-challenge/K6b-ueWs1rlddik2jnHXvAdLt3zbmGOBbtsTAAgBG1U [93.236.208.234]: "\r\n403 Forbidden\r\n<body bgcolor="white">\r\n403 Forbidden\r\n"

   To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.
My web server is (include version): nginx/1.10.3
The operating system my web server runs on is (include version):
PRETTY_NAME="Raspbian GNU/Linux 9 (stretch)"
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know): Yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 0.28.0
nginx config:
upstream php-handler {
    #server 127.0.0.1:9000;
    server unix:/var/run/php/php7.0-fpm.sock;
}

server {
    listen 80;
    listen [::]:80;
    server_name jcbcloud.spdns.de;
    # enforce https
    return 301 https://$server_name$request_uri;
    #root /var/www/html/;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name jcbcloud.spdns.de;

    ssl_certificate /etc/letsencrypt/live/jcbcloud.spdns.de/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/jcbcloud.spdns.de/privkey.pem;

    # Add headers to serve security related headers
    # Before enabling Strict-Transport-Security headers please read into this
    # topic first.
    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
    # WARNING: Only add the preload option once you read about
    # the consequences in https://hstspreload.org/. This option
    # will add the domain to a hardcoded list that is shipped
    # in all major browsers and getting removed from this list
    # could take several months.
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;
    add_header Referrer-Policy "no-referrer" always;

    # Path to the root of your installation
    root /var/www/html/;

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # The following 2 rules are only needed for the user_webfinger app.
    # Uncomment it if you're planning to use this app.
    #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
    #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;

    location = /.well-known/carddav {
        return 301 $scheme://$host/remote.php/dav;
    }
    location = /.well-known/caldav {
        return 301 $scheme://$host/remote.php/dav;
    }

    # set max upload size
    client_max_body_size 512M;
    fastcgi_buffers 64 4K;

    # Enable gzip but do not remove ETag headers
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

    # Uncomment if your server is built with the ngx_pagespeed module
    # This module is currently not supported.
    #pagespeed off;

    location / {
        rewrite ^ /index.php$uri;
    }

    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
        deny all;
    }
    # Deny dotfiles and internal tooling (the leading "\." must be escaped)
    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
        deny all;
    }

    location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param HTTPS on;
        #Avoid sending the security headers twice
        fastcgi_param modHeadersAvailable true;
        fastcgi_param front_controller_active true;
        fastcgi_pass php-handler;
        fastcgi_intercept_errors on;
        fastcgi_request_buffering off;
    }

    location ~ ^/(?:updater|ocs-provider)(?:$|/) {
        try_files $uri/ =404;
        index index.php;
    }

    # Adding the cache control header for js and css files
    # Make sure it is BELOW the PHP block
    location ~ \.(?:css|js|woff|svg|gif)$ {
        try_files $uri /index.php$uri$is_args$args;
        add_header Cache-Control "public, max-age=15778463";
        # Add headers to serve security related headers (It is intended to
        # have those duplicated to the ones above)
        # Before enabling Strict-Transport-Security headers please read into
        # this topic first.
        add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
        # WARNING: Only add the preload option once you read about
        # the consequences in https://hstspreload.org/. This option
        # will add the domain to a hardcoded list that is shipped
        # in all major browsers and getting removed from this list
        # could take several months.
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Robots-Tag none;
        add_header X-Download-Options noopen;
        add_header X-Permitted-Cross-Domain-Policies none;
        # Optional: Don't log access to assets
        access_log off;
    }

    location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
        try_files $uri /index.php$uri$is_args$args;
        # Optional: Don't log access to other assets
        access_log off;
    }
}
Thank you for your help
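Added editor's example, not part of the original post: the error shows the validation request was redirected to https:// and got a 403 from nginx. In the posted config the port-80 block returns 301 for every path, and on 443 the request then hits the regex rule that denies everything starting with "/." (which includes /.well-known/acme-challenge/). The fragment below adds an explicit exception in both server blocks; it assumes certbot's webroot path is /var/www/html (taken from the root directive), so adjust if the renewal .conf says otherwise.

```nginx
server {
    listen 80;
    listen [::]:80;
    server_name jcbcloud.spdns.de;

    # Serve ACME challenge files over plain HTTP. "^~" is a prefix match that
    # wins over every "location ~" regex rule, so the dotfile deny rule can no
    # longer catch /.well-known/acme-challenge/. The root must be the directory
    # certbot writes to (webroot_path in the renewal .conf; /var/www/html is
    # assumed here from the posted config).
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/html;
        default_type text/plain;
    }

    # A server-level "return 301" runs before any location is matched, so it
    # has to move into a location block or the challenge is redirected too.
    location / {
        return 301 https://$server_name$request_uri;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name jcbcloud.spdns.de;
    ssl_certificate     /etc/letsencrypt/live/jcbcloud.spdns.de/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/jcbcloud.spdns.de/privkey.pem;
    root /var/www/html/;

    # Same exception on HTTPS: Let's Encrypt follows the 301 to https://, and
    # without this block the request falls into the "deny all" regex below.
    location ^~ /.well-known/acme-challenge/ {
        default_type text/plain;
    }

    # Unchanged from the posted config: keeps dotfiles hidden, but on its own
    # it also matched /.well-known/acme-challenge/<token> -> 403 Forbidden.
    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
        deny all;
    }

    # ... remaining PHP, asset and header directives as in the posted config ...
}
```

After `nginx -t` and a reload, a plain text file placed in /var/www/html/.well-known/acme-challenge/ should be fetchable over both http:// and https:// before running certbot renew again.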