Invalid response while renewing domains Letsencrypt Certificate

muhammadusman · July 18, 2023, 3:49pm

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

Issue Details: I am running compiled version of Nginx 1.22.0 on RHEL8.8. It is working fine. But facing issues with some domain renewal. One of them is staging.ezchat.ai.

My domain is: staging.ezchat.ai

I ran this command: certbot renew --cert-name staging.ezchat.ai -v

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/staging.ezchat.ai.conf

Certificate is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate for staging.ezchat.ai
Performing the following challenges:
http-01 challenge for staging.ezchat.ai
Waiting for verification...
Challenge failed for domain staging.ezchat.ai
http-01 challenge for staging.ezchat.ai

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: staging.ezchat.ai
Type: unauthorized
Detail: 117.20.23.229: Invalid response from https://staging.ezchat.ai/.well-known/acme-challenge/AXkBSxrgLo_HkCneMqLMevCBZfU_k1dxqvPrpXei0P4: 404

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Cleaning up challenges
Failed to renew certificate staging.ezchat.ai with error: Some challenges have failed.

All renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/staging.ezchat.ai/fullchain.pem (failure)

1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): Nginx version 1.22.0. Compiled from source.

The operating system my web server runs on is (include version): Red Hat Enterprise Linux release 8.8 (Ootpa)

My hosting provider, if applicable, is: NA

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.22.0

Please looking for urgent help. Thanks in advance.

Best Regards,
Usman

muhammadusman · July 18, 2023, 4:10pm

My domain config is as below:

server {
   server_name  staging.ezchat.ai;

   access_log    /var/log/nginx/staging.ezchat.ai.access.log  main;
   include include/error.conf;

location /.well-known/acme-challenge {
    alias /var/www/html/.well-known/acme-challenge;
    try_files $uri =404;
}

 location / {
        proxy_pass    http://192.168.0.244:9000/;
        include include/proxy.conf;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/staging.ezchat.ai/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/staging.ezchat.ai/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}
server {
    if ($host = staging.ezchat.ai) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

   listen 80;
   server_name  staging.ezchat.ai;
    return 404; # managed by Certbot
}

Even i added below config in domain config file in it. but still getting same error. My other successfully renewed domain did not have this configuration.

location /.well-known/acme-challenge {
    alias /var/www/html/.well-known/acme-challenge;
    try_files $uri =404;
}

Bruce5051 · July 18, 2023, 6:42pm

Looks like you may have solved your issue. The presently being served certificate https://decoder.link/sslchecker/staging.ezchat.ai/443 has

Serial Number: 	35b2047a99da8b805f87a7aa7cbbc15e37d
Not Before: 	Jul 18, 2023 17:18:55 GMT
Not After: 		Oct 16, 2023 17:18:54 GMT

muhammadusman · July 19, 2023, 11:09am

Yes, Issue is resolved.

system · August 18, 2023, 11:10am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.