Issue renewing and issuing some domains


#1

Hello, I’ve been running into some issues when I run the certbot commands to renew and issue some certificates. The weird thing is that this just happens in some domains and not in others.

Server info

  • Debian 9
  • nginx 1.14.0
  • certbot 0.25.0

Domains that renew without any issue

  • margots.tech
  • margots.legal

Domain that is not renewing

  • margots.life

Domain I cannot issue a new certificate for

  • margots.biz

I’m running all the commands as root.

  • Issue certificate: certbot --authenticator webroot --installer nginx
  • Renew certificate: certbot renew --dry-run

Issue certificate log

Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. margots.biz (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://margots.biz/.well-known/acme-challenge/INRvTgRg_OWpmJs89YcOs5oF-d5Bg8AIS5CGHl0VNpc: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>", www.margots.biz (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.margots.biz/.well-known/acme-challenge/a5GlZ_L3biFAL6WguhOempBDtJAQEJfSXjJcNvQh24I: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: margots.biz
   Type:   unauthorized
   Detail: Invalid response from
   http://margots.biz/.well-known/acme-challenge/INRvTgRg_OWpmJs89YcOs5oF-d5Bg8AIS5CGHl0VNpc:
   "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body
   bgcolor=\"white\">\r\n<center><h1>404 Not
   Found</h1></center>\r\n<hr><center>"

   Domain: www.margots.biz
   Type:   unauthorized
   Detail: Invalid response from
   http://www.margots.biz/.well-known/acme-challenge/a5GlZ_L3biFAL6WguhOempBDtJAQEJfSXjJcNvQh24I:
   "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body
   bgcolor=\"white\">\r\n<center><h1>404 Not
   Found</h1></center>\r\n<hr><center>"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

Renew certificate log

Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/margots.tech.conf
-------------------------------------------------------------------------------
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for margots.tech
http-01 challenge for www.margots.tech
Waiting for verification...
Cleaning up challenges

-------------------------------------------------------------------------------
new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/margots.tech/fullchain.pem
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/margots.legal.conf
-------------------------------------------------------------------------------
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator standalone, Installer None
Running pre-hook command: nginx -s stop
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for margots.legal
http-01 challenge for www.margots.legal
Waiting for verification...
Cleaning up challenges

-------------------------------------------------------------------------------
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/margots.legal/fullchain.pem
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/margots.life.conf
-------------------------------------------------------------------------------
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for margots.life
http-01 challenge for www.margots.life
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (margots.life) from /etc/letsencrypt/renewal/margots.life.conf produced an unexpected error: Failed authorization procedure. www.margots.life (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://www.margots.life/.well-known/acme-challenge/_PYaKN9xClhdwaxplaeUY79CmqzZYX6poA8ARZsPOJQ: Connection refused, margots.life (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://margots.life/.well-known/acme-challenge/B0grIz_PYRRns9JE9danHW8Nfs3OfH4inTYP179ULPQ: Connection refused. Skipping.
The following certs could not be renewed:
  /etc/letsencrypt/live/margots.life/fullchain.pem (failure)

-------------------------------------------------------------------------------
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

The following certs were successfully renewed:
  /etc/letsencrypt/live/margots.tech/fullchain.pem (success)
  /etc/letsencrypt/live/margots.legal/fullchain.pem (success)

The following certs could not be renewed:
  /etc/letsencrypt/live/margots.life/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
-------------------------------------------------------------------------------
Running post-hook command: nginx
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: www.margots.life
   Type:   connection
   Detail: Fetching
   http://www.margots.life/.well-known/acme-challenge/_PYaKN9xClhdwaxplaeUY79CmqzZYX6poA8ARZsPOJQ:
   Connection refused

   Domain: margots.life
   Type:   connection
   Detail: Fetching
   http://margots.life/.well-known/acme-challenge/B0grIz_PYRRns9JE9danHW8Nfs3OfH4inTYP179ULPQ:
   Connection refused

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

Configuration files

All the configuration files are the same; I will show the output of the diff command.

margots.life

6c6
<     server_name .margots.legal www.margots.legal;
---
>     server_name .margots.life www.margots.life;
17,18c17,18
<     set $domain margots.legal;
<     set $base /var/www/margots.legal;
---
>     set $domain margots.life;
>     set $base /var/www/margots.life;
23c23
<     server_name  .margots.legal www.margots.legal;
---
>     server_name  .margots.life www.margots.life;
29,31c29,31
<     ssl_certificate /etc/letsencrypt/live/margots.legal/fullchain.pem;
<     ssl_certificate_key /etc/letsencrypt/live/margots.legal/privkey.pem;
<     ssl_trusted_certificate /etc/letsencrypt/live/margots.legal/fullchain.pem;
---
>     ssl_certificate /etc/letsencrypt/live/margots.life/fullchain.pem;
>     ssl_certificate_key /etc/letsencrypt/live/margots.life/privkey.pem;
>     ssl_trusted_certificate /etc/letsencrypt/live/margots.life/fullchain.pem;
34,35c34,35
<     access_log /var/log/nginx/margots.legal.access.log;
<     error_log /var/log/nginx/margots.legal.error.log warn;
---
>     access_log /var/log/nginx/margots.life.access.log;
>     error_log /var/log/nginx/margots.life.error.log warn;

margots.biz

6c6
<     server_name .margots.legal www.margots.legal;
---
>     server_name margots.biz www.margots.biz;
7a8
>     # Include
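Review bot: the `# Include` line added in this hunk is a comment with no directive behind it, so nothing is actually included; if a shared snippet was meant to be pulled in here it is currently a no-op, and otherwise the line can be dropped so this vhost matches the other three.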
17,18c18,19
<     set $domain margots.legal;
<     set $base /var/www/margots.legal;
---
>     set $domain margots.biz;
>     set $base /var/www/margots.biz;
23c24
<     server_name  .margots.legal www.margots.legal;
---
>     server_name  margots.biz www.margots.biz;
29,31c30,32
<     ssl_certificate /etc/letsencrypt/live/margots.legal/fullchain.pem;
<     ssl_certificate_key /etc/letsencrypt/live/margots.legal/privkey.pem;
<     ssl_trusted_certificate /etc/letsencrypt/live/margots.legal/fullchain.pem;
---
>     #ssl_certificate /etc/letsencrypt/live/margots.biz/fullchain.pem;
>     #ssl_certificate_key /etc/letsencrypt/live/margots.biz/privkey.pem;
>     #ssl_trusted_certificate /etc/letsencrypt/live/margots.biz/fullchain.pem;
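Review bot: in this hunk the three ssl_* directives are commented out, which is expected while margots.biz has no certificate yet (nginx -t fails if ssl_certificate points at a file that does not exist). After `certbot --installer nginx` succeeds it inserts its own ssl_certificate and ssl_certificate_key lines into this server block, so check afterwards that exactly one active set remains and remove the commented copies.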
34,35c35,36
<     access_log /var/log/nginx/margots.legal.access.log;
<     error_log /var/log/nginx/margots.legal.error.log warn;
---
>     access_log /var/log/nginx/margots.biz.access.log;
>     error_log /var/log/nginx/margots.biz.error.log warn;

I have a location rule for the acme-challenge, which is the following:

# ACME-challenge
# $domain is set per vhost (set $domain margots.life;). Note that with "root"
# nginx appends the request URI, so /.well-known/acme-challenge/<token> is
# looked up under /var/www/$domain/.well-known/acme-challenge/.well-known/acme-challenge/;
# the webroot path given to certbot has to match that.
location '/.well-known/acme-challenge' {
    default_type "text/plain";
    root /var/www/$domain/.well-known/acme-challenge;
}

#2

Hi,

All domains you mentioned above return a Connection_Reset error when I visit them in a browser.

HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Mon, 08 Oct 2018 19:05:06 GMT
Content-Type: text/html
Content-Length: 154
Connection: keep-alive
Location: https://www.margots.life/

curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to www.margots.life:443

Why did you choose to use this type of root instead of defining the root at the virtual host level? (It is working correctly, though.)

Can you please elaborate on why you chose to use the webroot authenticator instead of the Nginx one?

Thank you


#3

I’m actually not sure what the solution is here…

Since this Nginx virtual host file differs dramatically from my version…

(Hope others can recognize this type of vhost…)

Thank you


#4

Hi @marianord

There is an inconsistent configuration. margots.tech uses http-01 validation:

Authenticator webroot, Installer nginx
http-01 challenge for margots.tech
http-01 challenge for www.margots.tech

But margots.legal uses a standalone

Authenticator standalone, Installer None

So first nginx -s stop

But then margots.life uses

Authenticator webroot, Installer nginx

There is no nginx restart, so

The server could not connect to the client to verify the domain

Connection refused.

So first clean up your conf files in

/etc/letsencrypt/renewal

and change them all to

Authenticator webroot, Installer nginx


#5

Or possibly to
Authenticator nginx, Installer nginx


#6

PS: A little bit more info:

Standalone starts its own webserver and needs port 80, so the running nginx is stopped.

But after that nginx isn’t restarted, so the following domain doesn’t accept a connection.

So it’s a problem with the order of your renewals.

PS:

it’s a diff result, not the original file.
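An added check (my example, not anything posted in this thread) for the mixed setup described in #4 and #6: it parses certbot's renewal conf files and flags every domain whose [renewalparams] are not `authenticator = webroot` / `installer = nginx`, or which still carries a standalone pre_hook. The sample conf texts are constructed to mirror the thread's three domains; the key names are the ones certbot writes, the `version = 0.25.0` line is assumed.

```python
EXPECTED = {"authenticator": "webroot", "installer": "nginx"}

# Constructed sample conf texts in certbot's configobj layout; real files are longer.
SAMPLE_CONFS = {
    "margots.tech.conf": """version = 0.25.0
[renewalparams]
authenticator = webroot
installer = nginx
[[webroot_map]]
margots.tech = /var/www/margots.tech
""",
    "margots.legal.conf": """version = 0.25.0
[renewalparams]
authenticator = standalone
installer = None
pre_hook = nginx -s stop
post_hook = nginx
""",
    "margots.life.conf": """version = 0.25.0
[renewalparams]
authenticator = webroot
installer = nginx
""",
}

def parse_renewalparams(text: str) -> dict:
    # Keep only keys under [renewalparams]; top-level keys and [[webroot_map]] are skipped.
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            section = line.strip("[]")
        elif section == "renewalparams" and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            params[key] = value
    return params

def find_inconsistent(confs: dict) -> list:
    # Flag confs not on webroot/nginx, or with a pre_hook (standalone stop/start dance).
    bad = []
    for name, text in confs.items():
        p = parse_renewalparams(text)
        if any(p.get(k) != v for k, v in EXPECTED.items()) or "pre_hook" in p:
            bad.append(name)
    return sorted(bad)
```

On a server, feed it the contents of /etc/letsencrypt/renewal/*.conf in place of SAMPLE_CONFS; every name it returns is a conf to edit before the next `certbot renew`.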


#7

Thanks, I went all the way and redid the nginx configuration and deleted all the certificates, and they are now working.

Really thankful for everyone that helped :hugs:


#8

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.