Issue Renewing on Digital Ocean "Invalid response from..."

My domain is: www.alulearn.com

I ran this command: certbot renew

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/alulearn.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for alulearn.com
http-01 challenge for www.alulearn.com
nginx: [warn] conflicting server name "www.alulearn.com" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name "alulearn.com" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name "www.alulearn.com" on 0.0.0.0:443, ignored
nginx: [warn] conflicting server name "alulearn.com" on 0.0.0.0:443, ignored
Waiting for verification...
Challenge failed for domain alulearn.com
Challenge failed for domain www.alulearn.com
http-01 challenge for alulearn.com
http-01 challenge for www.alulearn.com
Cleaning up challenges
nginx: [warn] conflicting server name "www.alulearn.com" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name "alulearn.com" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name "www.alulearn.com" on 0.0.0.0:443, ignored
nginx: [warn] conflicting server name "alulearn.com" on 0.0.0.0:443, ignored
Attempting to renew cert (alulearn.com) from /etc/letsencrypt/renewal/alulearn.com.conf produced an unexpected error: Some challenges have failed.. Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/www.alulearn.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.alulearn.com
nginx: [warn] conflicting server name "www.alulearn.com" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name "alulearn.com" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name "www.alulearn.com" on 0.0.0.0:443, ignored
nginx: [warn] conflicting server name "alulearn.com" on 0.0.0.0:443, ignored
Waiting for verification...
Challenge failed for domain www.alulearn.com
http-01 challenge for www.alulearn.com
Cleaning up challenges
nginx: [warn] conflicting server name "www.alulearn.com" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name "alulearn.com" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name "www.alulearn.com" on 0.0.0.0:443, ignored
nginx: [warn] conflicting server name "alulearn.com" on 0.0.0.0:443, ignored
Attempting to renew cert (www.alulearn.com) from /etc/letsencrypt/renewal/www.alulearn.com.conf produced an unexpected error: Some challenges have failed.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/alulearn.com/fullchain.pem (failure)
  /etc/letsencrypt/live/www.alulearn.com/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/alulearn.com/fullchain.pem (failure)
  /etc/letsencrypt/live/www.alulearn.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: alulearn.com
   Type:   unauthorized
   Detail: Invalid response from
   https://alulearn.com/.well-known/acme-challenge/I8W36S1wLRiDdrkEr8ULVI20mLidR6f0tOy-8t774eY
   [68.183.98.223]: "<!doctype html>\n<html lang=\"en\">\n  <head>\n
   <!-- Required meta tags -->\n    <meta charset=\"utf-8\">\n
   <meta name=\"viewport\" c"

   Domain: www.alulearn.com
   Type:   unauthorized
   Detail: Invalid response from
   https://www.alulearn.com/.well-known/acme-challenge/wcWTS88Czbl8dJgSIplo0KV9fA5kG07sdGpCbiFuD4o
   [68.183.98.223]: "<!doctype html>\n<html lang=\"en\">\n  <head>\n
   <!-- Required meta tags -->\n    <meta charset=\"utf-8\">\n
   <meta name=\"viewport\" c"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
 - The following errors were reported by the server:

   Domain: www.alulearn.com
   Type:   unauthorized
   Detail: Invalid response from
   https://www.alulearn.com/.well-known/acme-challenge/ZqG1AhMVsDSVdt3E6IVM0V4MojNB_EG0TpwEN14gsq4
   [68.183.98.223]: "<!doctype html>\n<html lang=\"en\">\n  <head>\n
   <!-- Required meta tags -->\n    <meta charset=\"utf-8\">\n
   <meta name=\"viewport\" c"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

My web server is (include version): Nginx 1.18.0

The operating system my web server runs on is (include version): Ubuntu 20.04.1

My hosting provider, if applicable, is: DigitalOcean

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): I have a DO control panel, but I mostly work through the terminal

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 0.40.0


Sorry if this is a beginner question or if it's been answered before, but I'm still new to Nginx and servers in general, so any help is much appreciated.

I know the domain name was entered correctly since I've been able to get certification for the past ~70 days, but I'm not sure how to check if the IP is correct.


Hi @evolvedsquid, that's a buggy configuration you have to fix.

Every combination of port and domain name must be unique; you have duplicated entries.

Merge all duplicated entries and remove the no longer used entries.

nginx -T

must not show that error.

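A checker for the duplication rule above, added here and not part of the thread or of nginx itself: it parses an `nginx -T`-style dump (a constructed, reduced copy of the two site files posted later in this thread) and reports every server_name claimed by more than one server block on the same socket, treating a block without `listen` as port 80, which is how nginx itself fills in the default.

```python
# Added example, not from the thread: find duplicate (socket, server_name) pairs in
# an `nginx -T` dump. nginx warns "conflicting server name ... ignored" and drops
# the later block; a block with no `listen` defaults to *:80 and collides silently.
import re
from collections import defaultdict
# Constructed dump in `nginx -T` format, reduced from the thread's two files.
SAMPLE_DUMP = """\
# configuration file /etc/nginx/sites-enabled/alu:
server {
    server_name 68.183.98.223 alulearn.com www.alulearn.com;
    location / { proxy_pass http://unix:/run/gunicorn.sock; }
    listen 443 ssl; # managed by Certbot
}
server {
    listen 80;
    server_name 68.183.98.223 alulearn.com www.alulearn.com;
}
# configuration file /etc/nginx/sites-enabled/alulearn.com:
server {
    server_name www.alulearn.com alulearn.com;
}
server {
    listen 443 ssl http2;
    server_name www.alulearn.com;
}
server {
    listen 443 ssl http2;
    server_name alulearn.com;
}
"""
FILE_RE = re.compile(r"^# configuration file (\S+):$")

def normalize_listen(arg):
    """Map a listen argument to the socket nginx reports: '80' -> '0.0.0.0:80'."""
    if arg.startswith("[") or ":" in arg:   # [::]:80 or host:port, already explicit
        return arg
    return f"0.0.0.0:{arg}" if arg.isdigit() else f"{arg}:80"

def find_conflicts(dump):
    """Return {(socket, name): [file, ...]} for every name claimed by >1 block."""
    claims = defaultdict(list)
    current_file, depth, block, block_depth = "?", 0, None, 0
    for raw in dump.splitlines():
        m = FILE_RE.match(raw)
        if m:
            current_file = m.group(1)
            continue
        line = raw.split("#", 1)[0].strip()      # drop '# managed by Certbot' etc.
        if not line:
            continue
        if line.rstrip("{").strip() == "server":
            block, block_depth = {"file": current_file, "listen": [], "names": []}, depth
        elif block and depth == block_depth + 1:  # directives directly inside server {}
            parts = line.rstrip(";").split()
            if parts[0] == "listen":
                block["listen"].append(normalize_listen(parts[1]))
            elif parts[0] == "server_name":
                block["names"].extend(parts[1:])
        depth += line.count("{") - line.count("}")
        if block and depth == block_depth:       # block closed: record its claims
            for sock in block["listen"] or ["0.0.0.0:80"]:   # no listen -> *:80
                for name in block["names"]:
                    claims[(sock, name)].append(block["file"])
            block = None
    return {k: v for k, v in claims.items() if len(v) > 1}
```

Run it against a real dump with `find_conflicts(open("dump.txt").read())` after saving `nginx -T` output; the four pairs it reports for the sample are exactly the four warnings in the question.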

Thank you @JuergenAuer!

I'm a complete noob with Nginx, so I need a bit of help fixing the conflicting server names. Here's the part I believe is relevant when I run nginx -T (if you want the full output, please let me know, but it is very long).

# configuration file /etc/nginx/sites-enabled/alu:
server {
    server_name 68.183.98.223 alulearn.com www.alulearn.com;

    location = /favicon.ico { access_log off; log_not_found off; }
    location /static/ {
        root /home/aluadmin/aludir;
    }

    location / {
        include proxy_params;
        proxy_pass http://unix:/run/gunicorn.sock;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/alulearn.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/alulearn.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot




}
server {
    if ($host = www.alulearn.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    if ($host = alulearn.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    listen 80;
    server_name 68.183.98.223 alulearn.com www.alulearn.com;
    return 404; # managed by Certbot




}

# configuration file /etc/letsencrypt/options-ssl-nginx.conf:
# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file.

ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;
ssl_session_tickets off;

ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;

ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA";

# configuration file /etc/nginx/sites-enabled/alulearn.com:
server {
    if ($host = www.alulearn.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    if ($host = alulearn.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

  
    server_name www.alulearn.com alulearn.com;

    return 301 https://alulearn.com$request_uri;

}

server {  
    listen 443 ssl http2;

    proxy_set_header Host $host;

    server_name www.alulearn.com;
    ssl_certificate /etc/letsencrypt/live/alulearn.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/alulearn.com/privkey.pem; # managed by Certbot
    ssl_trusted_certificate /etc/letsencrypt/live/www.alulearn.com/fullchain.pem;
    include snippets/ssl-params.conf;

    return 301 https://alulearn.com$request_uri;

}

server {  
    listen 443 ssl http2;

    proxy_set_header Host $host;

    server_name alulearn.com;
    ssl_certificate /etc/letsencrypt/live/alulearn.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/alulearn.com/privkey.pem; # managed by Certbot
    ssl_trusted_certificate /etc/letsencrypt/live/alulearn.com/fullchain.pem;
    include snippets/ssl-params.conf;

    root /var/www/alulearn.com;
    index index.html;

    location / {
        try_files $uri $uri/ =404;
    }

}

# configuration file /etc/nginx/snippets/ssl-params.conf:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx => 1.3.7
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
ssl_dhparam /etc/ssl/certs/dhparam.pem;

# configuration file /etc/nginx/sites-enabled/default:
##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# https://www.nginx.com/resources/wiki/start/
# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
# https://wiki.debian.org/Nginx/DirectoryStructure
#
# In most cases, administrators will remove this file from sites-enabled/ and
# leave it as reference inside of sites-available where it will continue to be
# updated by the nginx packaging team.
#
# This file will automatically load configuration files provided by other
# applications, such as Drupal or Wordpress. These applications will be made
# available underneath a path with that package name, such as /drupal8.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##

# Default server configuration
#
server {
	listen 80 default_server;
	listen [::]:80 default_server;

	# SSL configuration
	#
	# listen 443 ssl default_server;
	# listen [::]:443 ssl default_server;
	#
	# Note: You should disable gzip for SSL traffic.
	# See: https://bugs.debian.org/773332
	#
	# Read up on ssl_ciphers to ensure a secure configuration.
	# See: https://bugs.debian.org/765782
	#
	# Self signed certs generated by the ssl-cert package
	# Don't use them in a production server!
	#
	# include snippets/snakeoil.conf;

	root /var/www/html;

	# Add index.php to the list if you are using PHP
	index index.html index.htm index.nginx-debian.html;

	server_name _;

	location / {
		# First attempt to serve request as file, then
		# as directory, then fall back to displaying a 404.
		try_files $uri $uri/ =404;
	}

	# pass PHP scripts to FastCGI server
	#
	#location ~ \.php$ {
	#	include snippets/fastcgi-php.conf;
	#
	#	# With php-fpm (or other unix sockets):
	#	fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
	#	# With php-cgi (or other tcp sockets):
	#	fastcgi_pass 127.0.0.1:9000;
	#}

	# deny access to .htaccess files, if Apache's document root
	# concurs with nginx's one
	#
	#location ~ /\.ht {
	#	deny all;
	#}
}


# Virtual Host configuration for example.com
#
# You can move that to a different file under sites-available/ and symlink that
# to sites-enabled/ to enable it.
#
#server {
#	listen 80;
#	listen [::]:80;
#
#	server_name example.com;
#
#	root /var/www/example.com;
#	index index.html;
#
#	location / {
#		try_files $uri $uri/ =404;
#	}
#}


It looks like the stuff certbot automatically added is conflicting with the stuff I had, but I don't know enough to be certain.


Please show the output of this:
nginx -T | grep -i 'config|alulearn.com|listen'


Running: nginx -T | grep -i 'config|alulearn.com|listen' returns:

nginx: [warn] conflicting server name "www.alulearn.com" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name "alulearn.com" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name "www.alulearn.com" on 0.0.0.0:443, ignored
nginx: [warn] conflicting server name "alulearn.com" on 0.0.0.0:443, ignored
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Sorry, typo.
Try:
nginx -T | grep -Ei 'config|alulearn.com|listen'


nginx -T | grep -Ei 'config|alulearn.com|listen'

nginx: [warn] conflicting server name "www.alulearn.com" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name "alulearn.com" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name "www.alulearn.com" on 0.0.0.0:443, ignored
nginx: [warn] conflicting server name "alulearn.com" on 0.0.0.0:443, ignored
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
	# Virtual Host Configs
#		listen     localhost:110;
#		listen     localhost:143;
# configuration file /etc/nginx/modules-enabled/50-mod-http-image-filter.conf:
# configuration file /etc/nginx/modules-enabled/50-mod-http-xslt-filter.conf:
# configuration file /etc/nginx/modules-enabled/50-mod-mail.conf:
# configuration file /etc/nginx/modules-enabled/50-mod-stream.conf:
# configuration file /etc/nginx/proxy_params:
# configuration file /etc/nginx/mime.types:
# configuration file /etc/nginx/sites-enabled/alu:
    server_name 68.183.98.223 alulearn.com www.alulearn.com;
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/alulearn.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/alulearn.com/privkey.pem; # managed by Certbot
    if ($host = www.alulearn.com) {
    if ($host = alulearn.com) {
    listen 80;
    server_name 68.183.98.223 alulearn.com www.alulearn.com;
# configuration file /etc/letsencrypt/options-ssl-nginx.conf:
# configuration file /etc/nginx/sites-enabled/alulearn.com:
    if ($host = www.alulearn.com) {
    if ($host = alulearn.com) {
    server_name www.alulearn.com alulearn.com;
    return 301 https://alulearn.com$request_uri;
    listen 443 ssl http2;
    server_name www.alulearn.com;
    ssl_certificate /etc/letsencrypt/live/alulearn.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/alulearn.com/privkey.pem; # managed by Certbot
    ssl_trusted_certificate /etc/letsencrypt/live/www.alulearn.com/fullchain.pem;
    return 301 https://alulearn.com$request_uri;
    listen 443 ssl http2;
    server_name alulearn.com;
    ssl_certificate /etc/letsencrypt/live/alulearn.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/alulearn.com/privkey.pem; # managed by Certbot
    ssl_trusted_certificate /etc/letsencrypt/live/alulearn.com/fullchain.pem;
    root /var/www/alulearn.com;
# configuration file /etc/nginx/snippets/ssl-params.conf:
# configuration file /etc/nginx/sites-enabled/default:
# of Nginx configuration files in order to fully unleash the power of Nginx.
# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
# This file will automatically load configuration files provided by other
# Default server configuration
	listen 80 default_server;
	listen [::]:80 default_server;
	# SSL configuration
	# listen 443 ssl default_server;
	# listen [::]:443 ssl default_server;
	# Read up on ssl_ciphers to ensure a secure configuration.
# Virtual Host configuration for example.com
#	listen 80;
#	listen [::]:80;

Please show these files:
[they seem very buggy]

cat /etc/nginx/sites-enabled/alulearn.com
cat /etc/nginx/sites-enabled/alu

I think the "alu" file may be some sort of "backup" and is being included unintentionally.


/etc/nginx/sites-enabled/alulearn.com

server {
    if ($host = www.alulearn.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    if ($host = alulearn.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

  
    server_name www.alulearn.com alulearn.com;

    return 301 https://alulearn.com$request_uri;

}

server {  
    listen 443 ssl http2;

    proxy_set_header Host $host;

    server_name www.alulearn.com;
    ssl_certificate /etc/letsencrypt/live/alulearn.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/alulearn.com/privkey.pem; # managed by Certbot
    ssl_trusted_certificate /etc/letsencrypt/live/www.alulearn.com/fullchain.pem;
    include snippets/ssl-params.conf;

    return 301 https://alulearn.com$request_uri;

}

server {  
    listen 443 ssl http2;

    proxy_set_header Host $host;

    server_name alulearn.com;
    ssl_certificate /etc/letsencrypt/live/alulearn.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/alulearn.com/privkey.pem; # managed by Certbot
    ssl_trusted_certificate /etc/letsencrypt/live/alulearn.com/fullchain.pem;
    include snippets/ssl-params.conf;

    root /var/www/alulearn.com;
    index index.html;

    location / {
        try_files $uri $uri/ =404;
    }

}

cat /etc/nginx/sites-enabled/alu

server {
    server_name 68.183.98.223 alulearn.com www.alulearn.com;

    location = /favicon.ico { access_log off; log_not_found off; }
    location /static/ {
        root /home/aluadmin/aludir;
    }

    location / {
        include proxy_params;
        proxy_pass http://unix:/run/gunicorn.sock;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/alulearn.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/alulearn.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot




}
server {
    if ($host = www.alulearn.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    if ($host = alulearn.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    listen 80;
    server_name 68.183.98.223 alulearn.com www.alulearn.com;
    return 404; # managed by Certbot




}

P.S. Thank you so much for helping me with this, you're awesome.


OK, they seem to be doing pretty much the same thing, thus the duplication problem:

You need to delete (or move elsewhere) one of them.
Then restart the web service.


So I should just be able to completely delete / comment-out one of the files and nothing will break?

I don't know how you would comment out a single file that is included by path.
But you could delete the "alu" file.
It doesn't seem to serve any purpose.

To illustrate the inclusions, try:
nginx -T | grep -i include

You should find something like:
include /etc/nginx/sites-enabled/*;
[which includes all files within that "folder"]


I deleted it and now nginx -t isn't reporting any warnings/issues, but my site says 404 Not Found.

I made a backup, so I can revert if needed.

Which one did you delete?

/etc/nginx/sites-enabled/alu

Ok, they weren't doing the same thing:

versus:

I'll restore the backup then.

Then remove the longer file name.
And go from there.


Wow! All Nginx tests passed, site still works, and Certbot succeeded in renewing the certs.

I honestly can't thank you enough, you're a life-saver.

Any last things I should be aware of?


All files in that folder will be included in the config.
So be very careful when you try to edit a file and save a backup.
If you leave it in the same folder it will get included (regardless of the name used).

/etc/nginx/sites-enabled/working.conf
/etc/nginx/sites-enabled/working.conf.backup-2021.0105
Both will be used - this will create havoc!
