Issue with certbot renew and mail


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: gossiptrendspot.com

I ran this command: certbot renew --renew-hook “service nginx reload” --renew-hook “service postfix reload” --renew-hook “service dovecot restart”

It produced this output:


Processing /etc/letsencrypt/renewal/gossiptrendspot.com.conf


Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for autodiscover.gossiptrendspot.com
http-01 challenge for gossiptrendspot.com
http-01 challenge for imap.gossiptrendspot.com
http-01 challenge for smtp.gossiptrendspot.com
http-01 challenge for www.gossiptrendspot.com
http-01 challenge for mail.gossiptrendspot.com
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (gossiptrendspot.com) from /etc/letsencrypt/renewal/gossiptrendspot.com.conf produced an unexpected error: Failed authorization procedure. mail.gossiptrendspot.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://mail.gossiptrendspot.com/.well-known/acme-challenge/u2P9e1uH8loqWgVOzQNjxstox7kh58-4IzbmG622jBc: “\r\n404 Not Found\r\n<body bgcolor=“white”>\r\n

404 Not Found

\r\n
”. Skipping.

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/gossiptrendspot.com/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

My web server is (include version): nginx/1.14.0

The operating system my web server runs on is (include version): Ununto 18.04

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No


#2

Hi,

I believe you used the wrong hook…
If you want to reload all services after successful renewal, you should use post-hook for renewal…

Thank you


#3

Firstly, I applaud you for even trying --renew-hook multiple times (had never thought of doing that).
Has this worked in the past?


#4

@rg305 Yea, you can add as many renew-hook’s as you need:


#5

@stevenzhu --renew-hook only runs on a successful renewal. If I used post-hook it would reboot nginx every time the command is run, whether it attempts a renewal or not:


#6

Please show:
cerbot --version
certbot certificates
then each of the corresponding certificate renewal conf files:
[start with the one that covers “mail.gossip…”]
/etc/letsencrypt/renewal/{cert-name}.conf


#7

I also double checked the DNS just to be sure, it does have an A-record configured, and nothing has changed with the config since the initial application.

Version: certbot 0.26.1
Renewal:


Found the following certs:
Certificate Name: gossiptrendspot.com
Domains: gossiptrendspot.com autodiscover.gossiptrendspot.com imap.gossiptrendspot.com mail.gossiptrendspot.com smtp.gossiptrendspot.com www.gossiptrendspot.com
Expiry Date: 2018-12-05 15:50:41+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/gossiptrendspot.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/gossiptrendspot.com/privkey.pem



#8

It’s weird this alone worked:

certbot --nginx certonly -n -d mail.gossiptrendspot.com

but the multi-domain is still throwing a 404 \ can’t auth with

certbot renew

certbot --nginx certonly -n -d mail.gossiptrendspot.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for mail.gossiptrendspot.com
Waiting for verification…
Cleaning up challenges

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/mail.gossiptrendspot.com/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/mail.gossiptrendspot.com/privkey.pem
    Your cert will expire on 2019-03-10. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot
    again. To non-interactively renew all of your certificates, run
    “certbot renew”

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le


#9

Can you also show the renewal configs?:

List them:
ls -l /etc/letsencrypt/renewal/*.conf
Then show them:
less /etc/letsencrypt/renewal/{whatever-your-files-are-named}.conf


#10

Here is the list (there’s 2 additional now from testing the mail, and having to get the site back up while trying to debug)

-rw-r--r-- 1 root root  577 Dec 10 19:42 /etc/letsencrypt/renewal/gossiptrendspot.com-0001.conf 
-rw-r--r-- 1 root root 1004 Sep  6 16:50 /etc/letsencrypt/renewal/gossiptrendspot.com.conf
-rw-r--r-- 1 root root  577 Dec 10 23:54 /etc/letsencrypt/renewal/mail.gossiptrendspot.com.conf

And here’s the config of the one having renewal issues (gossiptrendspot.com.conf). I can post the config of the ones I just created to get the site back up as well if it will help:

# renew_before_expiry = 30 days
version = 0.26.1
archive_dir = /etc/letsencrypt/archive/gossiptrendspot.com
cert = /etc/letsencrypt/live/gossiptrendspot.com/cert.pem
privkey = /etc/letsencrypt/live/gossiptrendspot.com/privkey.pem
chain = /etc/letsencrypt/live/gossiptrendspot.com/chain.pem
fullchain = /etc/letsencrypt/live/gossiptrendspot.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = b24b626a560b41212e7d8c38cd9d63a0
rsa_key_size = 2048
authenticator = webroot
webroot_path = /var/www/gossiptrendspot.com/htdocs,
server = https://acme-v02.api.letsencrypt.org/directory
[[webroot_map]]
autodiscover.gossiptrendspot.com = /var/www/gossiptrendspot.com/htdocs
gossiptrendspot.com = /var/www/gossiptrendspot.com/htdocs
imap.gossiptrendspot.com = /var/www/gossiptrendspot.com/htdocs
mail.gossiptrendspot.com = /var/www/gossiptrendspot.com/htdocs
smtp.gossiptrendspot.com = /var/www/gossiptrendspot.com/htdocs
www.gossiptrendspot.com = /var/www/gossiptrendspot.com/htdocs

#11

As you can see, they all used the same webroot when they were issued:

But do they all still use that same (document)root?
Please show:
grep -Eri 'root|server_name|server_alias|listen' /etc/nginx/


#12

Ahh I think that found it for me TY very much, I didn’t re-list the names in the nginx config for the mail subdomains when I re-wrote the server configuration after the cert was applied for, since I wasn’t running a reverse proxy on the mail server.

/etc/nginx/fastcgi.conf:fastcgi_param  SCRIPT_FILENAME    $document_root$fastcgi_script_name;
/etc/nginx/fastcgi.conf:fastcgi_param  DOCUMENT_ROOT      $document_root;
/etc/nginx/fastcgi.conf:fastcgi_param  SERVER_NAME        $server_name;
/etc/nginx/scgi_params:scgi_param  DOCUMENT_ROOT      $document_root;
/etc/nginx/scgi_params:scgi_param  SERVER_NAME        $server_name;
/etc/nginx/fastcgi_params:fastcgi_param  DOCUMENT_ROOT      $document_root;
/etc/nginx/fastcgi_params:fastcgi_param  SERVER_NAME        $server_name;
/etc/nginx/nginx.conf:  # server_names_hash_bucket_size 64;
/etc/nginx/nginx.conf:  # server_name_in_redirect off;
/etc/nginx/nginx.conf:#         listen     localhost:110;
/etc/nginx/nginx.conf:#         listen     localhost:143;
/etc/nginx/uwsgi_params:uwsgi_param  DOCUMENT_ROOT      $document_root;
/etc/nginx/uwsgi_params:uwsgi_param  SERVER_NAME        $server_name;
/etc/nginx/sites-available/default:     listen 80 default_server;
/etc/nginx/sites-available/default:     listen [::]:80 default_server;
/etc/nginx/sites-available/default:     # listen 443 ssl default_server;
/etc/nginx/sites-available/default:     # listen [::]:443 ssl default_server;
/etc/nginx/sites-available/default:     root /var/www/html;
/etc/nginx/sites-available/default:     server_name _;
/etc/nginx/sites-available/default:     # deny access to .htaccess files, if Apache's document root
/etc/nginx/sites-available/gossiptrendspot.com: server_name gossiptrendspot.com www.gossiptrendspot.com;
/etc/nginx/sites-available/gossiptrendspot.com: root /var/www/gossiptrendspot.com/htdocs;
/etc/nginx/sites-available/gossiptrendspot.com: listen 80;
/etc/nginx/sites-available/gossiptrendspot.com: listen 443 ssl;

Gunna test out a fresh build that I think will fix the issue.


#13

From that I see:

/etc/nginx/sites-available/gossiptrendspot.com: 
     server_name gossiptrendspot.com www.gossiptrendspot.com;
     root /var/www/gossiptrendspot.com/htdocs;

/etc/nginx/sites-available/default:
     server_name _;
     root /var/www/html;

So, the only names that are using the document root that matches the webroot are:
gossiptrendspot.com
www.gossiptrendspot.com

All other names are grabbed by the default to /var/www/html

I think this can be fixed in the /etc/letsencrypt/renewal/*.conf files, in the [[webroot_map]] section.

Try changing:
[[webroot_map]]
autodiscover.gossiptrendspot.com = /var/www/gossiptrendspot.com/htdocs
gossiptrendspot.com = /var/www/gossiptrendspot.com/htdocs
imap.gossiptrendspot.com = /var/www/gossiptrendspot.com/htdocs
mail.gossiptrendspot.com = /var/www/gossiptrendspot.com/htdocs
smtp.gossiptrendspot.com = /var/www/gossiptrendspot.com/htdocs
www.gossiptrendspot.com = /var/www/gossiptrendspot.com/htdocs

To:
[[webroot_map]]
autodiscover.gossiptrendspot.com = /var/www/html
gossiptrendspot.com = /var/www/gossiptrendspot.com/htdocs
imap.gossiptrendspot.com = /var/www/html
mail.gossiptrendspot.com = /var/www/html
smtp.gossiptrendspot.com = /var/www/html
www.gossiptrendspot.com = /var/www/gossiptrendspot.com/htdocs


#14

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.