This works well the first time around when Nginx only listens to port 80. But when renewing the certificate after it has been set up only to listen to port 443 and all requests for http are redirected to https, it fails:
- The following errors were reported by the server:
Domain: www.example.com
Type: urn:acme:error:connection
Detail: Could not connect to http://www.example.com/.well-known
/acme-challenge/fpzLz-y3_ei42E7b1tDnszZj5NUoXXChh3uVqQbVicc
Domain: example.com
Type: urn:acme:error:connection
Detail: Could not connect to http://example.com/.well-known/acme-
challenge/RW-4jLj_vMILKb8Eahh3oHs8tMY3fYjrezlv7baAhjE
Of course you must not redirect HTTP to HTTPS for the path /.well-known/acme-challenge/* if you’re using the http-01 verification. Make sure it’s exempt.
Let’s Encrypt will follow redirects from HTTP to HTTPS. You just have to make sure that you’re redirecting to a URL serving the challenge token. The issue is not with your client invocation, but with your redirect or rather what you’re serving at the target URL.
Please provide the output of @blfr’s curl command. If the challenge file has since been deleted, create a new one to test this (e.g. http://www.example.com/.well-known/acme-challenge/test with random content).
Failed authorization procedure. moonloupe.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Could not connect to http://moonloupe.com/.well-known/acme-challenge/KY8MgM4ZMuxtBAaDOzHaq8BtKOIGv9wnhigftY12Jnk, www.moonloupe.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Could not connect to http://www.moonloupe.com/.well-known/acme-challenge/FyAkeXfOYkuBeTHVpeuLrfGI2Q0um0harnl2PR_OOGY
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: moonloupe.com
Type: urn:acme:error:connection
Detail: Could not connect to http://moonloupe.com/.well-known/acme-
challenge/KY8MgM4ZMuxtBAaDOzHaq8BtKOIGv9wnhigftY12Jnk
Domain: www.moonloupe.com
Type: urn:acme:error:connection
Detail: Could not connect to http://www.moonloupe.com/.well-known
/acme-challenge/FyAkeXfOYkuBeTHVpeuLrfGI2Q0um0harnl2PR_OOGY
I’m not sure if this is due to your test server being down or something like that, but connecting to https://www.moonloupe.com/.well-known/acme-challenge/fpzLz-y3_ei42E7b1tDnszZj5NUoXXChh3uVqQbVicc doesn’t work for me.
If that’s just a temporary problem, I would suggest running the curl command again and then browsing to the URL mentioned in the last line (Location: ...). This should serve the challenge token.
This is the funny thing. We first set moonloupe.com up to listen to port 80 only and were able to set up a certificate for it. We then changed the configuration to the one I shared above. All was good and we had the green pad lock. Then, when we ran the script again, LE failed, and – it took the site down. That is, there is an LE certificate in place (the one we generated the first time), but for some reason after we attempted to replace it, it’s no longer available to the site, and so the site is unavailable too. We actually had LE set up also on our main site – https://www.fashion.net, but when the automated update failed, we promptly reverted it back to COMODO. So right now, moonloupe.com actually is live, it’s just that LE prevents it from opening up.
I just had a look to see if the certificates had been corrupted, but they all look good. So the fact that a failed update makes the current certificates unavailable to the site seems to indicate that the path changed or the symlinks are broken. It must be a bug; a failed update surely shouldn’t bring down a site – it was a very scary experience. We set up a cron job for seven test sites and when the automated updates kicked in, they went offline in sequence. When that first happened, we had no idea what was going on. But after running the updates manually, we got the error messages that I posted when opening this thread.
Nginx generally refuses to start if certificates aren’t where they should be. There should at the very least be some kind of message in your error log indicating as much. The client also tries to avoid modifying any files unless renewal was successful.
Generally speaking, you might want to utilize --renew-by-default for renewal.
Thank you! Well, that confirms that Let's Encrypt breaks the path if it fails to update; really scary and it means we can't use Let's Encrypt on a production site.
We added that flag, but as you see here, it still failed to connect to https:
# /opt/letsencrypt/letsencrypt-auto certonly --renew-by-default --config /opt/letsencrypt/webroot.moonloupe.com.ini
Updating letsencrypt and virtual environment dependencies......
Requesting root privileges to run with virtualenv: /root/.local/share/letsencrypt/bin/letsencrypt certonly --renew-by-default --config /opt/letsencrypt/webroot.moonloupe.com.ini
Failed authorization procedure. www.moonloupe.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Could not connect to http://www.moonloupe.com/.well-known/acme-challenge/uy0J8fnDurVcv1WfVPJ_G8d-KK0KBbg1y-cCOtgF-fQ, moonloupe.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Could not connect to http://moonloupe.com/.well-known/acme-challenge/AWnz2PIftUe-qMW90JXAaoDMEbEEyCnoWp8dMT8TA_I
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: www.moonloupe.com
Type: urn:acme:error:connection
Detail: Could not connect to http://www.moonloupe.com/.well-known
/acme-challenge/uy0J8fnDurVcv1WfVPJ_G8d-KK0KBbg1y-cCOtgF-fQ
Domain: moonloupe.com
Type: urn:acme:error:connection
Detail: Could not connect to http://moonloupe.com/.well-known/acme-
challenge/AWnz2PIftUe-qMW90JXAaoDMEbEEyCnoWp8dMT8TA_I