Letsencrypt not renewing


#1

I have a server whose certificate is going to expire on the 17th of March. But the renew command is saying no certificates were renewed.

letsencrypt renew

No renewals were attempted.

However, when looking it up, it states:

Validity
Not Before: Dec 17 02:54:00 2016 GMT
Not After : Mar 17 02:54:00 2017 GMT

The domain for the company I am working on is beinglibertarian.com. It is the first time this server has come up for renewal since the migration. It's also behind Cloudflare.


#2

Does it give some more information if you add -v to the commands? Or perhaps -vv if -v doesn’t show enough extra info.


#3

letsencrypt -vv renew
2017-03-10 08:34:20,743:DEBUG:letsencrypt.cli:Root logging level set at 10
2017-03-10 08:34:20,744:INFO:letsencrypt.cli:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2017-03-10 08:34:20,745:DEBUG:letsencrypt.cli:letsencrypt version: 0.4.1
2017-03-10 08:34:20,745:DEBUG:letsencrypt.cli:Arguments: ['-vv']
2017-03-10 08:34:20,746:DEBUG:letsencrypt.cli:Discovered plugins: PluginsRegistry(PluginEntryPoint#webroot,PluginEntryPoint#null,PluginEntryPoint#manual,PluginEntryPoint#standalone)

No renewals were attempted.
2017-03-10 08:34:20,747:DEBUG:letsencrypt.cli:no renewal failures


#4

Looks like it doesn’t even find any renewal configurations to renew.

With the migration, did you migrate the whole directory /etc/letsencrypt, including /etc/letsencrypt/renewal?


#5

No, the letsencrypt on this server was brand new. We went from a managed host to using DigitalOcean for a self-hosted solution. We built most of it using this guide: http://www.morphatic.com/2016/05/21/super-fast-secure-wordpress-install-on-digitalocean-with-nginx-php7-and-ubuntu-16-04-lts/

So it was only a migration of the WordPress stuff, but not the underlying system.


#6

The renewal folder is empty though.


#7

So you also used “Step 7” in that how-to to set up Let’s Encrypt?


#8

Yes, I did. I followed every step there.


#9

Including the part with:

$ sudo letsencrypt certonly -a webroot --webroot-path=/var/www/html -d yourdomain.com -d www.yourdomain.com

on the new server?

Because if that step was successful, it would have generated at least one renewal configuration file in /etc/letsencrypt/renewal/.


#10

I think I know what happened. I accidentally messed up the first version of the server where I had originally provisioned the certificate. Then I recreated it and only moved the certificates. So if I rerun the command after temporarily disabling Cloudflare, would it reprovision it properly with the command above?


#11

Yes, and when you use the webroot authenticator, it should even work with CloudFlare enabled.


#12

Just tried that and received this error:

  • The following errors were reported by the server:

Domain: www.beinglibertarian.com
Type: unauthorized
Detail: Invalid response from http://www.beinglibertarian.com/.well-known/acme-challenge/DtRdvI2U-nnz8cJveHAO-hA2diHxLVJkBVz8gd556MI: "
403 Forbidden
403 Forbidden
ngin"

Domain: beinglibertarian.com
Type: unauthorized
Detail: Invalid response from http://beinglibertarian.com/.well-known/acme-challenge/_ce4I6qy91h5TpKlegrSy1TnV7F0s8Y8tyX_wpWIyyw: "
403 Forbidden
403 Forbidden
ngin"

To fix these errors, please make sure that your domain name was entered correctly and the DNS A record(s) for that domain contain(s) the right IP address.


#13

Did you add

    location ~ /.well-known {
            allow all;
    }

to your server block in /etc/nginx/sites-available/default as Step 7 said? Also, is there a symlink to that file called /etc/nginx/sites-enabled/default?


#14

The block is there in /etc/nginx/sites-available/default.
How do I make the symlink file, and where does it need to point?


#15

Well, I don't use nginx myself, but /sites-available/ holds all configuration files which can be used, but which aren't used by nginx directly (because they're not included from some other conf file). By making a symlink in /sites-enabled/ to the file in /sites-available/, the config file is enabled.

Therefore, you should see a symlink /etc/nginx/sites-enabled/default pointing to /etc/nginx/sites-available/default. If not, it doesn’t matter what you put in /etc/nginx/sites-available/default, because that file isn’t enabled directly.

You can check with:

ls -l /etc/nginx/sites-enabled/default


#16

Yes, there is a symlink there, it seems.


#17

Hm… Don’t know why you’re getting a 403 then…

Try putting a test file into your acme-challenge directory:

echo "Test file" > /var/www/html/.well-known/acme-challenge/test

And try to reach it through: http://beinglibertarian.com/.well-known/acme-challenge/test

You'll probably get an error again, but dive into your nginx error log file and look at what nginx says when you try to reach that file.

Could you perhaps also post your /etc/nginx/sites-available/default?


#18

Here is my nginx conf:

fastcgi_cache_path /var/run/nginx-cache levels=1:2 keys_zone=WORDPRESS:100m inactive=60m;
fastcgi_cache_key "$scheme$request_method$host$request_uri";
fastcgi_cache_use_stale error timeout invalid_header http_500;
fastcgi_ignore_headers Cache-Control Expires Set-Cookie;

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name beinglibertarian.com www.beinglibertarian.com;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    include snippets/ssl-params.conf;

    client_max_body_size 256M;
    root /var/www/html;
    index index.php index.html;
    server_name beinglibertarian.com www.beinglibertarian.com;
    set $skip_cache 0;
    if ($request_method = POST) {
            set $skip_cache 1;
    }
    if ($query_string != "") {
            set $skip_cache 1;
    }
    if ($request_uri ~* "/wp-admin/|/xmlrpc.php|wp-.*.php|/feed/|index.php|sitemap(_index)?.xml") {
            set $skip_cache 1;
    }
    if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in") {
            set $skip_cache 1;
    }
    autoindex off;
    location ~ /purge(/.*) {
            fastcgi_cache_purge WORDPRESS "$scheme$request_method$host$1";
    }
    location ~* ^.+\.(flv|pdf|avi|mov|mp3|wmv|m4v|webm|aac|ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
            expires max;
            log_not_found off;
            access_log off;
    }
    location / {
            try_files $uri $uri/ /index.php?$args;
    }
    location ~ \.php$ {
            include snippets/fastcgi-php.conf;
            fastcgi_pass unix:/run/php/php7.0-fpm.sock;
            fastcgi_cache_bypass $skip_cache;
            fastcgi_no_cache $skip_cache;
            fastcgi_cache WORDPRESS;
            fastcgi_cache_valid 60m;
            include fastcgi_params;
    }
    location ~* ^/wp-includes/.*(?<!(js/tinymce/wp-tinymce))\.php$ {
            internal;
    }
    location = /favicon.ico {
            log_not_found off;
            access_log off;
    }
    location = /robots.txt {
            access_log off;
            log_not_found off;
    }
    location = /wp-config.php {
            deny all;
    }
    location ~* /(?:uploads|files)/.*\.php$ {
            deny all;
    }
    location ~* ^/wp-content/.*\.(txt|md|exe|sh|bak|inc|php|pot|po|mo|log|sql)$ {
            deny all;
    }
    location ~ /\.(ht|svn)? {
            deny all;
    }
    location ~ /.well-known {
            allow all;
    }

    # Block file injections
    set $block_file_injections 0;
    if ($query_string ~ "[a-zA-Z0-9_]=http://") {
            set $block_file_injections 1;
    }
    if ($query_string ~ "[a-zA-Z0-9_]=(\.\.//?)+") {
            set $block_file_injections 1;
    }
    if ($query_string ~ "[a-zA-Z0-9_]=/([a-z0-9_.]//?)+") {
            set $block_file_injections 1;
    }
    if ($block_file_injections = 1) {
            return 403;
    }

    # Block SQL injections
    set $block_sql_injections 0;
    if ($query_string ~ "union.*select.*\(") {
            set $block_sql_injections 1;
    }
    if ($query_string ~ "union.*all.*select.*") {
            set $block_sql_injections 1;
    }
    if ($query_string ~ "concat.*\(") {
            set $block_sql_injections 1;
    }
    if ($block_sql_injections = 1) {
            return 403;
    }

    # Block common exploits
    set $block_common_exploits 0;
    if ($query_string ~ "(<|%3C).*script.*(>|%3E)") {
            set $block_common_exploits 1;
    }
    if ($query_string ~ "GLOBALS(=|\[|\%[0-9A-Z]{0,2})") {
            set $block_common_exploits 1;
    }
    if ($query_string ~ "_REQUEST(=|\[|\%[0-9A-Z]{0,2})") {
            set $block_common_exploits 1;
    }
    if ($query_string ~ "proc/self/environ") {
            set $block_common_exploits 1;
    }
    if ($query_string ~ "mosConfig_[a-zA-Z_]{1,21}(=|\%3D)") {
            set $block_common_exploits 1;
    }
    if ($query_string ~ "base64_(en|de)code\(.*\)") {
            set $block_common_exploits 1;
    }
    if ($block_common_exploits = 1) {
            return 403;
    }
}


#19

I got an error 403 on the test file.


#20

If I take a look at the "final" /sites-available/default in the how-to you followed, I see this:

    # this must be near the top to ensure auto-renewals work
    location ~ /.well-known {
            allow all;
    }

In your configuration however, it’s almost at the bottom.

You could try bringing that part all the way up like they show here:

http://www.morphatic.com/2016/05/21/super-fast-secure-wordpress-install-on-digitalocean-with-nginx-php7-and-ubuntu-16-04-lts/#crayon-58c2ecdec0cb2092395266

Edit: uch, they are generating those IDs randomly for every visit. Anyway, I mean the code block in the section "Setup Caching and Purging".
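Why the position of that block matters, as an added illustration that is not from the thread or the how-to: nginx evaluates `location ~` regex blocks in configuration order and stops at the first match, and in the posted config `location ~ /\.(ht|svn)?` comes before `location ~ /.well-known`. Because the `(ht|svn)` group is optional and the pattern is unanchored, that rule matches any path containing `/.`, so `/.well-known/acme-challenge/...` is denied before the allow block is ever reached. The Python below models that first-match rule over a subset of the posted regex locations (in posted order versus the how-to's order); the request paths are constructed for the demonstration.

```python
import re

# Regex locations copied from the posted /etc/nginx/sites-available/default,
# in posted order (a subset: the static-file and wp-content rules are omitted
# because they do not match the paths tested here). nginx evaluates
# `location ~` blocks in configuration order and uses the first match.
POSTED_ORDER = [
    (r"/purge(/.*)", "fastcgi_cache_purge"),
    (r"\.php$", "fastcgi_pass"),
    (r"/\.(ht|svn)?", "deny all"),
    (r"/.well-known", "allow all"),
]

# The how-to's order: the /.well-known block sits above the dotfile deny.
FIXED_ORDER = [POSTED_ORDER[3]] + POSTED_ORDER[:3]


def select_location(uri, regex_locations):
    """Return the action of the first regex location matching `uri`.

    Models nginx's rule for `location ~` blocks: unanchored, case-sensitive
    PCRE search, first match wins. Returns None when no regex matches, in
    which case nginx would fall back to the longest matching prefix location
    (`location /` in the posted config).
    """
    for pattern, action in regex_locations:
        if re.search(pattern, uri):
            return action
    return None


def matched_text(pattern, uri):
    """Return the substring a location regex actually matched, or None.

    Shows that the dotfile rule matches only "/." on the challenge path:
    the (ht|svn) group is optional, so the rule degenerates to "any dot
    directory", which is broader than the .htaccess/.svn files it targets.
    """
    m = re.search(pattern, uri)
    return m.group(0) if m else None


if __name__ == "__main__":
    challenge = "/.well-known/acme-challenge/test"  # constructed test path
    for name, order in (("posted", POSTED_ORDER), ("fixed", FIXED_ORDER)):
        print(f"{name:>6}: {challenge} -> {select_location(challenge, order)}")
    print("dotfile rule matched:", matched_text(POSTED_ORDER[2][0], challenge))
```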