LetsEncrypt renew cert


#1

Good afternoon. My website had letsencrypt installed, but it expired on October 4th and was not updated automatically. Now, when trying to update manually with certbot renew, the update gives an error:
Attempting to renew cert (crange.ru) from /etc/letsencrypt/renewal/crange.ru.conf produced an unexpected error: Failed authorization procedure. crange.ru (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://crange.ru/.well-known/acme-challenge/QHS_bqwmudNMjKxihc_cHwzbHqqremoYrzWgVbBzYmY:

Nginx conf:
location /.well-known {
    allow all;
    root /var/www/html;
}
certbot conf:
renew_before_expiry = 30 days
version = 0.23.0
archive_dir = /etc/letsencrypt/archive/crange.ru
cert = /etc/letsencrypt/live/crange.ru/cert.pem
privkey = /etc/letsencrypt/live/crange.ru/privkey.pem
chain = /etc/letsencrypt/live/crange.ru/chain.pem
fullchain = /etc/letsencrypt/live/crange.ru/fullchain.pem

# Options used in the renewal process
[renewalparams]
post_hook = service nginx reload
authenticator = webroot
installer = None
webroot_path = /var/www/html,
[[webroot_map]]
crange.ru = /var/www/html
www.crange.ru = /var/www/html

I created a test file in the /var/www/html/.well-known/acme-challenge folder and I manage to open it at https://domain.ru/.well-known/acme-challenge/test.html, but the same file is not available if you change the protocol to http: nginx redirects to https://domain.ru.
Apparently the problem is that certbot gets the same redirect when trying to open its file. Tell me, what needs to be changed in the nginx settings to renew the certificate?


#2

Can you provide the http virtual host that contains the redirect?

If it’s “return 301 https://crange.ru;”, you can change it to “return 301 https://crange.ru$request_uri;”.

You can also change the configuration to exclude /.well-known/acme-challenge/ from the redirect.


#3

Here is the complete nginx config.

server {
    server_name crange.ru www.crange.ru;
    listen 80 default_server;  # default_server is a listen parameter, not a server_name
    return 301 https://crange.ru;
}

server {

    server_name www.crange.ru;
    listen 443 ssl http2;
    ssl_certificate /etc/letsencrypt/live/crange.ru/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/crange.ru/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/crange.ru/chain.pem;

    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security "max-age=31536000";
    return 301 https://crange.ru$request_uri;
}

server {

    server_name crange.ru;
    listen 443 ssl http2;

    ssl_certificate /etc/letsencrypt/live/crange.ru/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/crange.ru/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/crange.ru/chain.pem;

    ssl_stapling on;
    ssl_stapling_verify on;

    add_header Strict-Transport-Security "max-age=31536000";

    add_header X-Frame-Options "SAMEORIGIN";

    location /.well-known {
        allow all;
        root /var/www/html;
    }

    # static settings and etc
}

Help me, please, how do I exclude .well-known from https redirect? I tried it like this, but it didn’t work.

server {
    server_name crange.ru www.crange.ru default_server;
    listen 80;
    return 301 https://crange.ru;
    location .well-known {
       return 301 http://$server_name$request_uri;
    }
}

#4

Yeah, that’s not gonna work. The first line is an indiscriminate redirect that overrides any location block.

To have the effect you wanted it needs to be:

location / {
  return 301 https://crange.ru;
}
location /.well-known/acme-challenge/ {
  root /var/www/html;  # the webroot certbot writes the challenge token to
}

But what you really want is probably just:

location / {
  return 301 http://$server_name$request_uri;
}

#5

@_az, did you mean return 301 https://$server_name$request_uri; here?
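Putting the answer in #4 together with the correction in #5, the port-80 server block below serves the challenge token over plain HTTP and redirects everything else with the path preserved. It is an added example, not a config posted in this thread, and it assumes the webroot /var/www/html and the domain crange.ru from the question.

```nginx
# Port-80 server: answer ACME http-01 challenges from the webroot,
# redirect everything else to HTTPS. Added example, not from the thread;
# assumes webroot /var/www/html and domain crange.ru. Adjust to your site.
server {
    listen 80 default_server;
    server_name crange.ru www.crange.ru;

    # certbot's webroot authenticator writes the token under
    # /var/www/html/.well-known/acme-challenge/. Serve it as plain text
    # over HTTP so the validation request is never redirected to HTTPS.
    # ^~ makes this prefix win over any regex locations added later.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/html;
        default_type "text/plain";
        try_files $uri =404;
    }

    # Everything else goes to HTTPS, keeping the request path
    # ("return 301 https://crange.ru;" on its own drops $request_uri).
    location / {
        return 301 https://crange.ru$request_uri;
    }
}
```

After reloading nginx, request http://crange.ru/.well-known/acme-challenge/test.html with a client that does not follow redirects and confirm a 200 with the file's contents before running certbot renew.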
