LetsEncrypt Renewal Issue


#1

Having an issue renewing a free cert. I have listed concise information below, but I'm getting errors when trying to run letsencrypt commands and it's been a while since I set this up.

OS: Ubuntu 16
Server: Guacamole w/ NGINX Settings

*******************Letsencrypt error message

guacadmin@GuacSecondary:~$ sudo letsencrypt renew
Processing /etc/letsencrypt/renewal/addmoreroutes.com.conf
2018-05-21 23:34:30,044:WARNING:letsencrypt.cli:Attempting to renew cert from /etc/letsencrypt/renewal/addmoreroutes.com.conf produced an unexpected error: Failed authorization procedure. addmoreroutes.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://addmoreroutes.com/.well-known/acme-challenge/xxxxxxxI: Error getting validation data. Skipping.

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/addmoreroutes.com/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: addmoreroutes.com
    Type: connection
    Detail: Fetching http://addmoreroutes.com/.xxxxxx Error
    getting validation data

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided

*******************LetsEncrypt Debug Errors

ANotWorking
ERROR
addmoreroutes.com has an A (IPv4) record (x.x.x.x) but a request to this address over port 80 did not succeed.
Get http://addmoreroutes.com/.well-known/acme-challenge/letsdebug-test: failed to parse Location header “https://\addmoreroutes.com\/.well-known/acme-challenge/letsdebug-test”: parse https://\addmoreroutes.com/.well-known/acme-challenge/letsdebug-test: invalid character “\” in host name

Trace:

Making a request to http://addmoreroutes.com/.well-known/acme-challenge/letsdebug-test (using initial IP 50.89.182.245)
Dialing 50.89.182.245

*********************Nginx Settings

guacadmin@GuacSecondary:~$ sudo nano /etc/nginx/nginx.conf

user www-data;
worker_processes 4;
pid /run/nginx.pid;

events
{
worker_connections 768;
}

http
{
# My Certificates
# NOTE(review): nginx serves the chain from /etc/nginx/ssl/... while the renewal output in
# post #1 names /etc/letsencrypt/live/addmoreroutes.com/fullchain.pem — confirm these are the
# same files (symlink or copy step), otherwise a successful renewal is never served.
ssl_certificate /etc/nginx/ssl/addmoreroutes.com/fullchain.pem;
ssl_certificate_key /etc/nginx/ssl/addmoreroutes.com/privkey.pem;

    # SSL Performance Related
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    # SSL Protocols and Ciphers
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1.2;
    ssl_ciphers "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:!AES128:!aNULL:!MD5:!eNULL:!EXPORT:!DES:!PSK:!RC4";
    # DHE Key-Exchange
    ssl_dhparam /etc/nginx/ssl/addmoreroutes.com/dhparam.pem;

    # Random Security Stuff
    # NOTE(review): add_header at http level is inherited by every server/location below that
    # has no add_header of its own; the curl output in post #2 shows these headers on the
    # port-80 301 as well. An HSTS header on a plain-HTTP response is ignored by clients.
    server_tokens off;
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header Strict-Transport-Security max-age=63072000;

    # Common Proxy Settings
    # NOTE(review): the backslash before $host / $remote_addr / $proxy_add_x_forwarded_for is
    # not nginx syntax. Post #2 suspects it is why the upstream Host header and the 301
    # Location header come out as "\addmoreroutes.com\"; post #14 removes the backslashes.
    proxy_set_header Host      \$host;
    proxy_set_header X-Real-IP  \$remote_addr;
    proxy_set_header    X-Forwarded-For \$proxy_add_x_forwarded_for;

    ########################
    # Default Config Stuff #
    ########################
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 4096; #Default:2048
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    gzip on;
    gzip_disable "msie6";
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;

    # REDIRECTS ALL PORT 80/HTTP to 443/HTTPS
    # NOTE(review): a "return" directly in the server block runs before location matching,
    # so the acme-challenge location below is never reached and every HTTP request — the
    # http-01 validation fetch included — is redirected (posts #6 and #8). Post #19 shows
    # the intended form: keep the acme location and put the return in its own "location / { }".
    server
    {
            listen 80;
            listen [::]:80;
            server_name addmoreroutes.com;

            # NOTE(review): "~" makes this a regex match; the unescaped "." matches any
            # character. No try_files here yet — posts #4/#12 add "try_files $uri =404;".
            location ~ /.well-known/acme-challenge
            {
                root /var/www/html/;
            }

            return 301 https://$host/$request_uri; 
    }

    # GUACAMOLE SERVER SETTINGS
    server
    {
            listen 443 ssl;
            listen [::]:443 ssl;
            server_name addmoreroutes.com;

            proxy_buffering off;
            proxy_redirect  off;
proxy_cookie_path /guacamole/ /;
            proxy_http_version 1.1;
            # NOTE(review): same literal backslash as in the http-level proxy_set_header lines.
            proxy_set_header Upgrade \$http_upgrade;
            proxy_set_header Connection "upgrade";

            # NOTE(review): http-01 validation is fetched over port 80 (post #6); this
            # duplicate location only matters if the HTTP vhost redirects challenges here.
            location ~ /.well-known/acme-challenge
            {
                root /var/www/html/;
            }

            # NOTE(review): TLS terminates at nginx; the hop to the Guacamole backend on :8080
            # is plain HTTP — acceptable only if that hop stays on a trusted host/network.
            location /
            {
                    proxy_pass http://x.x.x.x:8080/guacamole/;
            }
    }

}


#2

The server is sending a malformed redirect: https://letsdebug.net/addmoreroutes.com/787

$ curl -X GET -I addmoreroutes.com/.well-known/acme-challenge/xxx
HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Tue, 22 May 2018 03:47:00 GMT
Content-Type: text/html
Content-Length: 178
Connection: keep-alive
Location: https://\addmoreroutes.com\/.well-known/acme-challenge/xxx
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=63072000

I think this is it:

What is this backslash? That is not necessary in nginx configs and explains why the proxied application might think the Host header begins with a backslash.


#4

This location may need a “try” in it.


#5

Which one? I have it listed for both HTTP and HTTPS.


#6

in both, but the challenge is going to HTTP:
The challenge requests are being redirected and garbled.

 wget http://addmoreroutes.com/.well-known/acme-challenge/test.txt
--2018-05-21 23:50:41--  http://addmoreroutes.com/.well-known/acme-challenge/test.txt
Resolving addmoreroutes.com (addmoreroutes.com)... 50.89.182.245
Connecting to addmoreroutes.com (addmoreroutes.com)|50.89.182.245|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://\addmoreroutes.com\/.well-known/acme-challenge/test.txt [following]
--2018-05-21 23:50:41--  https://%5Caddmoreroutes.com%5C/.well-known/acme-challenge/test.txt
Resolving \\addmoreroutes.com\\ (\\addmoreroutes.com\\)... 50.89.182.245
Connecting to \addmoreroutes.com\ (\addmoreroutes.com\)|50.89.182.245|:443... connected.
ERROR: cannot verify \\addmoreroutes.com\\'s certificate, issued by ‘CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US’:
  Issued certificate has expired.
ERROR: no certificate subject alternative name matches
        requested host name ‘\\addmoreroutes.com\\’.
To connect to \\addmoreroutes.com\\ insecurely, use `--no-check-certificate'.

#7

What would be the syntax to add the try statement?


#8

If you want to avoid the HTTPS redirect, you’ll need to put the return 301 into a location / { } block, otherwise it will override the acme-challenge location block.

Still, you should instead fix the weird backslash, as it will affect all of your visitors.


#9

# acme-challenge location as quoted from the port-80 server block in post #1;
# the "try_files $uri =404;" line from post #12 goes inside these braces.
location ~ /.well-known/acme-challenge
{
root /var/www/html/;
}

How would I add the try statement in here?


#10

something like:
# NOTE(review): corrected in post #12 — the last argument must be "=404" so nginx returns
# that status code; a bare "404" is treated as a fallback URI to redirect to internally.
try_files $uri 404;


#11

like this
# NOTE(review): the final "}" has no matching "{" in this snippet — it closes the
# enclosing server block, not the location.
location ~ /.well-known/acme-challenge
{
# see post #12: this should read "try_files $uri =404;"
try_files $uri 404;
root /var/www/html/;
}
}


#12

Sorry:
# "=404" makes nginx answer with the 404 status when the challenge file does not exist
# under the location's root, instead of falling through to another URI.
try_files $uri =404;

But basically yes.


#13

And that backslash seems problematic.

Actually all of these too:


#14

Corrected the proxy_set_header statements by removing the backslashes, added the try_files statements, retested, and still get the same error.

***********New Output

guacadmin@GuacSecondary:~$ sudo nano /etc/nginx/nginx.conf

user www-data;
worker_processes 4;
pid /run/nginx.pid;

events
{
worker_connections 768;
}

http
{
# My Certificates
# NOTE(review): cert paths under /etc/nginx/ssl/... differ from the /etc/letsencrypt/live/...
# path in the renewal output (post #1) — confirm a symlink or copy step keeps them in sync.
ssl_certificate /etc/nginx/ssl/addmoreroutes.com/fullchain.pem;
ssl_certificate_key /etc/nginx/ssl/addmoreroutes.com/privkey.pem;

    # SSL Performance Related
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    # SSL Protocols and Ciphers
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1.2;
    ssl_ciphers "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:!AES128:!aNULL:!MD5:!eNULL:!EXPORT:!DES:!PSK:!RC4";
    # DHE Key-Exchange
    ssl_dhparam /etc/nginx/ssl/addmoreroutes.com/dhparam.pem;

    # Random Security Stuff
    server_tokens off;
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header Strict-Transport-Security max-age=63072000;

    # Common Proxy Settings
    # (backslashes from the post #1 listing removed — see posts #2 and #13)
    proxy_set_header Host      $host;
    proxy_set_header X-Real-IP  $remote_addr;
    proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;

    ########################
    # Default Config Stuff #
    ########################
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 4096; #Default:2048
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    gzip on;
    gzip_disable "msie6";
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;

    # REDIRECTS ALL PORT 80/HTTP to 443/HTTPS
    # NOTE(review): the "return 301" is still at server level, so it still fires before the
    # acme-challenge location is considered — which is consistent with "same error" in this
    # post. Posts #17 and #19 move it into "location / { }" in this port-80 block only.
    server
    {
            listen 80;
            listen [::]:80;                                                                         

            server_name addmoreroutes.com;

            location ~ /.well-known/acme-challenge
            {
                try_files $uri =404;
                root /var/www/html/;
            }

            return 301 https://$host/$request_uri;
    }

    # GUACAMOLE SERVER SETTINGS
    server
    {
            listen 443 ssl;
            listen [::]:443 ssl;
            server_name addmoreroutes.com;

            proxy_buffering off;
            proxy_redirect  off;
            proxy_cookie_path /guacamole/ /;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";

            location ~ /.well-known/acme-challenge
            {
               try_files $uri =404;
               root /var/www/html/;
            }

            # NOTE(review): the ":8080" present in the post #1 listing is gone from this
            # proxy_pass, so it now targets port 80 on the backend — verify this was intended.
            # The backend hop remains plain HTTP; keep it on a trusted host/network.
            location /
            {
                    proxy_pass http://x.x.x.x/guacamole/;
            }
    }

}


#15

restart web service
# "nginx -t" validates the configuration first; "service nginx reload" applies a
# config change without dropping established connections, a restart is not required.
service nginx restart


#16

You're the man
Effing Props


#17

Not sure, but as @_az pointed out, that redirect may need to be inside a location; like:

# Redirect scoped to its own "location /": the regex acme-challenge location takes
# precedence over this prefix location, so challenge requests are served, not redirected.
location /
            {
                    return 301 https://$host/$request_uri;
            }

#18

From This

         # current state (post #14): the return sits at server level and overrides the location
         location ~ /.well-known/acme-challenge
            {
                try_files $uri =404;
                root /var/www/html/;
            }

            return 301 https://$host/$request_uri;
    }

to This

         # NOTE(review): placing the return inside the acme-challenge location would redirect
         # the challenge requests themselves — the opposite of what is needed. Post #19 shows
         # the intended layout: the return goes in a separate "location / { }".
         location ~ /.well-known/acme-challenge
            {
                try_files $uri =404;
                root /var/www/html/;
                return 301 https://$host/$request_uri;
            }
    }

???


#19

two separate locations:

# challenge files served from disk; regex location wins over the "/" prefix below
location ~ /.well-known/acme-challenge
            {
                try_files $uri =404;
                root /var/www/html/;
            }

# everything else on port 80 is sent to HTTPS (this belongs in the port-80 server only, post #21)
location /
            {
                return 301 https://$host/$request_uri;
            }

So that it is more like:
When location A, do this.
When location B, do this.


#20

OK, made the changes:

    # GUACAMOLE SERVER SETTINGS
    # NOTE(review): this is the 443 server. Its "location /" now redirects to https instead
    # of proxying to Guacamole (the proxy_pass block from post #14 is gone), so every HTTPS
    # request to "/" is sent back to this same vhost — a redirect loop. Post #21: the redirect
    # belongs only in the port-80 block; leave this block as it was in post #14.
    server
    {
            listen 443 ssl;
            listen [::]:443 ssl;                                                                           
            server_name addmoreroutes.com;

            location ~ /.well-known/acme-challenge
            {
                try_files $uri =404;
                root /var/www/html/;
            }

            # NOTE(review): "request_uri" is missing its "$" — compare "$request_uri" in
            # post #14 — so the literal text "request_uri" would be appended to the redirect.
            location /
                     {
                            return 301 https://$host/request_uri;
                     }
    }

#21

Only in the port 80 block; not the 443 block.
((You don’t need to redirect to https within the https block - LOL))

Leave 443 as before: