Thanks for the response, I really appreciate it.
That command did work last time I tried it, which would have been ~75 days ago. The main change since then is that I upgraded from Sierra to High Sierra. If there were any new releases of Certbot during that time, I would also have installed those. I can’t think of any other changes, though it’s certainly possible I’m forgetting something.
ngrok.com is a local proxy, so the site won’t be serving my current cert unless my laptop is open. Furthermore, to renew the certificate I’ve previously had to temporarily disable SSL on the local server, in order for the HTTP challenge to be successful.
Below is the full log, as well as the results of the SSL test when running with the current cert:
Root logging level set at 10
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requested authenticator manual and installer None
Single candidate plugin: * manual
Description: Manual configuration or run your own shell scripts
Interfaces: IAuthenticator, IPlugin
Entry point: manual = certbot.plugins.manual:Authenticator
Initialized: <certbot.plugins.manual.Authenticator object at REDACTED>
Prep: True
Selected authenticator <certbot.plugins.manual.Authenticator object at REDACTED> and installer None
Plugins selected: Authenticator manual, Installer None
Picked account: <Account(RegistrationResource(body=Registration(status=None, contact=(u'mailto:nick@storyworth.com',), agreement=u'https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf', key=JWKRSA(key=<ComparableRSAKey(<cryptography.hazmat.backends.openssl.rsa._RSAPublicKey object at 0x10fd817d0>)>)), uri=u'https://acme-v01.api.letsencrypt.org/acme/reg/8596961', new_authzr_uri=u'https://acme-v01.api.letsencrypt.org/acme/new-authz', terms_of_service=u'https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf'), REDACTED, Meta(creation_host=u'nicks-mbp.t-mobile.com', creation_dt=datetime.datetime(2017, 1, 22, 1, 11, 19, tzinfo=<UTC>)))>
Sending GET request to https://acme-v01.api.letsencrypt.org/directory.
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
https://acme-v01.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 561
Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 561
Replay-Nonce: REDACTED
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Wed, 04 Oct 2017 04:02:43 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 04 Oct 2017 04:02:43 GMT
Connection: keep-alive
{
  "REDACTED": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/REDACTED",
  "key-change": "https://acme-v01.api.letsencrypt.org/acme/key-change",
  "meta": {
    "terms-of-service": "https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf"
  },
  "new-authz": "https://acme-v01.api.letsencrypt.org/acme/new-authz",
  "new-cert": "https://acme-v01.api.letsencrypt.org/acme/new-cert",
  "new-reg": "https://acme-v01.api.letsencrypt.org/acme/new-reg",
  "revoke-cert": "https://acme-v01.api.letsencrypt.org/acme/revoke-cert"
}
Should renew, less than 30 days before certificate expiry 2017-10-18 19:17:00 UTC.
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Requesting fresh nonce
Sending HEAD request to https://acme-v01.api.letsencrypt.org/acme/new-authz.
https://acme-v01.api.letsencrypt.org:443 "HEAD /acme/new-authz HTTP/1.1" 405 0
Received response:
HTTP 405
Server: nginx
Content-Type: application/problem+json
Content-Length: 91
Allow: POST
Replay-Nonce: REDACTED
Expires: Wed, 04 Oct 2017 04:02:43 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 04 Oct 2017 04:02:43 GMT
Connection: keep-alive
Storing nonce: REDACTED
JWS payload:
{
  "identifier": {
    "type": "dns",
    "value": "dev.storyworth.com"
  },
  "resource": "new-authz"
}
Sending POST request to https://acme-v01.api.letsencrypt.org/acme/new-authz:
{
  "protected": "REDACTED",
  "payload": "REDACTED",
  "signature": "REDACTED"
}
https://acme-v01.api.letsencrypt.org:443 "POST /acme/new-authz HTTP/1.1" 201 996
Received response:
HTTP 201
Server: nginx
Content-Type: application/json
Content-Length: 996
Boulder-Requester: REDACTED
Link: <https://acme-v01.api.letsencrypt.org/acme/new-cert>;rel="next"
Location: https://acme-v01.api.letsencrypt.org/acme/authz/REDACTED
Replay-Nonce: REDACTED
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Wed, 04 Oct 2017 04:02:43 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 04 Oct 2017 04:02:43 GMT
Connection: keep-alive
{
  "identifier": {
    "type": "dns",
    "value": "dev.storyworth.com"
  },
  "status": "pending",
  "expires": "2017-10-09T20:51:53Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/REDACTED",
      "token": "REDACTED"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/REDACTED",
      "token": "REDACTED"
    },
    {
      "type": "tls-sni-01",
      "status": "pending",
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/REDACTED",
      "token": "REDACTED"
    }
  ],
  "combinations": [
    [
      1
    ],
    [
      0
    ],
    [
      2
    ]
  ]
}
Storing nonce: REDACTED
Performing the following challenges:
http-01 challenge for dev.storyworth.com

Results of SSL Test:
- Subject dev.storyworth.com
- Fingerprint SHA256: ee24d26cfa5bbc90aa6eba187345ba2e18e1928ffb1d20f288ff3c194da4a624
- Pin SHA256: BboV/5pywZainB2FejVEXasD7Zt5tv9gic6JfX/S4Q4=
- Common names dev.storyworth.com
- Alternative names dev.storyworth.com
- Serial Number 03ca890499697ab4c1ba0a832d27e593dcfe
- Valid from Thu, 20 Jul 2017 19:17:00 UTC
- Valid until Wed, 18 Oct 2017 19:17:00 UTC (expires in 14 days, 15 hours)
- Key RSA 2048 bits (e 65537)
- Weak key (Debian) No
- Issuer Let’s Encrypt Authority X3
- AIA: http://cert.int-x3.letsencrypt.org/
- Signature algorithm SHA256withRSA