Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: kingsy.co.uk
I ran this command: doas -u root certbot renew
It produced this output:
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.kingsy.co.uk
Waiting for verification...
Challenge failed for domain www.kingsy.co.uk
http-01 challenge for www.kingsy.co.uk
Cleaning up challenges
Attempting to renew cert (www.kingsy.co.uk) from /etc/letsencrypt/renewal/www.kingsy.co.uk.conf produced an unexpected error: Some challenges have failed.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/www.kingsy.co.uk/fullchain.pem (failure)
The following certs are not due for renewal yet:
/etc/letsencrypt/live/budget-waste.co.uk/fullchain.pem expires on 2020-12-29 (skipped)
/etc/letsencrypt/live/budgetaggregates.co.uk/fullchain.pem expires on 2021-02-13 (skipped)
/etc/letsencrypt/live/budgettopsoil.co.uk/fullchain.pem expires on 2021-02-13 (skipped)
/etc/letsencrypt/live/mail.kingsy.co.uk/fullchain.pem expires on 2021-02-13 (skipped)
/etc/letsencrypt/live/rubbishremovalgateshead.co.uk/fullchain.pem expires on 2020-12-29 (skipped)
/etc/letsencrypt/live/skip-hire-gateshead.co.uk/fullchain.pem expires on 2020-12-29 (skipped)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/www.kingsy.co.uk/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: www.kingsy.co.uk
Type: unauthorized
Detail: Invalid response from
https://www.kingsy.co.uk/.well-known/acme-challenge/DemreKHfSbBACcwaYZJQF8AE7xtVpwH3SZhWekby3gc
[209.250.224.131]: "<meta
name="viewport" content="width=device-width"/><meta
charSet="utf-8"/><link rel="apple-touch-ico"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
My web server is (include version): nginx/1.16.1
The operating system my web server runs on is (include version): OpenBSD 6.7
My hosting provider, if applicable, is: N/A
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.3.0
As you can see, my problem is that the web server is not allowing access to the challenge. I have added a location block specifically for Let's Encrypt in my nginx config, like so:
location /.well_known/ {
    root /var/www/sites/kingsy.co.uk/public;
    try_files $uri $uri/ $uri.html =404;
}
And I have changed the renewal config to also use the above directory:
[[webroot_map]]
www.kingsy.co.uk = /var/www/sites/kingsy.co.uk/public
If I navigate to /var/www/sites/kingsy.co.uk/public, create a .well_known directory there and put something in it (say, touch hello), then hit www.kingsy.co.uk/.well_known/hello, it serves me the file. So I am lost as to why nginx isn't serving the challenge.
Is it possible to have certbot create the challenge for the renewal but then stop, so I can see the file structure / permissions and where it's creating what?
Thanks
Chris
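As an added illustration (not code from the post or from certbot/nginx themselves), the following Python model reproduces the two pieces that have to line up for a webroot http-01 validation: certbot writing the key authorization under <webroot>/.well-known/acme-challenge/<token>, and nginx picking the longest prefix location that matches the requested URI. The location prefixes, token and key authorization are constructed for the demo; the point it shows is that the validator only ever requests /.well-known/acme-challenge/<token>, so a prefix that does not cover that exact path falls through to whatever else answers (here, an application page returning HTML, as in the "Invalid response" above).

```python
"""Added illustration of why an ACME http-01 webroot check passes or fails.

nginx serves a request from the longest location prefix matching the URI; if
no location covers /.well-known/acme-challenge/<token>, the request falls
through to whatever else answers (here: the site application, which returns
HTML). Tokens and paths below are constructed for the demo, not real ones.
"""
import tempfile
from pathlib import Path

# Path the ACME server always requests for http-01 (RFC 8555, section 8.3).
ACME_PREFIX = "/.well-known/acme-challenge/"


def place_token(webroot, token, key_authz):
    """Mimic certbot's webroot authenticator: write the key authorization
    to <webroot>/.well-known/acme-challenge/<token>."""
    path = Path(webroot, ACME_PREFIX.strip("/"), token)
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(key_authz)
    return path


def match_location(locations, uri):
    """nginx-style longest-prefix match over {location_prefix: root}."""
    hits = [p for p in locations if uri.startswith(p)]
    if not hits:
        return None
    prefix = max(hits, key=len)
    return prefix, locations[prefix]


def serve(locations, app_html, uri):
    """Body nginx would return: the static file when a matching location's
    root holds it, otherwise the application's page (the fall-through)."""
    hit = match_location(locations, uri)
    if hit is not None:
        candidate = Path(hit[1], uri.lstrip("/"))
        if candidate.is_file():
            return candidate.read_text()
    return app_html


def http01_outcome(location_prefix, token="TOKEN-constructed", key_authz="TOKEN.thumbprint"):
    """Run one simulated validation against a single nginx prefix location;
    returns (validator saw the key authorization?, body it received)."""
    with tempfile.TemporaryDirectory() as webroot:
        place_token(webroot, token, key_authz)
        body = serve({location_prefix: webroot}, '<meta charSet="utf-8"/>...', ACME_PREFIX + token)
        return body == key_authz, body
```

Calling http01_outcome("/.well_known/") returns the HTML fall-through, while http01_outcome("/.well-known/") returns the key authorization; a curl of the exact challenge URL from outside the host is the equivalent check against a live server.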