Moved to new VPS - Certbot failed to authenticate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: anahatatantra.com

I ran this command: certbot renew

It produced this output:

sudo certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/anahatatantra.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for anahatatantra.com and www.anahatatantra.com

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: anahatatantra.com
  Type:   unauthorized
  Detail: 2606:4700:3035::ac43:8df3: Invalid response from http://anahatatantra.com/.well-known/acme-challenge/A22UwgGhL1NtwAeyysojHBPJM5jfXE936u7W1MO6BKA: 522

  Domain: www.anahatatantra.com
  Type:   unauthorized
  Detail: 2606:4700:3035::ac43:8df3: Invalid response from http://www.anahatatantra.com/.well-known/acme-challenge/sO9CsrS6j5Ur3XidKD8k8uEW7nv0RlqgCLQ4o3G8LxI: 522

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Failed to renew certificate anahatatantra.com with error: Some challenges have failed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/anahatatantra.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): nginx/1.24.0

The operating system my web server runs on is (include version): Ubuntu 22.04.4

I can login to a root shell on my machine (yes or no, or I don't know): yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.10.0

I moved the site from a VPS to a new one. The transferred cert was working. But it is not renewing.

I tried https://letsdebug.net/

And I see:

anahatatantra.com has an AAAA (IPv6) record (2606:4700:3032::6815:3930) but a test request to this address over port 80 did not succeed.

anahatatantra.com has an A (IPv4) record (172.67.141.243) but a request to this address over port 80 did not succeed.

Here is the nginx config:

server {
        listen 80;
        server_name www.anahatatantra.com anahatatantra.com;
        root /var/www/anahatatantra.com;
        return 301 https://www.anahatatantra.com$request_uri;
}

server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;

        server_name anahatatantra.com;
        ssl_dhparam /etc/nginx/dhparam.pem;
#        ssl_session_cache shared:SSL:10m;
#        ssl_session_timeout 10m;
        ssl_session_timeout 1d;
        ssl_session_cache shared:MozSSL:10m;
        ssl_certificate_key "/etc/letsencrypt/live/anahatatantra.com/privkey.pem";
        ssl_certificate "/etc/letsencrypt/live/anahatatantra.com/fullchain.pem";
        ssl_protocols TLSv1.2 TLSv1.3;
#        ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRS>
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA38>
        ssl_prefer_server_ciphers off;

#       add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
#        add_header Strict-Transport-Security "max-age=31536000;";

        # HSTS (ngx_http_headers_module is required) (63072000 seconds)
        add_header Strict-Transport-Security "max-age=63072000" always;

#        rewrite  ^/(.*)$  https://www.anahatatantra.com/$1 permanent;
        return 301 https://www.anahatatantra.com$request_uri;
}


# Main HTTPS server block for www
server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;

        server_name www.anahatatantra.com;

        root /var/www/anahatatantra.com;

        # ******** If something does not work, disable this **********
        include /etc/nginx/global.d/*.conf;
#       include /etc/nginx/conf.d/*.conf;

        index index.php;

        access_log /var/log/nginx/access.log main;
        error_log /var/log/nginx/error.log;

        ssl_dhparam /etc/nginx/dhparam.pem;
#        ssl_session_cache shared:SSL:10m;
        ssl_certificate_key "/etc/letsencrypt/live/anahatatantra.com/privkey.pem";
        ssl_certificate "/etc/letsencrypt/live/anahatatantra.com/fullchain.pem";
        ssl_session_timeout 1d;
        ssl_session_cache shared:MozSSL:10m;
        ssl_protocols TLSv1.2 TLSv1.3;
#        ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRS>
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA38>
        ssl_prefer_server_ciphers off;
        add_header Strict-Transport-Security "max-age=63072000" always;

        ### Configuration for the WP Super Cache plugin
        set $cache_uri $request_uri;
        client_max_body_size 15M;

        # POST requests and URLs with a query string should always go to PHP
        if ($request_method = POST) {
           set $cache_uri 'null cache';
        }
        if ($query_string != "") {
           set $cache_uri 'null cache';
        }
        ###

        #REDIRECT OLD NON-EXISTING PAGES
        rewrite ^/pl/jak-osiagnac-orgazm-problemy-z-osiagnieciem-orgazmu-dla-kobiet https://www.anahatatan>
        rewrite ^/faq$ https://www.anahatatantra.com/faqs/ permanent;
        rewrite ^/pl/t/masaz-tantryczny/ https://www.anahatatantra.com/pl/c/masaz-tantryczny/ permanent;

        location ~* \.(xml|xsl)$ { add_header Cache-Control "no-cache, no-store, must-revalidate, max-age=>
        location /robots.txt { add_header Cache-Control "no-cache, no-store, must-revalidate, max-age=0"; >
        location /wp-cron.php { add_header Cache-Control "no-cache, no-store, must-revalidate, max-age=0";>


        location ~* wp-config.php {
                deny all;
                }

        location ~ \.php$ {
                fastcgi_split_path_info ^(.+\.php)(/.+)$;
                fastcgi_pass unix:/run/php/php-fpm.sock;
#               fastcgi_pass 127.0.0.1:9000;
                fastcgi_index index.php;
                fastcgi_param SERVER_NAME $host;
                include fastcgi_params;
                fastcgi_buffer_size 16k;
                fastcgi_buffers 16 4k;
        }

        location ~ ^/\.user\.ini {
        deny all;
        }
}

Is there anything wrong here?

We need to see this file:

to ensure this part is a match:

with the current settings:


On second look, it seems that CloudFlare is unable to reach your site [via HTTP request].
There may be some misconfiguration within your CF settings.


Here is the content of the file:

cat /etc/letsencrypt/renewal/anahatatantra.com.conf

renew_before_expiry = 50 days
version = 2.9.0
archive_dir = /etc/letsencrypt/archive/anahatatantra.com
cert = /etc/letsencrypt/live/anahatatantra.com/cert.pem
privkey = /etc/letsencrypt/live/anahatatantra.com/privkey.pem
chain = /etc/letsencrypt/live/anahatatantra.com/chain.pem
fullchain = /etc/letsencrypt/live/anahatatantra.com/fullchain.pem
# Options used in the renewal process
[renewalparams]
authenticator = webroot
account = 73a22d21a632fa94b7ec430f1ae2e45d
server = https://acme-v02.api.letsencrypt.org/directory
key_type = rsa
[[webroot_map]]
anahatatantra.com = /var/www/anahatatantra.com
www.anahatatantra.com = /var/www/anahatatantra.com

Also I see that when I enter the site, the cert is issued by Google?! Is it something that Cloudflare does? I have the free package there... nothing special.

Here is a curl from my local machine:

curl -i http://anahatatantra.com

HTTP/1.1 522
Date: Wed, 01 May 2024 13:49:58 GMT
Content-Type: text/plain; charset=UTF-8
Content-Length: 15
Connection: keep-alive
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VQPbi9LOouiypbHCt%2Ffu%2B6NkpTEIUvtAlbUmTWos64Mv7vs8k4WdG4e4VWwd%2BeyjRUQllfAjfhbcPcVLbPWJVcZVlSZqn%2FFPZfSc4T71PCE1g0w1fFNahcyiUEVHOVwpwH7Vsw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
X-Frame-Options: SAMEORIGIN
Referrer-Policy: same-origin
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Server: cloudflare
CF-RAY: 87d03bf37860bfee-WAW
alt-svc: h3=":443"; ma=86400

Yes.

Review: Moved to new VPS - Certbot failed to authenticate - #4 by linkp

Show also:
curl -i https://anahatatantra.com


curl with https replies immediately:

curl -i https://anahatatantra.com
HTTP/2 301 
date: Wed, 01 May 2024 14:16:16 GMT
content-type: text/html
location: https://www.anahatatantra.com/
strict-transport-security: max-age=63072000
cf-cache-status: DYNAMIC
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VdTf4b5%2FsxO%2BNJZgwSjnX6y7ulkFIxPMOVO6Q0Uo1gRbX5RU3J2B3m3tbOPpzk9wxt%2FUULqemn4R%2FFL6uWYHp4HWkEmgQwzR9mFksXKV8f2G%2BNeWJ%2BXy%2F1I5on%2Fn%2B%2FVADkxe%2FQ%3D%3D"}],"group":"cf-nel","max_age":604800}
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
server: cloudflare
cf-ray: 87d0636cf86b35ca-WAW
alt-svc: h3=":443"; ma=86400

<html>
<head><title>301 Moved Permanently</title></head>
<body>
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx</center>
</body>
</html>

I've reviewed all the points of that link, but none of them apply in this situation.

I've also opened a thread on Cloudflare forum: https://community.cloudflare.com/t/522-error-on-new-vps/650277/2


Problem solved!
It turned out that UFW was turned on.

Still can't understand why, when I entered the .acme folder (on port 80 via http) from the browser, the requests were accepted,
and when I made a curl request over http the firewall blocked it on SYN.

Any idea?

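The checks the thread walked through by hand (is port 80 open in ufw, does a challenge file come back through Cloudflare, is the 522 the proxy or the origin) can be scripted. The following is an added self-check, not code from the thread or from Certbot; WEBROOT, DOMAIN and ORIGIN_IP are assumptions to override for your own host, and it assumes the same non-www to www redirect as the nginx config above.

```shell
# Added self-check for HTTP-01 webroot renewals behind Cloudflare (example code, not
# from the thread or from Certbot). It walks the CA's path: a token written under
# <webroot>/.well-known/acme-challenge must come back over plain HTTP, following the
# 301 to HTTPS as the CA does. WEBROOT, DOMAIN and ORIGIN_IP are assumed values.
WEBROOT="${WEBROOT:-/var/www/anahatatantra.com}"
DOMAIN="${DOMAIN:-anahatatantra.com}"
ORIGIN_IP="${ORIGIN_IP:-}"   # set to the VPS address to probe the origin past the proxy

# 0 if the given `ufw status` text allows TCP/80 from anywhere (port or app profile).
ufw_allows_http() {
    printf '%s\n' "$1" | grep -Eq \
        '^(80(/tcp)?|Nginx (HTTP|Full))( \(v6\))?[[:space:]]+ALLOW( IN)?[[:space:]]+Anywhere'
}

# Turn a probe result into a one-line diagnosis.
# $1 = curl exit code, $2 = final HTTP status, $3 = 1 if the body carried our token.
diagnose() {
    if [ "$1" = 7 ] || [ "$1" = 28 ]; then
        echo "no TCP connection: firewall drop or nginx not listening on port 80"
    elif [ "$2" = 521 ] || [ "$2" = 522 ]; then
        echo "Cloudflare could not reach the origin on port 80 (check ufw/iptables)"
    elif [ "$2" = 200 ] && [ "$3" = 1 ]; then
        echo "ok: challenge path serves the token"
    elif [ "$2" = 200 ]; then
        echo "HTTP 200 but wrong content: another vhost, cache or app page answered"
    else
        echo "unexpected HTTP status $2"
    fi
}

# Write a throwaway token into the webroot, fetch it like the CA would, clean up.
challenge_probe() {
    dir="$WEBROOT/.well-known/acme-challenge"
    token=$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')
    mkdir -p "$dir" && printf 'selftest-%s' "$token" > "$dir/$token"
    resolve=""
    [ -n "$ORIGIN_IP" ] && resolve="--resolve $DOMAIN:80:$ORIGIN_IP --resolve www.$DOMAIN:443:$ORIGIN_IP"
    rc=0
    out=$(curl -sS -L -m 15 $resolve -w '\n%{http_code}' \
          "http://$DOMAIN/.well-known/acme-challenge/$token") || rc=$?
    status=$(printf '%s' "$out" | tail -n 1)
    matched=0
    printf '%s' "$out" | head -n 1 | grep -q "selftest-$token" && matched=1
    rm -f "$dir/$token"
    diagnose "$rc" "$status" "$matched"
}

# Run the checks only when invoked with --run, so the functions can also be sourced.
if [ "${1:-}" = "--run" ]; then
    ufw_allows_http "$(ufw status 2>/dev/null)" || echo "warning: ufw does not allow port 80"
    challenge_probe
fi
```

Run it once on the VPS as root (`sh acme-selfcheck.sh --run`) and once from another machine with ORIGIN_IP set: a 522 through the proxy but a connection timeout direct to the origin points at the host firewall, as it did here.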
