My certificate has expired and I can't renew it. I tried several things.

My domain is:
emplacaweb.com.br
www.emplacaweb.com.br

I ran this command:
certbot new --dry-run

certbot new --force-renewal

sudo certbot --nginx -d emplacaweb.com.br -d www.emplacaweb.com.br

certbot certonly --webroot -w /var/emp_web/build -d emplacaweb.com.br -d www.emplacaweb.com.br

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/emplacaweb.com.br.conf


Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for emplacaweb.com.br
http-01 challenge for www.emplacaweb.com.br
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (emplacaweb.com.br) from /etc/letsencrypt/renewal/emplacaweb.com.br.conf produced an unexpected error: Failed authorization procedure. emplacaweb.com.br (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://emplacaweb.com.br/.well-known/acme-challenge/teDlcU4ih2mhiMFOg0Il2Eay72LIH9o-X35Ir5jAYBk [2a02:4780:1:277:0:2fe1:d9b9:6]: "\r\n404 Not Found\r\n\r\n404 Not Found\r\nopenresty</cente", www.emplacaweb.com.br (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.emplacaweb.com.br/.well-known/acme-challenge/eGBGf7wYRCYUfm8F6ARotyJiM8pqXZFn-H9xH1sUHK0 [2a02:4780:1:277:0:2fe1:d9b9:6]: "\r\n404 Not Found\r\n\r\n404 Not Found\r\nopenresty</cente". Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/emplacaweb.com.br/fullchain.pem (failure)


** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/emplacaweb.com.br/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

My web server is (include version):
Nginx

The operating system my web server runs on is (include version):
Ubuntu 18

My hosting provider, if applicable, is:
hostinger

I can login to a root shell on my machine (yes or no, or I don't know):
Yes.

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot

Are you sure you are using nginx?

Based on the response from your server, it looks like you have a Litespeed server sitting in front of an OpenResty server.

What type of hosting product do you have with Hostinger? A VPS?

Are you sure you are using nginx?
Yes, using nginx.
The nginx server was stopped; I just started it.
Where did you check this?

What type of hosting product do you have with Hostinger? A VPS?
Yes VPS.

Oh, that makes much more sense now. Thank you for clarifying.

You have a different server responding on IPv6:

$ curl -X GET -I -6 emplacaweb.com.br
HTTP/1.1 301 Moved Permanently
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 706
Date: Thu, 28 Jan 2021 00:31:10 GMT
Server: LiteSpeed
Location: http://45.15.24.138:3001/

compared to IPv4:

$ curl -X GET -I -4 emplacaweb.com.br
HTTP/1.1 301 Moved Permanently
Server: nginx/1.14.0 (Ubuntu)
Date: Thu, 28 Jan 2021 00:31:27 GMT
Content-Type: text/html
Content-Length: 194
Connection: keep-alive
Location: https://emplacaweb.com.br/

Perhaps what you need to do is remove the incorrect IPv6/AAAA record from your DNS, and things will start working.
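
The IPv4/IPv6 comparison made with curl above can be scripted. This is an added example, not part of the original post: it requests the same URL over each address family and lists the headers that differ. The names `probe` and `findings` and the two sample dictionaries (filled in from the curl output above) are constructed for illustration.

```python
import http.client
import socket
import sys

# Constructed samples: header values copied from the two curl runs in the thread.
SAMPLE_V4 = {"status": 301, "server": "nginx/1.14.0 (Ubuntu)",
             "location": "https://emplacaweb.com.br/"}
SAMPLE_V6 = {"status": 301, "server": "LiteSpeed",
             "location": "http://45.15.24.138:3001/"}

def probe(host, family, path="/", timeout=10):
    """HEAD http://host/path over one address family; None if no record exists."""
    try:
        addr = socket.getaddrinfo(host, 80, family, socket.SOCK_STREAM)[0][4][0]
    except socket.gaierror:
        return None
    conn = http.client.HTTPConnection(addr, 80, timeout=timeout)
    try:
        # Connect to the literal address but send the real name as Host.
        conn.request("HEAD", path, headers={"Host": host})
        resp = conn.getresponse()
        return {"address": addr, "status": resp.status,
                "server": resp.getheader("Server"),
                "location": resp.getheader("Location")}
    except (OSError, http.client.HTTPException) as exc:
        return {"address": addr, "error": str(exc)}
    finally:
        conn.close()

def findings(v4, v6):
    """List the differences that suggest A and AAAA reach different servers."""
    if v6 is None:
        return []  # no AAAA record, nothing to disagree with
    if v4 is None:
        return ["AAAA record exists but no A record"]
    for name, result in (("IPv4", v4), ("IPv6", v6)):
        if "error" in result:
            return [f"{name} probe failed: {result['error']}"]
    return [f"{key}: IPv4={v4[key]!r} IPv6={v6[key]!r}"
            for key in ("status", "server", "location") if v4[key] != v6[key]]

if __name__ == "__main__":
    name = sys.argv[1]  # hostname to check
    report = findings(probe(name, socket.AF_INET), probe(name, socket.AF_INET6))
    print("\n".join(report) or "IPv4 and IPv6 answers match")
```

Run it with the hostname as the only argument; any reported difference in `server` or `location` means the A and AAAA records are not reaching the same web server.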

Thanks for answering...

Could you tell me how I can remove the incorrect IPv6 / AAAA record from the DNS? As it is a VPS, I don't have a panel to manage this. I think it would have to be done with the correct Linux command?

The two curl commands I linked above.

I think you would need to login to your Hostinger control panel where you registered the domain, and find the DNS editor. Probably this: https://www.hostinger.com/tutorials/how-to-use-hostinger-dns-zone-editor

There you will find that your domain has some "AAAA" records. I think you should remove them there.

Or even better: fix your IPv6 connectivity, if your current VPS has IPv6 :wink:

IPv6 is the future!

I understand. In this case I would have to make a note to Location: https://emplacaweb.com.br/ equal IPv4, right? Wouldn't there be a problem with both records pointing to the same location?

1 - I was able to renew the certificate by changing the AAAA record like the image below

At least that part I managed to solve, thank you all for your help and attention.

2 - I did a test on letsdebug and a very strange return appears for me ... does anyone have any ideas how to solve it?
Link test: Let's Debug

What's strange about it?

These errors pointed out by letsdebug: should I worry about correcting them?

For example, the connection refused error: it seems to me that this test cannot connect to port 80 through the AAAA / IPv6 record. Is there some action that can be taken to make this record point to the same address as the A / IPv4 record? Could this correct the problem?

Yes, I can see them when I click the Let's Debug-link :wink:

Of course.

Well, it also says your IPv4 isn't working, which would have been a bigger problem, if it wasn't incorrect. From my point of view, IPv4 is working fine.

However, your IPv6 doesn't work indeed. I'm getting a connection refused. However, you're the system administrator, not me. So I have absolutely NO idea if the IPv6 address 2a02:4780:1:1::1:9b66 is actually correct at all. Might be as simple as incorrectly configured nginx, might be a system configuration error, I don't know. And in my opinion, this Community is not for generic IPv6 issue troubleshooting I'm afraid.