My certificate has expired I can't renew it, I tried several things

My domain is:
emplacaweb.com.br
www.emplacaweb.com.br

I ran this command:
certbot new --dry-run

certbot new --force-renewal

sudo certbot --nginx -d emplacaweb.com.br -d www.emplacaweb.com.br

certbot certonly --webroot -w /var/emp_web/build -d emplacaweb.com.br -d www.emplacaweb.com.br

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/emplacaweb.com.br.conf


Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for emplacaweb.com.br
http-01 challenge for www.emplacaweb.com.br
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (emplacaweb.com.br) from /etc/letsencrypt/renewal/emplacaweb.com.br.conf produced an unexpected error: Failed authorization procedure. emplacaweb.com.br (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://emplacaweb.com.br/.well-known/acme-challenge/teDlcU4ih2mhiMFOg0Il2Eay72LIH9o-X35Ir5jAYBk [2a02:4780:1:277:0:2fe1:d9b9:6]: "\r\n404 Not Found\r\n\r\n

404 Not Found

\r\n
openresty</cente", www.emplacaweb.com.br (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.emplacaweb.com.br/.well-known/acme-challenge/eGBGf7wYRCYUfm8F6ARotyJiM8pqXZFn-H9xH1sUHK0 [2a02:4780:1:277:0:2fe1:d9b9:6]: "\r\n404 Not Found\r\n\r\n

404 Not Found

\r\n
openresty</cente". Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/emplacaweb.com.br/fullchain.pem (failure)


** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/emplacaweb.com.br/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

My web server is (include version):
Ngnix

The operating system my web server runs on is (include version):
Ubuntu 18

My hosting provider, if applicable, is:
hostinger

I can login to a root shell on my machine (yes or no, or I don't know):
Yes.

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot

Are you sure you are using nginx?

Based on the response from your server, it looks like you have a Litespeed server sitting in front of an OpenResty server.

What type of hosting product do you have with Hostinger? A VPS?

Are you sure you are using nginx?
Yes, using nginx.
Nginx server was stopped I just started
Where did you check this?

What type of hosting product do you have with Hostinger? A VPS?
Yes VPS.

Oh, that makes much more sense now. Thank you for clarifying.

You have a different server responding on IPv6:

$ curl -X GET -I -6 emplacaweb.com.br
HTTP/1.1 301 Moved Permanently
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 706
Date: Thu, 28 Jan 2021 00:31:10 GMT
Server: LiteSpeed
Location: http://45.15.24.138:3001/

compared to IPv4:

$ curl -X GET -I -4 emplacaweb.com.br
HTTP/1.1 301 Moved Permanently
Server: nginx/1.14.0 (Ubuntu)
Date: Thu, 28 Jan 2021 00:31:27 GMT
Content-Type: text/html
Content-Length: 194
Connection: keep-alive
Location: https://emplacaweb.com.br/

Perhaps what you need to do is remove the incorrect IPv6/AAAA record from your DNS, and things will start working.

Thanks for answering...

Could you tell me how can I remove the incorrect IPv6 / AAAA record from the DNS as it is a VPS I don't have a panel to manage this I think it would have to be done by the correct linux command?

The two curl commands I linked above.

I think you would need to login to your Hostinger control panel where you registered the domain, and find the DNS editor. Probably this: Hostinger DNS Zone Editor: A Complete Beginner's Guide

There you will find that your domain has some "AAAA" records. I think you should remove them there.

Or better even: fix your IPv6 connectivity, if your current VPS has IPv6 :wink:

IPv6 is the future!

2 Likes

I understand, in this case I would have to make a note to Location: https://emplacaweb.com.br/ equal ipv4 right? wouldn't there be a problem with both records pointing to the same location?

1 - I was able to renew the certificate by changing the AAAA record like the image below

teste1

At least that part I managed to solve, thank you all for your help and attention.

2 - I did a test on letsdebug and a very strange return appears for me ... does anyone have any ideas how to solve?
Link test: Let's Debug

What's strange about it?

these errors pointed out by letsdebug, should I worry about correcting this?

For example connection error refused, it seems to me that this test cannot connect to port 80 through the AAAA / IPV6 register, there is some action you can do to make this register pointing to the same address as the A / IPV4 register, this could correct this problem it will be?

Yes, I can see them when I click the Let's Debug-link :wink:

Of course.

Well, it also says your IPv4 isn't working, which would have been a bigger problem, if it wasn't incorrect. From my point of view, IPv4 is working fine.

However, your IPv6 doesn't work indeed. I'm getting a connection refused. However, you're the system administrator, not me. So I have absolutely NO idea if the IPv6 address 2a02:4780:1:1::1:9b66 is actually correct at all. Might be as simple as incorrectly configured nginx, might be a system configuration error, I don't know. And in my opinion, this Community is not for generic IPv6 issue troubleshooting I'm afraid.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.