My certificate is expired, I need to extend it

My website is stixex.io.
It is the main domain, it works fine.
But we also have a subdomain, admin.stixex.io, and it doesn't work.
I think the certificate is expired.

So I need to extend the validity date. Please help me.
Best regards

Our server is running nginx (Ubuntu).

certbot 1.7.0

root@ubuntu-2gb-hel1-3:/etc# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

When I try certbot renew, the results are as follows:

root@ubuntu-2gb-hel1-3:/etc# certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/admin.stixex.io.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for admin.stixex.io
Using the webroot path /var/www/letsencrypt for all unmatched domains.
Waiting for verification...
Challenge failed for domain admin.stixex.io
http-01 challenge for admin.stixex.io
Cleaning up challenges
Attempting to renew cert (admin.stixex.io) from /etc/letsencrypt/renewal/admin.stixex.io.conf produced an unexpected error: Some challenges have failed.. Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/api.stixex.io.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for api.stixex.io
Using the webroot path /var/www/letsencrypt for all unmatched domains.
Waiting for verification...
Challenge failed for domain api.stixex.io
http-01 challenge for api.stixex.io
Cleaning up challenges
Attempting to renew cert (api.stixex.io) from /etc/letsencrypt/renewal/api.stixex.io.conf produced an unexpected error: Some challenges have failed.. Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/stixex.io.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/admin.stixex.io/fullchain.pem (failure)
  /etc/letsencrypt/live/api.stixex.io/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/stixex.io/fullchain.pem expires on 2021-08-05 (skipped)
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/admin.stixex.io/fullchain.pem (failure)
  /etc/letsencrypt/live/api.stixex.io/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: admin.stixex.io
   Type:   unauthorized
   Detail: Invalid response from
   http://admin.stixex.io/.well-known/acme-challenge/WvtUg6Hnq8n69T_Y5zImH91Nnpb1rZMO1I0ATIhoS40
   [135.181.144.36]: "<html>\r\n<head><title>404 Not
   Found</title></head>\r\n<body>\r\n<center><h1>404 Not
   Found</h1></center>\r\n<hr><center>nginx/1.18.0 (Ub"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
 - The following errors were reported by the server:

   Domain: api.stixex.io
   Type:   unauthorized
   Detail: Invalid response from
   http://api.stixex.io/.well-known/acme-challenge/IHhuGtW9rAyACue3YwRA1_6zCJV05MpbsSHr7WzPx4Y
   [135.181.144.36]: "<html>\r\n<head><title>404 Not
   Found</title></head>\r\n<body>\r\n<center><h1>404 Not
   Found</h1></center>\r\n<hr><center>nginx/1.18.0 (Ub"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
1 Like

Indeed it is. So renew it. You've given us pretty much no information to go on, so whatever you did to get the cert in the first place, do it again.

1 Like

Hello Danb35!

I just edited the description again, could you check it?

1 Like

Hi @greatl-lancer,

I don't know how your webroot path got set to /var/www/letsencrypt but this is probably wrong—this is supposed to be set to the top-level content directory for each individual web site, so that Certbot can place files in it that appear directly at the top level of each web site. Do you have such a directory for each of these sites? If so, can you change the webroot path to the correct location for each domain?

1 Like

This is my first time with Let's Encrypt.
The previous developer made all of this, and it worked 2~3 days ago.
I am not sure where I can change the webroot path.
Thanks
:frowning:

1 Like

You can edit the individual text files in /etc/letsencrypt/renewal — there should be one for each certificate and they should have a webroot_path setting in them. If you edit that value, certbot renew will try to use the new value that you provide.

2 Likes

Yes, I can find the "webroot_path" in the files, but I am not sure how I can find the top-level content directory for each individual web site.
Actually, the directory www/var/letsencrypto is empty.

1 Like

Should the webroot_path be the directory of the website content (index.html)?

1 Like

Yes, that's right. (There are still things that could make it not work, but that is normally what you should use.)

1 Like

I've changed the webroot_path, but I still have the issues:

root@ubuntu-2gb-hel1-3:/etc# sudo certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/admin.stixex.io.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for admin.stixex.io
Using the webroot path /home/ubuntu/admin_panel/dist for all unmatched domains.
Waiting for verification...
Challenge failed for domain admin.stixex.io
http-01 challenge for admin.stixex.io
Cleaning up challenges
Attempting to renew cert (admin.stixex.io) from /etc/letsencrypt/renewal/admin.stixex.io.conf produced an unexpected error: Some challenges have failed.. Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/api.stixex.io.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for api.stixex.io
Using the webroot path /home/ubuntu/stixex_backend/app for all unmatched domains.
Waiting for verification...
Challenge failed for domain api.stixex.io
http-01 challenge for api.stixex.io
Cleaning up challenges
Attempting to renew cert (api.stixex.io) from /etc/letsencrypt/renewal/api.stixex.io.conf produced an unexpected error: Some challenges have failed.. Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/stixex.io.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/admin.stixex.io/fullchain.pem (failure)
  /etc/letsencrypt/live/api.stixex.io/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/stixex.io/fullchain.pem expires on 2021-08-05 (skipped)
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/admin.stixex.io/fullchain.pem (failure)
  /etc/letsencrypt/live/api.stixex.io/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: admin.stixex.io
   Type:   unauthorized
   Detail: Invalid response from
   http://admin.stixex.io/.well-known/acme-challenge/LrPd1wFG32xUHd3YxSZ1KIG7ZWwwPMmixIsBQIFNeLk
   [135.181.144.36]: "<html>\r\n<head><title>404 Not
   Found</title></head>\r\n<body>\r\n<center><h1>404 Not
   Found</h1></center>\r\n<hr><center>nginx/1.18.0 (Ub"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
 - The following errors were reported by the server:

   Domain: api.stixex.io
   Type:   unauthorized
   Detail: Invalid response from
   http://api.stixex.io/.well-known/acme-challenge/ZScE8oajFPaPS09zC3fS_21S7L8mbbGf85uqWCt1LL4
   [135.181.144.36]: "<html>\r\n<head><title>404 Not
   Found</title></head>\r\n<body>\r\n<center><h1>404 Not
   Found</h1></center>\r\n<hr><center>nginx/1.18.0 (Ub"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
1 Like

A further thing to try would be creating a file called test.txt in each of those directories, and seeing if you can then access it with http://api.stixex.io/test.txt (and the other one).

1 Like

I just added test.txt in the admin_panel, but I can't access it:
http://admin.stixex.io/test.txt

1 Like

So, this makes me think that the directory that you specified is not the correct one for Certbot's purposes here.

(1) Can you find some other directory where the test.txt could be placed that would work?

(2) If not, would you be interested in trying other methods for Certbot to prove your control over the domain names that don't involve finding an existing directory from which static files are being served?

1 Like

I've moved the file into the media folder, and I can see the file:

http://admin.stixex.io/media/test.txt

1 Like

Cool, what happens if you specify the media subdirectory in the webroot_path instead?

2 Likes

Yes, I just specified the media subdirectory, but I still have the same issue:

Domain: admin.stixex.io
Type: unauthorized
Detail: Invalid response from
http://admin.stixex.io/.well-known/acme-challenge/jU4Xe84F76ppY_JY7UYrDiRnlIh1g9IHkUIMeEG-33o

just to make sure you:

I just checked the static directory, but I can't see the ".well-known" directory

1 Like

I'm concerned that there might be some rule defined in your nginx configuration to specifically serve this from a different location (distinct from the rest of your files). Could you try this?

fgrep -A 5 .well-known /etc/nginx

I just tried:

root@ubuntu-2gb-hel1-3:/etc/nginx/test# fgrep -A 5 .well-known /etc/nginx
grep: /etc/nginx: Is a directory

I'm sorry, I meant to add a -r, like

fgrep -r -A 5 .well-known /etc/nginx

1 Like