Nginx - certbot - chain not updating

Hi team,
I just generated a new SSL cert on the nginx web server in the test environment using
certbot certonly --nginx -d letshelp.capuchin.co --preferred-chain "ISRG Root X1" --no-bootstrap -n --expand

but it does not reflect the new chain of certificates; rather, it shows the old one.

Nginx conf:
server {
    listen 80;
    server_name letshelp.capuchin.co;
    rewrite ^ https://$http_host$request_uri? permanent;
}

server {
    listen 443 ssl http2;
    server_name letshelp.capuchin.co;
    root /var/www/html/;
    ssl on;
    ssl_certificate /etc/letsencrypt/live/letshelp.capuchin.co/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/letshelp.capuchin.co/privkey.pem;
}

Please look into this.
Thanks

Hi @mohammad.atif welcome to the LE community forum :slight_smile:
[I'm moving your post to a new topic shortly; as it is a different problem]

It seems that your command may not have updated the cert
OR
You haven't restarted/reloaded the web server

Hi,

Thanks for your reply.
I have generated a new cert and have restarted nginx again to be sure.

But on checking with the above command it shows:
Certificate chain
 0 s:/CN=letshelp.capuchin.co
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
 2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3

Is there any other parameter we need to pass so that we don't face the above error with new certs?

Any help would be appreciated

@mohammad.atif
I still see the long chain.
What version of certbot are you using?
[--preferred-chain was introduced in version 1.12]

Hi,

Ohh, that's the catch.
On my test environment we have certbot "1.11.0".
While on production we use certbot-auto, having version "1.10.1".

We have a large number of URLs on production. Is there any alternative for generating SSL with older versions?

Thanks

Manually editing all the fullchain.pem files.
[and re-editing them after each renewal - ouch!]

That has been deprecated - please update it.

If we update certbot to a newer version, will the SSL certs already generated remain intact? We have thousands of URLs currently working in production.
Thanks

Yes, compatibility has always been maintained between versions.

Hi @rg305
I have installed certbot and it shows the current version as "1.20.0".
Now when I am trying to generate the certificate using
certbot certonly --nginx -d atif.hippochat.io --preferred-chain "ISRG Root X1" --no-bootstrap -n --expand

It shows

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Domain: atif.hippochat.io
  Type:   unauthorized
  Detail: Invalid response from http://atif.hippochat.io/.well-known/acme-challenge/nihw9qC1uYE0ODGBfgufEaCU0WshaZxzD6Al9Prb_Mc [54.213.183.207]: "\r\n404 Not Found\r\n\r\n404 Not Found\r\n\r\nnginx\r\n"

Note: the domain is pointed correctly to the IP.

Thanks

Progress!

Now we need to see why --nginx did not put the challenge file in the correct location.

Please upload the LE log file.
/var/log/letsencrypt/letsencrypt.log

And also the full nginx config.
sudo nginx -T

@rg305 Here it is :
HTTP 200
Server: nginx
Date: Wed, 06 Oct 2021 19:56:13 GMT
Content-Type: application/json
Content-Length: 1642
Connection: keep-alive
Boulder-Requester: 78527387
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
Replay-Nonce: 0002EwwkK9y5KyVa5GjVC3oFQxRzMRIuPy9-6Yt-g9BoD8w
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "atif.hippochat.io"
  },
  "status": "invalid",
  "expires": "2021-10-13T19:54:47Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "Invalid response from https://atif.hippochat.io/.well-known/acme-challenge/HI5tAsdr6Wpl1XfmppAjD2c7cAfC9EWVtjTMH7fLPK8 [54.213.183.207]: \"\u003chtml\u003e\r\n\u003chead\u003e\u003ctitle\u003e404 Not Found\u003c/title\u003e\u003c/head\u003e\r\n\u003cbody\u003e\r\n\u003ccenter\u003e\u003ch1\u003e404 Not Found\u003c/h1\u003e\u003c/center\u003e\r\n\u003chr\u003e\u003ccenter\u003enginx\u003c/center\u003e\r\n\"",
        "status": 403
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/37622120110/GyFPkA",
      "token": "HI5tAsdr6Wpl1XfmppAjD2c7cAfC9EWVtjTMH7fLPK8",
      "validationRecord": [
        {
          "url": "http://atif.hippochat.io/.well-known/acme-challenge/HI5tAsdr6Wpl1XfmppAjD2c7cAfC9EWVtjTMH7fLPK8",
          "hostname": "atif.hippochat.io",
          "port": "80",
          "addressesResolved": [
            "54.213.183.207"
          ],
          "addressUsed": "54.213.183.207"
        },
        {
          "url": "https://atif.hippochat.io/.well-known/acme-challenge/HI5tAsdr6Wpl1XfmppAjD2c7cAfC9EWVtjTMH7fLPK8",
          "hostname": "atif.hippochat.io",
          "port": "443",
          "addressesResolved": [
            "54.213.183.207"
          ],
          "addressUsed": "54.213.183.207"
        }
      ],
      "validated": "2021-10-06T19:56:12Z"
    }
  ]
}

  1. Is that the correct IP?
  2. Please show:

Yes, the IP is correct.

Following is the simple conf used; sudo nginx -T gives thousands of lines:
server {
    listen 80;
    server_name atif.hippochat.io;
    rewrite ^ https://$http_host$request_uri? permanent;
}

server {
    listen 443 ssl http2;
    server_name atif.hippochat.io;
    root /var/www/html/index.html;
    #ssl on;
    #ssl_certificate /etc/letsencrypt/live/url.capuchin.co/fullchain.pem;
    #ssl_client_certificate /etc/letsencrypt/live/url.capuchin.co/chain.pem;
    #ssl_certificate_key /etc/letsencrypt/live/url.capuchin.co/privkey.pem;
}

Then please show:
sudo nginx -T | grep -i atif.hippochat.io

But first, please show:
ls -l /var/www/html/index.html

I found a mistake in the config; following is the correct one:
server {
    listen 80;
    server_name atif.hippochat.io;
    rewrite ^ https://$http_host$request_uri? permanent;
}

server {
    listen 443 ssl http2;
    server_name atif.hippochat.io;
    root /apps/www/html/index.html;
    ssl on;
    #ssl_certificate /etc/letsencrypt/live/url.capuchin.co/fullchain.pem;
    #ssl_client_certificate /etc/letsencrypt/live/url.capuchin.co/chain.pem;
    #ssl_certificate_key /etc/letsencrypt/live/url.capuchin.co/privkey.pem;
}

sudo nginx -T | grep -i atif.hippochat.io gives:

nginx: [warn] conflicting server name "kfgapp.yelo.red" on 0.0.0.0:80, ignored
nginx: [warn] could not build optimal server_names_hash, you should increase either server_names_hash_max_size: 512 or server_names_hash_bucket_size: 64; ignoring server_names_hash_bucket_size
nginx: [warn] conflicting server name "kfgapp.yelo.red" on 0.0.0.0:443, ignored
nginx: [warn] conflicting server name "pizza123.yelo.red" on 0.0.0.0:443, ignored
nginx: [warn] could not build optimal server_names_hash, you should increase either server_names_hash_max_size: 512 or server_names_hash_bucket_size: 64; ignoring server_names_hash_bucket_size
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
server_name atif.hippochat.io ;
server_name atif.hippochat.io ;

while ls -l /apps/www/html/index.html gives:

-rwxr-xr-x 1 root root 10 Oct 6 20:30 /apps/www/html/index.html

That is an HTML index file.

root requires a path - not a file.

I have tried with a path too.

Which path?
Why would you point root to a file?

Tried like this too:
server {
    listen 80;
    server_name atif.hippochat.io;
    rewrite ^ https://$http_host$request_uri? permanent;
}

server {
    listen 443 ssl http2;
    server_name atif.hippochat.io;
    root /apps/www/html/;
    #ssl on;
    #ssl_certificate /etc/letsencrypt/live/url.capuchin.co/fullchain.pem;
    #ssl_client_certificate /etc/letsencrypt/live/url.capuchin.co/chain.pem;
    #ssl_certificate_key /etc/letsencrypt/live/url.capuchin.co/privkey.pem;
}

Better.
But now you have this problem:
LE needs to find the challenge file.
It requests http://your.domain/.well-known/acme-challenge/challenge-file
HTTP vhost config says: redirect everything to HTTPS
LE says OK, give me:
httpS://your.domain/.well-known/acme-challenge/challenge-file
HTTPS vhost can't figure out how to serve the "index.html" file as the challenge-file requested.
So it fails.

Let's try two things:
#1
Place a test challenge file and see if we can retrieve it from the Internet, with:
sudo mkdir /apps/www/html/.well-known
sudo mkdir /apps/www/html/.well-known/acme-challenge
echo "YAY!" > /apps/www/html/.well-known/acme-challenge/Test-File-1234

Then we try:
http://your.domain/.well-known/acme-challenge/Test-File-1234

#2
Use the staging system until the testing is completed.

and add:
--dry-run
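One vhost layout that avoids the redirect problem described above, added here as an example rather than taken from the poster's config or from certbot. It serves the ACME challenge path over plain HTTP and only redirects everything else, because a `rewrite ... permanent` at server level runs before location matching and therefore redirects the challenge request too. It assumes the `/apps/www/html` webroot from this thread and certbot's default `/etc/letsencrypt/live/<domain>/` file layout for atif.hippochat.io.

```nginx
# Added example, not the poster's config. Assumes webroot /apps/www/html
# and certbot's default live/ directory for atif.hippochat.io.
server {
    listen 80;
    server_name atif.hippochat.io;

    # Serve http-01 tokens directly over HTTP. A server-level
    # "rewrite ^ https://... permanent;" would fire before any location
    # block (including one certbot injects) and send LE to HTTPS instead.
    location ^~ /.well-known/acme-challenge/ {
        root /apps/www/html;
        default_type text/plain;
        try_files $uri =404;
    }

    # Everything else goes to HTTPS; a location-scoped return is only
    # reached when the challenge location above did not match.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl http2;
    server_name atif.hippochat.io;

    # root must be a directory, not the index.html file itself.
    root /apps/www/html;
    index index.html;

    # "ssl on;" is deprecated; "listen 443 ssl" is sufficient on current nginx.
    # Certificate paths follow certbot's default layout (assumption).
    ssl_certificate     /etc/letsencrypt/live/atif.hippochat.io/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/atif.hippochat.io/privkey.pem;
}
```

With this layout the test file from step #1 is reachable at http://atif.hippochat.io/.well-known/acme-challenge/Test-File-1234, and the same directory can be handed to certbot's webroot authenticator (`--webroot -w /apps/www/html`) if the nginx plugin keeps failing.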