After receiving a message that my website certificate was almost expiring, I noticed that the renewal process was failing. The log for the cron job indicates this has been occurring since March 15th. I vaguely recall updating the nginx config at the time (for SSL Labs) but I have no idea exactly what I changed.
I noticed that the challenge files are still being created (and automatically removed). I tested creating a file /.well-known/acme-challenge/test.txt which I can access normally from my browser (Firefox).
Here is /etc/nginx/conf.d/zeroknowledge.me.conf:

# use compression
# TODO: handles only text/plain by default
gzip on;

# redirect http to https
server {
    listen 80;
    server_name www.zeroknowledge.me;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    server_name www.zeroknowledge.me;
    root /var/www/www.zeroknowledge.me/public;
    server_tokens off;

    # headers
    charset utf-8;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
    # TODO report-uri
    add_header Content-Security-Policy "default-src 'none'; style-src 'self'; img-src 'self'; frame-ancestors 'none'";
    add_header Referrer-Policy "no-referrer";
    # header name must not carry a trailing colon; nginx would emit "X-Content-Type-Options:: nosniff"
    add_header X-Content-Type-Options "nosniff";
    add_header X-Clacks-Overhead "GNU Terry Pratchett";

    # custom error pages
    error_page 403 /403.html;
    location = /403.html {
        internal;
    }
    error_page 404 /404.html;
    location = /404.html {
        internal;
    }
    error_page 418 /418.html;
    location = /418.html {
        internal;
    }
    location ~* /(coffee|koffie|teapot|theepot) {
        default_type text/plain;
        return 418;
    }
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        internal;
    }

    # ssl
    ssl_protocols TLSv1.2;
    ssl_certificate /etc/letsencrypt/live/www.zeroknowledge.me/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.zeroknowledge.me/privkey.pem;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES:CAMELLIA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_session_cache shared:SSL:50m;
    ssl_session_timeout 60m;

    # clean up error logs
    location = /favicon.ico {
        access_log off;
        log_not_found off;
    }
}

# redirect the bare domain to the www subdomain
server {
    listen 80;
    listen 443 ssl http2;
    server_name zeroknowledge.me;
    return 301 https://www.zeroknowledge.me$request_uri;
}
and I see four of these lines in /var/log/nginx/access.log for every command I run:
34.213.106.112 - - [29/Mar/2019:00:23:30 +0100] "GET /.well-known/acme-challenge/YqaJHRRqTNcbn7EbcRkaxSTvyUYJDDhq2gjpyywv2Sw HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "-"
My domain is: https://www.zeroknowledge.me/
I ran this command: certbot renew --dry-run
It produced this output:
Attempting to renew cert (www.zeroknowledge.me) from /etc/letsencrypt/renewal/www.zeroknowledge.me.conf produced an unexpected error: Failed authorization procedure. www.zeroknowledge.me (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching https://www.zeroknowledge.me/.well-known/acme-challenge/YqaJHRRqTNcbn7EbcRkaxSTvyUYJDDhq2gjpyywv2Sw: Connection refused. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/www.zeroknowledge.me/fullchain.pem (failure)
...
- The following errors were reported by the server:
Domain: www.zeroknowledge.me
Type: connection
Detail: Fetching
https://www.zeroknowledge.me/.well-known/acme-challenge/YqaJHRRqTNcbn7EbcRkaxSTvyUYJDDhq2gjpyywv2Sw:
Connection refused
My web server is (include version): nginx/1.12.2
The operating system my web server runs on is (include version): CentOS Linux release 7.6.1810 (Core)
My hosting provider, if applicable, is: digitalocean
I can login to a root shell on my machine (yes or no, or I don’t know): yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.31.0
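The certbot output above shows two hops: the validator requests the token over plain HTTP, gets the 301 from the port-80 server block (which is what the access.log lines record), follows it to https://www.zeroknowledge.me/... and is then refused at the TCP level. The script below is an added example, not part of the original post or of certbot: it replays those hops with curl from whatever vantage point you run it on, classifies each hop, and then lists what is bound to port 443 on the host and the active firewalld zone (CentOS 7's default firewall). The hostname, token and the `acme-probe` user agent are parameters or placeholders; the token you pass need not exist, because a 404 on the final hop still proves that the validator can reach the right server.

```shell
#!/bin/sh
# Added example (not the poster's code): replay the HTTP-01 validation path.
# Usage: sh acme-probe.sh HOST TOKEN   (e.g. sh acme-probe.sh www.zeroknowledge.me test.txt)
set -u

CHALLENGE_DIR=/.well-known/acme-challenge

# probe URL -> "STATUS REDIRECT_URL" as reported by curl.  curl reports status
# 000 when no TCP connection could be made ("Connection refused" in the post).
probe() {
    curl -s -o /dev/null --max-time 10 -w '%{http_code} %{redirect_url}' \
        -A 'acme-probe (added example)' "$1"
}

# verdict PROBE_OUTPUT -> one-word classification of a single hop.
verdict() {
    status=${1%% *}
    redir=${1#"$status"}
    redir=${redir# }
    case "$status" in
        200)              echo "served" ;;
        301|302|307|308)  echo "redirect:$redir" ;;
        000|"")           echo "unreachable" ;;
        *)                echo "error:$status" ;;
    esac
}

# trace HOST TOKEN: first hop over plain HTTP, exactly what the validator
# requests; further hops only when the previous one redirected, because the
# validator follows redirects.  Succeeds only if the token URL is served.
trace() {
    host=$1 token=$2
    url="http://$host$CHALLENGE_DIR/$token"
    for hop in 1 2 3; do
        v=$(verdict "$(probe "$url" || true)")
        echo "hop $hop: $url -> $v"
        case "$v" in
            served)      return 0 ;;
            redirect:*)  url=${v#redirect:} ;;
            *)           return 1 ;;
        esac
    done
    echo "gave up after 3 redirects"
    return 1
}

# listeners: is anything bound to :443 on this host, and what does firewalld
# allow?  Run on the web server itself; both checks are read-only.
listeners() {
    ss -tln 2>/dev/null | grep -E ':443[[:space:]]' || echo "nothing listening on :443"
    if command -v firewall-cmd >/dev/null 2>&1; then
        firewall-cmd --list-all
    fi
}

if [ "$#" -ge 2 ]; then
    trace "$1" "$2"
    listeners
fi
```

Run it once from the server (where `listeners` is meaningful) and once from an outside host. A "redirect" on hop 1 followed by "unreachable" on hop 2 means the redirect itself is not the problem; the TLS listener is simply not reachable from that vantage point, which at TCP level comes down to nothing bound on 443 or a firewall/host rule rejecting the connection. One way to take the TLS vhost out of the renewal path altogether is to move the port-80 redirect into a `location / { return 301 ...; }` block and add a `location ^~ /.well-known/acme-challenge/ { root /var/www/www.zeroknowledge.me/public; }` next to it; a server-level `return` fires before any location is matched, so the challenge location only works if the redirect is moved.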