Nginx Proxy Manager internal error when updating SSL certificate

My domain is: it doesn't matter in this matter

I ran this command: I want to renew the SSL certificate from Nginx Proxy Manager

It produced this output: logs in nginx proxy

[2/22/2024] [10:27:29 PM] [SSL ] › :information_source: info Renewing Let'sEncrypt certificates for Cert #1: mydomain.com
2024-02-23 01:27:29 [2/22/2024] [10:27:29 PM] [SSL ] › :information_source: info Command: certbot renew --force-renewal --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-1" --preferred-challenges "dns,http" --no-random-sleep-on-renew --disable-hook-validation
2024-02-23 01:27:29 [2/22/2024] [10:27:29 PM] [Global ] › ⬤ debug CMD: certbot renew --force-renewal --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-1" --preferred-challenges "dns,http" --no-random-sleep-on-renew --disable-hook-validation
2024-02-23 01:27:32 [2/22/2024] [10:27:32 PM] [Express ] › :warning: warning Saving debug log to /tmp/letsencrypt-log/letsencrypt.log
2024-02-23 01:27:32 Failed to renew certificate npm-1 with error: Some challenges have failed.
2024-02-23 01:27:32 All renewals failed. The following certificates could not be renewed:
2024-02-23 01:27:32 /etc/letsencrypt/live/npm-1/fullchain.pem (failure)
2024-02-23 01:27:32 1 renew failure(s), 0 parse failure(s)
2024-02-23 01:27:32 Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/letsencrypt-log/letsencrypt.log or re-run Certbot with -v for more details.

The operating system my web server runs on is (include version): ubuntu 22

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
nginx proxy manager latest

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.8.0

help pls

Need certbot side log. NPM masks it

2 Likes

The pastebin is too hard to work with. Can you post the text in this forum?

But, I see the "404" error which is caused by a mis-match between what your server thinks is the right folder to find the acme challenge token and the folder you told Certbot (via NPM) where to place it.

This is largely a config problem with NPM. You would probably be better off asking on the NPM forum about this.

2 Likes

Yes, you can view the log below) It's a great idea to look on the NPM forum, but I also don't waste any help here. :pray:

logs
2024-02-22 22:22:47,003:DEBUG:certbot._internal.main:certbot version: 2.8.0
2024-02-22 22:22:47,003:DEBUG:certbot._internal.main:Location of certbot entry point: /opt/certbot/bin/certbot
2024-02-22 22:22:47,003:DEBUG:certbot._internal.main:Arguments: ['--force-renewal', '--config', '/etc/letsencrypt.ini', '--work-dir', '/tmp/letsencrypt-lib', '--logs-dir', '/tmp/letsencrypt-log', '--cert-name', 'npm-1', '--preferred-challenges', 'dns,http', '--no-random-sleep-on-renew', '--disable-hook-validation']
2024-02-22 22:22:47,003:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2024-02-22 22:22:47,020:DEBUG:certbot._internal.log:Root logging level set at 30
2024-02-22 22:22:47,060:DEBUG:certbot._internal.display.obj:Notifying user: Processing /etc/letsencrypt/renewal/npm-1.conf
2024-02-22 22:22:47,063:DEBUG:certbot.configuration:Var pref_challs=['dns-01', 'http-01'] (set by user).
2024-02-22 22:22:47,064:DEBUG:certbot.configuration:Var logs_dir=/tmp/letsencrypt-log (set by user).
2024-02-22 22:22:47,064:DEBUG:certbot.configuration:Var work_dir=/tmp/letsencrypt-lib (set by user).
2024-02-22 22:22:47,064:DEBUG:certbot._internal.plugins.selection:Requested authenticator None and installer None
2024-02-22 22:22:47,064:DEBUG:certbot.configuration:Var preferred_chain=ISRG Root X1 (set by user).
2024-02-22 22:22:47,064:DEBUG:certbot.configuration:Var key_type=ecdsa (set by user).
2024-02-22 22:22:47,064:DEBUG:certbot.configuration:Var elliptic_curve=secp384r1 (set by user).
2024-02-22 22:22:47,064:DEBUG:certbot.configuration:Var webroot_path=['/data/letsencrypt-acme-challenge'] (set by user).
2024-02-22 22:22:47,064:DEBUG:certbot.configuration:Var webroot_map={'webroot_path'} (set by user).
2024-02-22 22:22:47,064:DEBUG:certbot.configuration:Var webroot_path=['/data/letsencrypt-acme-challenge'] (set by user).
2024-02-22 22:22:47,104:DEBUG:certbot._internal.renewal:Auto-renewal forced with --force-renewal...
2024-02-22 22:22:47,105:DEBUG:certbot._internal.plugins.selection:Requested authenticator webroot and installer None
2024-02-22 22:22:47,105:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * webroot
Description: Saves the necessary validation files to a .well-known/acme-challenge/ directory within the nominated webroot path. A seperate HTTP server must be running and serving files from the webroot path. HTTP challenge only (wildcards not supported).
Interfaces: Authenticator, Plugin
Entry point: EntryPoint(name='webroot', value='certbot._internal.plugins.webroot:Authenticator', group='certbot.plugins')
Initialized: <certbot._internal.plugins.webroot.Authenticator object at 0x7f29ef72c990>
Prep: True
2024-02-22 22:22:47,105:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot._internal.plugins.webroot.Authenticator object at 0x7f29ef72c990> and installer None
2024-02-22 22:22:47,105:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator webroot, Installer None
2024-02-22 22:22:47,210:DEBUG:certbot._internal.main:Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-v02.api.letsencrypt.org/acme/acct/1460950506', new_authzr_uri=None, terms_of_service=None), 1a4ea2de92f926f4cfb3f351b913b378, Meta(creation_dt=datetime.datetime(2023, 12, 12, 12, 31, 1, tzinfo=<UTC>), creation_host='d4a252e14d21', register_to_eff=None))>
2024-02-22 22:22:47,212:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2024-02-22 22:22:47,214:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
2024-02-22 22:22:47,749:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 752
2024-02-22 22:22:47,750:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Thu, 22 Feb 2024 22:22:47 GMT
Content-Type: application/json
Content-Length: 752
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
 
{
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "pGrfFfH5ak0": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "renewalInfo": "https://acme-v02.api.letsencrypt.org/draft-ietf-acme-ari-02/renewalInfo/",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}
2024-02-22 22:22:47,752:DEBUG:certbot._internal.display.obj:Notifying user: Renewing an existing certificate for MYDOMAIN.COM
2024-02-22 22:22:47,758:DEBUG:acme.client:Requesting fresh nonce
2024-02-22 22:22:47,758:DEBUG:acme.client:Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce.
2024-02-22 22:22:47,929:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0
2024-02-22 22:22:47,929:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Thu, 22 Feb 2024 22:22:47 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 3iiYN4u4kyx8aVSdV2NueUnSkS9pxy7vI4EaT2l-jwgnqhSZxjA
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
 
 
2024-02-22 22:22:47,929:DEBUG:acme.client:Storing nonce: 3iiYN4u4kyx8aVSdV2NueUnSkS9pxy7vI4EaT2l-jwgnqhSZxjA
2024-02-22 22:22:47,930:DEBUG:acme.client:JWS payload:
b'{\n  "identifiers": [\n    {\n      "type": "dns",\n      "value": "MYDOMAIN.COM"\n    }\n  ]\n}'
2024-02-22 22:22:47,934:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/new-order:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTQ2MDk1MDUwNiIsICJub25jZSI6ICIzaWlZTjR1NGt5eDhhVlNkVjJOdWVVblNrUzlweHk3dkk0RWFUMmwtandnbnFoU1p4akEiLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL25ldy1vcmRlciJ9",
  "signature": "qrzL7ytAVGZCSSrmdSKKTvKjnVc7XKPTRjIFMk7BF-MR8QBrmKIOk15Ti-V2i1oFoC7EpVhW6jzD2eWCs-MEzaGY3DDbMCKZsA0jDQUI09RHzpxI_Ph8RW2j9IKNN80fMImIFSdEwzYEk7yFX9l_0tzygEOy1pmA3O-bFleP8UaxhvThznB8M6TMZIVRFLzdiHtM3iTOchhDE2tDRkHgFFFQRTSYoHtIqPo5PXnvMNfxOWBx8jwMTssrFC5wwz0iOLxPMfykHq_2gbLh6BbGCL3MAsDfo7Gdjp2iylAvRvB_mIBz-q0YCiBm9LD2Pzupy-mwa6Hkfod6pPjbu5UrVA",
  "payload": "ewogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwKICAgICAgInZhbHVlIjogIndvcmsubWVkaWFuYS13ZWIucnUiCiAgICB9CiAgXQp9"
}
2024-02-22 22:22:48,237:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 345
2024-02-22 22:22:48,238:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Date: Thu, 22 Feb 2024 22:22:48 GMT
Content-Type: application/json
Content-Length: 345
Connection: keep-alive
Boulder-Requester: 1460950506
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Location: https://acme-v02.api.letsencrypt.org/acme/order/1460950506/246664969477
Replay-Nonce: 3iiYN4u4oobfE2NiXTl_DbYVs4TpUkMnnmSG_QG_97B5EFc1nPs
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
 
{
  "status": "pending",
  "expires": "2024-02-29T22:22:48Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "MYDOMAIN.COM"
    }
  ],
  "authorizations": [
    "https://acme-v02.api.letsencrypt.org/acme/authz-v3/318335833837"
  ],
  "finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/1460950506/246664969477"
}
2024-02-22 22:22:48,238:DEBUG:acme.client:Storing nonce: 3iiYN4u4oobfE2NiXTl_DbYVs4TpUkMnnmSG_QG_97B5EFc1nPs
2024-02-22 22:22:48,238:DEBUG:acme.client:JWS payload:
b''
2024-02-22 22:22:48,240:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/318335833837:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTQ2MDk1MDUwNiIsICJub25jZSI6ICIzaWlZTjR1NG9vYmZFMk5pWFRsX0RiWVZzNFRwVWtNbm5tU0dfUUdfOTdCNUVGYzFuUHMiLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2F1dGh6LXYzLzMxODMzNTgzMzgzNyJ9",
  "signature": "CoM2giR5xoegCXkq8i9FYvyqT364gpz_UOVdViGkBmSuGfbFKJsjF6hpbRA0aEswhzMTwpg4-g8UpdGdO6tkCbA47zZB_jI1l8CJAKDQy_OLHt9tCON1tZEFZE1beZJ8oNoX4pQR9daTA0NF7c92x2F5bFCbikOAdx_iZMAgsZbKafWXuX40lKGF7KjYg7tpuLjy99xn-DmBxjwqpR1eq6xlQ538PFq1IXTHVKQpFrpB5gcsJHCHnzOmOe5cWI8TFGWqg1FemqfrsCBAG8f5rnHEq_cR47cjpqSKRWJQmmBn9a-cKBPXRzgNIf8UHn_ElDBfkRDss6p-jpff31Dmdg",
  "payload": ""
}
2024-02-22 22:22:48,440:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/318335833837 HTTP/1.1" 200 803
2024-02-22 22:22:48,441:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Thu, 22 Feb 2024 22:22:48 GMT
Content-Type: application/json
Content-Length: 803
Connection: keep-alive
Boulder-Requester: 1460950506
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 3iiYN4u4FFnzOdex5eoBdRbdl33Ny4oikJk2HtwHFdHh3MROg08
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
 
{
  "identifier": {
    "type": "dns",
    "value": "MYDOMAIN.COM"
  },
  "status": "pending",
  "expires": "2024-02-29T22:22:48Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/318335833837/kRJGLA",
      "token": "IIZrmOmwTRVAgPxJJ1k75iule0fRzx83410F7FXB9tw"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/318335833837/QtJ5Ww",
      "token": "IIZrmOmwTRVAgPxJJ1k75iule0fRzx83410F7FXB9tw"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/318335833837/2n6-Hg",
      "token": "IIZrmOmwTRVAgPxJJ1k75iule0fRzx83410F7FXB9tw"
    }
  ]
}
2024-02-22 22:22:48,441:DEBUG:acme.client:Storing nonce: 3iiYN4u4FFnzOdex5eoBdRbdl33Ny4oikJk2HtwHFdHh3MROg08
2024-02-22 22:22:48,442:INFO:certbot._internal.auth_handler:Performing the following challenges:
2024-02-22 22:22:48,442:INFO:certbot._internal.auth_handler:http-01 challenge for MYDOMAIN.COM
2024-02-22 22:22:48,442:INFO:certbot._internal.plugins.webroot:Using the webroot path /data/letsencrypt-acme-challenge for all unmatched domains.
2024-02-22 22:22:48,442:DEBUG:certbot._internal.plugins.webroot:Creating root challenges validation dir at /data/letsencrypt-acme-challenge/.well-known/acme-challenge
2024-02-22 22:22:48,467:DEBUG:certbot._internal.plugins.webroot:Attempting to save validation to /data/letsencrypt-acme-challenge/.well-known/acme-challenge/IIZrmOmwTRVAgPxJJ1k75iule0fRzx83410F7FXB9tw
2024-02-22 22:22:48,467:DEBUG:acme.client:JWS payload:
b'{}'
2024-02-22 22:22:48,469:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/318335833837/kRJGLA:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTQ2MDk1MDUwNiIsICJub25jZSI6ICIzaWlZTjR1NEZGbnpPZGV4NWVvQmRSYmRsMzNOeTRvaWtKazJIdHdIRmRIaDNNUk9nMDgiLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2NoYWxsLXYzLzMxODMzNTgzMzgzNy9rUkpHTEEifQ",
  "signature": "m5k7D7uVOVMW0lqRpuqIeFL_pLC1JhKD0qF0GzSJ_qvmZ4kp5RkPufMRWBMxJiy-9RcdGFdx9YmgPIE85MkIvwYFP2rgrnnm-V0oDq0CwgA0sl7BmxEo6ZD920KNjgW-VzROMwmffVgPzrG1GYpbFMSPFYU8orAZKmAk0MEQpC_t6ZgM8AIaYuy1J5HzJngfQC__8PDR-rWz41dcQyYTWRPlX4aZwbfd5ZO_etHmzJlxhAuklJeUhxNDQmMAVvfBIxBgmXys31PNlDHuwRCzhxGn--9iYyArkuH1tMV3s9v68p_zysUWpgVlysl3uVkaa2sgz6VKNe2l2m7lThuyzA",
  "payload": "e30"
}
2024-02-22 22:22:48,637:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/chall-v3/318335833837/kRJGLA HTTP/1.1" 200 187
2024-02-22 22:22:48,637:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Thu, 22 Feb 2024 22:22:48 GMT
Content-Type: application/json
Content-Length: 187
Connection: keep-alive
Boulder-Requester: 1460950506
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index", <https://acme-v02.api.letsencrypt.org/acme/authz-v3/318335833837>;rel="up"
Location: https://acme-v02.api.letsencrypt.org/acme/chall-v3/318335833837/kRJGLA
Replay-Nonce: 3iiYN4u4tx8LmlDOHm_9VPGTHaVPnYl_HaFJ_Nb7Pya-AB-GUEo
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
 
{
  "type": "http-01",
  "status": "pending",
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/318335833837/kRJGLA",
  "token": "IIZrmOmwTRVAgPxJJ1k75iule0fRzx83410F7FXB9tw"
}
2024-02-22 22:22:48,637:DEBUG:acme.client:Storing nonce: 3iiYN4u4tx8LmlDOHm_9VPGTHaVPnYl_HaFJ_Nb7Pya-AB-GUEo
2024-02-22 22:22:48,638:INFO:certbot._internal.auth_handler:Waiting for verification...
2024-02-22 22:22:49,638:DEBUG:acme.client:JWS payload:
b''
2024-02-22 22:22:49,640:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/318335833837:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTQ2MDk1MDUwNiIsICJub25jZSI6ICIzaWlZTjR1NHR4OExtbERPSG1fOVZQR1RIYVZQbllsX0hhRkpfTmI3UHlhLUFCLUdVRW8iLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2F1dGh6LXYzLzMxODMzNTgzMzgzNyJ9",
  "signature": "inp4TNqZ9Bf39axkr5a8s-FjRMmBrDnULQYW_h2kleVI0ycQAA4HNVULpzl_ujuS4NE5JQhe6Pz0uEx7keebARpVFwUJkiZWeNnSTnvioCwbVRYT2oa0n2bvUcA7XAdjbm3w2Z5SQTi7rq8DoIR8EDNtscYvxVBItHKBrCBEz46gLCHvPV9MDQaXbAZeXY4rqwOEMhzm6K8YQJSCQ6XPXBKMo0af6RURvZ8aaPhe-OpGNLxDoxlsowVJe32N86MYoQIeGDxH9CejkLOz0C81qHBrgvkNIpsNrj7E8h4x-JoDXVwDdNhr_llOFFdh33_tIJkZF6krQ33ov5R9D9p9CQ",
  "payload": ""
}
2024-02-22 22:22:49,869:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/318335833837 HTTP/1.1" 200 1150
2024-02-22 22:22:49,869:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Thu, 22 Feb 2024 22:22:49 GMT
Content-Type: application/json
Content-Length: 1150
Connection: keep-alive
Boulder-Requester: 1460950506
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 3iiYN4u4xLgocYVi9uC0TsL_BIZCTcGQ9eFHKLixps7X2J4QglM
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
 
{
  "identifier": {
    "type": "dns",
    "value": "MYDOMAIN.COM"
  },
  "status": "invalid",
  "expires": "2024-02-29T22:22:48Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "MY IP adress: Invalid response from http://MYDOMAIN.COM/.well-known/acme-challenge/IIZrmOmwTRVAgPxJJ1k75iule0fRzx83410F7FXB9tw: 404",
        "status": 403
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/318335833837/kRJGLA",
      "token": "IIZrmOmwTRVAgPxJJ1k75iule0fRzx83410F7FXB9tw",
      "validationRecord": [
        {
          "url": "http://MYDOMAIN.COM/.well-known/acme-challenge/IIZrmOmwTRVAgPxJJ1k75iule0fRzx83410F7FXB9tw",
          "hostname": "MYDOMAIN.COM",
          "port": "80",
          "addressesResolved": [
            "MY IP adress"
          ],
          "addressUsed": "MY IP adress",
          "resolverAddrs": [
            "A:10.1.12.81:27532",
            "AAAA:10.1.12.81:27532"
          ]
        }
      ],
      "validated": "2024-02-22T22:22:48Z"
    }
  ]
}
2024-02-22 22:22:49,870:DEBUG:acme.client:Storing nonce: 3iiYN4u4xLgocYVi9uC0TsL_BIZCTcGQ9eFHKLixps7X2J4QglM
2024-02-22 22:22:49,870:INFO:certbot._internal.auth_handler:Challenge failed for domain MYDOMAIN.COM
2024-02-22 22:22:49,870:INFO:certbot._internal.auth_handler:http-01 challenge for MYDOMAIN.COM
2024-02-22 22:22:49,870:DEBUG:certbot._internal.display.obj:Notifying user: 
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: MYDOMAIN.COM
  Type:   unauthorized
  Detail: MY IP adress: Invalid response from http://MYDOMAIN.COM/.well-known/acme-challenge/IIZrmOmwTRVAgPxJJ1k75iule0fRzx83410F7FXB9tw: 404
 
Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.
 
2024-02-22 22:22:49,871:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/auth_handler.py", line 108, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/auth_handler.py", line 212, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
 
2024-02-22 22:22:49,871:DEBUG:certbot._internal.error_handler:Calling registered functions
2024-02-22 22:22:49,871:INFO:certbot._internal.auth_handler:Cleaning up challenges
2024-02-22 22:22:49,871:DEBUG:certbot._internal.plugins.webroot:Removing /data/letsencrypt-acme-challenge/.well-known/acme-challenge/IIZrmOmwTRVAgPxJJ1k75iule0fRzx83410F7FXB9tw
2024-02-22 22:22:49,872:DEBUG:certbot._internal.plugins.webroot:All challenges cleaned up
2024-02-22 22:22:49,873:ERROR:certbot._internal.renewal:Failed to renew certificate npm-1 with error: Some challenges have failed.
2024-02-22 22:22:49,876:DEBUG:certbot._internal.renewal:Traceback was:
Traceback (most recent call last):
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/renewal.py", line 540, in handle_renewal_request
    main.renew_cert(lineage_config, plugins, renewal_candidate)
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/main.py", line 1550, in renew_cert
    renewed_lineage = _get_and_save_cert(le_client, config, lineage=lineage)
                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/main.py", line 131, in _get_and_save_cert
    renewal.renew_cert(config, domains, le_client, lineage)
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/renewal.py", line 399, in renew_cert
    new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
                                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/client.py", line 428, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/client.py", line 496, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/auth_handler.py", line 108, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/auth_handler.py", line 212, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
 
2024-02-22 22:22:49,878:DEBUG:certbot._internal.display.obj:Notifying user: 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2024-02-22 22:22:49,879:ERROR:certbot._internal.renewal:All renewals failed. The following certificates could not be renewed:
2024-02-22 22:22:49,879:ERROR:certbot._internal.renewal:  /etc/letsencrypt/live/npm-1/fullchain.pem (failure)
2024-02-22 22:22:49,879:DEBUG:certbot._internal.display.obj:Notifying user: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2024-02-22 22:22:49,879:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/opt/certbot/bin/certbot", line 8, in <module>
    sys.exit(main())
             ^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/certbot/main.py", line 19, in main
    return internal_main.main(cli_args)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/main.py", line 1869, in main
    return config.func(config, plugins)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/main.py", line 1642, in renew
    renewed_domains, failed_domains = renewal.handle_renewal_request(config)
                                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/renewal.py", line 568, in handle_renewal_request
    raise errors.Error(
certbot.errors.Error: 1 renew failure(s), 0 parse failure(s)
2024-02-22 22:22:49,880:ERROR:certbot._internal.log:1 renew failure(s), 0 parse failure(s)

How can I find it?

Isn't that it?
/var/log/letsencrypt/letsencrypt.log

Please do not use --force-renewal. It does not ignore problems and often causes you to become Rate Limited by Let's Encrypt.

I don't know details of NPM config which is why I suggested their forum. But, above is the cause of the mis-match I described that causes the 404. One of those paths is not what your nginx is using.

NPM is very difficult to debug. If the problem is not obvious their forum is the best.

By hiding your domain name we can't check DNS issues. It might be your DNS is wrong too such as pointing to the wrong IP, having IPv6 AAAA but nginx wrongly configured and similar problems. You said it doesn't matter but you can't really know that.

3 Likes
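The mismatch described in the reply above can be read directly out of the certbot debug log. This is an added example, not code from the thread or from certbot: it pulls the failed authorization out of a log of this shape and pairs the URL the CA fetched with the file path certbot wrote. The sample log is constructed (placeholder domain, token and address), and the names `failed_challenges` and `iter_json_bodies` are hypothetical.

```python
import json
import re

# Constructed sample in the shape of the certbot debug log posted in this thread.
SAMPLE_LOG = """\
2024-02-22 22:22:47,064:DEBUG:certbot.configuration:Var webroot_path=['/data/letsencrypt-acme-challenge'] (set by user).
2024-02-22 22:22:48,467:DEBUG:certbot._internal.plugins.webroot:Attempting to save validation to /data/letsencrypt-acme-challenge/.well-known/acme-challenge/TOKEN123
2024-02-22 22:22:49,869:DEBUG:acme.client:Received response:
HTTP 200
Content-Type: application/json

{
  "identifier": {"type": "dns", "value": "example.test"},
  "status": "invalid",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "192.0.2.10: Invalid response from http://example.test/.well-known/acme-challenge/TOKEN123: 404",
        "status": 403
      },
      "token": "TOKEN123",
      "validationRecord": [
        {"url": "http://example.test/.well-known/acme-challenge/TOKEN123",
         "hostname": "example.test", "port": "80",
         "addressesResolved": ["192.0.2.10"], "addressUsed": "192.0.2.10"}
      ]
    }
  ]
}
2024-02-22 22:22:49,870:INFO:certbot._internal.auth_handler:Challenge failed for domain example.test
"""

SAVE_RE = re.compile(r"plugins\.webroot:Attempting to save validation to (\S+)")


def iter_json_bodies(text):
    """Yield every top-level JSON object that starts at the beginning of a line."""
    decoder = json.JSONDecoder()
    consumed = 0
    for match in re.finditer(r"^\{", text, re.MULTILINE):
        if match.start() < consumed:
            continue  # inside an object that was already parsed
        try:
            obj, consumed = decoder.raw_decode(text, match.start())
        except json.JSONDecodeError:
            continue
        yield obj


def failed_challenges(text):
    """Summarise each invalid challenge: what the CA fetched vs. what certbot wrote."""
    saved = {path.rsplit("/", 1)[-1]: path for path in SAVE_RE.findall(text)}
    findings = []
    for body in iter_json_bodies(text):
        if not isinstance(body, dict) or body.get("status") != "invalid":
            continue
        for chall in body.get("challenges", []):
            if chall.get("status") != "invalid":
                continue
            # The last validation record is the request that gave the final answer.
            record = (chall.get("validationRecord") or [{}])[-1]
            detail = chall.get("error", {}).get("detail", "")
            code = re.search(r":\s*(\d{3})\s*$", detail)
            status = int(code.group(1)) if code else None
            saved_path = saved.get(chall.get("token"))
            hint = detail
            if status == 404 and saved_path:
                hint = ("certbot wrote the token under the webroot, but the server "
                        "answering on port %s did not serve it from that webroot"
                        % record.get("port"))
            findings.append({
                "domain": body.get("identifier", {}).get("value"),
                "type": chall.get("type"),
                "url": record.get("url"),
                "address": record.get("addressUsed"),
                "port": record.get("port"),
                "http_status": status,
                "saved_path": saved_path,
                "hint": hint,
            })
    return findings


if __name__ == "__main__":
    for finding in failed_challenges(SAMPLE_LOG):
        print(json.dumps(finding, indent=2))
```

Run it against the file named by `--logs-dir` (`/tmp/letsencrypt-log/letsencrypt.log` in the command shown above) by passing the file's contents to `failed_challenges`.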

npm set log dir to there: not sure if that dir is still there though

1 Like

Anyhow, your site answers with an Apache 404 on the ACME request, not Nginx, so I think NPM failed to catch the ACME request properly and blindly passed it to the backend. No idea why, but NPM isn't really known for working well on this forum.

1 Like

2024-02-22 22:22:47,105:DEBUG:certbot._internal.plugins.selection:Requested authenticator webroot and installer None
2024-02-22 22:22:47,105:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * webroot
Description: Saves the necessary validation files to a .well-known/acme-challenge/ directory within the nominated webroot path. A seperate HTTP server must be running and serving files from the webroot path. HTTP challenge only (wildcards not supported).
Interfaces: Authenticator, Plugin
Entry point: EntryPoint(name='webroot', value='certbot._internal.plugins.webroot:Authenticator', group='certbot.plugins')
Initialized: <certbot._internal.plugins.webroot.Authenticator object at 0x7f29ef72c990>

That reads like NPM isn't handling the HTTP request and expects there to be something else doing that - which would route the HTTP challenge requests to that specified folder.

TL;DR:
A seperate HTTP server must be running and serving files from the webroot path.

my domain: work.mediana-web.ru
if this helps, but I'm not sure

Maybe because the server also runs applications like Nextcloud and they have their own built-in web servers..

But if I turn them off, my problem does not disappear..

But I don't understand how to fix it :neutral_face:

Your domain is handled by Apache right now, not nginx. You should see the NPM forum for the proper way to configure your system.

Request to: work.mediana-web.ru/89.109.8.66, Result: [Address=89.109.8.66,Address Type=IPv4,Server=Apache/2.4.52 (Ubuntu),

From this test site

3 Likes
