Nginx restart failed - Can't renew certificate

Hi, I just got an email that my certificate is expiring and hence tried to renew it myself (even though auto renewal is set up). However, I am unable to do so and receive the below error log. I tried Googling it and none of the solutions made sense to me.

Thank you!

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: melius.live

I ran this command: sudo certbot renew --dry-run

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/meet.melius.live.conf
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for meet.melius.live
Using the webroot path /usr/share/jitsi-meet for all unmatched domains.
Waiting for verification...
Cleaning up challenges
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/meet.melius.live/fullchain.pem

Processing /etc/letsencrypt/renewal/melius.live.conf
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for melius.live
http-01 challenge for www.melius.live
nginx: [emerg] "server_names_hash_bucket_size" directive is duplicate in /etc/nginx/sites-enabled/meet.melius.live.conf:1
Cleaning up challenges
Attempting to renew cert (melius.live) from /etc/letsencrypt/renewal/melius.live.conf produced an unexpected error: nginx restart failed:
b''
b''. Skipping.
The following certs could not be renewed:
/etc/letsencrypt/live/melius.live/fullchain.pem (failure)

** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)
The following certs were successfully renewed:
/etc/letsencrypt/live/meet.melius.live/fullchain.pem (success)
The following certs could not be renewed:
/etc/letsencrypt/live/melius.live/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)

1 renew failure(s), 0 parse failure(s)

My web server is (include version): Ubuntu 20.04

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is: Hetzner

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.40.0

Your nginx configuration is broken. Please fix your nginx first and then try renewing again.

3 Likes
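The nginx error in the log above (`"server_names_hash_bucket_size" directive is duplicate`) is the classic symptom of a package-installed vhost under sites-enabled setting an http-level directive that nginx.conf already sets. `nginx -t` is the authoritative check, but it stops at the first error and does not tell you where the other copy lives. The following script is an added example, not part of this thread or of Certbot: it walks an nginx config tree (here a constructed in-memory layout with made-up domain names), follows the http-level `include` globs, and reports every single-use directive that appears more than once. The list of single-use directives is an illustrative assumption, not nginx's full set.

```python
"""Report http-level nginx directives that are set in more than one file.

Added example (not from the forum thread). Operates on an in-memory file tree so
it runs offline; replace SAMPLE_FILES with real file contents to use it.
"""
import fnmatch
from collections import defaultdict

# Constructed sample mirroring a Debian/Ubuntu layout: nginx.conf includes
# sites-enabled/*.conf from inside its http{} block, and a Jitsi-style vhost
# repeats a directive that nginx.conf already sets. Domain names are made up.
SAMPLE_FILES = {
    "/etc/nginx/nginx.conf": """
http {
    server_names_hash_bucket_size 64;
    include /etc/nginx/sites-enabled/*.conf;
}
""",
    "/etc/nginx/sites-enabled/meet.example.conf": """server_names_hash_bucket_size 64;
server {
    listen 80;
    server_name meet.example;
}
""",
    "/etc/nginx/sites-enabled/example.conf": """
server {
    listen 80;
    server_name example www.example;
}
""",
}

# Directives nginx accepts only once per http{} context. Assumption: this is an
# illustrative subset of the ones vhost packages commonly duplicate.
SINGLE_USE = {
    "server_names_hash_bucket_size",
    "server_names_hash_max_size",
    "types_hash_max_size",
}


def http_level_directives(text, top_is_http):
    """Return (name, args, lineno) for every directive at http{} level.

    top_is_http is True for files pulled in by an http-level include: their
    top level *is* the http context even though no http{} brace appears.
    """
    stack, found = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        if line.endswith("{"):
            stack.append(line[:-1].split()[0])  # block name: http/server/location
        elif line == "}":
            stack.pop()
        elif line.endswith(";"):
            name, _, args = line[:-1].partition(" ")
            if stack == ["http"] or (top_is_http and not stack):
                found.append((name, args.strip(), lineno))
    return found


def find_duplicates(files, main="/etc/nginx/nginx.conf"):
    """Map each duplicated single-use directive to the (file, line) pairs that set it."""
    seen = defaultdict(list)
    queue = [(main, False)]
    while queue:
        path, top_is_http = queue.pop(0)
        for name, args, lineno in http_level_directives(files[path], top_is_http):
            if name == "include":
                # Expand the glob against the known files, in nginx's sorted order.
                queue.extend((p, True) for p in sorted(files) if fnmatch.fnmatch(p, args))
            else:
                seen[name].append((path, lineno))
    return {d: locs for d, locs in seen.items() if d in SINGLE_USE and len(locs) > 1}


if __name__ == "__main__":
    for directive, locations in find_duplicates(SAMPLE_FILES).items():
        print(directive)
        for path, lineno in locations:
            print(f"  {path}:{lineno}")
```

On the sample tree the report names `server_names_hash_bucket_size` at `nginx.conf:3` and `meet.example.conf:1`, which is the same shape as the `:1` in the Certbot log; the fix is to keep one copy (normally the one in nginx.conf) and rerun `nginx -t` before `certbot renew --dry-run`.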

...and then fix your IPv6 problem:

curl -I6 http://melius.live/
curl: (56) Recv failure: Connection reset by peer
3 Likes

Thanks, this helped. The issue was with Jitsi: NGINX server_names_hash_bucket_size parameter make troubles with CertBot - #4 by SushantGautam - Install & Config - Jitsi Community Forum - developers & users

2 Likes

Crap, thanks... The hash buckets setting fixed my bug, but I still gotta fix this... No clue tho..

1 Like

Here's one:

Name:      melius.live
Addresses: 2a01:4f8:c2c:ccb7::
           157.90.29.120

Is that the IPv6 address (of that server)?

Here's another clue:
curl -6 ifconfig.co
curl -4 ifconfig.co

3 Likes

Thanks again. Yes, those are the correct IP addresses and they also show up when typing the curl commands (except that the IPv6 address has a 1 at the very end). However, yes, something seems odd because I cannot reach the website using IPv6. The IP is set up correctly using my Domain Registrar.

1 Like

Hi @totom,

I only see the wrong ip in your DNS:

$ dig @dns1.registrar-servers.com melius.live aaaa +short
2a01:4f8:c2c:ccb7::
$ dig @dns2.registrar-servers.com melius.live aaaa +short
2a01:4f8:c2c:ccb7::

So trying to reach your domain with IPv6 fails:

$ curl -IkL6 -m10 melius.live
curl: (28) Connection timed out after 10000 milliseconds

But using the right ip (2a01:4f8:c2c:ccb7::1) it works:

$ curl -IkL6 -m10 --resolve 'melius.live:80:2a01:4f8:c2c:ccb7::1' melius.live
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 16 Oct 2021 17:11:57 GMT
Content-Type: text/html
Content-Length: 10918
Last-Modified: Mon, 26 Jul 2021 12:28:46 GMT
Connection: keep-alive
ETag: "60feaa7e-2aa6"
Accept-Ranges: bytes

So double check you have the right AAAA records for your domains in your DNS servers.

Cheers,
sahsanu

4 Likes
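The AAAA record above is the /64 prefix with an all-zero host part (`2a01:4f8:c2c:ccb7::`), not the address the server actually listens on (`::1` at the end). That pattern is easy to catch before a validation fails: an IPv6 address whose host bits are all zero is the subnet-router anycast address, which a host practically never binds. The script below is an added example, not from this thread or from Certbot; it takes a set of AAAA answers (constructed here from the values quoted in the thread) plus the addresses configured on the host, and reports records that are either a bare prefix or simply absent from the server. `fetch_aaaa` is a hypothetical helper for a live lookup via the standard library resolver and is only called when run as a script.

```python
"""Sanity-check AAAA records against the addresses a server really has.

Added example (not from the forum thread). Runs offline on constructed data;
fetch_aaaa() performs a real DNS lookup only when the file is run directly.
"""
import ipaddress
import socket

# Constructed sample: what the registrar's nameservers answered in the thread,
# and the address the server itself is configured with (as `ip -6 addr` would show).
DNS_AAAA = {
    "melius.live": ["2a01:4f8:c2c:ccb7::"],        # prefix only, as served
    "www.melius.live": ["2a01:4f8:c2c:ccb7::1"],   # correct host address
}
SERVER_ADDRS = {ipaddress.IPv6Address("2a01:4f8:c2c:ccb7::1")}


def looks_like_prefix(addr, prefixlen=64):
    """True if the host part beyond prefixlen is all zero.

    Such an address is the subnet-router anycast address of the /64, not a host;
    a registrar UI that shows only the allocated prefix produces exactly this.
    """
    ip = ipaddress.IPv6Address(addr)
    net = ipaddress.IPv6Network((ip, prefixlen), strict=False)
    return ip == net.network_address


def check_aaaa(records, server_addrs):
    """Return (name, normalized_addr, problem) for each AAAA record to fix."""
    problems = []
    for name, addrs in records.items():
        for a in addrs:
            ip = ipaddress.IPv6Address(a)       # also normalizes the textual form
            if ip in server_addrs:
                continue
            reason = "prefix only (host part is zero)" if looks_like_prefix(a) else "not configured on server"
            problems.append((name, str(ip), reason))
    return problems


def fetch_aaaa(name):
    """Hypothetical live lookup: AAAA answers via the system resolver."""
    infos = socket.getaddrinfo(name, None, socket.AF_INET6)
    return sorted({info[4][0] for info in infos})


if __name__ == "__main__":
    for name, addr, why in check_aaaa(DNS_AAAA, SERVER_ADDRS):
        print(f"{name}: AAAA {addr} -> {why}")
    # Uncomment to compare against live DNS for your own zone:
    # print(fetch_aaaa("melius.live"))
```

Run against the thread's data it flags only `melius.live`, with the reason "prefix only"; once the record is changed to `2a01:4f8:c2c:ccb7::1` the list is empty. The server-side address set is the right reference because that is what Let's Encrypt's validator will try to connect to when it prefers IPv6.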

Thanks! I see, the ::1 at the end was necessary. SMH my provider doesn't list it. I think it's solved.

2 Likes

It is :wink:


$ curl -IkL6 -m10 melius.live
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 16 Oct 2021 17:50:32 GMT
Content-Type: text/html
Content-Length: 10918
Last-Modified: Mon, 26 Jul 2021 12:28:46 GMT
Connection: keep-alive
ETag: "60feaa7e-2aa6"
Accept-Ranges: bytes
3 Likes

Thanks so much!

2 Likes
