Nginx certificate renewal

I am running an EC2 instance.
OS: Ubuntu 20.04.4 LTS
Server is running on NGINX
Issue: I am trying to renew the certificates, but when I do, I get this error.
I am using sudo certbot --nginx certonly to renew the certificate.
The error message:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: backend-prod.chainwhiz.app
2: www.backend-prod.chainwhiz.app
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/backend-prod.chainwhiz.app.conf)

It contains these names: backend-prod.chainwhiz.app

You requested these names for the new certificate: backend-prod.chainwhiz.app,
www.backend-prod.chainwhiz.app.

Do you want to expand and replace this existing certificate with the new
certificate?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(E)xpand/(C)ancel: E
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.backend-prod.chainwhiz.app
http-01 challenge for backend-prod.chainwhiz.app
nginx: [warn] conflicting server name "backend-prod.chainwhiz.app" on [::]:80, ignored
nginx: [warn] conflicting server name "www.backend-prod.chainwhiz.app" on [::]:80, ignored
nginx: [warn] conflicting server name "backend-prod.chainwhiz.app" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name "www.backend-prod.chainwhiz.app" on 0.0.0.0:80, ignored
Waiting for verification...
Challenge failed for domain www.backend-prod.chainwhiz.app
Challenge failed for domain backend-prod.chainwhiz.app
http-01 challenge for www.backend-prod.chainwhiz.app
http-01 challenge for backend-prod.chainwhiz.app
Cleaning up challenges
nginx: [warn] conflicting server name "backend-prod.chainwhiz.app" on [::]:80, ignored
nginx: [warn] conflicting server name "www.backend-prod.chainwhiz.app" on [::]:80, ignored
nginx: [warn] conflicting server name "backend-prod.chainwhiz.app" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name "www.backend-prod.chainwhiz.app" on 0.0.0.0:80, ignored
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: www.backend-prod.chainwhiz.app
   Type:   unauthorized
   Detail: 13.58.80.238: Invalid response from
   http://www.backend-prod.chainwhiz.app/.well-known/acme-challenge/Ge52LnBkFWQ2iUU6U4KUFmFcX6-E75Y6wkfCUBtN0L8:
   404

   Domain: backend-prod.chainwhiz.app
   Type:   unauthorized
   Detail: 13.58.80.238: Invalid response from
   http://backend-prod.chainwhiz.app/.well-known/acme-challenge/QxGdJDtb3dJlb1HnNfSjM_W6ANMIinLpSHpZtxjl0rI:
   404

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

Hi @akp111_eth, and welcome to the LE community forum :slight_smile:

Please show the output of:
nginx -T

5 Likes

Hey @rg305

Thank you very much.
Here is the log
https://paste.ubuntu.com/p/9sZRYHpHBr/

1 Like

There exists a name:port overlap:

# IN THE MAIN CONFIG
server {
    listen [::]:80;
    listen 80;
    server_name backend-prod.chainwhiz.app www.backend-prod.chainwhiz.app;
    return 301 https://backend-prod.chainwhiz.app$request_uri;
}

# configuration file /etc/nginx/sites-enabled/backend-prod.chainwhiz.app:
server {
    listen [::]:80;
    listen 80;
    server_name backend-prod.chainwhiz.app www.backend-prod.chainwhiz.app;
    location / {
        proxy_pass http://localhost:4001;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}
5 Likes
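The overlap above is exactly what nginx's "conflicting server name ... ignored" warnings point at: two server blocks claim the same server_name on the same listen socket, nginx keeps the first one it read and silently drops the rest, so the block certbot's nginx plugin edits may never receive the challenge request. The script below is an added example, not code from the thread or from certbot/nginx: it parses text in the shape of `nginx -T` output and lists every (socket, name) pair claimed by more than one block. The sample dump is constructed from the two blocks quoted above; the file name of the "main config" block (/etc/nginx/nginx.conf) is an assumption, as is the trimmed location body.

```python
"""Find the name:port overlaps behind nginx's "conflicting server name" warnings.

Added example. Parses `nginx -T`-shaped text and reports every
(listen socket, server_name) pair that more than one server block claims.
"""
import re
from collections import defaultdict

# Constructed sample in the shape of `nginx -T` output. The two server blocks
# reproduce the ones quoted in the thread; the main config file name is assumed.
SAMPLE_NGINX_T = """\
# configuration file /etc/nginx/nginx.conf:
http {
    server {
        listen [::]:80;
        listen 80;
        server_name backend-prod.chainwhiz.app www.backend-prod.chainwhiz.app;
        return 301 https://backend-prod.chainwhiz.app$request_uri;
    }
    include /etc/nginx/sites-enabled/*;
}

# configuration file /etc/nginx/sites-enabled/backend-prod.chainwhiz.app:
server {
    listen [::]:80;
    listen 80;
    server_name backend-prod.chainwhiz.app www.backend-prod.chainwhiz.app;
    location / {
        proxy_pass http://localhost:4001;
    }
}
"""

FILE_MARKER = re.compile(r"^# configuration file (\S+):$")


def normalize_listen(value):
    """Reduce a listen directive to the address:port form nginx uses in warnings."""
    addr = value.split()[0]              # drop flags such as ssl or default_server
    if addr.startswith("["):             # IPv6 literal, e.g. [::]:80 or [::]
        return addr if "]:" in addr else addr + ":80"
    if addr.isdigit():                   # bare port means every IPv4 address
        return "0.0.0.0:" + addr
    return addr if ":" in addr else addr + ":80"


def parse_server_blocks(dump):
    """Return one dict per server block: file, listen sockets, server names.

    Braces are counted line by line, which is enough for nginx -T output
    (one directive per line, comments on their own lines).
    """
    blocks, current_file, depth, block = [], None, 0, None
    for raw in dump.splitlines():
        line = raw.strip()
        marker = FILE_MARKER.match(line)
        if marker:
            current_file = marker.group(1)
            continue
        if not line or line.startswith("#"):
            continue
        if block is None and re.match(r"^server\s*\{$", line):
            block = {"file": current_file, "depth": depth, "listen": [], "server_name": []}
        elif block is not None and depth == block["depth"] + 1:
            # Only directives directly inside the server block, not inside location {}
            if line.startswith("listen "):
                block["listen"].append(normalize_listen(line[len("listen"):].rstrip(";").strip()))
            elif line.startswith("server_name "):
                block["server_name"].extend(line[len("server_name"):].rstrip(";").split())
        depth += line.count("{") - line.count("}")
        if block is not None and depth == block["depth"]:
            blocks.append(block)
            block = None
    return blocks


def find_conflicts(blocks):
    """Map (socket, name) -> files and keep only pairs claimed more than once.

    nginx honours the first block it reads and ignores the later ones, so the
    later files in each list are the blocks that never receive requests.
    """
    claims = defaultdict(list)
    for b in blocks:
        for sock in b["listen"]:
            for name in b["server_name"]:
                claims[(sock, name)].append(b["file"])
    return {key: files for key, files in claims.items() if len(files) > 1}


def conflict_report(dump):
    return find_conflicts(parse_server_blocks(dump))


if __name__ == "__main__":
    for (sock, name), files in sorted(conflict_report(SAMPLE_NGINX_T).items()):
        print("conflicting server name %r on %s: %s" % (name, sock, " vs ".join(files)))
```

On a live host, feed it the real dump (`sudo nginx -T > /tmp/nginx-T.txt` and read that file in place of SAMPLE_NGINX_T). Each reported pair lists the files in the order nginx read them; the first one wins, which is why the proxy block in sites-enabled above was unreachable and the challenge fetch came back 404.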

It seems like the simplest resolution to that conflict is to remove/disable the file:
/etc/nginx/sites-enabled/backend-prod.chainwhiz.app
[which would allow unencrypted access to your site]

3 Likes

Okay,
So if I just comment it out and run certbot --nginx certonly, it should work... right?
@rg305

I think you have to disable it.
[remove the link found in the /sites-enabled/ folder]

After that, show:
certbot certificates

3 Likes

@rg305
Really sorry to bug you. But I am not that great on the server side of things.
When you said disable it, you mean to remove it altogether?

So, I am getting this when I did ls -all

backend-prod.chainwhiz.app -> /etc/nginx/sites-available/backend-prod.chainwhiz.app
And all I need to do is delete this file?

1 Like

If you don't think you will ever need that file again, yes (you can delete the file).
If you think you might need it (or just want to keep it), then you need to delete only the link to the file.
The file is in the /sites-available/ folder.
The link is in the /sites-enabled/ folder.

Your choice.
[I'd delete both - lol]

3 Likes

I mean
As long as it doesn't break anything, I can get rid of it

It wouldn't break anything.

3 Likes

So I deleted it and I got the following output when I ran sudo certbot certificates @rg305


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: backend-prod.chainwhiz.app
    Domains: backend-prod.chainwhiz.app
    Expiry Date: 2022-07-17 20:34:41+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/backend-prod.chainwhiz.app/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/backend-prod.chainwhiz.app/privkey.pem
  Certificate Name: www.backend-prod.chainwhiz.app
    Domains: www.backend-prod.chainwhiz.app
    Expiry Date: 2022-07-17 20:30:53+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/www.backend-prod.chainwhiz.app/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.backend-prod.chainwhiz.app/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

This (expired) cert needs to be renewed (and expanded to include the "www"):

This (expired and unused) cert needs to be deleted:

For that, do:
certbot delete --cert-name www.backend-prod.chainwhiz.app

3 Likes
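The listing above shows two lineages with one name each, where the goal is a single certificate covering both names. The script below is an added example, not code from the thread or from certbot: it parses text in the shape of `certbot certificates` output and applies the same reasoning as the advice above, keeping the lineage named after the primary host, expanding it to every wanted name, and marking any other lineage whose names that plan already covers as a candidate for `certbot delete`. The sample output is constructed from the listing quoted above; the WANTED and PRIMARY values and the evaluation date are assumptions for the thread's case. Whether a lineage is actually unused by nginx is not something the listing can tell you; that judgement still comes from the server config.

```python
"""Decide what to do with each certbot lineage for a wanted set of names.

Added example. Parses `certbot certificates`-shaped text and plans
expand / renew / delete per lineage for a wanted name set.
"""
from datetime import datetime, timezone

# Constructed sample reproducing the two-certificate listing from the thread.
SAMPLE_OUTPUT = """\
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: backend-prod.chainwhiz.app
    Domains: backend-prod.chainwhiz.app
    Expiry Date: 2022-07-17 20:34:41+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/backend-prod.chainwhiz.app/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/backend-prod.chainwhiz.app/privkey.pem
  Certificate Name: www.backend-prod.chainwhiz.app
    Domains: www.backend-prod.chainwhiz.app
    Expiry Date: 2022-07-17 20:30:53+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/www.backend-prod.chainwhiz.app/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.backend-prod.chainwhiz.app/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
"""

# Assumed for the thread's case: the names the site should serve, and which
# lineage to keep (the one the renewal conf in the original error referred to).
WANTED = ["backend-prod.chainwhiz.app", "www.backend-prod.chainwhiz.app"]
PRIMARY = "backend-prod.chainwhiz.app"


def parse_certificates(text):
    """Return one dict per lineage: name, domains, expiry (aware datetime), cert_path."""
    certs, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Certificate Name:"):
            cur = {"name": line.split(":", 1)[1].strip(), "domains": [],
                   "expiry": None, "cert_path": None}
            certs.append(cur)
        elif cur is None:
            continue
        elif line.startswith("Domains:"):
            cur["domains"] = line.split(":", 1)[1].split()
        elif line.startswith("Expiry Date:"):
            # "2022-07-17 20:34:41+00:00 (INVALID: EXPIRED)" -> keep the timestamp only
            stamp = line.split(":", 1)[1].strip().split(" (")[0]
            cur["expiry"] = datetime.fromisoformat(stamp)
        elif line.startswith("Certificate Path:"):
            cur["cert_path"] = line.split(":", 1)[1].strip()
    return certs


def plan_renewal(certs, wanted, primary, now):
    """Return {lineage name: action}. `now` must be a timezone-aware datetime."""
    wanted = set(wanted)
    keep = next((c for c in certs if c["name"] == primary), None)
    actions = {}
    if keep is None:
        actions[primary] = "obtain (no lineage for the primary host yet)"
    for c in certs:
        expired = c["expiry"] is not None and c["expiry"] <= now
        covered = set(c["domains"])
        if c is keep:
            missing = wanted - covered
            if missing:
                # Expanding reissues the certificate, so it covers renewal too.
                actions[c["name"]] = "expand (add %s)" % ", ".join(sorted(missing))
            elif expired:
                actions[c["name"]] = "renew"
            else:
                actions[c["name"]] = "ok"
        elif keep is not None and covered <= wanted:
            # Every name here will be on the expanded primary lineage.
            actions[c["name"]] = "delete (names will be covered by %s)" % primary
        else:
            actions[c["name"]] = "review (not covered by this plan)"
    return actions


def thread_example(now=datetime(2022, 7, 18, tzinfo=timezone.utc)):
    """The thread's situation, evaluated the day after both certificates expired."""
    return plan_renewal(parse_certificates(SAMPLE_OUTPUT), WANTED, PRIMARY, now)


if __name__ == "__main__":
    for name, action in thread_example().items():
        print("%-40s %s" % (name, action))
```

Deleting a redundant lineage also removes its file under /etc/letsencrypt/renewal/, so a scheduled `certbot renew` stops retrying a certificate nothing serves; run `certbot certificates` again afterwards, as advised above, to confirm the state before expanding.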

Okay got it
Let me do that and after that?

1 Like

Always come back to:
certbot certificates
[to confirm the latest status]

3 Likes

So, I have deleted the one you mentioned
Here is the latest status

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: backend-prod.chainwhiz.app
    Domains: backend-prod.chainwhiz.app
    Expiry Date: 2022-07-17 20:34:41+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/backend-prod.chainwhiz.app/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/backend-prod.chainwhiz.app/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Now how to go about implementing it @rg305

Do that again (Expand):

3 Likes

You are super amazing @rg305 !!
It worked!
Thank you very much

1 Like

Just one last question
I have setup a cron task to renew the certificate.
I have defined 0 0,12 * * * certbot renew >/dev/null 2>&1 in sudo crontab -e

Is it the correct way?