No longer able to renew existing cert, nor make new certs

Hello! I've been using certbot quite smoothly for over a year now, but I'm currently experiencing some issues with one server that hosts 3 websites. For one I already activated the certificate, although when running "sudo certbot renew --dry-run" it gives an error I also encounter when trying to add new certificates to two other websites. The error and details are described below for one of the sites:

My domain is: http://theantimenagerie.net/

I ran this command: certbot --duplicate --nginx -v

It produced this output:
Requesting a certificate for theantimenagerie.net
Performing the following challenges:
http-01 challenge for theantimenagerie.net
Waiting for verification...
Challenge failed for domain theantimenagerie.net
http-01 challenge for theantimenagerie.net

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: theantimenagerie.net
Type: unauthorized
Detail: Invalid response from http://theantimenagerie.net/.well-known/acme-challenge/iZnW3TTA_YJvzDAfGo2TGeXB55_648TWq8McrYzhbIY [45.79.249.9]: "\r\n404 Not Found\r\n<body bgcolor="white">\r\n404 Not Found\r\n"

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Cleaning up challenges
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): nginx/1.14.2

The operating system my web server runs on is (include version): Debian 10

My hosting provider, if applicable, is: Linode

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.18.0

I'm also adding the nginx site config here: server { server_name theantimenagerie.net; root /var/www/ht - Pastebin.com

Would anyone be able to help with this? Many thanks!

1 Like

Hello,

With the paste you sent, this looks like it should work just fine.

Would you please be able to do a paste of the entire nginx configuration for me, as reported by this command?

sudo nginx -T
1 Like

Hi _az! Thanks for looking it over!
Here is the output I got: nginx: [warn] could not build optimal proxy_headers_hash, you should increase ei - Pastebin.com

1 Like

Thanks!

My main suspicion right now is that the mix of IPv4/IPv6/ipv6only listen settings across your virtual hosts is causing trouble. nginx can do some weird things when the settings are not consistent.

What I suggest trying is adding these listen directives to your virtual host in /etc/nginx/sites-enabled/theantimenagerie.net:

listen 80; 
listen [::]:80;

and give it another go.

1 Like

Thanks @_az ! I've tried adding those lines but it still gave the same error.

I think there might be something wrong in the virtual host conf of theantimenageriefeed.uk, that stops any certificate attempt. If I delete it from sites-enabled, the certbot dry run renewal command works. But I can't exactly figure out what it can be.

2 Likes

This seems unrelated but nonetheless conflicting code:

server {
    listen 80;
    listen [::]:80 ipv6only=on;
    server_name toknowexactlyhowmanytimestocry.net;
}
 
server {
    if ($host = toknowexactlyhowmanytimestocry.net) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    server_name toknowexactlyhowmanytimestocry.net;
    listen 80;
    listen [::]:80;
    return 404; # managed by Certbot
}

I also agree, this section has no listen statement:

# configuration file /etc/nginx/sites-enabled/theantimenagerie.net:
server {
        server_name theantimenagerie.net;
        root /var/www/html/multispecies/theantimenagerie.net;
        index index.html;
        location / {
                try_files $uri $uri/ =404;
        }
        location ~ ^/\.well-known {
                allow all;
        }
}
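As an added check, not from this thread and not part of certbot or nginx, here is a small script that reads `nginx -T` output the way the replies above read it by hand: it collects each server block's listen directives, flags a block that has none (nginx then falls back to *:80, so the block is never matched on [::]:80), flags an explicit ipv6only option, and reports when the set of listen addresses differs between blocks. The sample config is constructed from the snippets quoted above, and the script name in the usage comment is an assumption.

```python
import re
import sys
SAMPLE_CONF = r"""server {
    listen 80;
    listen [::]:80 ipv6only=on;
    server_name toknowexactlyhowmanytimestocry.net;
}
server {
    server_name theantimenagerie.net;
    location ~ ^/\.well-known { allow all; }
}
"""  # constructed sample modelled on the thread's nginx -T dump, not the poster's real file

def parse_server_blocks(conf):
    # Tokenise into "name {", "}" and "directive;" after stripping comments; record only server {} bodies.
    text = "\n".join(line.split("#", 1)[0] for line in conf.splitlines())
    blocks, stack, cur = [], [], None
    for tok in re.findall(r"[^{};]+\{|\}|[^{};]+;", text):
        tok = tok.strip()
        if tok.endswith("{"):
            name = tok[:-1].strip()
            if name == "server" and cur is None:
                cur = {"server_name": [], "listen": []}
            stack.append(name)
        elif tok == "}" and stack and stack.pop() == "server" and cur is not None:
            blocks.append(cur)      # closing brace of the server block itself, not of a nested location {}
            cur = None
        elif cur is not None and tok.endswith(";"):
            parts = tok[:-1].split()
            if parts and parts[0] in cur:
                cur[parts[0]].append(" ".join(parts[1:]))
    return blocks

def audit(blocks):
    # Flag a block with no listen, an explicit ipv6only, and listen address sets that differ between blocks.
    findings, addr_sets = [], {}
    for b in blocks:
        name = " ".join(b["server_name"]) or "(unnamed)"
        if not b["listen"]:
            findings.append(f"{name}: no listen directive; nginx falls back to *:80 (IPv4 only, no [::]:80)")
        for l in b["listen"]:
            if "ipv6only=" in l:
                findings.append(f"{name}: '{l}' sets ipv6only, which nginx accepts on one listen per address only")
        addr_sets[name] = frozenset(l.split()[0] for l in b["listen"])
    if len(set(addr_sets.values())) > 1:
        findings.append("listen address sets differ: " + "; ".join(f"{n}={sorted(a)}" for n, a in addr_sets.items()))
    return findings

if __name__ == "__main__":  # usage: sudo nginx -T | python3 nginx_listen_audit.py
    print("\n".join(audit(parse_server_blocks(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CONF))))
```

Run without piped input it audits the constructed sample; piped from `sudo nginx -T` it audits the live configuration.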
