No longer able to renew existing cert, nor make new certs

ccl · August 24, 2021, 10:49pm

Hello! I've been using certbot quite smoothly for over a year now, but I'm currently experiencing some issues with one server that hosts 3 websites. For one I already activated the certificate, although when running "sudo certbot renew --dry-run" it gives an error I also encounter when trying to add new certificates to two other websites. The error and details are described below for one of the sites:

My domain is: http://theantimenagerie.net/

I ran this command: certbot --duplicate --nginx -v

It produced this output:
Requesting a certificate for theantimenagerie.net
Performing the following challenges:
http-01 challenge for theantimenagerie.net
Waiting for verification...
Challenge failed for domain theantimenagerie.net
http-01 challenge for theantimenagerie.net

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: theantimenagerie.net
Type: unauthorized
Detail: Invalid response from http://theantimenagerie.net/.well-known/acme-challenge/iZnW3TTA_YJvzDAfGo2TGeXB55_648TWq8McrYzhbIY [45.79.249.9]: "\r\n404 Not Found\r\n<body bgcolor="white">\r\n

404 Not Found

\r\n

"

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Cleaning up challenges
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): nginx/1.14.2

The operating system my web server runs on is (include version): Debian 10

My hosting provider, if applicable, is: Linode

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.18.0

I'm adding also the nginx site config here: server { server_name theantimenagerie.net; root /var/www/ht - Pastebin.com

Would anyone be able to help with this? Many thanks!

_az · August 24, 2021, 11:31pm

Hello,

With the paste you sent, this looks like it should work just fine.

Would you please be able to do a paste of the entire nginx configuration for me, as reported by this command?

sudo nginx -T

ccl · August 24, 2021, 11:45pm

Hi _az! Thanks for looking it over!
Here is the output I got: nginx: [warn] could not build optimal proxy_headers_hash, you should increase ei - Pastebin.com

_az · August 24, 2021, 11:58pm

Thanks!

My main suspicion right now is that the mix of IPv4/IPv6/ipv6only listen settings across your virtual hosts is causing trouble. nginx can do some weird things when the settings are not consistent.

What I suggest trying is adding these listen directives to your virtual host in /etc/nginx/sites-enabled/theantimenagerie.net:

listen 80; 
listen [::]:80;

and give it another go.

ccl · August 25, 2021, 12:50am

Thanks @_az ! I've tried adding those lines but it still gave the same error.

I think there might be something wrong in the virtual host conf of theantimenageriefeed.uk, that stops any certificate attempt. If I delete it from sites-enabled, the certbot dry run renewal command works. But I can't exactly figure out what it can be.

rg305 · August 25, 2021, 2:03am

This suems unrelated but none-the-less conflicting code:

server {
    listen 80;
    listen [::]:80 ipv6only=on;
    server_name toknowexactlyhowmanytimestocry.net;
}
 
server {
    if ($host = toknowexactlyhowmanytimestocry.net) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    server_name toknowexactlyhowmanytimestocry.net;
    listen 80;
    listen [::]:80;
    return 404; # managed by Certbot
}

rg305 · August 25, 2021, 2:07am

I also agree, this section has no listen statement:

# configuration file /etc/nginx/sites-enabled/theantimenagerie.net:
server {
        server_name theantimenagerie.net;
        root /var/www/html/multispecies/theantimenagerie.net;
        index index.html;
        location / {
                try_files $uri $uri/ =404;
        }
        location ~ ^/\.well-known {
                allow all;
        }
}

system · September 24, 2021, 2:08am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Renewing an existing certificate Help	10	1025	February 6, 2023
Certbot failed to authenticate some domains (authenticator: nginx) Help	9	104	October 23, 2024
Cert Renewal Failure Help	4	269	March 12, 2024
Error renewing certificate Help	8	350	May 29, 2024
Old user unable to renew cert Help	16	1479	April 10, 2022

No longer able to renew existing cert, nor make new certs

404 Not Found

Related topics