OMV5, NGINX and Let´s Encrypt renewing certificates

Gnarf · September 22, 2021, 8:58pm

Hi

I have had problems renewing the certificates for my domain and subdomains.
I run OMV5 with NGINX and I have subdomains for wordpress, Airsonic, Netdata, pwndrop etc.
Renewing is same problem on all domains and subdomains.
From NGINX I get "internal error" no matter what I do and same error in the NGINX log as described below.
I am NOT a power user but i'll manage...
I have had this problem since 2 months. Had not had the time to fix it since it's not critical.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: brynare.com

I ran this command:

It produced this output:

[Nginx ] › info Reloading Nginx

[9/22/2021] [8:43:06 PM] [SSL ] › info Requesting Let'sEncrypt certificates for Cert #111: music.brynare.com
[9/22/2021] [8:43:11 PM] [Express ] › warning Command failed: certbot certonly --non-interactive --config "/etc/letsencrypt.ini" --cert-name "npm-111" --agree-tos --email "gnarf@protonmail.com" --preferred-challenges "dns,http" --domains "music.brynare.com"

My web server is (include version):

Wordpress (can't reach it due to certificate issue)

The operating system my web server runs on is (include version): OMV5

My hosting provider, if applicable, is: Porkbun

I can login to a root shell on my machine (yes or no, or I don't know):

Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Certbot 1.19.0

rg305 · September 22, 2021, 9:22pm

Hi @Gnarf, welcome to the LE community forum

Is that about the time your started using CloudFlare?
If not, then have you previously been able to renew any cert through CloudFlare?

Gnarf · September 22, 2021, 9:31pm

Hi and thanks for your answer!

I've had my server up and running about 1.5 years without problems. The autorenew function has had problems on some occasions but now I can't even manually update certificates.
I haven't done any changes to the domain or Cloudflare.

rg305 · September 22, 2021, 10:14pm

OK, let's see what we can do.

Please show the output of:
certbot certificates

And the public contents of this file:
/etc/letsencrypt.ini

And the file:
/etc/letsencrypt/renewal/npm-111.conf

Gnarf · September 23, 2021, 6:40am

Hi
certbot certificates output:

No certificates found.

The two files does not exist.

Looks like all config and certificates has disappeared but how can that be and why can't I create new ones? I have also tried creating new ones instead of renewing but same error message appear. Will a fresh install om NGINX help you think?

rg305 · September 23, 2021, 4:30pm

How is that possible?
Are you on the right server?

Gnarf · September 23, 2021, 4:59pm

Yes sir, I have only one server and I am logged in as root.

rg305 · September 23, 2021, 5:04pm

Then you need to go back a few steps...
And get a (new) cert.

Gnarf · September 23, 2021, 8:19pm

I've already tried that. I deleted and got a new but no luck =(

at ChildProcess.exithandler (child_process.js:308:12)
at ChildProcess.emit (events.js:314:20)
at maybeClose (internal/child_process.js:1022:16)
at Socket.<anonymous> (internal/child_process.js:444:11)
at Socket.emit (events.js:314:20)
at Pipe.<anonymous> (net.js:675:12)

[9/23/2021] [7:58:03 PM] [SSL ] › info Renewing SSL certs close to expiry...
[9/23/2021] [8:03:46 PM] [SSL ] › error Error: Command failed: certbot renew --non-interactive --quiet --config "/etc/letsencrypt.ini" --preferred-challenges "dns,http" --disable-hook-validation
Failed to renew certificate npm-16 with error: Some challenges have failed.
Failed to renew certificate npm-17 with error: Some challenges have failed.
Failed to renew certificate npm-20 with error: Some challenges have failed.
Failed to renew certificate npm-21 with error: Some challenges have failed.
All renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/npm-16/fullchain.pem (failure)
/etc/letsencrypt/live/npm-17/fullchain.pem (failure)
/etc/letsencrypt/live/npm-20/fullchain.pem (failure)
/etc/letsencrypt/live/npm-21/fullchain.pem (failure)
4 renew failure(s), 0 parse failure(s)
at ChildProcess.exithandler (child_process.js:308:12)
at ChildProcess.emit (events.js:314:20)
at maybeClose (internal/child_process.js:1022:16)
at Socket. (internal/child_process.js:444:11)
at Socket.emit (events.js:314:20)

Gnarf · September 23, 2021, 8:48pm

Creating a new certificates via NGINX gives "internal error" in NGINX and this in the logs:

[9/23/2021] [8:44:16 PM] [Nginx ] › info Reloading Nginx

[9/23/2021] [8:44:16 PM] [SSL ] › info Requesting Let'sEncrypt certificates for Cert #119: drop.brynare.com

[9/23/2021] [8:44:30 PM] [Nginx ] › info Reloading Nginx

[9/23/2021] [8:44:30 PM] [Express ] › warning Command failed: certbot certonly --non-interactive --config "/etc/letsencrypt.ini" --cert-name "npm-119" --agree-tos --email "gnarf@protonmail.com" --preferred-challenges "dns,http" --domains "drop.brynare.com"

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Some challenges have failed.

Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

[9/23/2021] [8:46:38 PM] [Nginx ] › info Reloading Nginx

[9/23/2021] [8:46:40 PM] [Nginx ] › info Reloading Nginx

rg305 · September 23, 2021, 8:57pm

There is not enough information to work with.

FreeNique · September 24, 2021, 11:27am

The last Lets Encrypt certificate you had expired 2021-04-12 crt.sh | brynare.com

Gnarf · September 24, 2021, 6:03pm

Problably right... Have had a very busy summer. The server has been up and runing however those things have not been functioning...

Gnarf · October 11, 2021, 8:00pm

I've tried that as well. The other day i'v even tried getting a cloudflkare cert with 15years of expiry time...so I guess the problem is not in the Certbot but somewhere elsa... still clueless

MikeMcQ · October 11, 2021, 8:23pm

@Gnarf What problem are you trying to resolve?

When I visit your site with a browser I get an "Error 1020" from Cloudflare. These are not related to certificates but to firewall settings. I got the same msg with music.brynare.com and drop.brynare.com.

Further, using openssl I see your server sends the Cloudflare cert you got in June which is good thru Jun 2022. I don't see that your past Lets Encrypt certificates are being used.

See this Cloudflare community topic to fix the 1020 message:

Gnarf · October 12, 2021, 8:34am

Thank you! I will try that

system · November 11, 2021, 8:35am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.