Problem with Certificate-Renew using certbot

Hi!

I have a problem with renewing my existing certificate with certbot.

My domain is: elberthome.dnshome.de.
The problem says my domain has a problem with the DNS A/AAAA record.
But the domain resolves to the right IP address, and if I check my domain in the browser, I am at the right server.
My firewall accepts ports 443 and 80 to the Raspberry client.
Thank you in advance!

I ran this command: certbot renew

It produced this output:
certbot renew

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/elberthome.dnshome.de.conf


Cert is due for renewal, auto-renewing…

Plugins selected: Authenticator webroot, Installer None

Renewing an existing certificate

Performing the following challenges:

http-01 challenge for elberthome.dnshome.de

Waiting for verification…

Cleaning up challenges

Attempting to renew cert (elberthome.dnshome.de) from /etc/letsencrypt/renewal/elberthome.dnshome.de.conf produced an unexpected error: Failed authorization procedure. elberthome.dnshome.de (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://elberthome.dnshome.de/.well-known/acme-challenge/sMxcHwbEG45R-5qncd4DwY73jRpvl-ATxzpuJdHmU5o 217.247.45.47: “<html>\r\n<head><title>403 Forbidden</title></head>\r\n<body bgcolor=“white”>\r\n<center><h1>403 Forbidden</h1></center>\r\n<hr><center>”. Skipping.

All renewal attempts failed. The following certs could not be renewed:

/etc/letsencrypt/live/elberthome.dnshome.de/fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:

/etc/letsencrypt/live/elberthome.dnshome.de/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

Domain: elberthome.dnshome.de

Type: unauthorized

Detail: Invalid response from

https://elberthome.dnshome.de/.well-known/acme-challenge/sMxcHwbEG45R-5qncd4DwY73jRpvl-ATxzpuJdHmU5o

Forbidden</title></head>\r\n<body

bgcolor=“white”>\r\n<center><h1>403

Forbidden</h1></center>\r\n<hr><center>"

To fix these errors, please make sure that your domain name was

entered correctly and the DNS A/AAAA record(s) for that domain

contain(s) the right IP address.

The operating system my web server runs on is (include version): raspbian v9 “stretch”

I can login to a root shell on my machine (yes or no, or I don’t know): yes! I sent “certbot -renew” from my root shell

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.28.0

What does Nginx’s error log file show?

Hi @noomiis

this isn't a DNS problem. Your DNS entries are correct:

Host                       T     IP-Address      is auth.  ∑ Queries  ∑ Timeout
elberthome.dnshome.de      A     217.247.45.47   yes       1          0
elberthome.dnshome.de      AAAA                  yes
www.elberthome.dnshome.de        Name Error      yes       1          0

Instead, there is an explicit http response from your server:

Server: nginx/1.10.3

You already use webroot.

Check the directory permissions of /.well-known/acme-challenge.

If one directory doesn't exist, create both:

yourWebroot/.well-known/acme-challenge

Create a file there (file name 1234), then try to load that file via

http://elberthome.dnshome.de/.well-known/acme-challenge/1234

Checking such a (not existing) file there now gives the wrong answer

Forbidden
Visible Content: 403 Forbidden nginx/1.10.3

instead of 404 / Not Found.

Hey Juergen!
Thank you for your reply,

you were right, the .well-known directory was there, the …/acme-challenge directory was missing.
I created a file like 1234, and the reply was the same as if I would try to open a file that doesn't exist.

How can I fix the issue?

Thank you very much in advance!

Warm regards,

Simon

That isn't what I see.

http://elberthome.dnshome.de/.well-known/acme-challenge/1234

produces a "forbidden", not a "not found". Check the directory permissions; they should be 755.

403 Forbidden errors can have different causes.

Nginx’s error log should say what it is.


Hello Juergen,

They are :( I set them again, but it didn't work :(
But you are right, the error is 403.

Hey mnordhoff,

sorry, but… where can I find this log?

Sorry for the stupid question.

Thank you in advance!

Warm Regards,

Simon

Typically /var/log/nginx/error.log, but it’s configurable.


Can you see anything that helps me?
Thank you!

“access forbidden by rule” means there’s something in your Nginx configuration blocking it.

Hmm. A bit of googling said I have to “allow all” in the nginx config file in “sites-enabled”. I did, but it didn't work; the error is still the same. I know this is not a webserver forum, but… do you have an idea?

Thank you in advance!
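As an added example that is not from the thread: an nginx server block showing one common way a 403 with “access forbidden by rule” arises for the challenge path, and how to order the locations so the ACME location wins the match. The webroot /var/www/html and the dotfile deny rule are assumptions, not something the posts confirm.

```nginx
server {
    listen 80;
    server_name elberthome.dnshome.de;

    # Assumed webroot. It must be the same directory certbot writes the
    # token into, i.e. the webroot_path recorded in
    # /etc/letsencrypt/renewal/elberthome.dnshome.de.conf.
    root /var/www/html;

    # ACME challenge location. "^~" is a prefix match that, once matched,
    # stops nginx from evaluating the regex locations below, so no deny rule
    # further down can apply to the challenge path.
    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        allow all;
        # A missing token must answer 404, not 403. This is the check from
        # the thread: test file "1234" -> 200, no such file -> 404.
        try_files $uri =404;
    }

    # Typical hardening rule that hides dotfiles (.htaccess, .git, ...).
    # Because /.well-known also starts with a dot, this rule alone matches
    # the challenge path, answers "403 Forbidden" and writes
    # "access forbidden by rule" to error.log. An "allow all" placed in
    # another location does not override this deny; the dedicated location
    # above is what takes precedence.
    location ~ /\. {
        deny all;
    }

    location / {
        try_files $uri $uri/ =404;
    }
}
```

Directory permissions on the webroot path (755, as Juergen notes) are a separate cause of 403 that no configuration change fixes, so the test file should still be fetched after reloading nginx.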
