Problem with renewing letsencrypt certificates


#1

Running this command: /usr/bin/certbot renew --quiet --renew-hook "service ngnix restart"

and got this error:

Attempting to renew cert (family.thegroveacademy.com.au) from /etc/letsencrypt/renewal/family.thegroveacademy.com.au.conf produced an unexpected error: urn:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new authz :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/family.thegroveacademy.com.au/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

family.thegroveacademy.com.au.conf:

# renew_before_expiry = 30 days
version = 0.19.0
archive_dir = /etc/letsencrypt/archive/family.thegroveacademy.com.au
cert = /etc/letsencrypt/live/family.thegroveacademy.com.au/cert.pem
privkey = /etc/letsencrypt/live/family.thegroveacademy.com.au/privkey.pem
chain = /etc/letsencrypt/live/family.thegroveacademy.com.au/chain.pem
fullchain = /etc/letsencrypt/live/family.thegroveacademy.com.au/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = webroot
installer = None
account = 54a7d4c667e04282d569c50d92dd0417
webroot_path = /usr/share/nginx/html,
[[webroot_map]]
family.thegroveacademy.com.au = /usr/share/nginx/html


#2

You’ll need to wait an hour until this rate limit has subsided, and then try again. If it still doesn’t work at that point, then provide the new/different error message.

In the meantime, can you please show the full nginx virtual host configuration for family.thegroveacademy.com.au?

At the moment it looks like you have a Rails app behind it, and it’s not clear whether you’re properly excluding the /.well-known/acme-challenge/ URL.


#3

Thank you for the prompt answer! Will try in an hour.


#4

Older try:

Attempting to renew cert (family.thegroveacademy.com.au) from /etc/letsencrypt/renewal/family.thegroveacademy.com.au.conf produced an unexpected error: Failed authorization procedure. family.thegroveacademy.com.au (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://family.thegroveacademy.com.au/.well-known/acme-challenge/0FIKD4zFE3SmHlIzxp3pwy_QmTtJAFtXL3MiPW_VYE8: "

Action Controller: Exception caught <style". Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/family.thegroveacademy.com.au/fullchain.pem (failure)

#5

Show your nginx configuration (both the port 80 and port 443 server blocks for that domain).

You likely need something like

location /.well-known/acme-challenge/ {
    root /usr/share/nginx/html;
}

#6

nginx conf:

user www-data;
worker_processes 4;
pid /run/nginx.pid;

events {
    worker_connections 768;
    # multi_accept on;
}

http {
    ##
    # Basic Settings
    ##

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    # server_tokens off;

    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # Logging Settings
    ##

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    ##
    # Gzip Settings
    ##

    gzip on;
    gzip_disable "msie6";

    # gzip_vary on;
    # gzip_proxied any;
    # gzip_comp_level 6;
    # gzip_buffers 16 8k;
    # gzip_http_version 1.1;
    # gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;

    ##
    # nginx-naxsi config
    ##
    # Uncomment it if you installed nginx-naxsi
    ##

    #include /etc/nginx/naxsi_core.rules;

    ##
    # nginx-passenger config
    ##
    # Uncomment it if you installed nginx-passenger
    ##

    #passenger_root /usr;
    #passenger_ruby /usr/bin/ruby;

    ##
    # Virtual Host Configs
    ##

    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}

sites-enabled:

upstream app {
    # Path to Puma SOCK file, as defined previously
    server unix:/home/deploy/the-grove-academy/shared/tmp/sockets/puma.sock fail_timeout=0;
}

server {
    listen 80;
    rewrite ^(.*) https://$host$1 permanent;

    server_name family.thegroveacademy.com.au localhost;
}

server {
    listen 443 default ssl;

    server_name family.thegroveacademy.com.au localhost;

    ssl on;

    ssl_certificate /home/deploy/tga_parent_certs/family.thegroveacademy.com.au.crt;
    ssl_certificate_key /home/deploy/tga_parent_certs/family.thegroveacademy.com.au.key;

    ssl_certificate /etc/letsencrypt/live/family.thegroveacademy.com.au/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/family.thegroveacademy.com.au/privkey.pem;

    ssl_session_timeout 5m;

    ssl_protocols SSLv2 SSLv3 TLSv1;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    root /home/deploy/the-grove-academy/public;

    try_files $uri/index.html $uri @app;

    location / {
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_redirect off;
        proxy_http_version 1.1;
        proxy_set_header Connection '';
        proxy_pass http://app;
        proxy_read_timeout 300;
    }

    error_page 500 502 503 504 /500.html;
    client_max_body_size 4G;
    keepalive_timeout 300;
}


#7

Add the code I suggested inside the port 443 server, reload nginx, and try running Certbot again with --dry-run (this will just do a test run to see if the change will fix your problem).
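The point of placing the location in the port 443 block is that the port 80 server redirects everything to https, so the CA's http-01 request ends up answered by the 443 server. The probe below is an added example, not certbot's code and not from anyone in this thread: it drops a random token into the webroot, fetches it over plain HTTP the way the CA does, follows the redirect, and reports whether the static file or the Rails error page came back. The domain and webroot are the ones from this thread; everything else is assumed.

```python
"""Probe the http-01 path the way the CA would: token in the webroot, request
over plain HTTP, follow the 80 -> 443 redirect, compare the body."""
import os
import secrets
import urllib.error
import urllib.request

CHALLENGE_DIR = ".well-known/acme-challenge"


def write_challenge(webroot: str, token: str) -> str:
    """Create <webroot>/.well-known/acme-challenge/<token> containing the token."""
    path = os.path.join(webroot, CHALLENGE_DIR, token)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(token)
    return path


def classify(status: int, final_url: str, body: str, token: str) -> str:
    """Map a response to what it says about the nginx configuration."""
    if status != 200:
        return "no-200"        # e.g. 404: the answering server block has no location
    if body.strip() != token:
        return "wrong-body"    # request reached the app (Rails error page), not the file
    if final_url.startswith("https://"):
        return "ok-via-https"  # redirect followed: the 443 block must carry the location
    return "ok-via-http"


def probe(domain: str, webroot: str, timeout: float = 10.0) -> str:
    """Live end-to-end check (needs network access and write access to webroot).

    TLS is verified here, so an already-expired cert surfaces as an SSLError;
    the CA itself does not validate the certificate when it follows the redirect."""
    token = secrets.token_urlsafe(32)  # random, so a stale cached page cannot match
    path = write_challenge(webroot, token)
    url = f"http://{domain}/{CHALLENGE_DIR}/{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode(errors="replace")
            return classify(resp.status, resp.geturl(), body, token)
    except urllib.error.HTTPError as err:
        return classify(err.code, err.geturl(), "", token)
    finally:
        os.remove(path)  # clean up, as certbot's webroot plugin does
```

Run `probe("family.thegroveacademy.com.au", "/usr/share/nginx/html")` on the server; "wrong-body" is the state from post #4, "ok-via-https" is what a working location block in the 443 server produces.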


#8

server {
    listen 443 default ssl;

    server_name family.thegroveacademy.com.au localhost;

    location /.well-known/acme-challenge/ {
        root /usr/share/nginx/html;
    }

    ssl on;

    ssl_certificate /home/deploy/tga_parent_certs/family.thegroveacademy.com.au.crt;
    ssl_certificate_key /home/deploy/tga_parent_certs/family.thegroveacademy.com.au.key;

    ssl_certificate /etc/letsencrypt/live/family.thegroveacademy.com.au/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/family.thegroveacademy.com.au/privkey.pem;

    ssl_session_timeout 5m;

    ssl_protocols SSLv2 SSLv3 TLSv1;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    root /home/deploy/the-grove-academy/public;

    try_files $uri/index.html $uri @app;

    location / {
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_redirect off;
        proxy_http_version 1.1;
        proxy_set_header Connection '';
        proxy_pass http://app;
        proxy_read_timeout 300;
    }

    error_page 500 502 503 504 /500.html;
    client_max_body_size 4G;
    keepalive_timeout 300;
}

Can I try right now or wait until this rate limit has subsided?


#9

For the actual renewal you’ll have to wait, but you can try with --dry-run right now to see whether it will work in an hour, since it is not affected by rate limits.


#10

Processing /etc/letsencrypt/renewal/family.thegroveacademy.com.au.conf

Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for family.thegroveacademy.com.au
Waiting for verification...
Cleaning up challenges

new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/family.thegroveacademy.com.au/fullchain.pem

** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/family.thegroveacademy.com.au/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)

Seems like everything is OK now?


#11

Yes, looks like that will work.


#12

Thanks a lot. You are very helpful!


#13

I ran this command: /usr/bin/certbot renew --quiet --renew-hook "service ngnix restart"
and after that I tried to check the site 'https://family.thegroveacademy.com.au/', but SSL still doesn't work...
Also tried: certbot renew --pre-hook "service nginx stop" --post-hook "service nginx start"
and:

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/family.thegroveacademy.com.au.conf

Cert not yet due for renewal


The following certs are not due for renewal yet:
/etc/letsencrypt/live/family.thegroveacademy.com.au/fullchain.pem (skipped)
No renewals were attempted.
No hooks were run.


#14

nginx -t
grep -REI ssl_certificate /etc/nginx

Also try a manual reload; it’s possible that a renewal ran automatically in the background that didn’t reload nginx:

service nginx reload
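The situation #14 is probing for is a certificate that was renewed on disk while the running nginx kept the old one loaded; note that the hook in posts #1 and #13 spells the service name "ngnix", so under --quiet a failed restart would go unnoticed. The check below is an added example, not certbot's code and not from anyone in this thread: it compares the SHA-256 fingerprint of the leaf certificate in fullchain.pem with the one the listener actually presents. The host and path are the ones from this thread; the PEM bodies in the block are constructed placeholders, not real certificates.

```python
"""Detect 'renewed on disk, but nginx still serves the old cert'."""
import hashlib
import re
import ssl

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

# Constructed stand-ins (valid base64, not real certificates) used for offline demo.
LEAF_OLD = "-----BEGIN CERTIFICATE-----\nAAECAwQFBgcICQ==\n-----END CERTIFICATE-----\n"
LEAF_NEW = "-----BEGIN CERTIFICATE-----\nCgsMDQ4P\n-----END CERTIFICATE-----\n"
INTERMEDIATE = "-----BEGIN CERTIFICATE-----\nEBESExQVFhc=\n-----END CERTIFICATE-----\n"
FULLCHAIN_ON_DISK = LEAF_NEW + INTERMEDIATE  # certbot writes leaf first, then chain


def leaf_pem(fullchain: str) -> str:
    """Return the first CERTIFICATE block: the end-entity cert in fullchain.pem."""
    blocks = PEM_BLOCK.findall(fullchain)
    if not blocks:
        raise ValueError("no CERTIFICATE block found")
    return blocks[0]


def fingerprint(pem: str) -> str:
    """SHA-256 over the DER bytes, the same value `openssl x509 -fingerprint -sha256` shows."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    return hashlib.sha256(der).hexdigest()


def needs_reload(served_pem: str, disk_fullchain: str) -> bool:
    """True when the live listener is not presenting the leaf found on disk."""
    return fingerprint(served_pem) != fingerprint(leaf_pem(disk_fullchain))


def check_live(host: str = "family.thegroveacademy.com.au",
               cert_path: str = "/etc/letsencrypt/live/family.thegroveacademy.com.au/fullchain.pem",
               port: int = 443) -> bool:
    """Fetch what nginx actually presents and compare it with the file (needs network)."""
    served = ssl.get_server_certificate((host, port))  # PEM string, no verification
    with open(cert_path, encoding="ascii") as fh:
        return needs_reload(served, fh.read())


if __name__ == "__main__":
    print("reload needed:", check_live())
```

If `check_live()` returns True after a renewal, `service nginx reload` (or a working deploy hook) is what is missing, not another certbot run.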

#15

OK, thanks again. Now it's fine.


#16

If your /etc/letsencrypt/renewal/family.thegroveacademy.com.au.conf doesn’t contain a hook to reload nginx, you may need to manually modify that file so you don’t have to reload nginx next time.


#17

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.