Problem with renewing letsencrypt certificates

running this command: /usr/bin/certbot renew --quiet --renew-hook "service ngnix restart"

and got this error:

Attempting to renew cert (family.thegroveacademy.com.au) from /etc/letsencrypt/renewal/family.thegroveacademy.com.au.conf produced an unexpected error: urn:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new authz :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/family.thegroveacademy.com.au/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

family.thegroveacademy.com.au.conf:

# renew_before_expiry = 30 days
version = 0.19.0
archive_dir = /etc/letsencrypt/archive/family.thegroveacademy.com.au
cert = /etc/letsencrypt/live/family.thegroveacademy.com.au/cert.pem
privkey = /etc/letsencrypt/live/family.thegroveacademy.com.au/privkey.pem
chain = /etc/letsencrypt/live/family.thegroveacademy.com.au/chain.pem
fullchain = /etc/letsencrypt/live/family.thegroveacademy.com.au/fullchain.pem

Options used in the renewal process

[renewalparams]
authenticator = webroot
installer = None
account = 54a7d4c667e04282d569c50d92dd0417
webroot_path = /usr/share/nginx/html,
[[webroot_map]]
family.thegroveacademy.com.au = /usr/share/nginx/html


You'll need to wait an hour until this rate limit has subsided, and then try again. If it still doesn't work at that point, then provide the new/different error message.

In the meantime, can you please show the full nginx virtual host configuration for family.thegroveacademy.com.au?

At the moment it looks like you have a Rails app behind it, and it's not clear whether you're properly excluding the /.well-known/acme-challenge/ URL.

Thank you for the prompt answer! Will try in an hour.

Older try:

Attempting to renew cert (family.thegroveacademy.com.au) from /etc/letsencrypt/renewal/family.thegroveacademy.com.au.conf produced an unexpected error: Failed authorization procedure. family.thegroveacademy.com.au (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://family.thegroveacademy.com.au/.well-known/acme-challenge/0FIKD4zFE3SmHlIzxp3pwy_QmTtJAFtXL3MiPW_VYE8: "

Action Controller: Exception caught <style". Skipping. All renewal attempts failed. The following certs could not be renewed: /etc/letsencrypt/live/family.thegroveacademy.com.au/fullchain.pem (failure)

Show your nginx configuration (both the port 80 and port 443 server blocks for that domain).

You likely need something like

location /.well-known/acme-challenge/ {
    root /usr/share/nginx/html;
}
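To see why the helper keeps asking for the server blocks, here is a small audit script (an added example, not code from the thread or from Certbot) that walks a sites-enabled file and reports, per server block, the listen port, whether a location for /.well-known/acme-challenge/ exists, and whether its root is the webroot certbot writes to. The parser handles only the simplified nginx syntax needed here (directives end in ';', blocks use braces, '#' starts a comment); the embedded config is a trimmed copy of the thread's file, and the "after" variant applies the location block suggested above.

```python
"""Audit nginx server blocks for ACME http-01 webroot routing.

Added example (not from the thread). Assumes a simplified nginx grammar:
directives end in ';', blocks are delimited by '{' and '}', '#' starts a
comment. Only the directives relevant to certbot's webroot plugin are inspected.
"""
import re

ACME_PREFIX = "/.well-known/acme-challenge/"
WEBROOT = "/usr/share/nginx/html"  # webroot_path from the renewal conf


def tokenize(text):
    """Drop comments, then split into words plus the structural tokens ; { }."""
    text = re.sub(r"#[^\n]*", "", text)
    return re.findall(r"[{};]|[^\s{};]+", text)


def parse_block(tokens, pos=0):
    """Return (nodes, pos); a node is (name, args, children), children None for a simple directive."""
    nodes, stmt = [], []
    while pos < len(tokens):
        tok = tokens[pos]
        pos += 1
        if tok == ";":
            if stmt:
                nodes.append((stmt[0], stmt[1:], None))
            stmt = []
        elif tok == "{":
            head = stmt[0] if stmt else ""
            children, pos = parse_block(tokens, pos)
            nodes.append((head, stmt[1:], children))
            stmt = []
        elif tok == "}":
            return nodes, pos
        else:
            stmt.append(tok)
    return nodes, pos


def inspect_server(children, webroot):
    """Collect the facts that decide whether certbot's token file can be fetched."""
    info = {"listen": [], "server_name": [], "acme_location": False,
            "acme_root_ok": False, "ssl_certificate": [], "redirects_http": False}
    for name, args, kids in children:
        if name == "listen":
            info["listen"].append(args[0])
        elif name == "server_name":
            info["server_name"].extend(args)
        elif name == "ssl_certificate":
            info["ssl_certificate"].append(args[0])
        elif name in ("rewrite", "return") and any("https://" in a for a in args):
            info["redirects_http"] = True
        elif name == "location" and args and args[-1] == ACME_PREFIX and kids is not None:
            info["acme_location"] = True
            roots = [a[0] for n, a, _ in kids if n == "root"]
            info["acme_root_ok"] = roots == [webroot]
    return info


def audit(config_text, webroot):
    """One report dict per server block, in file order (nested http{} blocks are descended)."""
    tree, _ = parse_block(tokenize(config_text))
    report = []

    def walk(nodes):
        for name, args, children in nodes:
            if name == "server" and children is not None:
                report.append(inspect_server(children, webroot))
            elif children is not None:
                walk(children)
    walk(tree)
    return report


def findings(report, webroot):
    """Human-readable problems; an empty list means every block routes the challenge path."""
    out = []
    for s in report:
        label = "server on port %s (%s)" % (",".join(s["listen"]), " ".join(s["server_name"]))
        if s["redirects_http"] and not s["acme_location"]:
            out.append(label + ": redirects to https, so the 443 block must serve " + ACME_PREFIX)
        elif not s["acme_location"]:
            out.append(label + ": no location for " + ACME_PREFIX + ", tokens fall through to the app")
        elif not s["acme_root_ok"]:
            out.append(label + ": challenge location does not use root " + webroot)
    return out


# Trimmed copy of the thread's sites-enabled file (before the fix).
SITE_BEFORE = """
upstream app {
    # Path to Puma SOCK file, as defined previously
    server unix:/home/deploy/the-grove-academy/shared/tmp/sockets/puma.sock fail_timeout=0;
}
server {
    listen 80;
    rewrite ^(.*) https://$host$1 permanent;
    server_name family.thegroveacademy.com.au localhost;
}
server {
    listen 443 default ssl;
    server_name family.thegroveacademy.com.au localhost;
    ssl on;
    ssl_certificate /home/deploy/tga_parent_certs/family.thegroveacademy.com.au.crt;
    ssl_certificate_key /home/deploy/tga_parent_certs/family.thegroveacademy.com.au.key;
    ssl_certificate /etc/letsencrypt/live/family.thegroveacademy.com.au/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/family.thegroveacademy.com.au/privkey.pem;
    root /home/deploy/the-grove-academy/public;
    try_files $uri/index.html $uri @app;
    location / {
        proxy_set_header Connection '';
        proxy_pass http://app;
    }
}
"""
ACME_LOCATION = "    location " + ACME_PREFIX + " {\n        root " + WEBROOT + ";\n    }\n"
SITE_AFTER = SITE_BEFORE.replace("    ssl on;\n", ACME_LOCATION + "    ssl on;\n")

if __name__ == "__main__":
    for title, cfg in (("before", SITE_BEFORE), ("after", SITE_AFTER)):
        print(title + ":")
        for line in findings(audit(cfg, WEBROOT), WEBROOT) or ["  ok"]:
            print("  " + line)
```

Point it at a real file with `audit(open("/etc/nginx/sites-enabled/default").read(), WEBROOT)`. The port-80 finding is informational: Let's Encrypt follows the redirect, so the 443 block is where the challenge path has to resolve.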

nginx conf:

user www-data;
worker_processes 4;
pid /run/nginx.pid;

events {
    worker_connections 768;
    # multi_accept on;
}

http {
    ##
    # Basic Settings
    ##

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    # server_tokens off;

    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # Logging Settings
    ##

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    ##
    # Gzip Settings
    ##

    gzip on;
    gzip_disable "msie6";

    # gzip_vary on;
    # gzip_proxied any;
    # gzip_comp_level 6;
    # gzip_buffers 16 8k;
    # gzip_http_version 1.1;
    # gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;

    ##
    # nginx-naxsi config
    ##
    # Uncomment it if you installed nginx-naxsi
    ##

    #include /etc/nginx/naxsi_core.rules;

    ##
    # nginx-passenger config
    ##
    # Uncomment it if you installed nginx-passenger
    ##

    #passenger_root /usr;
    #passenger_ruby /usr/bin/ruby;

    ##
    # Virtual Host Configs
    ##

    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}

sites-enabled:

upstream app {
    # Path to Puma SOCK file, as defined previously
    server unix:/home/deploy/the-grove-academy/shared/tmp/sockets/puma.sock fail_timeout=0;
}

server {
    listen 80;
    rewrite ^(.*) https://$host$1 permanent;

    server_name family.thegroveacademy.com.au localhost;
}

server {
    listen 443 default ssl;

    server_name family.thegroveacademy.com.au localhost;

    ssl on;

    ssl_certificate /home/deploy/tga_parent_certs/family.thegroveacademy.com.au.crt;
    ssl_certificate_key /home/deploy/tga_parent_certs/family.thegroveacademy.com.au.key;

    ssl_certificate /etc/letsencrypt/live/family.thegroveacademy.com.au/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/family.thegroveacademy.com.au/privkey.pem;

    ssl_session_timeout 5m;

    ssl_protocols SSLv2 SSLv3 TLSv1;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    root /home/deploy/the-grove-academy/public;

    try_files $uri/index.html $uri @app;

    location / {
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_redirect off;
        proxy_http_version 1.1;
        proxy_set_header Connection '';
        proxy_pass http://app;
        proxy_read_timeout 300;
    }

    error_page 500 502 503 504 /500.html;
    client_max_body_size 4G;
    keepalive_timeout 300;
}

Add the code I suggested inside the port 443 server, reload nginx, and try run Certbot again with --dry-run (this will just do a test run to see if the change will fix your problem).

server {
    listen 443 default ssl;

    server_name family.thegroveacademy.com.au localhost;

    location /.well-known/acme-challenge/ {
        root /usr/share/nginx/html;
    }

    ssl on;

    ssl_certificate /home/deploy/tga_parent_certs/family.thegroveacademy.com.au.crt;
    ssl_certificate_key /home/deploy/tga_parent_certs/family.thegroveacademy.com.au.key;

    ssl_certificate /etc/letsencrypt/live/family.thegroveacademy.com.au/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/family.thegroveacademy.com.au/privkey.pem;

    ssl_session_timeout 5m;

    ssl_protocols SSLv2 SSLv3 TLSv1;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    root /home/deploy/the-grove-academy/public;

    try_files $uri/index.html $uri @app;

    location / {
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_redirect off;
        proxy_http_version 1.1;
        proxy_set_header Connection '';
        proxy_pass http://app;
        proxy_read_timeout 300;
    }

    error_page 500 502 503 504 /500.html;
    client_max_body_size 4G;
    keepalive_timeout 300;
}

Can i try right now or wait until this rate limit has subsided?

For the actual renewal you’ll have to wait, but you can try with --dry-run right now to see whether it will work in an hour, since it is not affected by rate limits.


Processing /etc/letsencrypt/renewal/family.thegroveacademy.com.au.conf

Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for family.thegroveacademy.com.au
Waiting for verification…
Cleaning up challenges


new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/family.thegroveacademy.com.au/fullchain.pem


** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/family.thegroveacademy.com.au/fullchain.pem (success)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)

seems like everything is ok now?

Yes, looks like that will work :slight_smile:.

Thanks a lot. You are very helpful!

I ran this command: /usr/bin/certbot renew --quiet --renew-hook "service ngnix restart"
and afterwards I tried to check the site: https://family.thegroveacademy.com.au/, but SSL still doesn't work…
Also tried: certbot renew --pre-hook "service nginx stop" --post-hook "service nginx start"
and got:

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/family.thegroveacademy.com.au.conf

Cert not yet due for renewal


The following certs are not due for renewal yet:
/etc/letsencrypt/live/family.thegroveacademy.com.au/fullchain.pem (skipped)
No renewals were attempted.
No hooks were run.

nginx -t
grep -REI ssl_certificate /etc/nginx

Also try a manual reload, it’s possible that a renewal ran automatically in the background that didn’t reload nginx:

service nginx reload
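The symptom in this post (renewal already done on disk, site still presenting the old certificate) is quick to confirm without guessing. The following is an added example, not code from the thread or from Certbot: it fetches the leaf certificate nginx actually presents for the host name and compares its SHA-256 fingerprint with the leaf in the fullchain.pem certbot wrote. A mismatch after a successful renewal means the reload never happened or a different ssl_certificate path is in effect. Host name and path are the ones from the thread; the PEM strings used for the offline self-check are constructed dummies with valid PEM framing, not real certificates.

```python
"""Does nginx serve the certificate certbot wrote to disk?

Added example (not from the thread). Uses only the standard library:
ssl.get_server_certificate() for the live fetch and ssl.PEM_cert_to_DER_cert()
to hash the DER bytes, which is the fingerprint most tools display.
"""
import hashlib
import ssl

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def leaf_pem(bundle: str) -> str:
    """First certificate of a PEM bundle (fullchain.pem lists the leaf first)."""
    start = bundle.index(BEGIN)
    end = bundle.index(END, start) + len(END)
    return bundle[start:end]


def der_sha256(pem: str) -> str:
    """SHA-256 over the DER encoding of one PEM certificate."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()


def same_certificate(served_pem: str, disk_bundle: str) -> bool:
    """True when the served leaf is byte-identical to the leaf on disk."""
    return der_sha256(served_pem) == der_sha256(leaf_pem(disk_bundle))


def check_live(host: str, fullchain_path: str, port: int = 443) -> bool:
    """Network check: fetch the leaf presented for `host` (the host name is sent
    as SNI, no chain validation) and compare it with the leaf in fullchain_path."""
    served = ssl.get_server_certificate((host, port))
    with open(fullchain_path) as f:
        return same_certificate(served, f.read())


# Constructed dummy PEMs for an offline self-check; the base64 bodies decode
# to arbitrary bytes, they are not certificates.
DUMMY_A = BEGIN + "\nAAAA\n" + END + "\n"
DUMMY_B = BEGIN + "\nAAAB\n" + END + "\n"
DUMMY_BUNDLE = DUMMY_A + DUMMY_B  # leaf first, then an "intermediate"

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "family.thegroveacademy.com.au"
    path = sys.argv[2] if len(sys.argv) > 2 else "/etc/letsencrypt/live/%s/fullchain.pem" % host
    ok = check_live(host, path)
    print("served certificate matches %s: %s" % (path, ok))
    if not ok:
        print("nginx is not serving the renewed file; reload it (service nginx reload) and re-run")
```

Run it once before and once after `service nginx reload`; combined with `grep -REI ssl_certificate /etc/nginx` it also tells you which of several ssl_certificate paths is the one clients actually see.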

OK, thanks again. It's fine now.

If your /etc/letsencrypt/renewal/family.thegroveacademy.com.au.conf doesn’t contain a hook to reload nginx, you may need to manually modify that file so you don’t have to reload nginx next time.
