Produced an unexpected error: Missing command line flag or config entry for this setting:

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: sekretyrozwojuosobistego.pl

I ran this command: certbot renew

It produced this output:

Attempting to parse the version 1.10.1 renewal configuration file found at /etc/letsencrypt/renewal/sekretyrozwojuosobistego.pl-0001.conf with version 0.40.0 of Certbot. This might not work.
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for sekretyrozwojuosobistego.pl
http-01 challenge for www.sekretyrozwojuosobistego.pl
Cleaning up challenges
Attempting to renew cert (sekretyrozwojuosobistego.pl-0001) from /etc/letsencrypt/renewal/sekretyrozwojuosobistego.pl-0001.conf produced an unexpected error: Missing command line flag or config entry for this setting:
Input the webroot for sekretyrozwojuosobistego.pl:. Skipping.
...
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/sekretyrozwojuosobistego.pl-0001/fullchain.pem (failure)
/etc/letsencrypt/live/sklep.sergiosdorje.com/fullchain.pem (failure)

My web server is (include version): nginx/1.18.0 (Ubuntu)

The operating system my web server runs on is (include version): ubuntu 20

I can login to a root shell on my machine (yes or no, or I don't know): yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 0.40.0

On this machine I have many sites with certificates. All are WordPress, and it was easy to install the certificates, because it used the site root directory and put temporary files there.

However this site I am having a problem with does not have a root directory accessible by the web.
This is an Express.js server, that is proxied via Nginx.

In the past this site was on another machine. Another person helped me to put that certificate.
It was working fine. I moved to this new server. It was working fine until now. In 20 days the cert will expire.
And it can't be renewed. I remember we added a record to the dns in order to assign this new certificate.

Can anybody help to renew this certificate? What can I do?

Welcome Back to the Let's Encrypt Community :slightly_smiling_face:

You need to specify the webroot for each website. This is the base folder containing the contents of a website. For nginx, this is usually the path specified with the root directive in your nginx conf files.

The idea is to add -w root/path before any -d domain in your certbot command. Since renew is non-interactive, it doesn't allow you to manually type the webroots.

For example:

certbot certonly --cert-name sekretyrozwojuosobistego.pl-0001 --webroot -w /var/www/sekretyrozwojuosobistego.pl/public_html -d "sekretyrozwojuosobistego.pl,www.sekretyrozwojuosobistego.pl" --deploy-hook "nginx -s reload"
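
The failure mode discussed above, as an added example that is not part of the original thread: a pre-flight check that reads a renewal configuration and reports when the webroot authenticator is selected but no webroot was saved, which is the case where the non-interactive `certbot renew` has nothing to fall back on. The file layout (`[renewalparams]`, `webroot_path`, `[[webroot_map]]`) is assumed from typical Certbot renewal files; the sample configs, the `example.test` names and the helper names are constructed for illustration.

```python
import re

# Constructed sample mirroring the failing lineage: webroot authenticator,
# but no webroot_path and no [[webroot_map]] entries saved with it.
BROKEN_CONF = """\
version = 1.10.1
archive_dir = /etc/letsencrypt/archive/example.test-0001
[renewalparams]
authenticator = webroot
account = 0123456789abcdef
"""

# Constructed sample of a lineage that can renew unattended.
GOOD_CONF = """\
version = 1.10.1
[renewalparams]
authenticator = webroot
webroot_path = /var/www/example.test/public_html,
[[webroot_map]]
example.test = /var/www/example.test/public_html
www.example.test = /var/www/example.test/public_html
"""

def parse_renewal_conf(text):
    """Parse the ConfigObj-style file into {section_name: {key: value}}."""
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[+\s*([^\[\]]+?)\s*\]+", line)
        if header:  # [section] or nested [[section]]
            current = header.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def renewal_problems(text, domains):
    """Return reasons why 'certbot renew' would have to prompt for input."""
    conf = parse_renewal_conf(text)
    params = conf.get("renewalparams", {})
    if params.get("authenticator") != "webroot":
        return []  # other authenticators do not need a saved webroot
    webroot_map = conf.get("webroot_map", {})
    default_paths = [p for p in params.get("webroot_path", "").split(",") if p.strip()]
    return [f"no webroot saved for {d}" for d in domains
            if d not in webroot_map and not default_paths]
```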

Thank you for the warm welcome.

Unfortunately for this specific website there is not a webroot.
The files are created dynamically. It is not an HTML site, it is not a WordPress site that has a root.

Also for this site there is not a root directive in nginx.

This is an express.js site without a root directory. The files are generated automatically on each node.js build.

A different solution than a webroot is needed here.

Are you running certbot from the nginx proxy server? Are you terminating SSL/TLS (serving your SSL/TLS certificates) from the nginx proxy server?

Yes, nginx is a proxy:

server {
        listen 443 ssl;
        server_name sekretyrozwojuosobistego.pl www.sekretyrozwojuosobistego.pl;
        ssl_certificate /etc/letsencrypt/live/sekretyrozwojuosobistego.pl-0001/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/sekretyrozwojuosobistego.pl-0001/privkey.pem;

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';

        location /  {

#               auth_basic  "Work in progress";
#               auth_basic_user_file /etc/nginx/restricted/.htpasswd;


                proxy_pass    http://localhost:3006;
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection 'upgrade';
                proxy_set_header Host $host;
                proxy_cache_bypass $http_upgrade;
        }
}

And the listen 80 server block?

Try this:

certbot certonly --cert-name sekretyrozwojuosobistego.pl-0001 --nginx -d "sekretyrozwojuosobistego.pl,www.sekretyrozwojuosobistego.pl" --dry-run

Here is all:

server {
        listen 80;
#listen 443 ssl;
        server_name sekretyrozwojuosobistego.pl www.sekretyrozwojuosobistego.pl;
#ssl_certificate /etc/letsencrypt/live/sekretyrozwojuosobistego.pl/ca-bundle.pem;
#ssl_certificate_key /etc/letsencrypt/live/sekretyrozwojuosobistego.pl/private-key.pem;
#location /     {
#proxy_pass http://localhost:3006;

#}
  return 301 https://$host$request_uri;
}




server {
        listen 443 ssl;
        server_name sekretyrozwojuosobistego.pl www.sekretyrozwojuosobistego.pl;
        ssl_certificate /etc/letsencrypt/live/sekretyrozwojuosobistego.pl-0001/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/sekretyrozwojuosobistego.pl-0001/privkey.pem;

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';

        location /  {

#               auth_basic  "Work in progress";
#               auth_basic_user_file /etc/nginx/restricted/.htpasswd;


                proxy_pass    http://localhost:3006;
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection 'upgrade';
                proxy_set_header Host $host;
                proxy_cache_bypass $http_upgrade;
        }
}
$ nginx certonly --cert-name sekretyrozwojuosobistego.pl-0001 --nginx -d "sekretyrozwojuosobistego.pl,www.sekretyrozwojuosobistego.pl" --dry-run

nginx: invalid option: "certonly"

I fixed it. Check again.

$ sudo certbot certonly --cert-name sekretyrozwojuosobistego.pl-0001 --nginx -d "sekretyrozwojuosobistego.pl,www.sekretyrozwojuosobistego.pl" --dry-run

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Account registered.
Cert is due for renewal, auto-renewing...
Simulating renewal of an existing certificate for sekretyrozwojuosobistego.pl and www.sekretyrozwojuosobistego.pl
Performing the following challenges:
http-01 challenge for sekretyrozwojuosobistego.pl
http-01 challenge for www.sekretyrozwojuosobistego.pl
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - The dry run was successful.

Beautiful! :smiley:

What's the output of certbot certificates ?

Plenty of other certificates (valid), and:

Certificate Name: sekretyrozwojuosobistego.pl-0001
    Serial Number: 3018ab128fff2d04c5e91c12b20854fcf30
    Key Type: RSA
    Domains: sekretyrozwojuosobistego.pl www.sekretyrozwojuosobistego.pl
    Expiry Date: 2021-03-30 21:31:12+00:00 (VALID: 19 days)
    Certificate Path: /etc/letsencrypt/live/sekretyrozwojuosobistego.pl-0001/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/sekretyrozwojuosobistego.pl-0001/privkey.pem

Do you have a Certificate Name of sekretyrozwojuosobistego.pl (without the -0001)?

No, this name was automatically generated in the old server. It was just copied here manually.

All the other sites do not have such suffixes.

Let's do this piecemeal then...

First...

certbot certonly --cert-name sekretyrozwojuosobistego.pl --nginx -d "sekretyrozwojuosobistego.pl,www.sekretyrozwojuosobistego.pl" --deploy-hook "nginx -s reload"

What did it do?

$ sudo certbot certonly --cert-name sekretyrozwojuosobistego.pl --nginx -d "sekretyrozwojuosobistego.pl,www.sekretyrozwojuosobistego.pl" --deploy-hook "nginx -s reload"
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Requesting a certificate for sekretyrozwojuosobistego.pl and www.sekretyrozwojuosobistego.pl
Performing the following challenges:
http-01 challenge for sekretyrozwojuosobistego.pl
http-01 challenge for www.sekretyrozwojuosobistego.pl
Waiting for verification...
Cleaning up challenges
Running deploy-hook command: nginx -s reload
Error output from deploy-hook command nginx:
nginx: [warn] conflicting server name "http2" on 0.0.0.0:443, ignored


IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/sekretyrozwojuosobistego.pl/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/sekretyrozwojuosobistego.pl/privkey.pem
   Your certificate will expire on 2021-06-08. To obtain a new or
   tweaked version of this certificate in the future, simply run
   certbot again. To non-interactively renew *all* of your
   certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

It successfully acquired a certificate and put it under Certificate Name of sekretyrozwojuosobistego.pl. It also created a "deployment hook" associated with the certbot renewal configuration for sekretyrozwojuosobistego.pl that gracefully reloads the nginx server when the certificate is successfully acquired (or renewed).

Second...

Edit the nginx conf file containing the configuration info you gave me above and remove the -0001 from the ssl_certificate and ssl_certificate_key directives.

When that's done, run:

nginx -s reload

Wow! It looks like it now works fine. Certbot certificates sees it updated.
So now it should update automatically regularly?
