Recent Renewal issues

I have been using letsencrypt for ~2 years. I have multiple domains on this server, all renewing fine. I have one domain which is now not renewing.

My domain is: example.com

I ran this command: certbot renew

It produced this output:

1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: example.com
   Type:   unauthorized
   Detail: Invalid response from
   https://www.example.com/.well-known/acme-challenge/iNNET70129MHp2KLjakforoUSCjiDXkn1sHHbzh0vrA
   [195.224.139.115]: "<html>\r\n<head><title>404 Not
   Found</title></head>\r\n<body>\r\n<center><h1>404 Not
   Found</h1></center>\r\n<hr><center>nginx/1.16.1</ce"

   Domain: www.example.com
   Type:   unauthorized
   Detail: Invalid response from
   https://www.example.com/.well-known/acme-challenge/An-hKzN48fU3tlN7Y5kJEDxIVBTZJf7dRBDCWGL8FRs
   [195.224.139.115]: "<html>\r\n<head><title>404 Not
   Found</title></head>\r\n<body>\r\n<center><h1>404 Not
   Found</h1></center>\r\n<hr><center>nginx/1.16.1</ce"

My web server is (include version):
Nginx 1.16.1

The operating system my web server runs on is (include version):
FreeBSD 12.1-Release

My hosting provider, if applicable, is:
N/A self hosted

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 1.3.0

I have the following nginx vhost:

    server {
        # listen on port 80
        listen         80;
        server_name    www.example.co.uk;
        # Forward all traffic to SSL
        return         301 https://www.example.com$request_uri;
    }

    server {
        # listen on port 80
        listen         80;
        server_name    example.com;
        # Forward all traffic to SSL
        return         301 https://www.example.com$request_uri;
    }

    server {
        # listen on port 80
        listen         80;
        server_name    example.co.uk;
        # Forward all traffic to SSL
        return         301 https://www.example.com$request_uri;
    }

    server {
        listen                 443 ssl;
        ssl                    on;
        ssl_certificate        /usr/local/etc/letsencrypt/live/example.com/fullchain.pem;
        ssl_certificate_key    /usr/local/etc/letsencrypt/live/example.com/privkey.pem;
        server_name            www.example.com;

        client_max_body_size     10M;
        client_body_buffer_size  128k;

        location ~ /.well-known/acme-challenge/ {
            root    /usr/local/www/nginx/example;
            allow   all;
        }

        location / {
            add_header Access-Control-Allow-Origin *;
            add_header Access-Control-Max-Age 3600;
            add_header Access-Control-Expose-Headers Content-Length;
            add_header Access-Control-Allow-Headers Range;
            proxy_set_header Host $host;
            proxy_pass  http://10.1.1.6:8000;
            allow   all;
        }

        error_page 404 /404.html;
        location = /404.html {
            root    /home/luke/custom_404;
            allow   all;
        }

        error_page 403 /403.html;
        location = /403.html {
            root    /home/luke/custom_404;
            allow   all;
        }

        error_page 500 502 503 504 /500.html;
        location = /500.html {
            root    /home/luke/custom_404;
            allow   all;
        }
    }

What's even stranger is that if I place a file in “/usr/local/www/nginx/ng-example/.well-known/acme-challenge/foo” I can download it by navigating to https://www.example.com/.well-known/acme-challenge/foo. Does anyone in here have any ideas as to what might be wrong? This config looks identical to others running with letsencrypt?

How did you originally get the certificates for these hostnames? I.e., which plugin was used? This is also covered in the log file of the certbot run.


Hi, originally the certificate was produced with:

certbot certonly --webroot -w /usr/local/www/nginx/ng-solenti -d example.com -d www.example.com
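A webroot renewal can return 404 while a hand-placed file is served if the directory certbot writes the token to is not the directory nginx's acme-challenge `location` reads from. The check below is an added example, not code from this thread or from Certbot: it pulls the `root` of the acme-challenge location out of an nginx server block, reads the `[[webroot_map]]` that certbot keeps in its renewal config, and reports the path certbot would write a token to next to the path nginx would read it from. Both inputs are constructed samples modelled on the thread; the renewal-config layout and the use of `root` (not `alias`) in the location are assumptions.

```python
import re
# Constructed sample inputs modelled on the thread, not the poster's real files.
NGINX_VHOST = """\
server {
    listen 443 ssl;
    server_name www.example.com;
    location ~ /.well-known/acme-challenge/ {
        root /usr/local/www/nginx/example;
        allow all;
    }
}
"""
# Certbot records the webroot used at issuance under [[webroot_map]] in its
# renewal config (assumed: /usr/local/etc/letsencrypt/renewal/<name>.conf here).
RENEWAL_CONF = """\
[renewalparams]
authenticator = webroot
[[webroot_map]]
example.com = /usr/local/www/nginx/ng-solenti
www.example.com = /usr/local/www/nginx/ng-solenti
"""
ACME_DIR = ".well-known/acme-challenge"

def nginx_acme_root(conf):
    """`root` of the ACME location; nginx appends the full request URI to `root`."""
    for m in re.finditer(r"location\s+(?:[=~*^]+\s+)?(\S+)\s*\{([^}]*)\}", conf):
        if "acme-challenge" in m.group(1):
            root = re.search(r"\broot\s+(\S+);", m.group(2))
            return root.group(1) if root else None
    return None

def certbot_webroots(conf):
    """Hostname -> webroot directory from the [[webroot_map]] section."""
    roots, in_map = {}, False
    for line in (raw.strip() for raw in conf.splitlines()):
        if line.startswith("["):
            in_map = line == "[[webroot_map]]"
        elif in_map and "=" in line:
            name, path = (s.strip() for s in line.split("=", 1))
            roots[name] = path
    return roots

def diagnose(nginx_conf, renewal_conf, domain, token="TOKEN"):
    """Compare where certbot writes the challenge file with where nginx reads it."""
    webroot = certbot_webroots(renewal_conf).get(domain)
    nginx_root = nginx_acme_root(nginx_conf)
    written = f"{webroot}/{ACME_DIR}/{token}" if webroot else None
    served = f"{nginx_root}/{ACME_DIR}/{token}" if nginx_root else None
    return {"written": written, "served": served,
            "match": written is not None and written == served}
```

On the real host, feed `diagnose` the contents of the vhost file and of the renewal config for the certificate that fails; `match` is False whenever the two directories differ for a hostname.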
