Renew certificate failure

I'm running into renewal problems on a test server. I've made some changes to my nginx.conf since I created the certificate but the server has been working fine.

My DNS resolves properly, I created .well-known/acme-challenge and made sure it is reachable via https.

I've read about similar problems and it seems this whole process is very delicate. I've made numerous changes but nothing solves the problem. Here is the current and relevant portion of my nginx.conf file.

index  index.php index.html index.htm;
server {
    listen       80;
    server_name  www.catspaw.club catspaw.club;
    return 301 https://$server_name$request_uri;
}

server {
    listen       443 ssl default_server;
    #listen       [::]:443 ssl default_server;
    server_name  catspaw.club www.catspaw.club;
    ssl_certificate "/usr/local/etc/letsencrypt/live/www.catspaw.club/cert.pem";
    ssl_certificate_key "/usr/local/etc/letsencrypt/live/www.catspaw.club/privkey.pem";
    error_log /var/log/nginx/error.log;
    error_page   500 502 503 504  /50x.html;

    root   /usr/local/www/nginx-dist;
    …
    location ~ /.well-known {
        allow all;
    }

Steve

My domain is: catspaw.club

I ran this command: certbot renew

It produced this output:

root@selby:~ # certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /usr/local/etc/letsencrypt/renewal/www.catspaw.club.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for catspaw.club
http-01 challenge for www.catspaw.club
Waiting for verification...
Challenge failed for domain catspaw.club
Challenge failed for domain www.catspaw.club
http-01 challenge for catspaw.club
http-01 challenge for www.catspaw.club
Cleaning up challenges
Attempting to renew cert (www.catspaw.club) from /usr/local/etc/letsencrypt/renewal/www.catspaw.club.conf produced an unexpected error: Some challenges have failed.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /usr/local/etc/letsencrypt/live/www.catspaw.club/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

All renewal attempts failed. The following certs could not be renewed:
  /usr/local/etc/letsencrypt/live/www.catspaw.club/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: catspaw.club
   Type:   unauthorized
   Detail: Invalid response from
   https://www.catspaw.club/.well-known/acme-challenge/QIkuVVIveDwVmrj6AfGJR7SflNb9CBAn0nqmvXjJXBY
   [50.116.12.132]: "<html>\r\n<head><title>404 Not
   Found</title></head>\r\n<body>\r\n<center><h1>404 Not
   Found</h1></center>\r\n<hr><center>nginx</center>\r\n"

   Domain: www.catspaw.club
   Type:   unauthorized
   Detail: Invalid response from
   https://www.catspaw.club/.well-known/acme-challenge/hWvpRwbJOGvj_CKKVa4thuLB_xNO1XDVqrhn_wcGOTs
   [50.116.12.132]: "<html>\r\n<head><title>404 Not
   Found</title></head>\r\n<body>\r\n<center><h1>404 Not
   Found</h1></center>\r\n<hr><center>nginx</center>\r\n"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

My web server is (include version):

nginx 1.18.0

The operating system my web server runs on is (include version):

FreeBSD 12.1

My hosting provider, if applicable, is:

Linode

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.8.0

1 Like

The standalone plugin is suitable when you do not have a web server, or when you are proxying requests through to Certbot.

It creates its own webserver on port 80 when it runs. Since nginx is also bound to port 80, trying to use both at once would result in a conflict.

You can try renewing using the nginx authenticator instead:

certbot renew --cert-name www.catspaw.club -a nginx --dry-run

If that works, you can remove --dry-run to do it for real. The choice of authenticator will be saved for next time.

1 Like

Apparently, I'm missing the "nginx plugin". Does that mean more python dependencies?

root@selby:~ # certbot renew --cert-name www.catspaw.club -a nginx --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /usr/local/etc/letsencrypt/renewal/www.catspaw.club.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Could not choose appropriate plugin: The requested nginx plugin does not appear to be installed
Attempting to renew cert (www.catspaw.club) from /usr/local/etc/letsencrypt/renewal/www.catspaw.club.conf produced an unexpected error: The requested nginx plugin does not appear to be installed. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /usr/local/etc/letsencrypt/live/www.catspaw.club/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
  /usr/local/etc/letsencrypt/live/www.catspaw.club/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
1 Like

I'm not sure about FreeBSD packaging, sorry. It may be the py-certbot-nginx package.

If you do not want to install another dependency, there is also a more basic route you can go, which is to use webroot-based authentication.

Basically you'll want to add something like this to the port 80 server:

location /.well-known/acme-challenge/ { root /path/to/some/empty/dir/; }

and then renew using the webroot authenticator:

certbot renew --cert-name www.catspaw.club --webroot -w /path/to/some/empty/dir/ --dry-run
1 Like
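The two replies above (certbot's standalone server needing port 80 while nginx already holds it, and the webroot location block as the alternative) both come down to one question: does a request for http://<name>/.well-known/acme-challenge/<token> reach a server that serves the file certbot just wrote? Below is an added self-check, not code from the thread or from certbot, that writes a token into a webroot, fetches it over HTTP, and reports the status. A throwaway Python web server stands in for nginx so the check runs offline; the `serve_directory` helper, the temporary-directory layout and the `run_demo` function are assumptions of this example, not part of any certbot workflow. A 404 with the server's own error page, as in the first post, means the request was answered by a web server whose document root is somewhere else, which is exactly what happens when nginx, rather than certbot's standalone listener, is the one answering on port 80.

```python
"""Added example: pre-renewal self-check for webroot-based http-01 validation.

Not code from the thread or from certbot. It reproduces the mechanism the
webroot authenticator relies on (a token file placed under
<webroot>/.well-known/acme-challenge/ must be served verbatim at the
challenge URL) and the failure seen in the thread (a 404 from a web server
that answers for the name but does not serve that webroot).
"""
import functools
import http.server
import secrets
import tempfile
import threading
import urllib.error
import urllib.request
from pathlib import Path

CHALLENGE_DIR = ".well-known/acme-challenge"

# Ignore proxy environment variables so the probe goes straight to the host in base_url.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def place_token(webroot):
    """Write a random token file the way certbot's webroot plugin would; return the token."""
    token = secrets.token_urlsafe(32)
    target = Path(webroot) / CHALLENGE_DIR
    target.mkdir(parents=True, exist_ok=True)
    (target / token).write_text(token)
    return token


def fetch_challenge(base_url, token, timeout=5.0):
    """GET the challenge URL and return (status, body). 4xx/5xx responses are
    returned rather than raised, because the status code is the diagnostic."""
    url = f"{base_url}/{CHALLENGE_DIR}/{token}"
    try:
        with _OPENER.open(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode(errors="replace")


def check_webroot(webroot, base_url):
    """Place a token, fetch it through the web server, remove it, and return
    (ok, status). ok is True only when the body served is exactly the token."""
    token = place_token(webroot)
    try:
        status, body = fetch_challenge(base_url, token)
    finally:
        (Path(webroot) / CHALLENGE_DIR / token).unlink(missing_ok=True)
    return status == 200 and body == token, status


class _QuietHandler(http.server.SimpleHTTPRequestHandler):
    def log_message(self, *args):  # keep demo output readable
        pass


def serve_directory(directory):
    """Start a throwaway local web server for <directory> on an ephemeral port and
    return (server, base_url). Stands in for nginx so the check can run offline."""
    handler = functools.partial(_QuietHandler, directory=directory)
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def run_demo():
    """Return ((ok, status) with the served webroot, (ok, status) with a wrong one)."""
    with tempfile.TemporaryDirectory() as served, tempfile.TemporaryDirectory() as other:
        server, base_url = serve_directory(served)
        try:
            good = check_webroot(served, base_url)  # token lands where the server looks: 200
            bad = check_webroot(other, base_url)    # token written elsewhere: server answers 404
        finally:
            server.shutdown()
            server.server_close()
    return good, bad


if __name__ == "__main__":
    good, bad = run_demo()
    print("correct webroot:", good)  # (True, 200)
    print("wrong webroot:  ", bad)   # (False, 404)
```

Against a real host, call `check_webroot("/path/to/some/empty/dir/", "http://catspaw.club")` with the same directory passed to `-w`, and use plain http in the URL, since that is where the CA's validation request starts (it will follow the 301 to https just as certbot's error output shows). Requires Python 3.8 or newer for `unlink(missing_ok=True)`.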

Oddly, the combination of your renew command and the nginx plugin worked in dry-run mode, but when I removed dry-run it didn't work. And then when I tried dry-run again it failed!

root@selby:~ # pkg install py37-certbot-nginx-1.8.0
...
root@selby:~ # certbot renew --cert-name www.catspaw.club -a nginx --dry-run
...
Congratulations, all renewals succeeded. The following certs have been renewed:

But without dry-run it failed:

root@selby:~ # certbot renew --cert-name www.catspaw.club -a nginx 

Processing /usr/local/etc/letsencrypt/renewal/www.catspaw.club.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for catspaw.club
http-01 challenge for www.catspaw.club
Waiting for verification...
Challenge failed for domain www.catspaw.club
http-01 challenge for www.catspaw.club
Cleaning up challenges
Attempting to renew cert (www.catspaw.club) from /usr/local/etc/letsencrypt/renewal/www.catspaw.club.conf produced an unexpected error: Some challenges have failed.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /usr/local/etc/letsencrypt/live/www.catspaw.club/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

All renewal attempts failed. The following certs could not be renewed:
  /usr/local/etc/letsencrypt/live/www.catspaw.club/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: www.catspaw.club
   Type:   dns
   Detail: No valid IP addresses found for www.catspaw.club
1 Like

Well, I don't think that's your fault.

It looks like something is wrong with Linode's DNS hosting and it's randomly returning NXDOMAIN when queried for your domain.

Here's a good response:

$ dig -6 @ns1.linode.com www.catspaw.club

; <<>> DiG 9.16.1-Ubuntu <<>> -6 @ns1.linode.com www.catspaw.club
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25952
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 11
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;www.catspaw.club.              IN      A

;; ANSWER SECTION:
www.catspaw.club.       86400   IN      CNAME   catspaw.club.
catspaw.club.           86400   IN      A       50.116.12.132

;; AUTHORITY SECTION:
catspaw.club.           86400   IN      NS      ns4.linode.com.
catspaw.club.           86400   IN      NS      ns1.linode.com.
catspaw.club.           86400   IN      NS      ns5.linode.com.
catspaw.club.           86400   IN      NS      ns2.linode.com.
catspaw.club.           86400   IN      NS      ns3.linode.com.

;; ADDITIONAL SECTION:
ns1.linode.com.         300     IN      A       162.159.27.72
ns1.linode.com.         300     IN      AAAA    2400:cb00:2049:1::a29f:1a63
ns2.linode.com.         300     IN      A       162.159.24.39
ns2.linode.com.         300     IN      AAAA    2400:cb00:2049:1::a29f:1827
ns3.linode.com.         300     IN      A       162.159.25.129
ns3.linode.com.         300     IN      AAAA    2400:cb00:2049:1::a29f:1981
ns4.linode.com.         300     IN      A       162.159.26.99
ns4.linode.com.         300     IN      AAAA    2400:cb00:2049:1::a29f:1b48
ns5.linode.com.         300     IN      A       162.159.24.25
ns5.linode.com.         300     IN      AAAA    2400:cb00:2049:1::a29f:1819

;; Query time: 300 msec
;; SERVER: 2400:cb00:2049:1::a29f:1a63#53(2400:cb00:2049:1::a29f:1a63)
;; WHEN: Tue Dec 15 09:59:23 AEDT 2020
;; MSG SIZE  rcvd: 395

Here's a bad response for the exact same query:

$ dig -6 @ns1.linode.com www.catspaw.club

; <<>> DiG 9.16.1-Ubuntu <<>> -6 @ns1.linode.com www.catspaw.club
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 32598
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;www.catspaw.club.              IN      A

;; AUTHORITY SECTION:
catspaw.club.           86400   IN      SOA     ns1.linode.com. info.steephill.tv. 2021000007 14400 14400 1209600 86400

;; Query time: 260 msec
;; SERVER: 2400:cb00:2049:1::a29f:1a63#53(2400:cb00:2049:1::a29f:1a63)
;; WHEN: Tue Dec 15 09:59:26 AEDT 2020
;; MSG SIZE  rcvd: 112

Sorry. You could try getting in contact with Linode support and showing them this post.

Otherwise, you could try again and hope that (through random chance) your renewal succeeds.

Finally, assuming this is some kind of anycast DNS caching problem on Linode's side, you could simply try to wait the problem out. Though this would only apply if you recently changed your DNS records.

2 Likes

Thanks. You were right. I re-ran your renew command as you suggested without any changes and it worked. I'll contact Linode, because won't the flaky DNS resolving affect random web visitors too?

2 Likes

To some extent, probably. However, it's less likely to affect random web visitors as they will be using caching DNS resolvers like 8.8.8.8 or 1.1.1.1 or their ISPs'.

Let's Encrypt's resolvers don't cache ~anything, which means it's more likely that the problem will manifest itself there.

1 Like
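The two dig captures above show the same authoritative server answering NOERROR and then NXDOMAIN for the same name a few seconds apart, and the reply just above explains why a validation resolver that caches nothing is the first to notice. The script below is an added example (not from the thread and not a Let's Encrypt or Linode tool) that does that comparison mechanically from the defender's side: it sends a minimal raw DNS query (recursion not requested, no EDNS) to each authoritative server several times and tallies the response codes, flagging any server whose answers disagree with themselves. The packet builder, header parser and `inconsistent` check are this example's own; the only page-derived values are the nameserver addresses from the dig output, used in the `__main__` block.

```python
"""Added example: probe each authoritative nameserver repeatedly and report
servers that answer the same question inconsistently (NOERROR vs NXDOMAIN).
Not code from the thread; standard library only."""
import collections
import secrets
import socket
import struct

RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name, qtype=1):
    """Build a minimal DNS query for <name> (A record by default) and return
    (txid, packet). RD is left clear: we want the authoritative server's own
    answer, as a non-caching validation resolver would receive it."""
    txid = secrets.randbelow(0x10000)
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)  # id, flags, QD=1, AN, NS, AR
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return txid, header + qname + struct.pack("!HH", qtype, 1)  # qtype, qclass IN


def parse_header(response, expected_txid):
    """Decode the 12-byte DNS header: enough to tell NOERROR-with-answers from
    NXDOMAIN without parsing resource records."""
    if len(response) < 12:
        raise ValueError("truncated DNS response")
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    rcode = flags & 0x000F
    return {"rcode": RCODE_NAMES.get(rcode, f"RCODE{rcode}"),
            "aa": bool(flags & 0x0400),
            "answers": ancount}


def classify(hdr):
    """Collapse a parsed header into one outcome label."""
    if hdr["rcode"] == "NOERROR":
        return "NOERROR" if hdr["answers"] > 0 else "NODATA"
    return hdr["rcode"]


def probe(server_ip, name, attempts=5, timeout=2.0):
    """Send the same query <attempts> times to one server; return a Counter of outcomes."""
    tally = collections.Counter()
    for _ in range(attempts):
        txid, packet = build_query(name)
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            try:
                sock.sendto(packet, (server_ip, 53))
                data, _ = sock.recvfrom(4096)
            except (socket.timeout, OSError):
                tally["TIMEOUT"] += 1
                continue
        try:
            tally[classify(parse_header(data, txid))] += 1
        except ValueError as exc:
            tally[f"BAD({exc})"] += 1
    return tally


def inconsistent(tally):
    """True when a server produced more than one kind of answer to the same
    question, the 'randomly NXDOMAIN' pattern seen in the thread."""
    return len(tally) > 1


def probe_all(servers, name, attempts=5):
    return {ip: probe(ip, name, attempts) for ip in servers}


if __name__ == "__main__":
    # ns1..ns5.linode.com, addresses taken from the dig output in the thread.
    linode_ns = ["162.159.27.72", "162.159.24.39", "162.159.25.129",
                 "162.159.26.99", "162.159.24.25"]
    for ip, tally in probe_all(linode_ns, "www.catspaw.club").items():
        print(f"{ip:16} {dict(tally)} {'INCONSISTENT' if inconsistent(tally) else 'ok'}")
```

Run it once for each name on the certificate (the apex and the www label) before a renewal; a server that is flagged INCONSISTENT for either name will fail validation intermittently no matter how the nginx side is configured, and a public caching resolver will hide the same fault from ordinary visitors most of the time.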

And LE checks both names; users only type in one name.

It seems like the CNAME option is having caching problems as of late.
You might want to try using two identical A records instead of A & CNAME.

1 Like

Linode doesn't allow two identical A records, i.e. www.domain.com and domain.com.

1 Like

hmm...
Does the A record require the three dots?
If not, use "846466180" for the second A record.

1 Like

Sorry, I don't understand the format of A records enough to answer your question. Do you have a resource you can point me to?

What does "846466180" represent?

I've deleted the CNAME record with just www in it and was then able to successfully add www.catspaw.club as the second A record. Is that a better setup?

2 Likes

PING it.

That is what was originally asked for and you said:

[probably because you had to delete the CNAME first]

1 Like

re: PING it.

Ok. So, 846466180 is the integer representation of my IP address. Not sure why that would help resolve the www version of my domain level url.

re: [probably because you had to delete the CNAME first]

Regarding CNAME: yes, I had to delete the CNAME record with www before I could add the second A record with www. (Thought of that after I replied to you.)

1 Like
