I'm running into renewal problems on a test server. I've made some changes to my nginx.conf since I created the certificate but the server has been working fine.
My DNS resolves properly, I created .well-known/acme-challenge and made sure it is reachable via https.
I've read about similar problems and it seems this whole process is very delicate. I've made numerous changes but nothing solves the problem. Here is the current and relevant portion of my nginx.conf file.
index index.php index.html index.htm;
server {
    listen 80;
    server_name www.catspaw.club catspaw.club;
    return 301 https://$server_name$request_uri;
}
server {
    listen 443 ssl default_server;
    #listen [::]:443 ssl default_server;
    server_name catspaw.club www.catspaw.club;
    ssl_certificate "/usr/local/etc/letsencrypt/live/www.catspaw.club/cert.pem";
    ssl_certificate_key "/usr/local/etc/letsencrypt/live/www.catspaw.club/privkey.pem";
    error_log /var/log/nginx/error.log;
    error_page 500 502 503 504 /50x.html;
    root /usr/local/www/nginx-dist;
    …
    location ~ /.well-known {
        allow all;
    }
Steve
My domain is:
I ran this command: catspaw.club
It produced this output:
root@selby:~ # certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /usr/local/etc/letsencrypt/renewal/www.catspaw.club.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for catspaw.club
http-01 challenge for www.catspaw.club
Waiting for verification...
Challenge failed for domain catspaw.club
Challenge failed for domain www.catspaw.club
http-01 challenge for catspaw.club
http-01 challenge for www.catspaw.club
Cleaning up challenges
Attempting to renew cert (www.catspaw.club) from /usr/local/etc/letsencrypt/renewal/www.catspaw.club.conf produced an unexpected error: Some challenges have failed.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/usr/local/etc/letsencrypt/live/www.catspaw.club/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewal attempts failed. The following certs could not be renewed:
/usr/local/etc/letsencrypt/live/www.catspaw.club/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: catspaw.club
Type: unauthorized
Detail: Invalid response from
https://www.catspaw.club/.well-known/acme-challenge/QIkuVVIveDwVmrj6AfGJR7SflNb9CBAn0nqmvXjJXBY
[50.116.12.132]: "<html>\r\n<head><title>404 Not
Found</title></head>\r\n<body>\r\n<center><h1>404 Not
Found</h1></center>\r\n<hr><center>nginx</center>\r\n"
Domain: www.catspaw.club
Type: unauthorized
Detail: Invalid response from
https://www.catspaw.club/.well-known/acme-challenge/hWvpRwbJOGvj_CKKVa4thuLB_xNO1XDVqrhn_wcGOTs
[50.116.12.132]: "<html>\r\n<head><title>404 Not
Found</title></head>\r\n<body>\r\n<center><h1>404 Not
Found</h1></center>\r\n<hr><center>nginx</center>\r\n"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
My web server is (include version):
nginx 1.18.0
The operating system my web server runs on is (include version):
FreeBSD 12.1
My hosting provider, if applicable, is:
Linode
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.8.0
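An added example, not part of the original post and not certbot code: a small Python parser for the failure report above that rejoins certbot's wrapped Detail lines and reports, per challenge, where the validation request ended up and which server answered it. The function names `parse_failures` and `diagnose` are hypothetical; the sample text is copied from the output in the post.

```python
import re
from urllib.parse import urlsplit
# Excerpt of the certbot output quoted in the post, line wrapping kept as shown.
SAMPLE = r'''Plugins selected: Authenticator standalone, Installer None
Domain: catspaw.club
Type: unauthorized
Detail: Invalid response from
https://www.catspaw.club/.well-known/acme-challenge/QIkuVVIveDwVmrj6AfGJR7SflNb9CBAn0nqmvXjJXBY
[50.116.12.132]: "<html>\r\n<head><title>404 Not
Found</title></head>\r\n<body>\r\n<center><h1>404 Not
Found</h1></center>\r\n<hr><center>nginx</center>\r\n"
Domain: www.catspaw.club
Type: unauthorized
Detail: Invalid response from
https://www.catspaw.club/.well-known/acme-challenge/hWvpRwbJOGvj_CKKVa4thuLB_xNO1XDVqrhn_wcGOTs
[50.116.12.132]: "<html>\r\n<head><title>404 Not
Found</title></head>\r\n<body>\r\n<center><h1>404 Not
Found</h1></center>\r\n<hr><center>nginx</center>\r\n"
'''
FAILURE = re.compile(r'(?P<domain>\S+) Type: (?P<type>\S+) Detail: Invalid response '
                     r'from (?P<url>\S+) \[(?P<ip>[^\]]+)\]: "(?P<body>.*?)"')

def parse_failures(output):
    """Return (authenticator, failures) parsed from `certbot renew` output."""
    plugin = re.search(r"Authenticator (\w+)", output)
    failures = []
    # Each report starts at "Domain:"; certbot wraps Detail, so rejoin the lines.
    for block in re.split(r"(?m)^\s*Domain:\s*", output)[1:]:
        m = FAILURE.match(" ".join(block.split()))
        if m:
            f = m.groupdict()
            page = re.search(r"<title>(\d{3}) .*<hr><center>([^<]+)</center>", f["body"])
            f["status"], f["server"] = page.groups() if page else (None, None)
            failures.append(f)
    return (plugin.group(1) if plugin else None), failures

def diagnose(authenticator, f):
    url, notes = urlsplit(f["url"]), []
    if url.scheme == "https":  # HTTP-01 validation always starts on port 80
        notes.append("validation was redirected to HTTPS")
    if url.hostname != f["domain"]:
        notes.append("redirect changed the host to " + url.hostname)
    if authenticator == "standalone" and f["server"]:
        notes.append(f"{f['status']} served by {f['server']}, not by the standalone authenticator")
    return notes

if __name__ == "__main__":
    auth, fails = parse_failures(SAMPLE)
    print([(f["domain"], f["status"], diagnose(auth, f)) for f in fails])
```
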