Renew certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
roger.kiwi.nz
I ran this command:
certbot certonly --force-renew
It produced this output:
http-01 challenge for roger.kiwi.nz
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: roger.kiwi.nz
    Type: unauthorized
    Detail: 128.199.115.234: Invalid response from
    https://roger.kiwi.nz/.well-known/acme-challenge/HaujLV3vfWtLTLqI2TpTn8C-TvFhv09RwUpXMH5FzVQ:
    404

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.
My web server is (include version):
nginx
The operating system my web server runs on is (include version):
ubuntu 20.04.5 LTS
My hosting provider, if applicable, is:
digitalocean
I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
0.40.0

Please do not use options whose purpose you don't understand. E.g., --force-renewal does NOT magically let you get a certificate without any validation. As such, it wouldn't help you with your issue whatsoever, but, if used improperly, could lead to bad things such as rate limits.

By the way, renewal is usually done by running sudo certbot renew.

Also:

This version of Certbot is quite old. It's recommended to use snap to install Certbot and keep it (automatically) up to date. See https://certbot.eff.org/ for more info.

Now, to your issue: could you please post the contents of the renewal configuration file? It probably is /etc/letsencrypt/renewal/roger.kiwi.nz.conf.

Also, please post the output of the command sudo nginx -T.

4 Likes

Supplemental information: here is what curl is showing me.
I see the redirect from HTTP to HTTPS portion is working as expected.

$ curl -Ii http://roger.kiwi.nz/.well-known/acme-challenge/sometestfile
HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Thu, 09 Mar 2023 18:51:22 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
Location: https://roger.kiwi.nz/.well-known/acme-challenge/sometestfile
$ curl -Ii https://roger.kiwi.nz/.well-known/acme-challenge/sometestfile
HTTP/2 404
server: nginx
date: Thu, 09 Mar 2023 18:51:33 GMT
content-type: text/html
content-length: 808
etag: "623fdc8c-328"

1 Like

Thank you - I've installed certbot via snap, and successfully renewed the certificate.

# renew_before_expiry = 30 days
version = 2.4.0
archive_dir = /etc/letsencrypt/archive/roger.kiwi.nz
cert = /etc/letsencrypt/live/roger.kiwi.nz/cert.pem
privkey = /etc/letsencrypt/live/roger.kiwi.nz/privkey.pem
chain = /etc/letsencrypt/live/roger.kiwi.nz/chain.pem
fullchain = /etc/letsencrypt/live/roger.kiwi.nz/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = 3b9b7b65745749c5dbe7a9b4cc29dbb7
authenticator = nginx
installer = nginx
server = https://acme-v02.api.letsencrypt.org/directory
key_type = ecdsa

5 Likes

I had also tried certbot renew, but it failed with the same output as the command I shouldn't have run! (Thanks for the feedback.) This server had been neglected for some time; I will keep a better eye on it now 🙂

4 Likes

Ah, perhaps there was something in your nginx configuration confusing for the ancient Certbot, but easy to manage in the most recent one 🙂

That's probably because "deep down" they were doing the same thing. I didn't know you already tried certbot renew though, so I thought I'd just mention certbot renew.

4 Likes

Thank you - I really appreciate your help and guidance as I fumbled my way through 🙂

5 Likes
