Renew certificates fails please help

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: kodi.pjrawlings.co.uk

I ran this command:
certbot --nginx

It produced this output:
pi@kodi:~ $ sudo certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx

Which names would you like to activate HTTPS for?


1: kodi.pjrawlings.co.uk


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for kodi.pjrawlings.co.uk
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. kodi.pjrawlings.co.uk (http-01): urn:ietf:params:acme:error:dns :: No valid IP addresses found for kodi.pjrawlings.co.uk

IMPORTANT NOTES:

My web server is (include version):
nginx version: nginx/1.14.2

The operating system my web server runs on is (include version):
Raspbian GNU/Linux 10 (buster)

My hosting provider, if applicable, is:
IONOS

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No using command line

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 0.31.0

Output from https://check-your-website.server-daten.de/?q=kodi.pjrawlings.co.uk suggests I have an A record, so I am not sure what the issue is.

To date I have always created my certificates with the command
sudo certbot -d kodi.pjrawlings.co.uk --manual --preferred-challenges dns certonly --force-interactive

But as I have a nginx server on this machine I would like to use renew and hopefully work through getting this to renew automatically.

2 Likes

Welcome Back to the Let's Encrypt Community, Pete :slightly_smiling_face:

In order to use http-01 challenges for authentication, you must have a publicly-accessible IP address, not a local IP address.

2 Likes

[not sure what now having nginx (web server) has to do with certbot (an ACME client) usage, but...]

Then you are familiar with DNS authentication.
Automating DNS authentication requires:

  • a client capable of such: Check (certbot)
    [although you might want to upgrade it to the latest version via snapd]
  • a DNS service provider that supports automated DNS updates (via API): ???
    [Who is your DNS provider? Do they support DNS updates via API?]
1 Like

Hi @plug_it_in

please read the check result. There is an ip address.

But it's Grade Y:

Private IP-Address found

And the explanation in the #comments part:

Y kodi.pjrawlings.co.uk

192.168.1.4
Warning: Private ip address found. No connection possible. There are two types of ip addresses: Worldwide unique, global addresses and private addresses. If you want that other users connect your domain, your domain must have minimal one A- (ipv4) or AAAA- (ipv6) entry with a global ip address. Check https://en.wikipedia.org/wiki/Private_network to understand the details: 192.168.0.0 to 192.168.255.255: Class C - 256 private net, every with 256 addresses

A public visible ip address is required to use http validation.

@JuergenAuer

Why are you duplicating so many answers today?

He wants to use nginx now so that he can automate his renewals.

ugggh...?

1 Like

@rg305

I think the whole purpose of the initial post was the trouble he ran into with certbot when attempting to use nginx instead of his usual manual route. Rearranging the original post helps greatly with clarity.

OK I see what you see (now).

But here is what I see, most, if not all, went unmentioned.
He had always used DNS authentication in the past.
That, to me, implies he HAD to use DNS auth and understood the "why" behind it.
Meaning: He has always had a 192.168 IP and dealt with it via DNS auth.

We both (all should) know nginx can't do DNS auth.

We have reinforced the idea that 192.168 IPs will fail HTTP auth (but he should have already known that).

We have also made it clear that DNS auth is the only auth method left if he can't change the global IP.

But I wonder how this "works" at all...
If the entire planet only sees the 192.168 IP, how do they gain access to his system (from anywhere outside his network)?
So that leaves... "It's a personal cert that is globally signed".

2 Likes

Inside his own network the private IP will work and show a secure domain. :grin:

He probably never knew about the private IP address issue if he had always been using dns-01 challenges.

No one starts out by using DNS auth.
That is always a method of last resort.
[unless you want a wildcard and then it is the only resort (with any vacancy)]

1 Like

Griffin is so spot on. I have zero idea of what I am doing in this area. All I want to do is use auto renewal and don't understand why it's such an issue. I have a web server, I have a certificate, why can't I get a simple renewal?

2 Likes

I did. :pensive: And still do. I've always used wildcards though. DNS auth is the oldest and most established method, albeit not the most friendly to renew under many circumstances.

1 Like

How about we back up one step first.

Who is/are the intended audience?
[who will be seeing that cert (as a client)?]

If only in your network, then this requires DNS auth.
If anywhere else (on the Internet), then you first have to give them an IP they can reach.
[which will help with the AUTH choices]

1 Like
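The checks the replies above describe, as an added example that is not part of the original thread: given the A/AAAA records a name resolves to, decide whether an ACME http-01 challenge can succeed at all (the CA must be able to connect to a globally routable address, which is what the "No valid IP addresses found" error is about), and for the dns-01 route compute the TXT value that has to be published at `_acme-challenge.<name>` (RFC 8555 section 8.4). The record sets are constructed for the example; 192.168.1.4 is the address from the check report quoted above, and 8.8.8.8 merely stands in for any global address.

```python
import base64
import hashlib
import ipaddress
import socket

# Constructed sample record sets (not live DNS data). "private-only" mirrors
# the thread: a single A record pointing at a 192.168.x.x address.
SAMPLE_RECORDS = {
    "private-only": ["192.168.1.4"],
    "mixed": ["192.168.1.4", "8.8.8.8"],
    "none": [],
}


def classify(records):
    """Split resolved addresses into globally reachable and not reachable.

    ipaddress's is_global is False for RFC 1918 space, loopback, link-local,
    ULA and other special-purpose ranges, which is exactly what an ACME CA
    cannot connect to.
    """
    reachable, unreachable = [], []
    for rec in records:
        ip = ipaddress.ip_address(rec)
        (reachable if ip.is_global else unreachable).append(str(ip))
    return reachable, unreachable


def http01_viable(records):
    """Return (ok, reason) for an http-01 challenge against these records.

    http-01 requires the CA to fetch /.well-known/acme-challenge/<token>
    over port 80, so at least one A/AAAA record must be a global address.
    A private-only or empty record set is the case the CA reports as
    'No valid IP addresses found'.
    """
    reachable, unreachable = classify(records)
    if reachable:
        return True, "http-01 possible via %s" % reachable
    if unreachable:
        return False, ("only non-global addresses %s; http-01 cannot be "
                       "validated, use dns-01 instead" % unreachable)
    return False, "no A/AAAA records; http-01 cannot be validated"


def dns01_txt_value(key_authorization):
    """TXT value for _acme-challenge.<name> (RFC 8555 section 8.4).

    The value is base64url(SHA-256(key authorization)) with the '='
    padding stripped; the key authorization itself is token + '.' +
    the base64url JWK thumbprint of the account key.
    """
    digest = hashlib.sha256(key_authorization.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def resolve(name):
    """Live lookup of a name's addresses (needs network; not used by the samples)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})


if __name__ == "__main__":
    for label, records in SAMPLE_RECORDS.items():
        ok, reason = http01_viable(records)
        print("%-13s http-01 ok=%s: %s" % (label, ok, reason))
    # Constructed key authorization, not one issued by any CA.
    print("dns-01 TXT:", dns01_txt_value("token123.thumbprintABC"))
```

Running this with the thread's record set prints that http-01 cannot be validated, which matches the certbot output at the top; `resolve("kodi.pjrawlings.co.uk")` would do the live lookup if you want to feed real records in. The dns-01 value is what an automated hook (a DNS provider API or an acme-dns instance, as suggested above) has to write before the CA is told to validate.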

You should look into using acme-dns to aid with your dns authorizations. Rudy (@rg305) and I are good friends, so don't take our banter as bickering. We like a good discussion. :upside_down_face:

1 Like

Let's find out WHO will use it first.
[wait one more minute before giving your final advice]

1 Like

I concur @rg305.

@plug_it_in

What's the reasoning behind the private certification? Testing or something? This will help us guide you.

1 Like

@plug_it_in

The whole reason for me was to clean up the messages that I was using insecure access on my OctoPrint and Kodi installs. So only on my home private network. I found the whole process of trying to get certificates very confusing and fell back to stealing the manual command from a post with no real understanding of the command. It just worked with a set of instructions on what to do. I now find I can't use the renewal process, which makes this all a pain. Don't assume I understood anything or made intelligent choices about forms of authentication. I'm clueless. Happy to learn.

1 Like

No worries there my friend. We'll help you out. I'm in the midst of eating and such, but I'll be back in a bit to help. Someone else like @rg305 might be around though.