Renew Dry-Run Failing

My domain is: friendlymetals.com.au, www.friendlymetals.com.au

I ran this command: sudo certbot renew --dry-run

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/friendlymetals.com.au.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for friendlymetals.com.au
http-01 challenge for www.friendlymetals.com.au
Using the webroot path /var/www/friendlymetals.com.au for all unmatched domains.
Waiting for verification...
Challenge failed for domain www.friendlymetals.com.au
Challenge failed for domain friendlymetals.com.au
http-01 challenge for www.friendlymetals.com.au
http-01 challenge for friendlymetals.com.au
Cleaning up challenges
Attempting to renew cert (friendlymetals.com.au) from /etc/letsencrypt/renewal/friendlymetals.com.au.conf produced an unexpected error: Some challenges have failed.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/friendlymetals.com.au/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/friendlymetals.com.au/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: www.friendlymetals.com.au
   Type:   unauthorized
   Detail: Invalid response from
   http://www.friendlymetals.com.au/.well-known/acme-challenge/I-53HCO9G2hMAYF9Lz2MTMn0hS0RZPyAguzqOVY9FoY
   [18.218.180.117]: "<html>\r\n<head><title>404 Not
   Found</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>404
   Not Found</h1></center>\r\n<hr><center>"

   Domain: friendlymetals.com.au
   Type:   unauthorized
   Detail: Invalid response from
   https://friendlymetals.com.au/.well-known/acme-challenge/jCu8pQIcys8gQixR5c5Ba3Kmj77NY1gSnZNuNjEV7S0
   [18.218.180.117]: "<html>\r\n<head><title>403
   Forbidden</title></head>\r\n<body
   bgcolor=\"white\">\r\n<center><h1>403
   Forbidden</h1></center>\r\n<hr><center>"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

My web server is (include version): nginx/1.10.3 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 16.04.3 LTS

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.9.0

Hi @Phelx,

Do you know if you have any nginx rules in your configuration which block "dotfiles"?

See below:

This is often caused by well-meaning rules which look something like:

# Matches every URI containing "/.", which also covers
# /.well-known/acme-challenge/ and so breaks the http-01 check.
location ~ /\.  {
    deny all;
}

but they end up interfering with the renewal process.

You can also try:

certbot renew --dry-run -a nginx

to see whether the nginx authenticator works around this problem for you.

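For anyone who wants to keep the webroot authenticator rather than switch to -a nginx, here is an added example of how the server blocks can be arranged so the dotfile deny rule stays in place but ACME challenge files are still served. This is not configuration from the original thread or from the Certbot project; it assumes the webroot path /var/www/friendlymetals.com.au shown in the certbot output above and the default Let's Encrypt live/ paths for the certificate files. The key detail is the ^~ prefix location, which nginx checks before any regex location, so the "location ~ /\." rule never gets a chance to match the challenge path. The same location is repeated in the HTTPS block because Let's Encrypt follows the usual 80 -> 443 redirect; the output above shows the apex check ending up on https:// and receiving a 403, which is what a deny rule in the 443 block produces.

```nginx
# Added example (not from the thread): port-80 and port-443 server blocks that
# keep the dotfile deny rule but still serve ACME http-01 challenge files.
# Assumed: webroot /var/www/friendlymetals.com.au (from the certbot output
# above) and the standard Let's Encrypt live/ paths for the certificate.

server {
    listen 80;
    server_name friendlymetals.com.au www.friendlymetals.com.au;

    # "^~" is a prefix match that stops nginx from evaluating regex locations,
    # so the "location ~ /\." deny rule below cannot shadow this path.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/friendlymetals.com.au;
        default_type text/plain;
        try_files $uri =404;
    }

    # Dotfile deny rule: now only applies outside the ACME path.
    location ~ /\. {
        deny all;
    }

    # Everything else goes to HTTPS.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name friendlymetals.com.au www.friendlymetals.com.au;
    ssl_certificate     /etc/letsencrypt/live/friendlymetals.com.au/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/friendlymetals.com.au/privkey.pem;

    # Let's Encrypt follows the 80 -> 443 redirect, so the challenge path must
    # be served here too; otherwise the deny rule answers with 403.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/friendlymetals.com.au;
        default_type text/plain;
        try_files $uri =404;
    }

    location ~ /\. {
        deny all;
    }

    location / {
        root /var/www/friendlymetals.com.au;
        index index.html;
    }
}
```

After editing, run `sudo nginx -t && sudo systemctl reload nginx`, then repeat `sudo certbot renew --dry-run`. A quick manual check before involving certbot at all: drop a file at /var/www/friendlymetals.com.au/.well-known/acme-challenge/test and fetch http://www.friendlymetals.com.au/.well-known/acme-challenge/test with `curl -L`; a 200 with the file contents (rather than the 404/403 pages quoted above) means the path is reachable the way the CA will reach it.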

The command using the nginx authenticator worked a treat!

Just updated the cronjob to include the -a nginx flag in it as well; hopefully that resolves it.
