Renew --dry-run failure

Please fill out the fields below so we can help you better.

Have new certificate installed using --webroot.
Primary domain and sub-domain work well.
Have error with sub-domains when attempting dry run renewal.

I’m really stumped with this one.

My domain is:
inkblotcreations.com www.inkblotcreations.com beta.inkblotcreations.com www.beta.inkblotcreations.com

I ran this command: sudo certbot renew --dry-run

It produced this output:

 Saving debug log to /var/log/letsencrypt/letsencrypt.log

 -------------------------------------------------------------------------------
 Processing /etc/letsencrypt/renewal/inkblotcreations.com.conf
 -------------------------------------------------------------------------------
 Cert not due for renewal, but simulating renewal for dry run
 Renewing an existing certificate
 Performing the following challenges:
 http-01 challenge for inkblotcreations.com
 http-01 challenge for beta.inkblotcreations.com
 http-01 challenge for www.beta.inkblotcreations.com
 http-01 challenge for www.inkblotcreations.com
 Waiting for verification...
 Cleaning up challenges
 Attempting to renew cert from /etc/letsencrypt/renewal/inkblotcreations.com.conf produced an unexpected error: Failed authorization procedure. www.beta.inkblotcreations.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.beta.inkblotcreations.com/.well-known/acme-challenge/hYtrRgBvhBZdVGLHOK0-6UrBoytUhpU6LEAsVIonGP0: "<html>
 <head><title>404 Not Found</title></head>
 <body bgcolor="white">
 <center><h1>404 Not Found</h1></center>
 <hr><center>", beta.inkblotcreations.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://beta.inkblotcreations.com/.well-known/acme-challenge/7_HeiZklyShnmZ8i9S0zxEcu1rixfSkzL2LR8DSd7B4: "<html>
 <head><title>404 Not Found</title></head>
 <body bgcolor="white">
 <center><h1>404 Not Found</h1></center>
 <hr><center>". Skipping.
 ** DRY RUN: simulating 'certbot renew' close to cert expiry
 **          (The test certificates below have not been saved.)

 All renewal attempts failed. The following certs could not be renewed:
   /etc/letsencrypt/live/inkblotcreations.com/fullchain.pem (failure)
 ** DRY RUN: simulating 'certbot renew' close to cert expiry
 **          (The test certificates above have not been saved.)
 1 renew failure(s), 0 parse failure(s)

 IMPORTANT NOTES:
  - The following errors were reported by the server:

    Domain: www.beta.inkblotcreations.com
    Type:   unauthorized
    Detail: Invalid response from
    http://www.beta.inkblotcreations.com/.well-known/acme-challenge/hYtrRgBvhBZdVGLHOK0-6UrBoytUhpU6LEAsVIonGP0:
    "<html>
    <head><title>404 Not Found</title></head>
    <body bgcolor="white">
    <center><h1>404 Not Found</h1></center>
    <hr><center>"

    Domain: beta.inkblotcreations.com
    Type:   unauthorized
    Detail: Invalid response from
    http://beta.inkblotcreations.com/.well-known/acme-challenge/7_HeiZklyShnmZ8i9S0zxEcu1rixfSkzL2LR8DSd7B4:
    "<html>
    <head><title>404 Not Found</title></head>
    <body bgcolor="white">
    <center><h1>404 Not Found</h1></center>
    <hr><center>"

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address.

My web server is (include version): nginx version: nginx/1.10.3 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 16.04.2 LTS

My hosting provider, if applicable, is: DigitalOcean

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): Yes

Additional Information:

server {
        listen 80 default_server;
        listen [::]:80 default_server ipv6only=on;
        server_name inkblotcreations.com www.inkblotcreations.com;
        return 301 https://$server_name$request_uri;
}

server {
        listen 443 ssl http2 default_server;
        listen [::]:443 ssl http2 default_server;
        include snippets/ssl-inkblotcreations.com.conf;
        include snippets/ssl-params.conf;

        server_name inkblotcreations.com www.inkblotcreations.com;
        root /home/user/www/;
        index index.html;

        location / { try_files $uri $uri/ =404; }

        location /home/user/www/.well-known/acme-challenge { allow all; }
}

server {
        listen 80;
        listen [::]:80;
        server_name beta.inkblotcreations.com www.beta.inkblotcreations.com;
        return 301 https://$server_name$request_uri;
}

server {
        listen 443 ssl http2;
        listen [::]:433 ssl http2;
        include snippets/ssl-inkblotcreations.com.conf;
        include snippets/ssl-params.conf;

        server_name beta.inkblotcreations.com www.beta.inkblotcreations.com;
        root /home/user/beta/;
        index index.html;

        location / { try_files $uri $uri/ =404; }

        location /home/user/beta/.well-known/acme-challenge { allow all; }
}

Hi @PyCatz,

Two thoughts:

(Probably not the problem) You seem to have a typo in listen [::]:433 ssl http2; which should probably be 443 rather than 433.

(Possibly the problem) Can you post the content of /etc/letsencrypt/renewal/inkblotcreations.com.conf? If it’s trying to use the same webroot directory for all of these domains, it will fail because the real webroot for the “beta” domain is different from that for the other domains.

1 Like

This doesn't seem entirely correct.
Shouldn't it be more like:
location /.well-known/acme-challenge { allow all; }

1 Like
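Both points above are real defects in the posted config, and they fail in different ways. A prefix `location` in nginx is matched against the request URI, so `location /home/user/beta/.well-known/acme-challenge` only matches a request for literally `/home/user/beta/.well-known/...`, which the CA never sends; `/.well-known/acme-challenge` is the URI that is actually requested. And `listen [::]:433` is accepted by `nginx -t` because 433 is a valid port, so the beta vhost is simply not bound on `[::]:443`; any HTTPS request for beta that arrives over IPv6 falls through to the `default_server` on `[::]:443`, which serves `/home/user/www` and returns nginx's stock 404 page (the `bgcolor="white"` markup in the error output). If the names have AAAA records, which the thread does not show and is an assumption here, Let's Encrypt validates over IPv6 first, which would produce exactly the 404 seen after the port-80 redirect. The following is an added example of the beta vhost written to avoid both problems; it is not the original poster's config or rg305's suggestion, and the paths and hostnames are taken from the thread as-is:

```nginx
# Added example (not the poster's config): beta vhost with the ACME challenge
# answered on port 80, before the HTTPS redirect, and the listen typo fixed.
server {
    listen 80;
    listen [::]:80;
    server_name beta.inkblotcreations.com www.beta.inkblotcreations.com;

    # nginx matches the request URI, not a filesystem path. Serve the token
    # files certbot writes under <webroot>/.well-known/acme-challenge/ here so
    # http-01 validation never depends on the TLS vhost being correct.
    location ^~ /.well-known/acme-challenge/ {
        root /home/user/beta;
        default_type text/plain;
    }

    # $host keeps the name the client asked for; $server_name would rewrite
    # www.beta.* to beta.* because it expands to the first server_name.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;   # was [::]:433 in the thread; nginx -t does not flag it
    include snippets/ssl-inkblotcreations.com.conf;
    include snippets/ssl-params.conf;

    server_name beta.inkblotcreations.com www.beta.inkblotcreations.com;
    root /home/user/beta;
    index index.html;

    location / { try_files $uri $uri/ =404; }
}
```

The same shape applies to the inkblotcreations.com / www pair with `root /home/user/www`. Keeping the challenge `location` on the port-80 server also means a broken certificate or TLS snippet cannot block the renewal that is supposed to fix it.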

Hi rg305

Changed path to acme-challenge from absolute to relative. Wouldn’t have thought that this would make much difference as path to folder leads to same place. After change to: location /.well-known/acme-challenge { allow all; }
still have same fault.

Currently set as relative: location /.well-known/acme-challenge { allow all; }

Hi schoen

You are a legend. Your glasses 1, my dyslexia 0

Changed 433 to 443 (nginx -t and restart, of course) and renew --dry-run worked without a problem.

FYI: I had looked (and re-looked after reading your message) at /etc/letsencrypt/renewal/inkblotcreations.com.conf , the [[webroot_map]] has correct mapping from domains to paths. Not the issue in this case but a good one to check.

Thanks again

Hey rg305, thanks for looking.
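The two checks that settled this thread, that `[[webroot_map]]` maps each name to the right directory and that each name actually serves a file placed in that directory, can be scripted as a pre-flight that runs before `certbot renew`. The following is an added example and not certbot's own tooling: `parse_webroot_map` reads the `[[webroot_map]]` section of a renewal conf, and `check_challenge` drops a throwaway token under the mapped webroot and fetches it the way the CA does (plain HTTP, following the redirect, over IPv4 and IPv6 separately, so a vhost that is only bound on one address family shows up). The embedded conf is constructed sample data in the certbot renewal-file format; the paths and names are illustrative.

```sh
#!/bin/sh
# Added example, not from the thread or from certbot: http-01 pre-flight.

# Constructed sample of a certbot renewal conf (only the parts that matter).
SAMPLE_CONF='version = 0.19.0
archive_dir = /etc/letsencrypt/archive/example.com

[renewalparams]
authenticator = webroot
webroot_path = /home/user/www,
[[webroot_map]]
example.com = /home/user/www
beta.example.com = /home/user/beta
'

# Read a renewal conf on stdin and print one "domain webroot" pair per line
# from the [[webroot_map]] section (any later [section] header ends it).
parse_webroot_map() {
    awk '
        /^\[\[webroot_map\]\]/ { in_map = 1; next }
        /^\[/                  { in_map = 0 }
        in_map && /=/ {
            split($0, kv, "=")
            gsub(/^[ \t]+|[ \t]+$/, "", kv[1])
            gsub(/^[ \t]+|[ \t]+$/, "", kv[2])
            print kv[1], kv[2]
        }'
}

# Offline demonstration of the parser on the constructed sample.
demo_parse() {
    printf '%s' "$SAMPLE_CONF" | parse_webroot_map
}

# check_challenge DOMAIN WEBROOT
# Writes a token under WEBROOT/.well-known/acme-challenge/ and fetches it over
# HTTP for each address family. curl exit 6 (name has no record of that
# family) is skipped; anything else that does not return the token fails,
# because a connect failure or a 404 from the wrong vhost is what the CA sees.
check_challenge() {
    domain=$1; webroot=$2
    dir="$webroot/.well-known/acme-challenge"
    token="preflight-$(date +%s)-$$"
    mkdir -p "$dir" || return 1
    printf '%s' "$token" > "$dir/$token"
    rc=0
    for fam in -4 -6; do
        got=$(curl -sS $fam -L --max-time 10 \
              "http://$domain/.well-known/acme-challenge/$token" 2>/dev/null)
        status=$?
        if [ "$status" -eq 6 ]; then
            echo "$domain ($fam): skipped, no address of this family"
            continue
        fi
        if [ "$got" = "$token" ]; then
            echo "$domain ($fam): ok"
        else
            echo "$domain ($fam): FAIL (curl exit $status, body '$got')"
            rc=1
        fi
    done
    rm -f "$dir/$token"
    return $rc
}

# Live usage against a real renewal conf (needs the names to resolve to this host):
#   parse_webroot_map < /etc/letsencrypt/renewal/inkblotcreations.com.conf |
#   while read -r d w; do check_challenge "$d" "$w"; done
```

A FAIL on `-6` with an `ok` on `-4` for the same name is the signature of the `[::]:433` mistake from this thread: the IPv4 vhost answers, the IPv6 request lands on the `default_server`. Run it after `nginx -t` and a reload, since a config that fails to parse leaves the previous one serving.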

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.