Renew fails with error 403 on nginx reverse proxy


#1

My domain is: https://nextcloud.filder.cloud

I ran this command: ~/certbot/.certbot-auto renew

It produced this output:

Domain: nextcloud.filder.cloud
Type: unauthorized
Detail: Incorrect validation certificate for tls-sni-01 challenge.
Requested
b5ac6e01109bd3bbf59f61bbc09daffe.7d3ef5861c3c440475d1b42b7ee7b105.acme.invalid
from 46.237.201.66:443. Received 2 certificate(s), first
certificate had names “nextcloud.filder.cloud”

My web server is (include version):

nginx 1.12.2

The operating system my web server runs on is (include version):

freeBSD 11.1

My hosting provider, if applicable, is: -

I can login to a root shell on my machine (yes or no, or I don’t know): yes

My setup is: self-hosted server with static public IP -> nginx server configured as reverse proxy -> pointing to several servers on different machines

certbot is installed on the reverse proxy and valid certificates have been issued and placed on it for each server it is proxying to. And yes - that worked fine for the last three months.

Now I need to renew the certificates. Tried to do this with the command provided above and received the mentioned failure.

The output of /var/log/letsencrypt/letsencrypt.log is:

root@webproxy:/usr/home/admin/certbot # cat /var/log/letsencrypt/letsencrypt.log
2018-05-15 09:16:55,723:DEBUG:certbot.main:certbot version: 0.24.0
2018-05-15 09:16:55,724:DEBUG:certbot.main:Arguments: []
2018-05-15 09:16:55,724:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2018-05-15 09:16:55,746:DEBUG:certbot.log:Root logging level set at 20
2018-05-15 09:16:55,747:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2018-05-15 09:16:55,789:DEBUG:certbot.plugins.selection:Requested authenticator <certbot.cli._Default object at 0x808fe67d0> and installer <certbot.cli._Default object at 0x808fe67d0>
2018-05-15 09:16:55,798:DEBUG:certbot.storage:Should renew, less than 30 days before certificate expiry 2018-05-26 07:23:25 UTC.
2018-05-15 09:16:55,798:INFO:certbot.renewal:Cert is due for renewal, auto-renewing…
2018-05-15 09:16:55,829:DEBUG:certbot.plugins.selection:Requested authenticator standalone and installer None
2018-05-15 09:16:55,888:DEBUG:certbot.plugins.selection:Single candidate plugin: * standalone
Description: Spin up a temporary webserver
Interfaces: IAuthenticator, IPlugin
Entry point: standalone = certbot.plugins.standalone:Authenticator
Initialized: <certbot.plugins.standalone.Authenticator object at 0x809209ed0>
Prep: True
2018-05-15 09:16:55,889:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.standalone.Authenticator object at 0x809209ed0> and installer None
2018-05-15 09:16:55,889:INFO:certbot.plugins.selection:Plugins selected: Authenticator standalone, Installer None
2018-05-15 09:16:55,891:DEBUG:certbot.main:Picked account: <Account(RegistrationResource(body=Registration(status=u’valid’, terms_of_service_agreed=None, contact=(u’mailto:rbuhr@outlook.de’,), agreement=u’https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf’, key=JWKRSA(key=<ComparableRSAKey(<cryptography.hazmat.backends.openssl.rsa._RSAPublicKey object at 0x8092093d0>)>)), uri=u’https://acme-v01.api.letsencrypt.org/acme/reg/30064737’, new_authzr_uri=u’https://acme-v01.api.letsencrypt.org/acme/new-authz’, terms_of_service=u’https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf’), 349147d789cb97c667d20d4fa80c1455, Meta(creation_host=u’webproxy.fritz.box’, creation_dt=datetime.datetime(2018, 2, 25, 7, 28, 19, tzinfo=)))>
2018-05-15 09:16:55,893:DEBUG:acme.client:Sending GET request to https://acme-v01.api.letsencrypt.org/directory.
2018-05-15 09:16:55,898:DEBUG:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2018-05-15 09:16:56,394:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 “GET /directory HTTP/1.1” 200 658
2018-05-15 09:16:56,395:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 658
Replay-Nonce: 5W5LujO09CD9jqEexqCPSqMsSc4GHPncolQHeWdKXU4
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Tue, 15 May 2018 07:16:56 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 15 May 2018 07:16:56 GMT
Connection: keep-alive

{
“key-change”: “https://acme-v01.api.letsencrypt.org/acme/key-change”,
“m2fxJ8JpAIY”: “Adding random entries to the directory”,
“meta”: {
“caaIdentities”: [
letsencrypt.org
],
“terms-of-service”: “https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf”,
“website”: “https://letsencrypt.org
},
“new-authz”: “https://acme-v01.api.letsencrypt.org/acme/new-authz”,
“new-cert”: “https://acme-v01.api.letsencrypt.org/acme/new-cert”,
“new-reg”: “https://acme-v01.api.letsencrypt.org/acme/new-reg”,
“revoke-cert”: “https://acme-v01.api.letsencrypt.org/acme/revoke-cert

Please help me :slight_smile:
Robin


#2

Please show the renewal conf:
/etc/letsencrypt/renewal/<your cert name>.conf
./certbot-auto certificates


#3

output of /etc/letsencrypt/renewal/nextcloud.filder.cloud.conf:

# renew_before_expiry = 30 days
version = 0.21.1
archive_dir = /etc/letsencrypt/archive/nextcloud.filder.cloud
cert = /etc/letsencrypt/live/nextcloud.filder.cloud/cert.pem
privkey = /etc/letsencrypt/live/nextcloud.filder.cloud/privkey.pem
chain = /etc/letsencrypt/live/nextcloud.filder.cloud/chain.pem
fullchain = /etc/letsencrypt/live/nextcloud.filder.cloud/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = standalone
installer = None
account = 349147d789cb97c667d20d4fa80c1455

output from ./certbot-auto certificates

Found the following certs:
  Certificate Name: nextcloud.filder.cloud
    Domains: nextcloud.filder.cloud
    Expiry Date: 2018-05-26 07:23:25+00:00 (VALID: 10 days)
    Certificate Path: /etc/letsencrypt/live/nextcloud.filder.cloud/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/nextcloud.filder.cloud/privkey.pem
  Certificate Name: kniese.filder.cloud
    Domains: kniese.filder.cloud
    Expiry Date: 2018-05-27 09:44:33+00:00 (VALID: 12 days)
    Certificate Path: /etc/letsencrypt/live/kniese.filder.cloud/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/kniese.filder.cloud/privkey.pem
  Certificate Name: kniese-schankanlagentechnik.de
    Domains: kniese-schankanlagentechnik.de
    Expiry Date: 2018-05-27 10:34:28+00:00 (VALID: 12 days)
    Certificate Path: /etc/letsencrypt/live/kniese-schankanlagentechnik.de/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/kniese-schankanlagentechnik.de/privkey.pem
  Certificate Name: tonstudio.filder.cloud
    Domains: tonstudio.filder.cloud
    Expiry Date: 2018-05-27 10:57:07+00:00 (VALID: 12 days)
    Certificate Path: /etc/letsencrypt/live/tonstudio.filder.cloud/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/tonstudio.filder.cloud/privkey.pem

Thanks :slight_smile:


#4

Using the Certbot standalone authenticator while running nginx doesn’t really make sense, unless you run the standalone authenticator on another port and proxy the requests from nginx to Certbot.

If you want to use certonly, then it would make sense to use --authenticator webroot or --authenticator nginx.


#5

Did you install the other certs this way too?
Have you renewed any of them this way?


#6

Did you install the other certs this way too? = YES
Have you renewed any of them this way? = NO


#7

Using --authenticator webroot outputs this error message:

Failed authorization procedure. nextcloud.filder.cloud (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://nextcloud.filder.cloud/.well-known/acme-challenge/ajkW5FEVIj4TgCqD_VprgHm-yP--IyPs6GF9j86Ay1o: "<!DOCTYPE html>
<html class="ng-csp" data-placeholder-focus="false" lang="en" >
        <head data-requesttoken="H0Jv665Ni6CaKT78NplLTI"

Using --authenticator nginx runs into the following error:

Error while running nginx -c /etc/nginx/nginx.conf -t.

nginx: [emerg] open() "/etc/nginx/nginx.conf" failed (2: No such file or directory)
nginx: configuration file /etc/nginx/nginx.conf test failed
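One way to make the webroot authenticator usable behind the reverse proxy, as an added example that is not from the thread: serve the ACME challenge path from a local directory before the catch-all proxy location. The webroot directory /var/www/letsencrypt and the backend address 192.0.2.10 are assumptions; the Nextcloud HTML returned in the error above is what you would expect when the challenge request is forwarded to the backend instead of served locally.

```nginx
# Added example (not from the thread). Serve ACME HTTP-01 challenges locally
# on port 80 and proxy everything else to the Nextcloud backend.
# The webroot path and the backend address are assumptions.
server {
    listen 80;
    server_name nextcloud.filder.cloud;

    # Must come before "location /" (and before any redirect to HTTPS):
    # certbot --webroot -w /var/www/letsencrypt writes the token file here,
    # and Let's Encrypt fetches it over plain HTTP on port 80.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
        default_type text/plain;
    }

    # Everything else goes to the backend (assumed address).
    location / {
        proxy_pass http://192.0.2.10;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

After `nginx -t` passes and nginx is reloaded, `certbot-auto certonly --webroot -w /var/www/letsencrypt -d nextcloud.filder.cloud` records `authenticator = webroot` in the renewal conf, so later `renew` runs need no port change.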

#8

FIXED IT! :smiley:

I have created a symbolic link from /usr/local/etc/nginx to /etc/nginx and got certbot to create a new cert with:

./certbot-auto certonly --nginx -d nextcloud.filder.cloud

Thanks for your help


#9

In the /etc/letsencrypt/renewal/<your cert name>.conf, what do the lines

authenticator = standalone
installer = None

stand for?


#10

The file basically records the last method used to get a cert for any future renewals.
But you originally used a combination that isn’t suited for automated renewals.
It should be updated now to your most current cert retrieval.
Show the new contents:
cat /etc/letsencrypt/renewal/nextcloud.filder.cloud.conf
We should see that both of those lines have changed.
You should then be able to update the other renewal conf files with those new settings; so that they will renew without much effort when they are up for renewal.
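A small POSIX sh audit that applies the advice above to every renewal conf at once, as an added example (not from the thread or from certbot): it reads the [renewalparams] section and flags the standalone/None combination from post #3, which cannot renew unattended while nginx holds port 443. The default RENEWAL_DIR is certbot's standard path; override it to audit a copy elsewhere.

```shell
#!/bin/sh
# Added example, not from the thread. Audit certbot renewal confs for a
# recorded method that cannot renew unattended next to a running nginx.
RENEWAL_DIR="${RENEWAL_DIR:-/etc/letsencrypt/renewal}"

# Print one key's value from the [renewalparams] section of a conf,
# or "unset" if the key is absent from that section.
renewal_param() {
    conf="$1"; key="$2"
    awk -v k="$key" '
        /^\[/ { in_params = ($0 == "[renewalparams]"); next }
        in_params && $0 ~ ("^" k "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, ""); gsub(/[ \t]+$/, "")
            print; found = 1; exit
        }
        END { if (!found) print "unset" }
    ' "$conf"
}

# Classify one conf: prints "ok: ..." or "needs-fix: ..." and returns
# 1 when the recorded authenticator cannot run while nginx owns port 443.
audit_renewal_conf() {
    conf="$1"
    auth=$(renewal_param "$conf" authenticator)
    inst=$(renewal_param "$conf" installer)
    case "$auth" in
        standalone)
            echo "needs-fix: $conf uses standalone (port 443 is held by nginx)"
            return 1 ;;
        manual)
            echo "needs-fix: $conf uses manual (interactive, not automatable)"
            return 1 ;;
        webroot|nginx|apache)
            echo "ok: $conf authenticator=$auth installer=$inst"
            return 0 ;;
        *)
            echo "needs-fix: $conf has unknown authenticator '$auth'"
            return 1 ;;
    esac
}

# Audit every conf in RENEWAL_DIR; returns 1 if any conf needs attention.
audit_all() {
    bad=0
    for f in "$RENEWAL_DIR"/*.conf; do
        [ -e "$f" ] || continue
        audit_renewal_conf "$f" || bad=$((bad + 1))
    done
    [ "$bad" -eq 0 ]
}

if [ "${1:-}" = "--run" ]; then audit_all; fi
```

Run it as `sh audit.sh --run` on the proxy; any conf reported as needs-fix should be re-issued with `--nginx` or `--webroot` so the conf records an automatable method.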


#11

For what it’s worth, you can also use “--nginx-server-root /usr/local/etc/nginx”.


#12

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.