I’m getting a renew failure of my certificate.
My server is configured correctly because I can verify access to the acme-challenge folder with this curl command:
curl http://reportbase.com/.well-known/acme-challenge/a.jpg
Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for reportbase.com
Waiting for verification…
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/reportbase.com.conf produced an unexpected error: Failed authorization procedure. reportbase.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://reportbase.com/.well-known/acme-challenge/64HvQ55fQUoChlIFPMyeJ2DemhuM2mjntB2_Xy4ccJ8: "
404 Not Found
404 Not Found
". Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/reportbase.com/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:
rg305
July 15, 2017, 9:47pm
2
wget http://reportbase.com/.well-known/acme-challenge/a.jpg
--2017-07-15 17:46:01-- http://reportbase.com/.well-known/acme-challenge/a.jpg
Resolving reportbase.com (reportbase.com)... 206.196.115.56
Connecting to reportbase.com (reportbase.com)|206.196.115.56|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://reportbase.com/.well-known/acme-challenge/a.jpg [following]
--2017-07-15 17:46:01-- https://reportbase.com/.well-known/acme-challenge/a.jpg
Connecting to reportbase.com (reportbase.com)|206.196.115.56|:443... connected.
ERROR: cannot verify reportbase.com's certificate, issued by 'CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US':
Issued certificate has expired.
To connect to reportbase.com insecurely, use `--no-check-certificate'.
rg305
July 15, 2017, 9:49pm
3
reportbase:
http-01 challenge
For simple/straight http challenges, you should probably exclude /.well-known/ from the HTTPS redirection.
Not sure what you mean by excluding /.well-known.
I can get the acme-challenge folder from the browser like this:
http://reportbase.com/.well-known/acme-challenge/a.jpg
Here is my nginx config:
server
{
    listen 80;
    listen [::]:80;
    server_name reportbase.com;
    return 301 https://$host$request_uri;
}
server
{
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    ssl_certificate /etc/letsencrypt/live/reportbase.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/reportbase.com/privkey.pem;
    server_name reportbase.com;
    root /srv/http/reportbase.com;
    location /icons/
    {
        root /srv/http;
    }
    location /js/
    {
        root /srv/http;
    }
    location /.well-known/acme-challenge
    {
        allow all;
        root /srv/http;
        default_type "text/plain";
        try_files $uri =404;
    }
    location /
    {
        proxy_pass http://reportbase.com:3999;
    }
}
Here is my error message:
Attempting to renew cert from /etc/letsencrypt/renewal/reportbase.com.conf produced an unexpected error: Failed authorization procedure. reportbase.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://reportbase.com/.well-known/acme-challenge/oyr9QAeppy5mPWIRkuQK0odcmU3SzRAjw_8wI_y3S44 :
Thanks so much.
jsha
July 16, 2017, 12:16am
5
Can you tell us what plugin you are using (Apache, nginx, manual, standalone, etc)?
nginx Standalone. Vanilla nginx setup.
hi @reportbase
I can see you are doing a redirection from HTTP to HTTPS.
The only issue I can see with that is that your certificate expired. I can view your image with a browser if I ignore SSL errors.
I am not sure how boulder deals with expired certs (if it ignores them or if the connection fails), but it should follow the 301 redirects.
I would suggest turning off the HTTP to HTTPS redirection temporarily and seeing if the challenge passes, and then turning it back on.
Andrei
jsha
July 16, 2017, 1:22am
8
Does that mean you are using the standalone plugin (--save) with nginx? Can you send us the exact command line you ran originally?
What command?
I run it with systemd like this:
systemctl restart nginx
That's all I do to start nginx. I don't know what standalone is.
Turning off the http to https redirect did not fix it either.
jsha
July 16, 2017, 3:02am
10
No, I mean what is your Certbot command? Since this is a renewal, it's possible you don't remember; if so, share /etc/letsencrypt/HOSTNAME/renewal.conf
# renew_before_expiry = 30 days
version = 0.13.0
archive_dir = /etc/letsencrypt/archive/reportbase.com
cert = /etc/letsencrypt/live/reportbase.com/cert.pem
privkey = /etc/letsencrypt/live/reportbase.com/privkey.pem
chain = /etc/letsencrypt/live/reportbase.com/chain.pem
fullchain = /etc/letsencrypt/live/reportbase.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = webroot
installer = None
account = 74f43f88696303e4e85aa1777aa18114
webroot_path = /srv/http/reportbase.com,
[[webroot_map]]
reportbase.com = /srv/http/reportbase.com
rg305
July 16, 2017, 4:40am
12
Try this:
server
{
    listen 80;
    listen [::]:80;
    server_name reportbase.com;
    location /.well-known/acme-challenge
    {
        allow all;
        root /srv/http;
        default_type "text/plain";
        try_files $uri =404;
    }
    return 301 https://$host$request_uri;
}
I changed the root path.
I made my nginx paths match up with the paths in this file:
/etc/letsencrypt/HOSTNAME/renewal.conf
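The mismatch the thread ends on (certbot's webroot plugin writing the token under `/srv/http/reportbase.com/.well-known/acme-challenge/` while the nginx `location` had `root /srv/http`, so nginx looked one directory higher and returned 404) can be caught before a renewal runs. The check below is an added example, not code from the thread, certbot or nginx; it assumes non-nested `location` blocks, uses a placeholder `TOKEN`, and the config and renewal.conf strings are constructed from what was posted (the `proxy_pass` address is made up).

```python
"""Check that nginx serves /.well-known/acme-challenge/<token> from the same
directory certbot's webroot plugin writes it to (added example, constructed)."""
from __future__ import annotations
import re

ACME_PREFIX = "/.well-known/acme-challenge"
# Assumes non-nested location blocks, which is all the configs in this thread use.
LOCATION_RE = re.compile(r"location\s+(\S+)\s*\{([^{}]*)\}")
ROOT_RE = re.compile(r"^\s*root\s+(\S+?)\s*;", re.M)

def served_path(server_block: str, uri: str) -> str | None:
    """Filesystem path nginx resolves `uri` to: the longest matching prefix
    location wins, and a location without its own `root` inherits the server
    root. `root` (unlike `alias`) appends the *whole* URI to the directory."""
    best_prefix, best_root = None, None
    for prefix, body in LOCATION_RE.findall(server_block):
        if uri.startswith(prefix) and (best_prefix is None or len(prefix) > len(best_prefix)):
            m = ROOT_RE.search(body)
            best_prefix, best_root = prefix, (m.group(1) if m else None)
    if best_root is None:  # no location root: fall back to the server-level root
        m = ROOT_RE.search(LOCATION_RE.sub("", server_block))
        best_root = m.group(1) if m else None
    return None if best_root is None else best_root.rstrip("/") + uri

def certbot_path(renewal_conf: str, domain: str, token: str) -> str | None:
    """Where certbot's webroot plugin writes the token: the [[webroot_map]]
    entry for `domain` plus /.well-known/acme-challenge/<token>."""
    m = re.search(rf"^\s*{re.escape(domain)}\s*=\s*(\S+)\s*$", renewal_conf, re.M)
    return None if m is None else m.group(1).rstrip("/") + ACME_PREFIX + "/" + token

def webroot_matches(server_block: str, renewal_conf: str, domain: str) -> bool:
    token = "TOKEN"  # placeholder; the real token is random per challenge
    uri = ACME_PREFIX + "/" + token
    return served_path(server_block, uri) == certbot_path(renewal_conf, domain, token)

# Constructed from the renewal.conf and nginx config posted in the thread.
RENEWAL_CONF = """[renewalparams]
authenticator = webroot
[[webroot_map]]
reportbase.com = /srv/http/reportbase.com
"""
BROKEN = """server {
    server_name reportbase.com;
    root /srv/http/reportbase.com;
    location /.well-known/acme-challenge { root /srv/http; try_files $uri =404; }
    location / { proxy_pass http://127.0.0.1:3999; }
}"""
# The fix the thread ends on: make the challenge location's root equal the webroot.
FIXED = BROKEN.replace("{ root /srv/http;", "{ root /srv/http/reportbase.com;")
```

`webroot_matches(BROKEN, ...)` returns False and `webroot_matches(FIXED, ...)` returns True; `certbot renew --dry-run` against the staging environment is the end-to-end confirmation once the paths agree.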
system
Closed
August 15, 2017, 7:08pm
16
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.