Hallo community,
I have the b.m. issue only randomly, meaning I found a workaround for it when it appears, but it always requires manual intervention, which is really annoying. My configuration:
- nginx server with reverse proxy on a virtual machine: radulov.net, www.radulov.net - receives all port 80 and 443 requests from the router
- apache server on another virtual machine: cloud.radulov.net
- two Raspberry Pi stations with nginx: pi1.radulov.net, pi2.radulov.net
All were configured with Let's Encrypt, and at the beginning everything worked as expected. First I noticed that one Pi had an expired certificate, which obviously was not automatically renewed. I tried a manual renewal, which didn't work either (see error below). The only workaround I found was to delete the certificates, comment out the changes made by certbot in the nginx config files (Pi and proxy), and then do a "fresh" certificate installation.
The weird thing is that after a fresh install, --dry-run and --force-renew work without the b.m. error, but after some (undefined) time it just stops and gives the error below, and then only the workaround works.
This issue occurs only with the two Raspberries; with the cloud server, for example, it was never the case.
First I thought I had made some configuration change without noticing, but it has already happened a few times and with both Raspberries, so I am a bit annoyed at doing the manual delete-reinstall workaround.
Currently the pi1 station is OK (after the workaround); the pi2 station gives the b.m. error. Both Pis have the same configuration.
My domain is: pi2.radulov.net
I ran this command: sudo certbot renew --dry-run
It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Processing /etc/letsencrypt/renewal/pi2.radulov.net.conf
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for pi2.radulov.net
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (pi2.radulov.net) from /etc/letsencrypt/renewal/pi2.radulov.net.conf produced an unexpected error: Failed authorization procedure. pi2.radulov.net (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://pi2.radulov.net/.well-known/acme-challenge/YjgIqEVdGzB_RIKOg-ONdV_g0_O7zhC8MN9dUNSftd4 [80.108.240.176]: "\n404 Not Found\nNot Found
\nThe requested URL was". Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/pi2.radulov.net/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/pi2.radulov.net/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)
1 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:
The following errors were reported by the server:
Domain: pi2.radulov.net
Type: unauthorized
Detail: Invalid response from
https://pi2.radulov.net/.well-known/acme-challenge/YjgIqEVdGzB_RIKOg-ONdV_g0_O7zhC8MN9dUNSftd4
[80.108.240.176]: "\n404 Not Found\nNot Found\nThe requested URL was"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
My web server is (include version): nginx
The operating system my web server runs on is (include version): debian (proxy) and raspbian (pi)
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.31.0
nginx proxy config:
server {
    server_name pi2.radulov.net;
    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host $host;
        proxy_pass https://192.168.0.116:443;
    }
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/pi2.radulov.net/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/pi2.radulov.net/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
    if ($host = pi2.radulov.net) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    listen 80;
    server_name pi2.radulov.net;
    return 404; # managed by Certbot
}
raspberry nginx config:
server {
    server_name pi2.radulov.net;
    location / {
        include uwsgi_params;
        uwsgi_pass unix:/var/www/pi2.radulov.net/rasp2.sock;
    }
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/pi2.radulov.net/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/pi2.radulov.net/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
    if ($host = pi2.radulov.net) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    listen 80;
    server_name pi2.radulov.net;
    return 404; # managed by Certbot
}
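A pre-flight check for the HTTP-01 path this thread is about, added here as example code (not the poster's and not part of certbot): it requests /.well-known/acme-challenge/<token> the way the CA does, starting on plain HTTP and following any 301 to HTTPS, and reports the status and body of whatever server finally answered, so a 404 from the application behind the proxy can be told apart from a challenge handler that is in place. The token, key authorization and the local mock server are constructed stand-ins so the check runs offline; point `check_challenge` at a real hostname to use it for real.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
ACME_PATH = "/.well-known/acme-challenge/"

def fetch(url, timeout=10):
    """GET url, following redirects as the ACME validator does for HTTP-01.
    Returns (status, final_url, first 200 bytes of the body)."""
    req = urllib.request.Request(url, headers={"User-Agent": "acme-preflight/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.geturl(), resp.read(200).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # 4xx/5xx: keep the body, it names the responder
        return err.code, err.geturl(), err.read(200).decode("utf-8", "replace")

def check_challenge(host, token, expected, port=None):
    """Start on plain HTTP like the CA does; a 301 to https:// is followed, so the
    verdict reflects whichever server block ends up answering."""
    netloc = host if port is None else f"{host}:{port}"
    status, final, body = fetch(f"http://{netloc}{ACME_PATH}{token}")
    if status == 200 and body.strip() == expected:
        return f"ok: {final} served the key authorization"
    if status == 200:
        return f"fail: {final} answered 200 with the wrong body: {body[:60]!r}"
    return f"fail: {final} returned {status}: {body[:60]!r}"  # 404 = nothing handled the path

# Constructed stand-in for the web server so the check runs offline; the token and
# key authorization are made-up values, not anything certbot produced.
TOKEN = "exampleToken_constructed"
KEY_AUTHZ = TOKEN + ".thumbprint_constructed"

class _Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path == ACME_PATH + TOKEN:   # a challenge handler is in place
            status, body = 200, KEY_AUTHZ.encode()
        else:                                 # request fell through to the application
            status, body = 404, b"404 Not Found\nThe requested URL was not found on the server."
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output clean
        pass

def start_mock_server():
    """Bind a throwaway server on 127.0.0.1 (ephemeral port) and return the port."""
    srv = HTTPServer(("127.0.0.1", 0), _Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_port
```

Run `check_challenge("127.0.0.1", TOKEN, KEY_AUTHZ, port=start_mock_server())` for the passing case and swap in an unknown token to see the 404 verdict with the responder's body quoted.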