Renew SSL certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: url hosting

I ran this command: certbot certonly --force-renew -d example.com

It produced this output:
Failed authorization procedure. cashier.amepos.io (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: 139.59.92.90: Invalid response from https://cashier.amepos.io/.well-known/acme-challenge/sFJRvsk1-pnjDTa6kPZnJX1vlakE7vWa00Ty07UQMQk: "\n<html lang="en">\n\n\n <meta charset="utf-8" />\n <link rel="icon" href="/images/amepos-mg.png" />\n <meta n"

IMPORTANT NOTES:

My web server is (include version): Debian 4.19.194-2 (2021-06-21) x86_64 GNU/Linux

The operating system my web server runs on is (include version): digitalocean

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.31.0
The DNS record is correctly set and matches the IP address.

How did you get your certificate the first time around?

Show us /etc/letsencrypt/renewal and the files inside.

And don't use --force-renewal, forget the option even exists, please :smiling_imp:

2 Likes

I use SaltStack with the letsencrypt formula (salt minion state.apply letsencrypt).
Now my website is not secure, so I want to renew the SSL certificate now.
https://cashier.amepos.io/login
Actually SaltStack renews the SSL certificate automatically. I applied the command salt minion state.apply letsencrypt and got the same "failed authorization" error, and running it manually gives the same error.
Please help me out.
/etc/letsencrypt/renewal: I have a cashier.amepos.io.conf file:

archive_dir = /etc/letsencrypt/archive/cashier.amepos.io
cert = /etc/letsencrypt/live/cashier.amepos.io/cert.pem
privkey = /etc/letsencrypt/live/cashier.amepos.io/privkey.pem
chain = /etc/letsencrypt/live/cashier.amepos.io/chain.pem
fullchain = /etc/letsencrypt/live/cashier.amepos.io/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = 775696bf6af5e166cf92ff4bbac791c3
server = https://acme-v02.api.letsencrypt.org/directory
authenticator = webroot
webroot_path = /var/www/html,
[[webroot_map]]
cashier.amepos.io = /var/www/html

Run this command:

certbot renew --nginx --cert-name "cashier.amepos.io"

1 Like

I get this error after running the command certbot renew --nginx --cert-name "cashier.amepos.io":

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/cashier.amepos.io.conf

An error occurred while parsing /etc/letsencrypt/renewal/cashier.amepos.io.conf. The error was Too many flags setting configurators/installers/authenticators 'webroot' -> 'nginx'. Skipping the file.

No renewals were attempted.

Additionally, the following renewal configurations were invalid:
/etc/letsencrypt/renewal/cashier.amepos.io.conf (parsefail)

0 renew failure(s), 1 parse failure(s)

Strange. Your certbot is too old for that, maybe.

Check your nginx config for a root /some/directory; directive (there may be several; find them all):

grep -ir 'root ' /etc/nginx

1 Like

/etc/nginx/scgi_params:scgi_param DOCUMENT_ROOT $document_root;
/etc/nginx/sites-enabled/amechain.conf: root /usr/share/nginx/html;
/etc/nginx/sites-enabled/cashier.amepos.io.conf: root /usr/share/nginx/html;
/etc/nginx/sites-enabled/default: root /var/www/html;
/etc/nginx/sites-enabled/default:# root /var/www/example.com;
/etc/nginx/fastcgi.conf:fastcgi_param DOCUMENT_ROOT $document_root;
/etc/nginx/sites-available/default: root /var/www/html;
/etc/nginx/sites-available/default:# root /var/www/example.com;
/etc/nginx/fastcgi_params:fastcgi_param DOCUMENT_ROOT $document_root;
/etc/nginx/uwsgi_params:uwsgi_param DOCUMENT_ROOT $document_root;

Is your website actually in that directory? That's unusual.

Go with certbot renew --webroot -w /usr/share/nginx/html --cert-name "cashier.amepos.io"

1 Like

No, it's in /etc/nginx/sites-enabled/cashier.amepos.io.conf

That's one of the nginx config files. The files for the website, where are they?

1 Like

The files for the website means the project code, right?

I mean the directory from which nginx serves static files.

1 Like

Okay, it's /var/www/html/index.html

Please show this file:

1 Like

Can I ask what information is needed from the conf file?

Mainly the line that defines root.
But there may also be location statements that affect the challenge request.
And there is also a redirect to HTTPS that might be part of the problem.

1 Like

These don't match:

But it might be the first one because the HTTP site redirects to HTTPS and the HTTPS site uses the shorter root
[just guessing since you haven't shown the files]

1 Like

authenticator: webroot.
webroot-path: /var/www/html
The conf file is in /etc/nginx/sites-enabled/.conf
We have the path of the SSL certificate in the conf file: /etc/letsencrypt/live/domain/fullchain.pem

You fail to show the file(s) and fail to find the problem.
The secrecy is ridiculous.
Maybe someone else can help you - I can't help more without seeing the files that create the problem.

3 Likes

Sorry for the late reply; I will share my nginx file.

server {
    listen 80;
    server_name example.com;

    # every plain-HTTP request, including /.well-known/acme-challenge/, is sent to HTTPS
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.com;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
    ssl_session_tickets off;

    # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
    # ssl_dhparam /etc/nginx/ssl/dhparam;

    # intermediate configuration
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ;
    ssl_prefer_server_ciphers off;

    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
    add_header Strict-Transport-Security "max-age=63072000" always;

    ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;

    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;

    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;

    # everything under /, the challenge path included, is handed to the application backend
    location / {
        include proxy_params;
        proxy_pass http://127.0.0.1:port;
    }

    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }

    access_log /var/log/nginx/example.com.access;
    error_log /var/log/nginx/example.com.error;
}
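The config above redirects every plain-HTTP request to HTTPS and then hands / to proxy_pass, so the HTTP-01 token request is answered by the application instead of by the file certbot drops under /var/www/html, which is exactly the HTML body quoted in the error at the top of the thread. The script below is an added example, not code from the thread or from certbot: it reads the domain-to-webroot map from a renewal conf like the one posted, writes a throwaway token where certbot would, and fetches it the way the CA does, reporting the final URL and the start of the body. RENEWAL_CONF is reduced from the posted file, and local_selftest() uses a temporary directory over file:// so the example runs offline.

```python
import os
import secrets
import tempfile
import urllib.request
from urllib.error import URLError

# Reduced from the renewal conf posted in the thread (certbot writes webroot_path with a trailing comma).
RENEWAL_CONF = """\
[renewalparams]
authenticator = webroot
webroot_path = /var/www/html,
[[webroot_map]]
cashier.amepos.io = /var/www/html
"""

def parse_webroot_map(conf_text):
    """Return {domain: webroot} from the [[webroot_map]] subsection."""
    mapping, in_map = {}, False
    for line in (raw.strip() for raw in conf_text.splitlines()):
        if line.startswith("["):
            in_map = line == "[[webroot_map]]"
        elif in_map and "=" in line:
            domain, path = (s.strip() for s in line.split("=", 1))
            mapping[domain] = path.rstrip(",")
    return mapping

def check_challenge_path(base_url, webroot):
    """Drop a throwaway token where certbot would and fetch it as the CA does (redirects
    followed). Returns (ok, final_url, body_prefix); HTML in the body, as in the thread's
    error, means a redirect or proxy_pass answered instead of the webroot."""
    token = secrets.token_urlsafe(32)
    chal_dir = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(chal_dir, exist_ok=True)
    path = os.path.join(chal_dir, token)
    with open(path, "w") as fh:
        fh.write(token)
    url = f"{base_url}/.well-known/acme-challenge/{token}"
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            body = resp.read(200).decode("utf-8", "replace")
            return body.strip() == token, resp.geturl(), body[:60]
    except URLError as exc:
        return False, url, str(exc)
    finally:
        os.remove(path)  # never leave probe files in the challenge directory

def local_selftest():
    """Offline run over file:// against a temporary webroot: the shape of a good result."""
    with tempfile.TemporaryDirectory() as webroot:
        return check_challenge_path("file://" + webroot, webroot)
```

On the real server, call check_challenge_path("http://" + domain, webroot) for each pair returned by parse_webroot_map() over the actual renewal conf. Until the port-80 server block serves /.well-known/acme-challenge/ from the webroot ahead of the return 301 (a location block matching that prefix), the result will show an https:// final URL and an HTML body prefix rather than the token.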