Renewal failed (ACME challenge 404)

alex_s · June 28, 2020, 2:43pm

Hi,

I’m running nginx as a proxy webserver in Docker and got certificates using certbot. The certificates are located on my host machine, which nginx Docker accesses using volume binding. I’m getting the following error when I try to renew the certificates on my host machine. Can anybody help? Thanks!

My domain is: services.brandl-nutrition.de

I ran this command: /usr/local/bin/certbot-auto/renew

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/services.brandl-nutrition.de.conf

Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for services.brandl-nutrition.de
Using default addresses 80 and [::]:80 for authentication.
Waiting for verification…
Challenge failed for domain services.brandl-nutrition.de
http-01 challenge for services.brandl-nutrition.de
Cleaning up challenges
Attempting to renew cert (services.brandl-nutrition.de) from /etc/letsencrypt/renewal/services.brandl-nutrition.de.conf produced an unexpected error: Some challenges have failed… Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/services.brandl-nutrition.de/fullchain.pem (failure)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/services.brandl-nutrition.de/fullchain.pem (failure)

1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

The following errors were reported by the server:

Domain: services.brandl-nutrition.de
Type: unauthorized
Detail: Invalid response from
http://services.brandl-nutrition.de/.well-known/acme-challenge/2Iy4wBF0PAQmig5MuhXC4sGAE4uxGVOorduU3NGiLg4
[89.163.209.29]: “\n\n404 Not
Found\n\n

Not Found
\n<p”
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.

My web server is (include version): nginx (served via Docker)

The operating system my web server runs on is (include version): Debian 10 (in Docker)

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 1.5.0

rg305 · June 28, 2020, 5:30pm

Something is wrong with your nginx configuration.
It is serving a cert for wh.brandl-nutrition.de at https://services.brandl-nutrition.de/

Please show the output of:
nginx -t

And then let’s also have a look at the output of:
grep -Eri 'server_name|SSL|listen' /etc/nginx/

alex_s · June 28, 2020, 5:56pm

The main server is running Plesk, but separately I’m serving a Python docker service using another nginx docker container as a reverse proxy

nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

/etc/nginx/fastcgi.conf.default:fastcgi_param SERVER_NAME $server_name;
/etc/nginx/fastcgi_params:fastcgi_param SERVER_NAME $server_name;
/etc/nginx/plesk.conf.d/server.conf.bak: listen 89.163.209.29:80;
/etc/nginx/plesk.conf.d/server.conf.bak: listen [2001:4ba0:babe:2057::]:80 ipv6only=on;
/etc/nginx/plesk.conf.d/server.conf.bak: listen 89.163.209.29:443 ssl;
/etc/nginx/plesk.conf.d/server.conf.bak: ssl_certificate /usr/local/psa/var/certificates/scfc7kaZu;
/etc/nginx/plesk.conf.d/server.conf.bak: ssl_certificate_key /usr/local/psa/var/certificates/scfc7kaZu;
/etc/nginx/plesk.conf.d/server.conf.bak: ssl_client_certificate /usr/local/psa/var/certificates/scf5u43qj;
/etc/nginx/plesk.conf.d/server.conf.bak: listen [2001:4ba0:babe:2057::]:443 ipv6only=on ssl;
/etc/nginx/plesk.conf.d/server.conf.bak: ssl_certificate /usr/local/psa/var/certificates/scfc7kaZu;
/etc/nginx/plesk.conf.d/server.conf.bak: ssl_certificate_key /usr/local/psa/var/certificates/scfc7kaZu;
/etc/nginx/plesk.conf.d/server.conf.bak: ssl_client_certificate /usr/local/psa/var/certificates/scf5u43qj;
/etc/nginx/plesk.conf.d/webmails/brandl-nutrition.de_webmail.conf: listen 89.163.209.29:443 ssl;
/etc/nginx/plesk.conf.d/webmails/brandl-nutrition.de_webmail.conf: server_name “webmail.brandl-nutrition.de”;
/etc/nginx/plesk.conf.d/webmails/brandl-nutrition.de_webmail.conf: server_name “webmail.brandlnutrition.de”;
/etc/nginx/plesk.conf.d/webmails/brandl-nutrition.de_webmail.conf: ssl_certificate /usr/local/psa/var/certificates/scfDANZXZ;
/etc/nginx/plesk.conf.d/webmails/brandl-nutrition.de_webmail.conf: ssl_certificate_key /usr/local/psa/var/certificates/scfDANZXZ;
/etc/nginx/plesk.conf.d/webmails/brandl-nutrition.de_webmail.conf: ssl_client_certificate /usr/local/psa/var/certificates/scfQ2r83r;
/etc/nginx/plesk.conf.d/webmails/brandl-nutrition.de_webmail.conf: listen 89.163.209.29:80;
/etc/nginx/plesk.conf.d/webmails/brandl-nutrition.de_webmail.conf: server_name “webmail.brandl-nutrition.de”;
/etc/nginx/plesk.conf.d/webmails/brandl-nutrition.de_webmail.conf: server_name “webmail.brandlnutrition.de”;
/etc/nginx/plesk.conf.d/server.conf: listen 89.163.209.29:80;
/etc/nginx/plesk.conf.d/server.conf: listen [2001:4ba0:babe:2057::]:80 ipv6only=on;
/etc/nginx/plesk.conf.d/server.conf: listen 89.163.209.29:443 ssl;
/etc/nginx/plesk.conf.d/server.conf: ssl_certificate /usr/local/psa/var/certificates/scfc7kaZu;
/etc/nginx/plesk.conf.d/server.conf: ssl_certificate_key /usr/local/psa/var/certificates/scfc7kaZu;
/etc/nginx/plesk.conf.d/server.conf: ssl_client_certificate /usr/local/psa/var/certificates/scf5u43qj;
/etc/nginx/plesk.conf.d/server.conf: listen [2001:4ba0:babe:2057::]:443 ipv6only=on ssl;
/etc/nginx/plesk.conf.d/server.conf: ssl_certificate /usr/local/psa/var/certificates/scfc7kaZu;
/etc/nginx/plesk.conf.d/server.conf: ssl_certificate_key /usr/local/psa/var/certificates/scfc7kaZu;
/etc/nginx/plesk.conf.d/server.conf: ssl_client_certificate /usr/local/psa/var/certificates/scf5u43qj;
/etc/nginx/uwsgi_params.default:uwsgi_param SERVER_NAME $server_name;
/etc/nginx/scgi_params.default:scgi_param SERVER_NAME $server_name;
/etc/nginx/fastcgi_params.default:fastcgi_param SERVER_NAME $server_name;
/etc/nginx/conf.d/ssl.conf:ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
/etc/nginx/conf.d/ssl.conf:ssl_ciphers EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EECDH+CHACHA20:EDH+AESGCM+AES128:EDH+AESGCM+AES256:EDH+CHACHA20:EECDH+SHA256+AES128:EECDH+SHA384+AES256:EDH+SHA256+AES128:EDH+SHA256+AES256:EECDH+SHA1+AES128:EECDH+SHA1+AES256:EDH+SHA1+AES128:EDH+SHA1+AES256:EECDH+HIGH:EDH+HIGH:AESGCM+AES128:AESGCM+AES256:CHACHA20:SHA256+AES128:SHA256+AES256:SHA1+AES128:SHA1+AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!KRB5:!aECDH:!EDH+3DES;
/etc/nginx/conf.d/ssl.conf:ssl_prefer_server_ciphers on;
/etc/nginx/fastcgi.conf:fastcgi_param SERVER_NAME $server_name;
/etc/nginx/uwsgi_params:uwsgi_param SERVER_NAME $server_name;
/etc/nginx/scgi_params:scgi_param SERVER_NAME $server_name;

rg305 · June 28, 2020, 11:35pm

The output seems to have missed where you handle the “services.brandl-nutrition.de” name.

Please double-check it with, and show the output of, this search:
nginx -T | grep -Ei 'server_name|SSL|listen'

system · July 28, 2020, 11:35pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Renewal failed (ACME challenge 404)

Not Found