Renewal isn't working [Raspberry Pi 3, Nginx, Certbot]

Hello everyone,

I’m running a Raspberry Pi 3 as a web server since December 2016: Raspbian (‘Jessie’), Nginx, PHP7, MariaDB, DynDNS already set up, ssh enabled, root rights, …

I was able to generate SSL certificates from Let’s Encrypt using certbot last year for these domains:
nx1.benjamintauscher.com (default server)
nx2.benjamintauscher.com

I created configuration files including server blocks at /etc/nginx/sites-available

server {
    listen 80 default_server;
    listen [::]:80 default_server;

    # SSL configuration
    #
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    #
    # Note: You should disable gzip for SSL traffic.
    # See: https://bugs.debian.org/773332
    #
    # Read up on ssl_ciphers to ensure a secure configuration.
    # See: https://bugs.debian.org/765782
    #
    # Self signed certs generated by the ssl-cert package
    # Don't use them in a production server!
    #
    # include snippets/snakeoil.conf;

    ssl_protocols TLSv1.2;
    ssl_ciphers EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
    ssl_prefer_server_ciphers On;

    ssl_certificate /etc/letsencrypt/live/nx1.benjamintauscher.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/nx1.benjamintauscher.com/privkey.pem;

    ssl_trusted_certificate /etc/letsencrypt/live/nx1.benjamintauscher.com/chain.pem;
    ssl_session_cache shared:SSL:128m;

    ssl_stapling on;
    ssl_stapling_verify on;

    # Force https, also on subdomains
    add_header Strict-Transport-Security "max-age=31557600; includeSubDomains";

    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Xss-Protection "1";


    root /var/www/nx1.benjamintauscher.com/html;

    # Add index.php to the list if you are using PHP
    index index.php index.html index.htm index.nginx-debian.html;

    server_name nx1.benjamintauscher.com www.nx1.benjamintauscher.com;

    # ACME http-01 tokens are served from the server-level root above
    location ^~ /.well-known/acme-challenge/ {
            allow all;
    }

    location / {
            # First attempt to serve request as file, then
            # as directory, then fall back to displaying a 404.
            try_files $uri $uri/ =404;
    }

    # pass PHP scripts to FastCGI server
    #
    location ~ \.php$ {
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
    #       include snippets/fastcgi-php.conf;
    #
    #       # With php-fpm (or other unix sockets):
            fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
            fastcgi_index index.php;
            include fastcgi.conf;
    #       # With php-cgi (or other tcp sockets):
    #       fastcgi_pass 127.0.0.1:9000;
    }

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    #location ~ /\.ht {
    #       deny all;
    #}
}

They are identical (except for the subdomains).

The certificate for subdomain nx2 was renewed without any problem – forced renewals worked fine as well. For some reason I’m not able to renew the certs for nx1.

Actually I guess that authentication could be the cause of the problem, but I have no idea why.

There also exists a server block file default in /etc/nginx/sites-available, in the same directory, which is identical to nx1.benjamintauscher.com.

Do you have any idea?

Kind regards,
Ben

What happens when you try to renew it? What's the rest of your Nginx configuration?

Please fill out the fields below so we can help you better.

My domain is:

I ran this command:

It produced this output:

My operating system is (include version):

My web server is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

My domain is: nx1.benjamintauscher.com

I ran this command: sudo certbot renew

It produced this output:

Processing /etc/letsencrypt/renewal/nx1.benjamintauscher.com.conf 
Cert is due for renewal, auto-renewing...
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for nx1.benjamintauscher.com
Waiting for verification...
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/nx1.benjamintauscher.com.conf produced an unexpected error: Failed authorization procedure. nx1.benjamintauscher.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://nx1.benjamintauscher.com/.well-known/acme-challenge/ZGPidlPALYRtmKQ7-JbdaObqcXBXa3S69itWdcgy_QA: "404 Not Found". Skipping.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: nx1.benjamintauscher.com
   Type:   unauthorized
   Detail: Invalid response from
   http://nx1.benjamintauscher.com/.well-known/acme-challenge/ZGPidlPALYRtmKQ7-JbdaObqcXBXa3S69itWdcgy_QA:
   "404 Not Found"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.
 - The following errors were reported by the server:

   Domain: nx1.benjamintauscher.com
   Type:   unauthorized
   Detail: Invalid response from
   http://nx1.benjamintauscher.com/.well-known/acme-challenge/wviLrh2zYVEhwsl57AhzDVbNAFd8jB7hsErXcyZErT0:
   "404 Not Found"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.

My operating system is (include version): Debian 8 (raspberry pi)

My web server is (include version): Nginx 1.10.2

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

Can you be more specific please? What information would be helpful for you?

Best,
Ben

Does anybody have an idea how to solve the problem?

Hello @DerPapst,

Could you please show the content of the files /etc/letsencrypt/renewal/nx1.benjamintauscher.com.conf and /etc/letsencrypt/renewal/nx2.benjamintauscher.com.conf?

Also, create a test file inside .well-known/acme-challenge/ dir and try to get it.

echo "This is a test" > /var/www/nx1.benjamintauscher.com/html/.well-known/acme-challenge/test

Now use your own browser to check that you can get that test file: http://nx1.benjamintauscher.com/.well-known/acme-challenge/test

You can also use curl from command line:

curl -iL http://nx1.benjamintauscher.com/.well-known/acme-challenge/test

Show us the result of previous command.

Cheers,
sahsanu


Hello @sahsanu,

you are awesome!

The [[webroot_map]] parameters for nx1.benjamintauscher.com were not correct. I just re-configured the mapping, and the renewal process worked perfectly fine after that.

Thank you so much for your help!

Best regards,
Ben


Seems like I cheered way too early…

I noticed that the certificate for nx1.benjamintauscher.com is still going to expire at the beginning of March. I repeated sudo certbot renew but still no effect. I also tried sudo certbot renew --force-renew but the result did not change:

Gültigkeitsdauer = Period of validity
Beginnt mit = Beginning
Ablaufdatum = Expiring date 

So maybe something’s still wrong with the renewal conf; here are both files’ contents:

/etc/letsencrypt/renewal/nx1.benjamintauscher.com.conf

# renew_before_expiry = 30 days
version = 0.10.2
cert = /etc/letsencrypt/live/nx1.benjamintauscher.com/cert.pem
privkey = /etc/letsencrypt/live/nx1.benjamintauscher.com/privkey.pem
chain = /etc/letsencrypt/live/nx1.benjamintauscher.com/chain.pem
fullchain = /etc/letsencrypt/live/nx1.benjamintauscher.com/fullchain.pem
archive_dir = /etc/letsencrypt/archive/nx1.benjamintauscher.com

# Options used in the renewal process
[renewalparams]
authenticator = webroot
installer = None
account = 6b3b9b5dc6eb1fc0e8af86301eec0958
[[webroot_map]]
nx1.benjamintauscher.com = /var/www/nx1.benjamintauscher.com/html/
www.nx1.benjamintauscher.com = /var/www/www.nx1.benjamintauscher.com/html/

/etc/letsencrypt/renewal/nx2.benjamintauscher.com.conf

# renew_before_expiry = 30 days
version = 0.10.2
cert = /etc/letsencrypt/live/nx2.benjamintauscher.com/cert.pem
privkey = /etc/letsencrypt/live/nx2.benjamintauscher.com/privkey.pem
chain = /etc/letsencrypt/live/nx2.benjamintauscher.com/chain.pem
fullchain = /etc/letsencrypt/live/nx2.benjamintauscher.com/fullchain.pem
archive_dir = /etc/letsencrypt/archive/nx2.benjamintauscher.com

# Options used in the renewal process
[renewalparams]
authenticator = webroot
installer = None
account = 6b3b9b5dc6eb1fc0e8af86301eec0958
[[webroot_map]]
www.nx2.benjamintauscher.com = /var/www/nx2.benjamintauscher.com/html
nx2.benjamintauscher.com = /var/www/nx2.benjamintauscher.com/html
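The two renewal confs above, together with the server block from the first post, are everything needed to predict whether an http-01 renewal can succeed: certbot writes the challenge token into the directory named in [[webroot_map]], and nginx must serve exactly that directory under /.well-known/acme-challenge/. The script below is an added example (not certbot's, nginx's or any poster's code) that cross-checks the two files statically, the same question @sahsanu's test-file curl answers dynamically. The sample confs and the abbreviated server blocks are constructed from the values in this thread; the parsing is deliberately minimal (a single server block, no nested locations, no alias directive) and those limits are assumptions of the example, not properties of certbot or nginx.

```python
"""Cross-check a certbot renewal conf against the nginx block that answers http-01."""
import os
import re

# Constructed sample: the nx1 renewal conf from the thread, trimmed to what the check reads.
RENEWAL_CONF_NX1 = """\
# renew_before_expiry = 30 days
version = 0.10.2
cert = /etc/letsencrypt/live/nx1.benjamintauscher.com/cert.pem
[renewalparams]
authenticator = webroot
installer = None
[[webroot_map]]
nx1.benjamintauscher.com = /var/www/nx1.benjamintauscher.com/html/
www.nx1.benjamintauscher.com = /var/www/www.nx1.benjamintauscher.com/html/
"""
RENEWAL_CONF_NX2 = RENEWAL_CONF_NX1.replace("nx1", "nx2").replace(
    "/var/www/www.nx2.benjamintauscher.com/html/", "/var/www/nx2.benjamintauscher.com/html")

# Constructed sample: the directives of the nx1 server block that matter for the challenge.
NGINX_BLOCK_NX1 = """\
server {
    listen 80 default_server;
    root /var/www/nx1.benjamintauscher.com/html;
    server_name nx1.benjamintauscher.com www.nx1.benjamintauscher.com;
    location ^~ /.well-known/acme-challenge/ {
            allow all;
    }
    location / {
            try_files $uri $uri/ =404;
    }
}
"""
NGINX_BLOCK_NX2 = NGINX_BLOCK_NX1.replace("nx1", "nx2").replace(" default_server", "")

SECTION = re.compile(r"\[+\s*([^\[\]]+?)\s*\]+")
ACME_LOCATION = re.compile(r"location\s+\^~\s+/\.well-known/acme-challenge/\s*\{(.*?)\}", re.S)


def parse_renewal_conf(text):
    """Return (top-level + [renewalparams] keys, [[webroot_map]] entries)."""
    params, webroot_map, section = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = SECTION.fullmatch(line)
        if header:
            section = header.group(1)
            continue
        key, sep, value = line.partition("=")
        if sep:
            (webroot_map if section == "webroot_map" else params)[key.strip()] = value.strip()
    return params, webroot_map


def nginx_challenge_root(block):
    """Return (server names, directory nginx serves /.well-known/acme-challenge/ from)."""
    names = re.search(r"^\s*server_name\s+([^;]+);", block, re.M)
    server_root = re.search(r"^\s*root\s+([^;\s]+);", block, re.M)
    location = ACME_LOCATION.search(block)
    # A root inside the challenge location wins; without one nginx resolves
    # /.well-known/acme-challenge/<token> under the server-level root.
    location_root = re.search(r"\broot\s+([^;\s]+);", location.group(1)) if location else None
    root = location_root or server_root
    return (names.group(1).split() if names else [], root.group(1) if root else None)


def check_webroot_map(nginx_block, renewal_conf):
    """List (name, reason) pairs for every name whose token nginx would answer with 404."""
    params, webroot_map = parse_renewal_conf(renewal_conf)
    if params.get("authenticator") != "webroot":
        return [("*", "authenticator is %s, not webroot" % params.get("authenticator"))]
    names, root = nginx_challenge_root(nginx_block)
    if root is None:
        return [("*", "no root directive found in the nginx server block")]
    catch_all = re.search(r"^\s*listen\b[^;]*\bdefault_server\b", nginx_block, re.M) is not None
    problems = []
    for name, mapped in webroot_map.items():
        if name not in names and not catch_all:
            problems.append((name, "not in server_name and the block is not default_server"))
        if os.path.normpath(mapped) != os.path.normpath(root):
            problems.append((name, "certbot writes the token to %s but nginx serves %s" % (mapped, root)))
    return problems


if __name__ == "__main__":
    for label, block, conf in (("nx1", NGINX_BLOCK_NX1, RENEWAL_CONF_NX1),
                               ("nx2", NGINX_BLOCK_NX2, RENEWAL_CONF_NX2)):
        problems = check_webroot_map(block, conf)
        print(label, "OK" if not problems else "")
        for name, reason in problems:
            print("  %s: %s" % (name, reason))
```

On the constructed nx1 data the check reports only www.nx1.benjamintauscher.com, whose [[webroot_map]] entry points at /var/www/www.nx1.benjamintauscher.com/html/ while nginx serves the token from /var/www/nx1.benjamintauscher.com/html; trailing slashes are normalised away, so the nx1 entry itself passes. After editing the mapping, `certbot renew --dry-run` exercises the same path against the staging CA without consuming a real issuance.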

Have you restarted / reloaded nginx ? (to use the updated certificates you have obtained)


Hi @DerPapst,

Your certs have been renewed:

CRT ID    DOMAIN (CN)                        VALID FROM             VALID TO                EXPIRES IN  SANs
94636395  nx1.benjamintauscher.com           2017-Feb-19 14:22 CET  2017-May-20 15:22 CEST  88 days     nx1.benjamintauscher.com
94636374  nx1.benjamintauscher.com           2017-Feb-19 14:22 CET  2017-May-20 15:22 CEST  88 days     nx1.benjamintauscher.com
                                                                                                        www.nx1.benjamintauscher.com

Are you sure you have restarted/reloaded your nginx server? If you did, show us the result of these commands:

openssl x509 -in /etc/letsencrypt/live/nx1.benjamintauscher.com/cert.pem -text -noout | grep -E '(Not After|DNS:)'

openssl x509 -in /etc/letsencrypt/live/www.nx1.benjamintauscher.com/cert.pem -text -noout | grep -E '(Not After|DNS:)'

Edit: Oops, I didn’t see the @serverco reply :wink:

Cheers,
sahsanu

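The openssl commands above inspect the files on disk, but the thread's second problem was that nginx kept serving the old certificate until it was reloaded. The script below is an added example (not certbot's, nginx's or any poster's code) that fetches the leaf certificate a host actually presents over TLS and compares its SHA-256 fingerprint with the first certificate in fullchain.pem; a mismatch after a successful renewal means the reload was forgotten. The host name and path default to the thread's nx1 values; the SAMPLE_* strings are constructed stand-ins wrapping arbitrary bytes so the comparison logic can run offline, and are not real certificates.

```python
"""Does the running nginx serve the certificate certbot just renewed?"""
import base64
import hashlib
import socket
import ssl
import sys

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def first_pem_block(text):
    """Return the first certificate in a PEM file (fullchain.pem lists the leaf first)."""
    start = text.index(PEM_HEADER)
    end = text.index(PEM_FOOTER, start) + len(PEM_FOOTER)
    return text[start:end]


def fingerprint(pem_text):
    """Hex SHA-256 over the DER encoding of the first certificate in pem_text."""
    der = ssl.PEM_cert_to_DER_cert(first_pem_block(pem_text))
    return hashlib.sha256(der).hexdigest()


def served_certificate(host, port=443, timeout=5.0):
    """Fetch the leaf certificate the server presents for `host` (with SNI), as PEM."""
    ctx = ssl.create_default_context()
    # Verification is off on purpose: we want the bytes the server sends even
    # when they are expired, because a stale, expired cert is the failure to catch.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return ssl.DER_cert_to_PEM_cert(der)


def compare(on_disk_pem, served_pem):
    """Return both fingerprints and whether the served certificate is the on-disk one."""
    disk, live = fingerprint(on_disk_pem), fingerprint(served_pem)
    return {"on_disk": disk, "served": live, "reloaded": disk == live}


def check_host(host, fullchain_path):
    """Compare the certificate in fullchain_path with what `host` serves on 443."""
    with open(fullchain_path) as f:
        return compare(f.read(), served_certificate(host))


def _fake_pem(payload):
    """Constructed PEM wrapper around arbitrary bytes; not a real certificate."""
    body = base64.encodebytes(payload).decode("ascii")
    return PEM_HEADER + "\n" + body + PEM_FOOTER + "\n"


# Constructed stand-ins so the comparison logic can be exercised offline.
SAMPLE_OLD = _fake_pem(b"constructed: certificate before renewal")
SAMPLE_NEW = _fake_pem(b"constructed: certificate after renewal")
SAMPLE_CHAIN = SAMPLE_NEW + SAMPLE_OLD  # leaf first, like fullchain.pem


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "nx1.benjamintauscher.com"
    path = sys.argv[2] if len(sys.argv) > 2 else "/etc/letsencrypt/live/%s/fullchain.pem" % host
    result = check_host(host, path)
    print(result)
    if not result["reloaded"]:
        print("nginx still serves a different certificate: run 'nginx -t && systemctl reload nginx'")
```

Run it once after `certbot renew` (or add it to a renewal hook); "reloaded": False with a fresh fullchain.pem is exactly the state Ben was in. Comparing fingerprints rather than dates also catches the case where a renewal produced a new key pair but the old certificate is still loaded.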

No, sir! I totally forgot to do that! Sorry, my bad.

Everything worked fine, the certs are all going to expire in exactly 90 days. Thank you very much @serverco and @sahsanu!

