Renewal Issues - Unauthorized?

inspired · February 15, 2021, 6:38pm

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: https://in-spired.xyz

I ran this command: certbot renew

It produced this output:

root@localhost:/var/www/in-spired.xyz/.well-known# certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/in-spired.xyz.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer nginx
Renewing an existing certificate for in-spired.xyz and www.in-spired.xyz
Performing the following challenges:
http-01 challenge for in-spired.xyz
http-01 challenge for www.in-spired.xyz
Waiting for verification...
Challenge failed for domain in-spired.xyz
Challenge failed for domain www.in-spired.xyz
http-01 challenge for in-spired.xyz
http-01 challenge for www.in-spired.xyz
Cleaning up challenges
Failed to renew certificate in-spired.xyz with error: Some challenges have failed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/in-spired.xyz/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: in-spired.xyz
   Type:   unauthorized
   Detail: Invalid response from
   https://in-spired.xyz/.well-known/acme-challenge/-u0cowwidemvyvh2cncjyjz5hwtlsvqe743-himoezq/
   [139.162.201.166]: "<!DOCTYPE html>\n<html lang=\"en\">\n<head>\n\n
   <meta charset=\"utf-8\" />\n    <meta
   http-equiv=\"X-UA-Compatible\" content=\"IE=edge\" /"

   Domain: www.in-spired.xyz
   Type:   unauthorized
   Detail: Invalid response from
   https://www.in-spired.xyz/.well-known/acme-challenge/hvbo6ommlsoleypj46cnzsj11x2ejbtiweiaavvik-e/
   [139.162.201.166]: "<!DOCTYPE html>\n<html lang=\"en\">\n<head>\n\n
   <meta charset=\"utf-8\" />\n    <meta
   http-equiv=\"X-UA-Compatible\" content=\"IE=edge\" /"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

My web server is (include version): Nginx 1.18

The operating system my web server runs on is (include version): Ubuntu 20.04

My hosting provider, if applicable, is: Linode

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.12.0

Not really sure what's changed, as I was able to add the certificate fine originally. I'm in a bit of a muddle as I used Run your blog with Ghost, Docker and LetsEncrypt to create the platform, and using docker is kind of confusing me a little bit as to where everything is getting put. If I run certbot renew -a nginx --dry-run it seems to succeed, so I'm unsure why it won't work normally, runs out in 5 days.

Thanks for any help, I really appreciate any time given.

Some additional information.

Nginx Configuration

root@localhost:/var/www/in-spired.xyz/.well-known# cat /etc/nginx/conf.d/default                                                                                                                               
server {                                                                                                                                                                                                       
        listen 80;                                                                                                                                                                                             
        server_name in-spired.xyz;                                                                                                                                                                             
        location /.well-known/ {                                                                                                                                                                               
                root /var/www/in-spired.xyz/.well-known/;                                                                                                                                                      
        }                                                                                                                                                                                                      

        location / {
                return 301 https://$server_name$request_uri;
        }
}
server {
        server_name in-spired.xyz;
        listen 443 ssl;

        location / {
                proxy_pass      http://127.0.0.1:2368;
                proxy_set_header    X-Real-IP $remote_addr;
                proxy_set_header    Host      $http_host;
                proxy_set_header X-Forwarded-Proto https;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        }

        ssl_certificate     /etc/letsencrypt/live/in-spired.xyz/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/in-spired.xyz/privkey.pem;
        ssl on;

}
root@localhost:/var/www/in-spired.xyz/.well-known#

_az · February 15, 2021, 9:57pm

Does this command show any warnings?

sudo nginx -t

Based on how your server behaves I suspect you have some duplicate virtual hosts in nginx.

inspired · February 15, 2021, 10:37pm

Hi,

Thanks for your reply.

This is the response to that command, there doesn't appear to be any issues in my Nginx configuration. I copied it word for word from that blog I've linked when setting it up with Ghost and Docker.

I've only got the "default" site in my Nginx which is my site.

root@localhost:/etc/nginx/sites-enabled# ls -la
total 8
drwxr-xr-x 2 root root 4096 Jan 31 18:09 .
drwxr-xr-x 8 root root 4096 Feb 15 18:30 ..
lrwxrwxrwx 1 root root   34 Jan 31 18:09 default -> /etc/nginx/sites-available/default

_az · February 15, 2021, 10:40pm

Edit: blah, I am blind. It's right there in your original post:

You originally set up this to renew with the webroot authenticator. If you change it to nginx:

certbot renew -a nginx

it should succeed, and permanently save the new authenticator for next time.

inspired · February 15, 2021, 10:47pm

Oh jeez, weeks I've been pulling my hair out over this trying to workout where my docker web root is and fighting with this. Thank you so much

system · March 17, 2021, 10:47pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Certificate Renewal Issue Help	5	423	December 29, 2023
Certificate Renewal Failed Help	23	1622	October 23, 2021
Failed authorizations renew Help	21	1013	January 4, 2021
Failed to renew - Some challenges have failed Help	3	606	January 9, 2022
Problem renewing Help	22	805	October 15, 2023

Renewal Issues - Unauthorized?

Nginx Configuration

Related topics