Processing /etc/letsencrypt/renewal/swk.nl.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Simulating renewal of an existing certificate for swk.nl and www.swk.nl
Performing the following challenges:
http-01 challenge for swk.nl
http-01 challenge for www.swk.nl
Waiting for verification...
Challenge failed for domain swk.nl
Challenge failed for domain www.swk.nl
http-01 challenge for swk.nl
http-01 challenge for www.swk.nl
Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: swk.nl
Type: unauthorized
Detail: 136.144.238.184: Invalid response from https://swk.nl/.well-known/acme-challenge/JpV3AQ3BfGP8rpo4CckzT-FK_BiCTqNg02NmY2u34Po: 404
Domain: www.swk.nl
Type: unauthorized
Detail: During secondary validation: 136.144.238.184: Invalid response from https://swk.nl/.well-known/acme-challenge/zFNqf-AY1t2RQb49qru3kX7ggQ3rNuANVtkNJtIGQA4: 404
Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.
Cleaning up challenges
Failed to renew certificate swk.nl with error: Some challenges have failed.
My web server is (include version): nginx version: nginx/1.18.0 (Ubuntu)
The operating system my web server runs on is (include version): Ubuntu 20
My hosting provider, if applicable, is: TransIP
I can login to a root shell on my machine (yes or no, or I don't know): Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.28.0
Hm, weird. For your www subdomain, the validation server returns an error back containing "During secondary validation (...)". This is due to the fact that Let's Encrypt tries to validate the challenge from multiple locations. And "During secondary validation" means the primary validation location is just fine, but at least two of the three secondary validation servers are not OK.
But for some reason this doesn't happen with your apex domain?
Anyway, let's just check the basics for now. Could you please show the output of sudo nginx -T ?
Pinging psg.com [147.28.0.62] with 32 bytes of data:
Reply from 147.28.0.62: bytes=32 time=15ms TTL=53
Reply from 147.28.0.62: bytes=32 time=13ms TTL=53
Reply from 147.28.0.62: bytes=32 time=15ms TTL=53
Reply from 147.28.0.62: bytes=32 time=13ms TTL=53
Ping statistics for 147.28.0.62:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 13ms, Maximum = 15ms, Average = 14ms
I see the multiple IPs [in an overlapping network] and it doesn't make that other IP any less "strange".
It's a "/32" IP [which is strange all on its own] that is within a covered "/24" [making it even stranger].
Thanks for your replies, but unfortunately not. The 404s are logged in our access logs, which means it is not a DNS issue, since the requests are received by Nginx.
Yes, this is the command I ran: sudo certbot renew --dry-run -i nginx -a webroot -w /var/www/certbot
And this is the output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/diepezakken-staging.website-lab.nl.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Simulating renewal of an existing certificate for diepezakken-staging.website-lab.nl
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: diepezakken-staging.website-lab.nl
Type: unauthorized
Detail: 2606:4700:3034::6815:36fd: Invalid response from https://diepezakken-staging.website-lab.nl/.well-known/acme-challenge/Y2CU0RIfyrbj6kOD2zOn842b0qYoWMbw77TAq0AMmFo: 404
Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.
Failed to renew certificate diepezakken-staging.website-lab.nl with error: Some challenges have failed.
This is the server block for diepezakken-staging.website-lab.nl:
# configuration file /etc/nginx/sites-enabled/diepezakken-staging.website-lab.nl:
server {
    index index.html;
    server_name diepezakken-staging.website-lab.nl www.diepezakken-staging.website-lab.nl;
    modsecurity on;
    modsecurity_rules_file /etc/nginx/modsec/main.conf;
    access_log /var/log/nginx/diepezakken-staging.website-lab.access.log;
    error_log /var/log/nginx/diepezakken-staging.website-lab.error.log;
    if ($host = www.diepezakken-staging.website-lab.nl) {
        return 301 https://diepezakken-staging.website-lab.nl$request_uri;
    }
    location / {
        proxy_pass http://127.0.0.1:3101;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_set_header Range "";
        proxy_cache_bypass $http_upgrade;
    }
    listen [::]:443 ssl; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/diepezakken-staging.website-lab.nl/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/diepezakken-staging.website-lab.nl/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
    if ($host = diepezakken-staging.website-lab.nl) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    listen 80;
    listen [::]:80;
    server_name diepezakken-staging.website-lab.nl www.diepezakken-staging.website-lab.nl;
    return 404; # managed by Certbot
}
# configuration file /etc/letsencrypt/options-ssl-nginx.conf:
# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file. Contents are based on https://ssl-config.mozilla.org
ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
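One way the hint above (serve the listed domains' challenge files from the provided --webroot-path) maps onto this server block, as an added example that is not from the thread: it assumes the -w /var/www/certbot path from the renew command and keeps the names, proxy target and certificate paths from the posted config (the modsecurity and log directives are left out for brevity and go back in unchanged). The challenge location sits before the redirect in the :80 block and before the proxy in the :443 block, so the CA's request is answered from the webroot instead of reaching the 404 from the proxied app.

```nginx
server {
    listen 80;
    listen [::]:80;
    server_name diepezakken-staging.website-lab.nl www.diepezakken-staging.website-lab.nl;

    # Serve HTTP-01 tokens from the webroot certbot writes to (-w /var/www/certbot)
    # before any redirect; ^~ keeps regex locations from overriding this prefix.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/certbot;
        default_type "text/plain";
        try_files $uri =404;
    }

    # Everything else still goes to HTTPS on the apex name.
    location / {
        return 301 https://diepezakken-staging.website-lab.nl$request_uri;
    }
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name diepezakken-staging.website-lab.nl www.diepezakken-staging.website-lab.nl;
    ssl_certificate /etc/letsencrypt/live/diepezakken-staging.website-lab.nl/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/diepezakken-staging.website-lab.nl/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    if ($host = www.diepezakken-staging.website-lab.nl) {
        return 301 https://diepezakken-staging.website-lab.nl$request_uri;
    }

    # Same location here: a validator that lands on the HTTPS block (after the
    # redirect, or directly) gets the token from the webroot, not the app's 404.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/certbot;
        default_type "text/plain";
        try_files $uri =404;
    }

    location / {
        proxy_pass http://127.0.0.1:3101;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_set_header Range "";
        proxy_cache_bypass $http_upgrade;
    }
}
```

After editing, run sudo nginx -t && sudo systemctl reload nginx, then repeat the dry-run renew command from the post; the access log should now show a 200 for the .well-known/acme-challenge request instead of a 404.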