Renewal problems - lots of confusion

My domain is: meet.ostroff.xyz

I ran this command: “certbot renew” (with lots of variations)

It produced this output: various inscrutable errors (expanded below)

My web server is (include version): nginx 1.18.0

The operating system my web server runs on is (include version): Gentoo Linux (current kernel 5.6.11)

My hosting provider, if applicable, is: self

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 1.4.0

Hopefully the outcome is just for someone to point me to the Fine Manual I haven’t read (or haven’t read carefully enough…). I’m mainly looking for a sense of direction in troubleshooting, and maybe some suggestions on where exactly my problem is.

All of this started because I was trying to spin up my own jitsi instance. I got nginx and some of the other components installed (but not fully working) before I started with certificates. So, about three months ago, I obtained both staging and production certificates for meet.ostroff.xyz. I don’t know if it was a mistake to use the same domain for both. Anyway, having not gotten jitsi to work, I gave up on this for a while, and that particular PC has been powered off for several weeks. This week I got the emails warning I needed to renew - for both the staging and production certs. I powered up the PC, and tried a simple “certbot renew” and got errors I didn’t quite understand, and apparently hit the 5 tries in an hour limit, which I recognized only when I started adding -v to the certbot line. So - reading up on that error, I figured I needed to get things working with your staging server, but I still got various errors, ending with the warning about not overriding production certs with staging.

So, I have two separate questions. The second (assuming my web server and all IP stuff is actually working correctly) is: how would I test a renew with the staging server? I assume the staging certs are the ones with xxx1.pem in the …/archive/meet.ostroff.xyz folder, as the …/live/meet.ostroff.xyz files all point to the xxx2.pem versions. Does this indicate I should not have used the same domain for both sets of certs? Would I need to temporarily change the live folder to point to the other set of pem files?

The first question is what is the best way to configure nginx to allow me to renew the certs? I’m pretty sure that meet.ostroff.xyz really does point to the public IP of my ISP’s gateway, and I have 80 and 443 IP forwarded to the PC I’m working on. My assumption right now is that because nginx is configured for jitsi (or at least partially so) that certbot’s request for the certs is not getting the correct (or any) response. No proof, but I have a feeling the …/.well-known/ path is getting lost, and not actually being handed off to the acme script.

I think the core of the error is

2020-08-22 19:02:22,584:DEBUG:certbot._internal.reporter:Reporting to user: The following errors were reported by the server:

Domain: meet.ostroff.xyz
Type: connection
Detail: Fetching http://meet.ostroff.xyz/.well-known/acme-challenge/JoVh2zFrrnK8LoRZwRQJYg8OWS4DGqX-8zLyyHRShjg: Server is speaking HTTP/2 over HTTP

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you’re using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.

I’ll be glad to post the full certbot logs and nginx config files, but I don’t want to spam the forum here if someone can just point me to an appropriate example or appropriate docs I might have missed.

Thanks for any suggestions or hints.

1 Like

Open up your nginx config. You probably have a line like this:

listen 80 http2;

Get rid of the http2.

Practically speaking, no clients support HTTP/2 over port 80. Browsers (and the Let’s Encrypt validation servers) only speak HTTP/1.1 on that port.

Once that’s fixed, try:

sudo certbot renew --nginx --dry-run
1 Like
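As an added illustration (not the poster's actual config), here is the mistake the answer describes beside a corrected server layout for the same domain. Certificate paths are the assumed certbot defaults and the webroot directory is an assumption.

```nginx
# BROKEN: http2 on the plaintext listener. Let's Encrypt validators and browsers
# only speak HTTP/1.1 on port 80, so the challenge fetch fails with
# "Server is speaking HTTP/2 over HTTP".
#
#   server {
#       listen 80 http2;
#       listen [::]:80 http2;
#       server_name meet.ostroff.xyz;
#   }

# FIXED: plain HTTP/1.1 on port 80. With "certbot renew --nginx" the nginx
# plugin injects its own temporary challenge location into this block, so
# nothing else is required for renewal.
server {
    listen 80;
    listen [::]:80;
    server_name meet.ostroff.xyz;

    # Only needed when renewing with the webroot plugin instead of --nginx
    # (certbot renew --webroot -w /var/www/letsencrypt). Directory is assumed.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
        default_type "text/plain";
    }

    # Everything else goes to HTTPS. The ^~ location above wins over this
    # prefix, so the redirect never swallows the challenge path.
    location / {
        return 301 https://$host$request_uri;
    }
}

# HTTP/2 is fine on the TLS listener; this is the one the poster left alone.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name meet.ostroff.xyz;

    # Assumed certbot default paths; the "live" symlinks always point at the
    # newest issued certificate, so no edits are needed after a renewal.
    ssl_certificate     /etc/letsencrypt/live/meet.ostroff.xyz/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/meet.ostroff.xyz/privkey.pem;

    # ... jitsi / application locations go here ...
}
```

Check the edited config with `nginx -t`, reload nginx, then confirm with `certbot renew --dry-run` before relying on the real renewal.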

Thank you for the almost instant fix. How did you see past all my blathering? :grinning: There were only two lines with listen and http2. I fixed the one for *:80 and left it on the one with 443. My cert is renewed.

I suppose I don’t really need the staging cert any more, but if I do want to use it for testing, should I just let it expire and get one for a different domain, or do I somehow need a different/testing instance of nginx?

1 Like

For testing, don’t use a separate certificate - use --dry-run. It uses the staging server, but discards the certificate at the end.

1 Like