Renewal is failing

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: setpad.ca

I ran this command: certbot renew

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/setpad.ca-0001.conf


Renewing an existing certificate for setpad.ca and 2 more domains

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: setpad.ca
Type: unauthorized
Detail: 141.193.213.10: Invalid response from https://ssl-purchase.wpengine.io/acme-challenge/mq0_e5bw9Ph2CXXl1PWi7uw2_Hm-di4Ok0Z0AbjQn8o: 404

Domain: www.setpad.ca
Type: unauthorized
Detail: 141.193.213.10: Invalid response from https://ssl-purchase.wpengine.io/acme-challenge/abN4VoyL2AbSmOrg45IA4FBQDklF1l5KDEzUSB_ZXIk: 404

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Failed to renew certificate setpad.ca-0001 with error: Some challenges have failed.


All renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/setpad.ca-0001/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

My web server is (include version): nginx/1.10.3

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is: Debian GNU/Linux 9.12 (stretch)

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.27.0

Is this expected?:

Name:      setpad.ca
Addresses: 141.193.213.11
           141.193.213.10
https://ssl-purchase.wpengine.io/acme-challenge/mq0_e5bw9Ph2CXXl1PWi7uw2_Hm-di4Ok0Z0AbjQn8o:

Two completely different FQDNs.
And:

curl -Ii 141.193.213.10
HTTP/1.1 403 Forbidden
Server: cloudflare
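The check made in the reply above (the CA connected to 141.193.213.10 and the challenge was answered under a different FQDN) can be run mechanically over certbot's failure report. This is an added example, not part of the original thread; the function name `triage` and the address 203.0.113.7 (a documentation placeholder standing in for the nginx host's public IP, which the thread does not give) are assumptions.

```python
import re
from urllib.parse import urlsplit

# Failure report copied from the certbot output quoted in the first post.
CERTBOT_OUTPUT = """\
Domain: setpad.ca
Type: unauthorized
Detail: 141.193.213.10: Invalid response from https://ssl-purchase.wpengine.io/acme-challenge/mq0_e5bw9Ph2CXXl1PWi7uw2_Hm-di4Ok0Z0AbjQn8o: 404

Domain: www.setpad.ca
Type: unauthorized
Detail: 141.193.213.10: Invalid response from https://ssl-purchase.wpengine.io/acme-challenge/abN4VoyL2AbSmOrg45IA4FBQDklF1l5KDEzUSB_ZXIk: 404
"""

# One "Domain / Type / Detail" block as certbot prints it for a failed challenge.
BLOCK = re.compile(
    r"Domain:\s*(?P<domain>\S+)\s*\n"
    r"\s*Type:\s*(?P<type>\S+)\s*\n"
    r"\s*Detail:\s*(?P<ip>[0-9a-fA-F.:]+?):\s+Invalid response from\s+"
    r"(?P<url>\S+?):\s+(?P<status>\d{3})\b"
)


def triage(report, server_ips):
    """Return one finding per failed domain, with the reasons it cannot validate here.

    server_ips: public addresses of the machine running certbot (assumed input).
    """
    findings = []
    for m in BLOCK.finditer(report):
        domain = m["domain"].lower()
        responder = urlsplit(m["url"]).hostname
        reasons = []
        if m["ip"] not in server_ips:
            reasons.append("CA connected to an address that is not this server")
        if responder != domain:
            reasons.append("challenge was answered by a different host")
        findings.append({"domain": domain, "ip": m["ip"], "responder": responder,
                         "status": int(m["status"]), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(CERTBOT_OUTPUT, {"203.0.113.7"}):  # placeholder server IP
        print(f["domain"], "->", f["ip"], f["responder"], f["status"], f["reasons"])
```

Any domain that comes back with either reason is not being served by the host running certbot, so renewing it with the nginx authenticator cannot succeed until DNS or the certificate's name list changes.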

Thanks for the quick response.
These are for a new website that was deployed a month ago. Meanwhile, the nginx host with the certificate was moved to "app.setpad.ca". Could this be the problem? I thought the certificate was covering the entire domain setpad.ca.
How can I fix this?

It is difficult to say exactly, I have very little information to work with.
I would "start over".
Remove any certs (and their use) that are no longer needed.
Then obtain (and use) any certs that you now need.


I see. Is there a command that shows me what hosts are currently certified?
I am hoping to have
www.setpad.ca
app.setpad.ca
setpad.ca

When you say "I have very little information to work with", what other information can I provide?

certbot certificates

We are here to help with problems related to certificates [their issuance, use, renewals, etc.]
In order to do so, we must clearly understand the problem, and it should also be within the scope of the forum.
It seems that, in your case, although you have answered all the questions, you haven't clearly defined all the relevant "details", such as:

  • Changes have been made without concern for the sites and certificates in use.
    We are trying to remedy that by removing any unused certs
  • Cloudflare is involved
    This may, or may not, be part of the problem

In other words, the problem is not "renewal is failing", the problem is that the system is trying to renew a site/cert that is no longer being used.

The more we know, the better we are prepared to resolve the issue.


Understood. My apologies. Although these changes were done more than a month ago. As far as I could tell, everything was humming and buzzing correctly. I am sorry that I didn't latch on this when I asked my question this AM.
As my site is currently down, I am rather in a pickle. The most urgent is that I have "app.setpad.ca" back up and running. This is the original host that had the original working certificates and is NOT on cloudflare. It is the same host with simply a different A name.
As you suggest to start over, do I simply run the "certbot" command and go through the script? Are there some gotchas? How long will it take for my host to be accepting https requests again?


Certificates are good for 90 days and will normally only try to renew during the last 30 days [after 2 months of use].
So, it is very possible that was broken a month ago and you are only now seeing that break.

Show the outputs of:
certbot certificates
nginx -T | grep -i certificate


certbot certificates
