My domain is: www.rosto.io
I ran this command:
sudo docker run -it --rm \
-v faces_certs:/etc/letsencrypt \
-v faces_certs_data:/data/letsencrypt \
deliverous/certbot \
certonly \
--agree-tos \
--dry-run \
--renew-by-default \
--webroot --webroot-path=/data/letsencrypt \
-d rosto.io -d www.rosto.io
It produced this output:
Saving debug log to /var/letsencrypt/log/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for rosto.io
http-01 challenge for www.rosto.io
Using the webroot path /data/letsencrypt for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. www.rosto.io (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.rosto.io/.well-known/acme-challenge/-EDDkTDQiUDR16q_CcbU5G-KmEq5_IquVvNqlDqHyg0: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body>\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>nginx/1.15.6</ce"
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: www.rosto.io
Type: unauthorized
Detail: Invalid response from
http://www.rosto.io/.well-known/acme-challenge/-EDDkTDQiUDR16q_CcbU5G-KmEq5_IquVvNqlDqHyg0:
"<html>\r\n<head><title>404 Not
Found</title></head>\r\n<body>\r\n<center><h1>404 Not
Found</h1></center>\r\n<hr><center>nginx/1.15.6</ce"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
My web server is (include version): Nginx
The operating system my web server runs on is (include version): Debian Stretch
My hosting provider, if applicable, is: DigitalOcean
I can login to a root shell on my machine (yes or no, or I don’t know): Yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.29.0.dev0
There is already a certificate issued, but I can’t renew it. I am not sure what has changed since I succeeded the first time. Here is some more information I have:
I can access a file in the .well-known/acme-challenge directory, for example https://www.rosto.io/.well-known/acme-challenge/test.txt and https://www.rosto.io/.well-known/acme-challenge/test
Nginx logs when I run the certbot command:
52.29.173.72 - - [02/Feb/2019:21:36:56 +0000] "GET /.well-known/acme-challenge/hbaBGaXKSQrvUHJql-j-0Ke-X5rjUuV0KhTPUiXaheY HTTP/1.1" 301 169 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "-"
52.29.173.72 - - [02/Feb/2019:21:36:56 +0000] "GET /.well-known/acme-challenge/hbaBGaXKSQrvUHJql-j-0Ke-X5rjUuV0KhTPUiXaheY HTTP/1.1" 200 87 "http://rosto.io/.well-known/acme-challenge/hbaBGaXKSQrvUHJql-j-0Ke-X5rjUuV0KhTPUiXaheY" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
2019/02/02 21:36:56 [error] 8#8: *4 open() "/etc/nginx/html/.well-known/acme-challenge/-EDDkTDQiUDR16q_CcbU5G-KmEq5_IquVvNqlDqHyg0" failed (2: No such file or directory), client: 52.29.173.72, server: www.rosto.io, request: "GET /.well-known/acme-challenge/-EDDkTDQiUDR16q_CcbU5G-KmEq5_IquVvNqlDqHyg0 HTTP/1.1", host: "www.rosto.io"
52.29.173.72 - - [02/Feb/2019:21:36:56 +0000] "GET /.well-known/acme-challenge/-EDDkTDQiUDR16q_CcbU5G-KmEq5_IquVvNqlDqHyg0 HTTP/1.1" 404 153 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "-"
13.58.30.69 - - [02/Feb/2019:21:36:56 +0000] "GET /.well-known/acme-challenge/hbaBGaXKSQrvUHJql-j-0Ke-X5rjUuV0KhTPUiXaheY HTTP/1.1" 301 169 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "-"
66.133.109.36 - - [02/Feb/2019:21:36:56 +0000] "GET /.well-known/acme-challenge/hbaBGaXKSQrvUHJql-j-0Ke-X5rjUuV0KhTPUiXaheY HTTP/1.1" 301 169 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "-"
13.58.30.69 - - [02/Feb/2019:21:36:56 +0000] "GET /.well-known/acme-challenge/-EDDkTDQiUDR16q_CcbU5G-KmEq5_IquVvNqlDqHyg0 HTTP/1.1" 404 153 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "-"
2019/02/02 21:36:56 [error] 8#8: *8 open() "/etc/nginx/html/.well-known/acme-challenge/-EDDkTDQiUDR16q_CcbU5G-KmEq5_IquVvNqlDqHyg0" failed (2: No such file or directory), client: 13.58.30.69, server: www.rosto.io, request: "GET /.well-known/acme-challenge/-EDDkTDQiUDR16q_CcbU5G-KmEq5_IquVvNqlDqHyg0 HTTP/1.1", host: "www.rosto.io"
34.213.106.112 - - [02/Feb/2019:21:36:56 +0000] "GET /.well-known/acme-challenge/-EDDkTDQiUDR16q_CcbU5G-KmEq5_IquVvNqlDqHyg0 HTTP/1.1" 404 153 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "-"
2019/02/02 21:36:56 [error] 8#8: *9 open() "/etc/nginx/html/.well-known/acme-challenge/-EDDkTDQiUDR16q_CcbU5G-KmEq5_IquVvNqlDqHyg0" failed (2: No such file or directory), client: 34.213.106.112, server: www.rosto.io, request: "GET /.well-known/acme-challenge/-EDDkTDQiUDR16q_CcbU5G-KmEq5_IquVvNqlDqHyg0 HTTP/1.1", host: "www.rosto.io"
66.133.109.36 - - [02/Feb/2019:21:36:56 +0000] "GET /.well-known/acme-challenge/-EDDkTDQiUDR16q_CcbU5G-KmEq5_IquVvNqlDqHyg0 HTTP/1.1" 404 153 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "-"
2019/02/02 21:36:56 [error] 8#8: *10 open() "/etc/nginx/html/.well-known/acme-challenge/-EDDkTDQiUDR16q_CcbU5G-KmEq5_IquVvNqlDqHyg0" failed (2: No such file or directory), client: 66.133.109.36, server: www.rosto.io, request: "GET /.well-known/acme-challenge/-EDDkTDQiUDR16q_CcbU5G-KmEq5_IquVvNqlDqHyg0 HTTP/1.1", host: "www.rosto.io"
34.213.106.112 - - [02/Feb/2019:21:36:56 +0000] "GET /.well-known/acme-challenge/hbaBGaXKSQrvUHJql-j-0Ke-X5rjUuV0KhTPUiXaheY HTTP/1.1" 301 169 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "-"
13.58.30.69 - - [02/Feb/2019:21:36:57 +0000] "GET /.well-known/acme-challenge/hbaBGaXKSQrvUHJql-j-0Ke-X5rjUuV0KhTPUiXaheY HTTP/1.1" 200 87 "http://rosto.io/.well-known/acme-challenge/hbaBGaXKSQrvUHJql-j-0Ke-X5rjUuV0KhTPUiXaheY" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
66.133.109.36 - - [02/Feb/2019:21:36:57 +0000] "GET /.well-known/acme-challenge/hbaBGaXKSQrvUHJql-j-0Ke-X5rjUuV0KhTPUiXaheY HTTP/1.1" 200 87 "http://rosto.io/.well-known/acme-challenge/hbaBGaXKSQrvUHJql-j-0Ke-X5rjUuV0KhTPUiXaheY" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
34.213.106.112 - - [02/Feb/2019:21:36:57 +0000] "GET /.well-known/acme-challenge/hbaBGaXKSQrvUHJql-j-0Ke-X5rjUuV0KhTPUiXaheY HTTP/1.1" 200 87 "http://rosto.io/.well-known/acme-challenge/hbaBGaXKSQrvUHJql-j-0Ke-X5rjUuV0KhTPUiXaheY" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
Nginx configuration file (I have commented out all the IPv6 references, as I thought they could have been the caveat; it turns out it changed nothing):
upstream rails_app {
    server front:3000;
}

# redirect www.rosto.io to https
server {
    listen 80;
    # listen [::]:80 ipv6only=on;
    # The terminating semicolon was missing on the next line. Without it nginx
    # reads the following "return 301 ..." tokens as extra server names (it only
    # warns about the "$"), so this block never redirects and
    # http://www.rosto.io/.well-known/... is served from the compiled-in default
    # root /etc/nginx/html, which is the 404 seen in the error log above.
    server_name www.rosto.io;
    return 301 https://www.rosto.io$request_uri;
}

# redirect rosto.io to https
server {
    listen 80;
    # listen [::]:80;
    server_name rosto.io;
    return 301 https://www.rosto.io$request_uri;
}

# redirect https://rosto.io to https://www.rosto.io
server {
    listen 443 ssl http2;
    # listen [::]:443 ipv6only=on ssl http2;
    server_name rosto.io;
    return 301 https://www.rosto.io$request_uri;
    # "ssl on" is deprecated since nginx 1.15.0; the ssl parameter on listen above already enables TLS
    ssl on;
    add_header Strict-Transport-Security "max-age=31536000" always;
    ssl_session_cache shared:SSL:20m;
    ssl_session_timeout 10m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "ECDH+AESGCM:ECDH+AES256:ECDH+AES128:!ADH:!AECDH:!MD5;";
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4;
    ssl_certificate /etc/letsencrypt/live/rosto.io/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/rosto.io/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/rosto.io/chain.pem;
    access_log /dev/stdout;
    error_log /dev/stderr info;
}

# handles https://www.rosto.io
server {
    listen 443 ssl http2;
    # listen [::]:443 ssl http2;
    # Same missing semicolon here: "ssl" and "on" were being parsed as server names.
    server_name www.rosto.io;
    ssl on;
    add_header Strict-Transport-Security "max-age=31536000" always;
    ssl_session_cache shared:SSL:20m;
    ssl_session_timeout 10m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "ECDH+AESGCM:ECDH+AES256:ECDH+AES128:!ADH:!AECDH:!MD5;";
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4;
    ssl_certificate /etc/letsencrypt/live/www.rosto.io/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.rosto.io/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/www.rosto.io/chain.pem;
    access_log /dev/stdout;
    error_log /dev/stderr info;

    # images are at most this size
    client_max_body_size 4M;

    # define the public application root
    root /var/www/rosto/public;
    index index.html;

    # define where nginx should write its logs
    access_log /var/www/rosto/log/nginx.access.log;
    error_log /var/www/rosto/log/nginx.error.log;

    # serve static (compiled) assets directly if they exist (for rails production)
    location ~ ^/assets/ {
        gzip_static on;
        expires max;
        add_header Cache-Control public;
    }

    # send non-static file requests to the app server
    location / {
        try_files $uri @rails;
    }

    location @rails {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Ssl on;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_set_header X-Forwarded-Host $host;
        proxy_redirect off;
        proxy_pass http://rails_app;
    }

    # certbot needs either port 80 or 443 open to connect
    location /.well-known/acme-challenge {
        allow all;
        root /data/letsencrypt/;
    }
}
Specific Nginx part of my docker-compose file:
nginx:
  image: nginx:alpine
  depends_on:
    - front
  ports:
    - 80:80
    - 443:443
  volumes:
    - assets:/var/www/rosto/public/assets:ro
    # host directory:container directory -- 'nginx_conf:/etc/nginx/conf.d/'
    # will not work, the ./ prefix is needed here to indicate the origin
    - ./nginx_conf/production:/etc/nginx/conf.d/
    - nginx_logs:/var/www/rosto/log/
    - certs:/etc/letsencrypt
    - certs_data:/data/letsencrypt
  networks:
    - webnet
Result of letsdebug.net: https://letsdebug.net/www.rosto.io/20802
Result of https://crt.sh/?q=www.rosto.io
Any suggestions on how to tackle this problem are welcome. My cert is expiring in 20 days.
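A check for what the http-01 validator actually meets on each port, added here as an example and not part of the original post: this Python snippet parses nginx config text (the embedded excerpt is a constructed cut-down of the posted config, and the directive-word list is my own assumption) and reports, per server block, the listen ports, the server names, whether the block redirects, and whether it carries the acme-challenge location. A directive word or a `$` showing up among the server names is the signature of a missing semicolon after server_name, since nginx only warns about it and keeps running.

```python
import re
# Constructed excerpt of the posted config (no ';' after the first server_name).
SAMPLE_CONF = """server {
    listen 80;
    server_name www.rosto.io
    return 301 https://www.rosto.io$request_uri;
}
server {
    listen 443 ssl http2;
    server_name www.rosto.io;
    location /.well-known/acme-challenge { root /data/letsencrypt/; }
}
"""
TOKEN_RE = re.compile(r'#[^\n]*|"[^"]*"|\'[^\']*\'|[{};]|[^\s{};"\']+')
# Bare words that only make sense as directives, never as host names (assumed list).
DIRECTIVE_WORDS = {"return", "ssl", "listen", "root", "location", "rewrite"}

def parse(text):
    # Tokenise nginx config text into (name, args, children) triples.
    tokens = [t for t in TOKEN_RE.findall(text) if not t.startswith("#")]
    stack, args = [[]], []
    for tok in tokens:
        if tok == ";":                       # simple directive ends
            stack[-1].append((args[0], args[1:], None))
            args = []
        elif tok == "{":                     # block directive opens
            block = []
            stack[-1].append((args[0], args[1:], block))
            stack.append(block)
            args = []
        elif tok == "}":
            stack.pop()
        else:
            args.append(tok)
    return stack[0]

def audit_servers(text):
    """Summarise each server block the way an HTTP-01 validator meets it."""
    report = []
    for name, _, body in parse(text):
        if name == "server":
            names = [h for n, a, _ in body if n == "server_name" for h in a]
            report.append({
                "ports": [a[0] for n, a, _ in body if n == "listen"],
                "names": names,
                # A directive word or "$" among the names means a ';' went missing.
                "swallowed": [h for h in names if h in DIRECTIVE_WORDS or "$" in h],
                "has_return": any(n == "return" for n, _, _ in body),
                "serves_acme": any(n == "location" and a and a[-1].startswith("/.well-known/acme-challenge") for n, a, _ in body),
            })
    return report
```

Run it against the posted config with the semicolons added and the "swallowed" list for the port-80 www block becomes empty while has_return turns true.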