Renewing certificate inside ISP router network

Last time I was able to renew it just fine.
Setup is:
ISP Router WAN IP: 186.32.131.69
ISP Router LAN IP: 192.168.0.1
Port Forwarding: HTTPS 443 -> 443 of Linksys Router IP 192.168.0.10

Linksys Internal Router IP: 192.168.0.10
Linksys Port Forwarding: HTTPS 443 -> RPi 192.168.1.55

RPi runs nginx with this site config:
server {
        listen 80;
        listen [::]:80;
        server_name butler.mydomain.com;
        root /www/butler.mydomain.com;
}

server {
        listen 443 ssl;
        listen [::]:443 ssl;
        server_name butler.mydomain.com;

        ssl_certificate          /etc/letsencrypt/live/butler.mydomain.com/fullchain.pem;
        ssl_certificate_key      /etc/letsencrypt/live/butler.mydomain.com/privkey.pem;

        root /www/butler.mydomain.com;
        index index.php index.html index.htm;
        error_page 404 /404.html;
        error_page 500 502 503 504 /50x.html;

        # Error & Access logs
        error_log /www/butler.mydomain.com/logs/error.log error;
        access_log /www/butler.mydomain.com/logs/access.log;

        location / {
                index index.html index.php;
                proxy_pass http://192.168.1.55:443;
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection 'upgrade';
                proxy_set_header Host $host;
                proxy_cache_bypass $http_upgrade;
        }
}

Now I'm getting this at the renew prompt:

pi@raspberrypi:/etc/nginx/sites-available $ sudo /etc/letsencrypt/certbot-auto renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/butler.mydomain.com.conf

Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for butler.mydomain.com
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (butler.mydomain.com) from /etc/letsencrypt/renewal/butler.mydomain.com.conf produced an unexpected error: Failed authorization procedure. butler.mydomain.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://butler.mydomain.com/.well-known/acme-challenge/gadWzdQNzrHXEwaVNQ2TRo0zpLwrCf1T4uXOxZrRAnc [186.32.131.69]: 404. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/butler.mydomain.com/fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/butler.mydomain.com/fullchain.pem (failure)

1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

Why is it Skipping?

In some places you have butler.santiapps.com, in others you have butler.mydomain.com. I assume you replaced the base domain in some places, and don’t actually own mydomain.com? Otherwise that would be a place to look for mismatches.

The validation server is getting a 404 when asking your Nginx server for the /.well-known file. Possibly it’s not hitting the server you think it is, or possibly the webroot directory in your config is wrong. I’d recommend that you double-check your Nginx logs to see if the request actually hit your server. If it is hitting your server, check the configured webroot directory in /etc/letsencrypt/renewal/butler.mydomain.com.conf and make sure it’s still right.

Also, for the webroot method you’ll need something listening on port 80 and forwarding that to your nginx server as well (not just forwarding port 443).
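The diagnosis above (a 404 for the /.well-known/acme-challenge/ path, and the need for plain HTTP on port 80 to reach the same nginx webroot) can be rehearsed locally before spending another ACME attempt. The following Python script is an added example, not code from this thread, from certbot or from nginx: it reads the [[webroot_map]] from a constructed renewal .conf, drops a random probe token into <webroot>/.well-known/acme-challenge/, and fetches it over plain HTTP the way the validation server would, using a throwaway local http.server as a stand-in for the port-80 vhost. The domain butler.example.com, the sample conf text and the temporary directories are constructed; a correct webroot yields 200 and a mismatched one reproduces the thread's 404.

```python
"""Pre-flight check for certbot's webroot (http-01) renewal.

Parses the [[webroot_map]] of a renewal .conf, writes a probe token under
<webroot>/.well-known/acme-challenge/, and fetches it over plain HTTP. A 404
here means the directory certbot writes to is not the one being served for
that host on port 80 (wrong webroot, or the request never reached nginx).
"""
import os
import secrets
import tempfile
import threading
import urllib.error
import urllib.request
from functools import partial
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer

CHALLENGE_DIR = ".well-known/acme-challenge"

# Constructed sample modelled on the renewal file quoted in the thread
# (butler.example.com is a placeholder domain, not the poster's).
SAMPLE_RENEWAL_CONF = """\
# renew_before_expiry = 30 days
version = 0.16.0
[renewalparams]
authenticator = webroot
installer = None
[[webroot_map]]
butler.example.com = /www/butler.example.com
"""


def parse_webroot_map(conf_text):
    """Return {domain: webroot} from the [[webroot_map]] section.
    Only the key = value lines under that header are needed here."""
    mapping = {}
    in_map = False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_map = line == "[[webroot_map]]"
            continue
        if in_map and "=" in line:
            domain, _, path = line.partition("=")
            mapping[domain.strip()] = path.strip()
    return mapping


def place_probe(webroot):
    """Create a random token file where certbot's webroot plugin would,
    and return (token, absolute path)."""
    token = secrets.token_urlsafe(32)
    challenge_path = os.path.join(webroot, *CHALLENGE_DIR.split("/"))
    os.makedirs(challenge_path, exist_ok=True)
    path = os.path.join(challenge_path, token)
    with open(path, "w") as fh:
        fh.write(token)
    return token, path


def fetch_status(url, timeout=5):
    """HTTP status of a plain GET; non-2xx codes are returned, not raised."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def check_challenge_reachable(base_url, webroot):
    """Place a probe in webroot, fetch it via base_url, clean up.
    Returns (status, token); 200 means the served root matches webroot."""
    token, path = place_probe(webroot)
    try:
        return fetch_status(f"{base_url.rstrip('/')}/{CHALLENGE_DIR}/{token}"), token
    finally:
        os.remove(path)


def serve_webroot(webroot):
    """Throwaway local server on 127.0.0.1 standing in for the nginx
    port-80 vhost; returns (server, base_url)."""
    handler = partial(SimpleHTTPRequestHandler, directory=webroot)
    srv = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def demo():
    """Correct webroot -> 200; a different directory (the thread's
    failure mode) -> 404. Returns (domain, good_status, bad_status)."""
    domain = next(iter(parse_webroot_map(SAMPLE_RENEWAL_CONF)))
    with tempfile.TemporaryDirectory() as served, tempfile.TemporaryDirectory() as other:
        srv, base = serve_webroot(served)
        try:
            good, _ = check_challenge_reachable(base, served)
            bad, _ = check_challenge_reachable(base, other)
        finally:
            srv.shutdown()
    return domain, good, bad


if __name__ == "__main__":
    d, good, bad = demo()
    print(f"{d}: served webroot -> {good}, wrong webroot -> {bad}")
```

To run the same check against a live host, call check_challenge_reachable("http://butler.<domain>", webroot) with the webroot taken from the real renewal file; the request then has to traverse the router's port-80 forward, so a 404 or a timeout there points at the forwarding rather than at nginx.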

Neither port 80 nor 443 is now accessible from the Internet.

Thanks for writing us.
We will respond to you as soon as possible!

Thanks, we will respond as soon as possible!

OK, yeah, I tried to replace the actual domain but I guess I missed some :disappointed:

I don't think it's hitting my server because checking the RPi logs for nginx I get no activity for today.
I checked the butler.santiapps.com.conf file but don't see anything off:

# renew_before_expiry = 30 days
version = 0.16.0
archive_dir = /etc/letsencrypt/archive/butler.santiapps.com
cert = /etc/letsencrypt/live/butler.santiapps.com/cert.pem
privkey = /etc/letsencrypt/live/butler.santiapps.com/privkey.pem
chain = /etc/letsencrypt/live/butler.santiapps.com/chain.pem
fullchain = /etc/letsencrypt/live/butler.santiapps.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = webroot
installer = None
account = be4f74hfkd929g4e5ce
[[webroot_map]]
butler.santiapps.com = /www/butler.santiapps.com

What do you mean by needing something for port 80 on the webroot method?

Never mind, I got it. I had my Linksys router port forwarding HTTP 80 to one place and HTTPS 443 to another. At the same time that I was trying to renew the SSL cert on 443 by forwarding it to the RPi nginx, I was also trying out an Arduino WiFi shield's remote access, which required me to forward HTTP 80 to the WiFi shield.

I guess I can't do both at the same time :slight_smile:
