Hello, I have migrated my Wordpress sites to a new host, Digital Ocean. I migrated my certs and config over from the old host. The sites are working and the old SSL certs still have remaining days, but renewal is failing. I have tried to keep everything the same from the old host other than changing the A Record. I run ufw and crowdsec on this host. I have tried disabling both, but the issue persists. Any help is greatly appreciated.
My domain is: clarkcc.com
I ran this command: renew --dry-run -v --cert-name clarkcc.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/clarkcc.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate is due for renewal, auto-renewing...
Could not parse file: /etc/nginx/conf.d/crowdsec_nginx.conf due to Expected stringEnd, found 'i' (at char 150), (line:4, col:1)
Plugins selected: Authenticator nginx, Installer nginx
Simulating renewal of an existing certificate for clarkcc.com and www.clarkcc.com
Performing the following challenges:
http-01 challenge for clarkcc.com
http-01 challenge for www.clarkcc.com
Waiting for verification...
Challenge failed for domain clarkcc.com
Challenge failed for domain www.clarkcc.com
http-01 challenge for clarkcc.com
http-01 challenge for www.clarkcc.com
Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: clarkcc.com
Type: unauthorized
Detail: 104.248.122.58: Invalid response from https://clarkcc.com/.well-known/acme-challenge/TSBeaWKyHhfrLUMA6UjYN95rxtS1sj2s_VxQfhKr860: 404
Domain: www.clarkcc.com
Type: unauthorized
Detail: 104.248.122.58: Invalid response from https://clarkcc.com/.well-known/acme-challenge/feEiP5xE5xpLPBVuHMNLRqokrpKaFB3JIo8VNKgMY64: 404
Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.
Cleaning up challenges
Could not parse file: /etc/nginx/conf.d/crowdsec_nginx.conf due to Expected stringEnd, found 'i' (at char 150), (line:4, col:1)
Failed to renew certificate clarkcc.com with error: Some challenges have failed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All simulated renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/clarkcc.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Running post-hook command: systemctl reload nginx
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
My web server is (include version): Ubuntu 22.04 Server
The operating system my web server runs on is (include version):
My hosting provider, if applicable, is: Digital Ocean
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.21.0
Here is my nginx config at site config...
user zack;
worker_processes 4;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 1024;
multi_accept on;
}
http {
##
# Basic Settings
##
keepalive_timeout 15;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
types_hash_max_size 2048;
server_tokens off;
client_max_body_size 256m;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# SSL Settings
##
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
##
# Sercurity Headers
#
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
add_header X-Xss-Protection "1; mode=block" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "origin-when-cross-origin" always;
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
##
# Gzip Settings
##
gzip on;
# gzip_vary on;
gzip_proxied any;
gzip_comp_level 5;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
##
# Cache Settings
##
fastcgi_cache_key "$scheme$request_method$host$request_uri";
add_header Fastcgi-Cache $upstream_cache_status;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
return 444;
}
}
# Nginx Key Zone
fastcgi_cache_path /var/www/clarkcc.com/cache levels=1:2 keys_zone=clarkcc.com:200m max_size=10g inactive=2h use_temp_path=off;
#fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name clarkcc.com;
ssl_certificate /etc/letsencrypt/live/clarkcc.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/clarkcc.com/privkey.pem;
access_log /var/log/nginx/clarkcc.com.access.log;
error_log /var/log/nginx/clarkcc.com.error.log;
root /var/www/clarkcc.com/;
index index.php;
# Set upload size to 1GB
client_max_body_size 1024m;
## Start Cache (objects not to cache) ##
set $skip_cache 0;
# POST requests and urls with a query string should always go to PHP
if ($request_method = POST) {
set $skip_cache 1;
}
if ($query_string != "") {
set $skip_cache 1;
}
# Don’t cache uris containing the following segments
if ($request_uri ~* "/wp-admin/|/xmlrpc.php|wp-.*.php|/feed/|index.php|sitemap(_index)?.xml") {
set $skip_cache 1;
}
# Don’t use the cache for logged in users or recent commenters
if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in") {
set $skip_cache 1;
}
## End Cache ##
## Cache Static Elements ##
# Caches images, icons, video, audio, HTC, etc.
location ~* \.(?:jpg|jpeg|gif|png|webp|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc|otf|eot|ogg|ogv|woff)$ {
expires max;
add_header Cache-Control "public";
# Comment out these lines if you wish to record access/error logs for static files.
log_not_found off;
access_log off;
}
# Cache CSS and JavaScript.
location ~* \.(?:css|js)$ {
expires 1y;
add_header Cache-Control "public";
}
location ~* \.(txt|xml|js)$ {
expires 8d;
}
location ~* \.(css)$ {
expires 8d;
}
# Block Code Execution in Uploads
location ~* /uploads/.*\.php$ {
return 503;
}
# Prevent Viewing User.ini
location ~ ^/\.user\.ini {
deny all;
}
location ~* \.(flv|ico|avi|mov|ppt|doc|mp3|wmv|wav|mp4|m4v|ogg|webm|aac|eot|ttf|otf|woff|svg)$ {
expires 8d;
}
## Webp
location ~* ^.+\.(png|jpe?g)$ {
add_header Vary Accept;
try_files $uri$webp_suffix $uri =404;
}
location ~* \.(jpg|jpeg|png|gif|swf|webp)$ {
expires 8d;
}
## End Cache Static Elements ##
# Don't use outdated SSLv3 protocol. Protects against BEAST and POODLE attacks.
ssl_protocols TLSv1.2;
## Use secure ciphers
ssl_ciphers EECDH+CHACHA20:EECDH+AES;
ssl_ecdh_curve X25519:prime256v1:secp521r1:secp384r1;
ssl_prefer_server_ciphers on;
## Define the size of the SSL session cache in MBs.
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
## End Security
location ~ ^/\.user\.ini {
deny all;
}
location / {
try_files $uri $uri/ /index.php?$args;
}
location ~ \.php$ {
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/run/php/php8.0-fpm.sock;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_cache clarkcc.com;
fastcgi_cache_valid 60m;
fastcgi_cache_use_stale error timeout updating invalid_header http_500 http_503;
fastcgi_cache_min_uses 1;
fastcgi_cache_lock on;
fastcgi_cache_bypass $skip_cache;
fastcgi_no_cache $skip_cache;
add_header X-FastCGI-Cache $upstream_cache_status;
}
# Trust Builders
location /wp-content/uploads/2022/05/Trust-Builder-Sessions-2022.pdf {
add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
}
location ~* \.(pdf|ppt)$ {
add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name www.clarkcc.com;
ssl_certificate /etc/letsencrypt/live/clarkcc.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/clarkcc.com/privkey.pem;
return 301 https://clarkcc.com$request_uri;
}
server {
listen 80;
listen [::]:80;
server_name clarkcc.com www.clarkcc.com;
return 301 https://clarkcc.com$request_uri;
}