[solved] Renewing certificate fails for one domain

Devices · January 19, 2017, 4:29pm

When I try to run certbot renew I get this error: https://owncloud.izumi.tv/.well-known/error.txt
As you can see, izumi.tv gets renewed just fine.
But when I run certbot renew --dry-run, the challenge for izumi.tv fails as well.

OS: Fedora server 25
Web server: nginx
owncloud config file: https://izumi.tv/f/owncloud.conf
izumi.tv config file: https://izumi.tv/f/izumissl.conf

As you can see, files from .well-known get served just fine. The challenges do get made since I see these errors in the DEBUG logs:

2017-01-19 16:22:16,902:INFO:certbot.auth_handler:Cleaning up challenges 2017-01-19 16:22:16,906:DEBUG:certbot.plugins.webroot:Removing /var/www/izumi.tv/html/.well-known/acme-challenge/[HASH REMOVED] 2017-01-19 16:22:16,906:DEBUG:certbot.plugins.webroot:Removing /var/www/owncloud/.well-known/acme-challenge/[HASH REMOVED]

.well-known permissions (including SELinux) for Owncloud:
drwxrwxr-x. 2 root nginx unconfined_u:object_r:httpd_sys_rw_content_t:s0 4.0K Jan 19 17:22 .well-known/

.well-known permissions (including SELinux) for izumi.tv:
drwxrwxr-x. 2 root [myusers] system_u:object_r:httpd_sys_content_t:s0 4.0K Jan 19 17:22 .well-known/

These permissions seem to be in order to. At least to me.

Does anyone have any insights as to why the challenge for owncloud.izumi.tv might fail? And perhaps also insights as to why izumi.tv fails when including --dry-run?

serverco · January 19, 2017, 5:16pm

If I try going to owncloud.izumi.tv on port 80 (http) to check for the ,well-known folder I don’t get a http response (I get a binary response ) - have you got something else running on port 80 ?

Devices · January 19, 2017, 5:22pm

running sudo netstat -anp | grep 80 says only nginx is listening on port 80.

tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 25199/nginx: master tcp6 0 0 :::80 :::* LISTEN 25199/nginx: master

serverco · January 19, 2017, 5:28pm

Interesting - is it going through a router or anything which could be routing the traffic elsewhere ?

curl --silent -I http://owncloud.izumi.tv/.well-known/ | hd
00000000  00 00 12 04 00 00 00 00  00 00 03 00 00 00 80 00  |................|
00000010  04 00 01 00 00 00 05 00  ff ff ff 00 00 04 08 00  |................|
00000020  00 00 00 00 7f ff 00 00  00 00 08 07 00 00 00 00  |................|
00000030  00 00 00 00 00 00 00 00  01                       |.........|
00000039

TCM · January 19, 2017, 6:41pm

listen 80 http2;

“HTTP/2 is a binary, rather than text, protocol, making it more compact and efficient”

Edit: Actually reading the nginx manual, I’m not even sure that this would make HTTP non-functional. Hmm.

serverco · January 19, 2017, 9:16pm

Good point. I’m pretty sure ACME requires HTTP not HTTP/2 though - it has to be a plain text response I think.

Devices · January 19, 2017, 9:25pm

I had default_type application/octet-stream; in my nginx.conf which caused the binary output. I removed that line, but then the same error still occurs when trying to renew the cert.

TCM · January 19, 2017, 9:33pm

No, a MIME type doesn’t cause a purely binary output. You’d still see HTTP headers in plaintext. What about the HTTP/2?

Devices · January 19, 2017, 9:42pm

Well that’s the one thing I changed and now you don’t get a binary output anymore. Can’t tell you more than that sadly.

serverco · January 19, 2017, 9:45pm

I still get binary output from http://owncloud.izumi.tv/.well-known/

Devices · January 19, 2017, 9:52pm

You’re right. I tested it on a different file that outputted binary, but didn’t anymore afterwards.

Any idea on how to fix it?

EDIT: I found out why. I missed you guys talking about HTTP2. Once I removed that from the config it worked.

Thanks for the help dudes.

system · February 18, 2017, 10:00pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.