SSL certificate renew failing

Summary:
I set up a Ghost droplet on DigitalOcean a few months ago to host my blog at ev.terminusfoundry.com. After expiry, the system has failed to renew the cert (even though Ghost is supposed to do that). I switched from GoDaddy to Namecheap, and have populated the A record for ev to point to the DigitalOcean droplet. For the first three months, SSL was working fine, and I was able to access the site no problem. I dove in to try to manually refresh the cert, but am getting errors and don't know what to do now. I'm pretty sure the problem is related to this line:

[Wed Jul 28 14:29:39 UTC 2021] ev.terminusfoundry.com:Verify error:Invalid response from http://ev.terminusfoundry.com/.well-known/acme-challenge/FggxNLoZcazX1dvFEoCms3Uvy_UDyzFP7GT1ARNjfpo [206.189.228.217]

Note that I also have a blog hosted at sec.terminusfoundry.com, and that one works fine still.


My domain is: ev.terminusfoundry.com

I ran this command: /etc/letsencrypt/acme.sh --force --renew --home /etc/letsencrypt --domain ev.terminusfoundry.com --webroot /var/www/ghost/system/nginx-root --reloadcmd "nginx -s reload" --accountemail my@email.com --log

It produced this output in the logs:

[Wed Jul 28 14:29:34 UTC 2021] Running cmd: renew
[Wed Jul 28 14:29:34 UTC 2021] Using config home:/etc/letsencrypt
[Wed Jul 28 14:29:35 UTC 2021] default_acme_server
[Wed Jul 28 14:29:35 UTC 2021] ACME_DIRECTORY='https://acme.zerossl.com/v2/DV90'
[Wed Jul 28 14:29:35 UTC 2021] DOMAIN_PATH='/etc/letsencrypt/ev.terminusfoundry.com'
[Wed Jul 28 14:29:35 UTC 2021] Renew: 'ev.terminusfoundry.com'
[Wed Jul 28 14:29:35 UTC 2021] Le_API='https://acme-v02.api.letsencrypt.org/directory'
[Wed Jul 28 14:29:35 UTC 2021] Using config home:/etc/letsencrypt
[Wed Jul 28 14:29:35 UTC 2021] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[Wed Jul 28 14:29:35 UTC 2021] _init api for server: https://acme-v02.api.letsencrypt.org/directory
[Wed Jul 28 14:29:35 UTC 2021] Retrying GET
[Wed Jul 28 14:29:35 UTC 2021] GET
[Wed Jul 28 14:29:35 UTC 2021] url='https://acme-v02.api.letsencrypt.org/directory'
[Wed Jul 28 14:29:35 UTC 2021] timeout=
[Wed Jul 28 14:29:35 UTC 2021] displayError='1'
[Wed Jul 28 14:29:35 UTC 2021] _CURL='curl --silent --dump-header /etc/letsencrypt/http.header  -L  -g '
[Wed Jul 28 14:29:35 UTC 2021] ret='0'
[Wed Jul 28 14:29:35 UTC 2021] _hcode='0'
[Wed Jul 28 14:29:35 UTC 2021] ACME_KEY_CHANGE='https://acme-v02.api.letsencrypt.org/acme/key-change'
[Wed Jul 28 14:29:35 UTC 2021] ACME_NEW_AUTHZ
[Wed Jul 28 14:29:35 UTC 2021] ACME_NEW_ORDER='https://acme-v02.api.letsencrypt.org/acme/new-order'
[Wed Jul 28 14:29:35 UTC 2021] ACME_NEW_ACCOUNT='https://acme-v02.api.letsencrypt.org/acme/new-acct'
[Wed Jul 28 14:29:35 UTC 2021] ACME_REVOKE_CERT='https://acme-v02.api.letsencrypt.org/acme/revoke-cert'
[Wed Jul 28 14:29:35 UTC 2021] ACME_AGREEMENT='https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf'
[Wed Jul 28 14:29:35 UTC 2021] ACME_NEW_NONCE='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
[Wed Jul 28 14:29:35 UTC 2021] _main_domain='ev.terminusfoundry.com'
[Wed Jul 28 14:29:35 UTC 2021] _alt_domains='no'
[Wed Jul 28 14:29:35 UTC 2021] Using ACME_DIRECTORY: https://acme-v02.api.letsencrypt.org/directory
[Wed Jul 28 14:29:35 UTC 2021] _init api for server: https://acme-v02.api.letsencrypt.org/directory
[Wed Jul 28 14:29:35 UTC 2021] Le_NextRenewTime='1624050639'
[Wed Jul 28 14:29:35 UTC 2021] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Wed Jul 28 14:29:35 UTC 2021] _on_before_issue
[Wed Jul 28 14:29:35 UTC 2021] _chk_main_domain='ev.terminusfoundry.com'
[Wed Jul 28 14:29:35 UTC 2021] _chk_alt_domains
[Wed Jul 28 14:29:35 UTC 2021] Le_LocalAddress
[Wed Jul 28 14:29:35 UTC 2021] d='ev.terminusfoundry.com'
[Wed Jul 28 14:29:35 UTC 2021] Check for domain='ev.terminusfoundry.com'
[Wed Jul 28 14:29:35 UTC 2021] _currentRoot='/var/www/ghost/system/nginx-root'
[Wed Jul 28 14:29:35 UTC 2021] d
[Wed Jul 28 14:29:35 UTC 2021] _saved_account_key_hash is not changed, skip register account.
[Wed Jul 28 14:29:35 UTC 2021] Read key length:
[Wed Jul 28 14:29:35 UTC 2021] _createcsr
[Wed Jul 28 14:29:35 UTC 2021] Single domain='ev.terminusfoundry.com'
[Wed Jul 28 14:29:35 UTC 2021] Getting domain auth token for each domain
[Wed Jul 28 14:29:35 UTC 2021] d
[Wed Jul 28 14:29:35 UTC 2021] url='https://acme-v02.api.letsencrypt.org/acme/new-order'
[Wed Jul 28 14:29:35 UTC 2021] payload='{"identifiers": [{"type":"dns","value":"ev.terminusfoundry.com"}]}'
[Wed Jul 28 14:29:35 UTC 2021] RSA key
[Wed Jul 28 14:29:35 UTC 2021] Retrying post
[Wed Jul 28 14:29:35 UTC 2021] HEAD
[Wed Jul 28 14:29:35 UTC 2021] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
[Wed Jul 28 14:29:35 UTC 2021] _CURL='curl --silent --dump-header /etc/letsencrypt/http.header  -L  -g  -I  '
[Wed Jul 28 14:29:35 UTC 2021] _ret='0'
[Wed Jul 28 14:29:35 UTC 2021] _hcode='0'
[Wed Jul 28 14:29:36 UTC 2021] Retrying post
[Wed Jul 28 14:29:36 UTC 2021] POST
[Wed Jul 28 14:29:36 UTC 2021] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-order'
[Wed Jul 28 14:29:36 UTC 2021] _CURL='curl --silent --dump-header /etc/letsencrypt/http.header  -L  -g '
[Wed Jul 28 14:29:36 UTC 2021] _ret='0'
[Wed Jul 28 14:29:36 UTC 2021] _hcode='0'
[Wed Jul 28 14:29:36 UTC 2021] code='201'
[Wed Jul 28 14:29:36 UTC 2021] Le_LinkOrder='https://acme-v02.api.letsencrypt.org/acme/order/120062253/12835633250'
[Wed Jul 28 14:29:36 UTC 2021] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/120062253/12835633250'
[Wed Jul 28 14:29:36 UTC 2021] url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/16929203890'
[Wed Jul 28 14:29:36 UTC 2021] payload
[Wed Jul 28 14:29:36 UTC 2021] Retrying post
[Wed Jul 28 14:29:36 UTC 2021] POST
[Wed Jul 28 14:29:36 UTC 2021] _post_url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/16929203890'
[Wed Jul 28 14:29:36 UTC 2021] _CURL='curl --silent --dump-header /etc/letsencrypt/http.header  -L  -g '
[Wed Jul 28 14:29:36 UTC 2021] _ret='0'
[Wed Jul 28 14:29:36 UTC 2021] _hcode='0'
[Wed Jul 28 14:29:36 UTC 2021] code='200'
[Wed Jul 28 14:29:36 UTC 2021] d='ev.terminusfoundry.com'
[Wed Jul 28 14:29:36 UTC 2021] Getting webroot for domain='ev.terminusfoundry.com'
[Wed Jul 28 14:29:36 UTC 2021] _w='/var/www/ghost/system/nginx-root'
[Wed Jul 28 14:29:36 UTC 2021] _currentRoot='/var/www/ghost/system/nginx-root'
[Wed Jul 28 14:29:36 UTC 2021] entry='"type":"http-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/16929203890/WDr2Xg","token":"FggxNLoZcazX1dvFEoCms3Uvy_UDyzFP7GT1ARNjfpo"'
[Wed Jul 28 14:29:36 UTC 2021] token='FggxNLoZcazX1dvFEoCms3Uvy_UDyzFP7GT1ARNjfpo'
[Wed Jul 28 14:29:36 UTC 2021] uri='https://acme-v02.api.letsencrypt.org/acme/chall-v3/16929203890/WDr2Xg'
[Wed Jul 28 14:29:36 UTC 2021] keyauthorization='FggxNLoZcazX1dvFEoCms3Uvy_UDyzFP7GT1ARNjfpo.-NkmZ1i1DTxso9a_bfY3Xb9lKa0Z8Ljf4hEt_WFK738'
[Wed Jul 28 14:29:36 UTC 2021] dvlist='ev.terminusfoundry.com#FggxNLoZcazX1dvFEoCms3Uvy_UDyzFP7GT1ARNjfpo.-NkmZ1i1DTxso9a_bfY3Xb9lKa0Z8Ljf4hEt_WFK738#https://acme-v02.api.letsencrypt.org/acme/chall-v3/16929203890/WDr2Xg#http-01#/var/www/ghost/system/nginx-root'
[Wed Jul 28 14:29:36 UTC 2021] d
[Wed Jul 28 14:29:36 UTC 2021] vlist='ev.terminusfoundry.com#FggxNLoZcazX1dvFEoCms3Uvy_UDyzFP7GT1ARNjfpo.-NkmZ1i1DTxso9a_bfY3Xb9lKa0Z8Ljf4hEt_WFK738#https://acme-v02.api.letsencrypt.org/acme/chall-v3/16929203890/WDr2Xg#http-01#/var/www/ghost/system/nginx-root,'
[Wed Jul 28 14:29:36 UTC 2021] d='ev.terminusfoundry.com'
[Wed Jul 28 14:29:36 UTC 2021] ok, let's start to verify
[Wed Jul 28 14:29:36 UTC 2021] Verifying: ev.terminusfoundry.com
[Wed Jul 28 14:29:36 UTC 2021] d='ev.terminusfoundry.com'
[Wed Jul 28 14:29:37 UTC 2021] keyauthorization='FggxNLoZcazX1dvFEoCms3Uvy_UDyzFP7GT1ARNjfpo.-NkmZ1i1DTxso9a_bfY3Xb9lKa0Z8Ljf4hEt_WFK738'
[Wed Jul 28 14:29:37 UTC 2021] uri='https://acme-v02.api.letsencrypt.org/acme/chall-v3/16929203890/WDr2Xg'
[Wed Jul 28 14:29:37 UTC 2021] _currentRoot='/var/www/ghost/system/nginx-root'
[Wed Jul 28 14:29:37 UTC 2021] wellknown_path='/var/www/ghost/system/nginx-root/.well-known/acme-challenge'
[Wed Jul 28 14:29:37 UTC 2021] writing token:FggxNLoZcazX1dvFEoCms3Uvy_UDyzFP7GT1ARNjfpo to /var/www/ghost/system/nginx-root/.well-known/acme-challenge/FggxNLoZcazX1dvFEoCms3Uvy_UDyzFP7GT1ARNjfpo
[Wed Jul 28 14:29:37 UTC 2021] Changing owner/group of .well-known to root:root
[Wed Jul 28 14:29:37 UTC 2021] url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/16929203890/WDr2Xg'
[Wed Jul 28 14:29:37 UTC 2021] payload='{}'
[Wed Jul 28 14:29:37 UTC 2021] Retrying post
[Wed Jul 28 14:29:37 UTC 2021] POST
[Wed Jul 28 14:29:37 UTC 2021] _post_url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/16929203890/WDr2Xg'
[Wed Jul 28 14:29:37 UTC 2021] _CURL='curl --silent --dump-header /etc/letsencrypt/http.header  -L  -g '
[Wed Jul 28 14:29:37 UTC 2021] _ret='0'
[Wed Jul 28 14:29:37 UTC 2021] _hcode='0'
[Wed Jul 28 14:29:37 UTC 2021] code='200'
[Wed Jul 28 14:29:37 UTC 2021] trigger validation code: 200
[Wed Jul 28 14:29:37 UTC 2021] Pending, The CA is processing your order, please just wait. (1/30)
[Wed Jul 28 14:29:37 UTC 2021] sleep 2 secs to verify again
[Wed Jul 28 14:29:39 UTC 2021] checking
[Wed Jul 28 14:29:39 UTC 2021] url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/16929203890/WDr2Xg'
[Wed Jul 28 14:29:39 UTC 2021] payload
[Wed Jul 28 14:29:39 UTC 2021] Retrying post
[Wed Jul 28 14:29:39 UTC 2021] POST
[Wed Jul 28 14:29:39 UTC 2021] _post_url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/16929203890/WDr2Xg'
[Wed Jul 28 14:29:39 UTC 2021] _CURL='curl --silent --dump-header /etc/letsencrypt/http.header  -L  -g '
[Wed Jul 28 14:29:39 UTC 2021] _ret='0'
[Wed Jul 28 14:29:39 UTC 2021] _hcode='0'
[Wed Jul 28 14:29:39 UTC 2021] code='200'
[Wed Jul 28 14:29:39 UTC 2021] ev.terminusfoundry.com:Verify error:Invalid response from http://ev.terminusfoundry.com/.well-known/acme-challenge/FggxNLoZcazX1dvFEoCms3Uvy_UDyzFP7GT1ARNjfpo [206.189.228.217]: 
[Wed Jul 28 14:29:39 UTC 2021] pid
[Wed Jul 28 14:29:39 UTC 2021] No need to restore nginx, skip.
[Wed Jul 28 14:29:39 UTC 2021] _clearupdns
[Wed Jul 28 14:29:39 UTC 2021] dns_entries
[Wed Jul 28 14:29:39 UTC 2021] skip dns.
[Wed Jul 28 14:29:39 UTC 2021] _on_issue_err
[Wed Jul 28 14:29:39 UTC 2021] Please check log file for more details: /etc/letsencrypt/acme.sh.log
[Wed Jul 28 14:29:39 UTC 2021] url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/16929203890/WDr2Xg'
[Wed Jul 28 14:29:39 UTC 2021] payload='{}'
[Wed Jul 28 14:29:39 UTC 2021] Retrying post
[Wed Jul 28 14:29:39 UTC 2021] POST
[Wed Jul 28 14:29:39 UTC 2021] _post_url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/16929203890/WDr2Xg'
[Wed Jul 28 14:29:39 UTC 2021] _CURL='curl --silent --dump-header /etc/letsencrypt/http.header  -L  -g '
[Wed Jul 28 14:29:40 UTC 2021] _ret='0'
[Wed Jul 28 14:29:40 UTC 2021] _hcode='0'
[Wed Jul 28 14:29:40 UTC 2021] code='400'

My web server is (include version): DigitalOcean droplet

The operating system my web server runs on is (include version): Ubuntu 18.04

My hosting provider, if applicable, is: DigitalOcean droplet

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): digitalOcean +shell

The version of my client is:
certbot 0.27.0


Hello @devon, welcome to the community.

You state that your version of certbot is 0.27.0 (outdated and should be upgraded).

BUT

The output from your client indicates you used acme.sh to attempt to obtain a cert from letsencrypt.

I am confused why one would install acme.sh in the /etc/letsencrypt/ working folder... This may have hosed your permissions and LE configuration somehow (dunno).

Would you please post the output of the log file: /etc/letsencrypt/acme.sh.log
This would undoubtedly be useful for someone here to help you resolve your issue.


The output I posted above in the OP is the log file you're asking for. I am using a DigitalOcean pre-installed Ghost droplet, so all the folder choices were made by Ghost during install. I believe Ghost uses certbot, but the commands I found on forums while trying to debug called for that acme.sh command to be run to force the cert renew. Perhaps there's a certbot command that can instead be used to force the renew?

So you're using acme.sh instead of Certbot. The app is writing the challenge response to /var/www/ghost/system/nginx-root/.well-known/acme-challenge/<whatever> and then expects to be able to find that at http://ev.terminusfoundry.com/.well-known/acme-challenge/<whatever>, so first check whether /var/www/ghost/system/nginx-root/ is indeed the correct root folder for your website files.

You should be able to put a test.txt file into /var/www/ghost/system/nginx-root/.well-known/acme-challenge/ then browse to http://ev.terminusfoundry.com/.well-known/acme-challenge/test.txt - if that doesn't work then that's the main problem. It can either be the wrong web root or your content management system may not be allowing /.well-known/acme-challenge requests to pass through to the file system.


Ah damn, you found one issue right off, I was using the wrong root folder. /var/www/ghost is the general blogging platform admin folder, my website files are in /var/www/ev. I've adjusted and run the command below, and got a different-looking response, but still failing.

Command:
/etc/letsencrypt/acme.sh --force --renew --home /etc/letsencrypt --domain ev.terminusfoundry.com --webroot /var/www/ev/system/nginx-root --reloadcmd "nginx -s reload" --accountemail my@email.com

Here's the log file:

[Fri Jul 30 10:14:20 UTC 2021] Using config home:/etc/letsencrypt
[Fri Jul 30 10:14:20 UTC 2021] default_acme_server
[Fri Jul 30 10:14:20 UTC 2021] ACME_DIRECTORY='https://acme.zerossl.com/v2/DV90'
[Fri Jul 30 10:14:20 UTC 2021] DOMAIN_PATH='/etc/letsencrypt/ev.terminusfoundry.com'
[Fri Jul 30 10:14:20 UTC 2021] Renew: 'ev.terminusfoundry.com'
[Fri Jul 30 10:14:20 UTC 2021] Le_API='https://acme-v02.api.letsencrypt.org/directory'
[Fri Jul 30 10:14:20 UTC 2021] Using config home:/etc/letsencrypt
[Fri Jul 30 10:14:20 UTC 2021] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[Fri Jul 30 10:14:20 UTC 2021] _init api for server: https://acme-v02.api.letsencrypt.org/directory
[Fri Jul 30 10:14:20 UTC 2021] Retrying GET
[Fri Jul 30 10:14:20 UTC 2021] GET
[Fri Jul 30 10:14:20 UTC 2021] url='https://acme-v02.api.letsencrypt.org/directory'
[Fri Jul 30 10:14:20 UTC 2021] timeout=
[Fri Jul 30 10:14:20 UTC 2021] displayError='1'
[Fri Jul 30 10:14:20 UTC 2021] _CURL='curl --silent --dump-header /etc/letsencrypt/http.header  -L  -g '
[Fri Jul 30 10:14:21 UTC 2021] ret='0'
[Fri Jul 30 10:14:21 UTC 2021] _hcode='0'
[Fri Jul 30 10:14:21 UTC 2021] ACME_KEY_CHANGE='https://acme-v02.api.letsencrypt.org/acme/key-change'
[Fri Jul 30 10:14:21 UTC 2021] ACME_NEW_AUTHZ
[Fri Jul 30 10:14:21 UTC 2021] ACME_NEW_ORDER='https://acme-v02.api.letsencrypt.org/acme/new-order'
[Fri Jul 30 10:14:21 UTC 2021] ACME_NEW_ACCOUNT='https://acme-v02.api.letsencrypt.org/acme/new-acct'
[Fri Jul 30 10:14:21 UTC 2021] ACME_REVOKE_CERT='https://acme-v02.api.letsencrypt.org/acme/revoke-cert'
[Fri Jul 30 10:14:21 UTC 2021] ACME_AGREEMENT='https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf'
[Fri Jul 30 10:14:21 UTC 2021] ACME_NEW_NONCE='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
[Fri Jul 30 10:14:21 UTC 2021] _main_domain='ev.terminusfoundry.com'
[Fri Jul 30 10:14:21 UTC 2021] _alt_domains='no'
[Fri Jul 30 10:14:21 UTC 2021] Using ACME_DIRECTORY: https://acme-v02.api.letsencrypt.org/directory
[Fri Jul 30 10:14:21 UTC 2021] _init api for server: https://acme-v02.api.letsencrypt.org/directory
[Fri Jul 30 10:14:21 UTC 2021] Le_NextRenewTime='1624050639'
[Fri Jul 30 10:14:21 UTC 2021] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Fri Jul 30 10:14:21 UTC 2021] _on_before_issue
[Fri Jul 30 10:14:21 UTC 2021] _chk_main_domain='ev.terminusfoundry.com'
[Fri Jul 30 10:14:21 UTC 2021] _chk_alt_domains
[Fri Jul 30 10:14:21 UTC 2021] Le_LocalAddress
[Fri Jul 30 10:14:21 UTC 2021] d='ev.terminusfoundry.com'
[Fri Jul 30 10:14:21 UTC 2021] Check for domain='ev.terminusfoundry.com'
[Fri Jul 30 10:14:21 UTC 2021] _currentRoot='/var/www/ghost/system/nginx-root'
[Fri Jul 30 10:14:21 UTC 2021] d
[Fri Jul 30 10:14:21 UTC 2021] _saved_account_key_hash is not changed, skip register account.
[Fri Jul 30 10:14:21 UTC 2021] Read key length:
[Fri Jul 30 10:14:21 UTC 2021] _createcsr
[Fri Jul 30 10:14:21 UTC 2021] Single domain='ev.terminusfoundry.com'
[Fri Jul 30 10:14:21 UTC 2021] Getting domain auth token for each domain
[Fri Jul 30 10:14:21 UTC 2021] d
[Fri Jul 30 10:14:21 UTC 2021] url='https://acme-v02.api.letsencrypt.org/acme/new-order'
[Fri Jul 30 10:14:21 UTC 2021] payload='{"identifiers": [{"type":"dns","value":"ev.terminusfoundry.com"}]}'
[Fri Jul 30 10:14:21 UTC 2021] RSA key
[Fri Jul 30 10:14:21 UTC 2021] Retrying post
[Fri Jul 30 10:14:21 UTC 2021] HEAD
[Fri Jul 30 10:14:21 UTC 2021] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
[Fri Jul 30 10:14:21 UTC 2021] _CURL='curl --silent --dump-header /etc/letsencrypt/http.header  -L  -g  -I  '
[Fri Jul 30 10:14:21 UTC 2021] _ret='0'
[Fri Jul 30 10:14:21 UTC 2021] _hcode='0'
[Fri Jul 30 10:14:22 UTC 2021] Retrying post
[Fri Jul 30 10:14:22 UTC 2021] POST
[Fri Jul 30 10:14:22 UTC 2021] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-order'
[Fri Jul 30 10:14:22 UTC 2021] _CURL='curl --silent --dump-header /etc/letsencrypt/http.header  -L  -g '
[Fri Jul 30 10:14:22 UTC 2021] _ret='0'
[Fri Jul 30 10:14:22 UTC 2021] _hcode='0'
[Fri Jul 30 10:14:22 UTC 2021] code='201'
[Fri Jul 30 10:14:22 UTC 2021] Le_LinkOrder='https://acme-v02.api.letsencrypt.org/acme/order/120062253/13267510900'
[Fri Jul 30 10:14:22 UTC 2021] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/120062253/13267510900'
[Fri Jul 30 10:14:22 UTC 2021] url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/17447895590'
[Fri Jul 30 10:14:22 UTC 2021] payload
[Fri Jul 30 10:14:22 UTC 2021] Retrying post
[Fri Jul 30 10:14:22 UTC 2021] POST
[Fri Jul 30 10:14:22 UTC 2021] _post_url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/17447895590'
[Fri Jul 30 10:14:22 UTC 2021] _CURL='curl --silent --dump-header /etc/letsencrypt/http.header  -L  -g '
[Fri Jul 30 10:14:22 UTC 2021] _ret='0'
[Fri Jul 30 10:14:22 UTC 2021] _hcode='0'
[Fri Jul 30 10:14:22 UTC 2021] code='200'
[Fri Jul 30 10:14:22 UTC 2021] d='ev.terminusfoundry.com'
[Fri Jul 30 10:14:22 UTC 2021] Getting webroot for domain='ev.terminusfoundry.com'
[Fri Jul 30 10:14:22 UTC 2021] _w='/var/www/ghost/system/nginx-root'
[Fri Jul 30 10:14:22 UTC 2021] _currentRoot='/var/www/ghost/system/nginx-root'
[Fri Jul 30 10:14:23 UTC 2021] entry='"type":"http-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/17447895590/mcIqBw","token":"IYXEHfkovgYI58jVKWBrN3c4UGBKZ7XkxQEtRZR7zvQ"'
[Fri Jul 30 10:14:23 UTC 2021] token='IYXEHfkovgYI58jVKWBrN3c4UGBKZ7XkxQEtRZR7zvQ'
[Fri Jul 30 10:14:23 UTC 2021] uri='https://acme-v02.api.letsencrypt.org/acme/chall-v3/17447895590/mcIqBw'
[Fri Jul 30 10:14:23 UTC 2021] keyauthorization='IYXEHfkovgYI58jVKWBrN3c4UGBKZ7XkxQEtRZR7zvQ.-NkmZ1i1DTxso9a_bfY3Xb9lKa0Z8Ljf4hEt_WFK738'
[Fri Jul 30 10:14:23 UTC 2021] dvlist='ev.terminusfoundry.com#IYXEHfkovgYI58jVKWBrN3c4UGBKZ7XkxQEtRZR7zvQ.-NkmZ1i1DTxso9a_bfY3Xb9lKa0Z8Ljf4hEt_WFK738#https://acme-v02.api.letsencrypt.org/acme/chall-v3/17447895590/mcIqBw#http-01#/var/www/ghost/system/nginx-root'
[Fri Jul 30 10:14:23 UTC 2021] d
[Fri Jul 30 10:14:23 UTC 2021] vlist='ev.terminusfoundry.com#IYXEHfkovgYI58jVKWBrN3c4UGBKZ7XkxQEtRZR7zvQ.-NkmZ1i1DTxso9a_bfY3Xb9lKa0Z8Ljf4hEt_WFK738#https://acme-v02.api.letsencrypt.org/acme/chall-v3/17447895590/mcIqBw#http-01#/var/www/ghost/system/nginx-root,'
[Fri Jul 30 10:14:23 UTC 2021] d='ev.terminusfoundry.com'
[Fri Jul 30 10:14:23 UTC 2021] ok, let's start to verify
[Fri Jul 30 10:14:23 UTC 2021] Verifying: ev.terminusfoundry.com
[Fri Jul 30 10:14:23 UTC 2021] d='ev.terminusfoundry.com'
[Fri Jul 30 10:14:23 UTC 2021] keyauthorization='IYXEHfkovgYI58jVKWBrN3c4UGBKZ7XkxQEtRZR7zvQ.-NkmZ1i1DTxso9a_bfY3Xb9lKa0Z8Ljf4hEt_WFK738'
[Fri Jul 30 10:14:23 UTC 2021] uri='https://acme-v02.api.letsencrypt.org/acme/chall-v3/17447895590/mcIqBw'
[Fri Jul 30 10:14:23 UTC 2021] _currentRoot='/var/www/ghost/system/nginx-root'
[Fri Jul 30 10:14:23 UTC 2021] wellknown_path='/var/www/ghost/system/nginx-root/.well-known/acme-challenge'
[Fri Jul 30 10:14:23 UTC 2021] writing token:IYXEHfkovgYI58jVKWBrN3c4UGBKZ7XkxQEtRZR7zvQ to /var/www/ghost/system/nginx-root/.well-known/acme-challenge/IYXEHfkovgYI58jVKWBrN3c4UGBKZ7XkxQEtRZR7zvQ
[Fri Jul 30 10:14:23 UTC 2021] Changing owner/group of .well-known to root:root
[Fri Jul 30 10:14:23 UTC 2021] url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/17447895590/mcIqBw'
[Fri Jul 30 10:14:23 UTC 2021] payload='{}'
[Fri Jul 30 10:14:23 UTC 2021] Retrying post
[Fri Jul 30 10:14:23 UTC 2021] POST
[Fri Jul 30 10:14:23 UTC 2021] _post_url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/17447895590/mcIqBw'
[Fri Jul 30 10:14:23 UTC 2021] _CURL='curl --silent --dump-header /etc/letsencrypt/http.header  -L  -g '
[Fri Jul 30 10:14:23 UTC 2021] _ret='0'
[Fri Jul 30 10:14:23 UTC 2021] _hcode='0'
[Fri Jul 30 10:14:23 UTC 2021] code='200'
[Fri Jul 30 10:14:23 UTC 2021] trigger validation code: 200
[Fri Jul 30 10:14:23 UTC 2021] Pending, The CA is processing your order, please just wait. (1/30)
[Fri Jul 30 10:14:23 UTC 2021] sleep 2 secs to verify again
[Fri Jul 30 10:14:25 UTC 2021] checking
[Fri Jul 30 10:14:25 UTC 2021] url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/17447895590/mcIqBw'
[Fri Jul 30 10:14:25 UTC 2021] payload
[Fri Jul 30 10:14:25 UTC 2021] Retrying post
[Fri Jul 30 10:14:25 UTC 2021] POST
[Fri Jul 30 10:14:25 UTC 2021] _post_url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/17447895590/mcIqBw'
[Fri Jul 30 10:14:25 UTC 2021] _CURL='curl --silent --dump-header /etc/letsencrypt/http.header  -L  -g '
[Fri Jul 30 10:14:25 UTC 2021] _ret='0'
[Fri Jul 30 10:14:25 UTC 2021] _hcode='0'
[Fri Jul 30 10:14:25 UTC 2021] code='200'
[Fri Jul 30 10:14:25 UTC 2021] ev.terminusfoundry.com:Verify error:Invalid response from http://ev.terminusfoundry.com/.well-known/acme-challenge/IYXEHfkovgYI58jVKWBrN3c4UGBKZ7XkxQEtRZR7zvQ [206.189.228.217]: 
[Fri Jul 30 10:14:25 UTC 2021] pid
[Fri Jul 30 10:14:25 UTC 2021] No need to restore nginx, skip.
[Fri Jul 30 10:14:25 UTC 2021] _clearupdns
[Fri Jul 30 10:14:25 UTC 2021] dns_entries
[Fri Jul 30 10:14:25 UTC 2021] skip dns.
[Fri Jul 30 10:14:25 UTC 2021] _on_issue_err
[Fri Jul 30 10:14:25 UTC 2021] Please check log file for more details: /etc/letsencrypt/acme.sh.log
[Fri Jul 30 10:14:25 UTC 2021] url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/17447895590/mcIqBw'
[Fri Jul 30 10:14:25 UTC 2021] payload='{}'
[Fri Jul 30 10:14:26 UTC 2021] Retrying post
[Fri Jul 30 10:14:26 UTC 2021] POST
[Fri Jul 30 10:14:26 UTC 2021] _post_url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/17447895590/mcIqBw'
[Fri Jul 30 10:14:26 UTC 2021] _CURL='curl --silent --dump-header /etc/letsencrypt/http.header  -L  -g '
[Fri Jul 30 10:14:26 UTC 2021] _ret='0'
[Fri Jul 30 10:14:26 UTC 2021] _hcode='0'
[Fri Jul 30 10:14:26 UTC 2021] code='400'

So this is now trying to create the response file under:
/var/www/ghost/system/nginx-root/.well-known/acme-challenge
and expects to be able to read that at:
http://ev.terminusfoundry.com/.well-known/acme-challenge/IYXEHfkovgYI58jVKWBrN3c4UGBKZ7XkxQEtRZR7zvQ

This fails, probably because the path is still wrong. Create a test.txt under /var/www/ghost/system/nginx-root/.well-known/acme-challenge and confirm you can browse to that file on your site using a web browser. That will confirm if the path is correct or not.

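The test.txt check suggested in both replies above, written out as a script. This is an added example, not code from the thread, from Ghost or from acme.sh. It assumes nginx on this droplet serves the directory you pass in and that port 80 of the hostname resolves to the droplet; it writes a throwaway token under <webroot>/.well-known/acme-challenge/ and fetches the same URL the CA fetches, over plain HTTP, then compares the bodies. One detail worth noticing in the logs: both runs report _currentRoot='/var/www/ghost/system/nginx-root' even after --webroot was changed to /var/www/ev/system/nginx-root, because acme.sh --renew takes the webroot from the domain's saved .conf rather than from the command line, so the second run wrote its token to the same wrong place; the script tests whatever path you hand it.

```shell
#!/bin/sh
# Added example: confirm that a directory is the one nginx serves for
# http://<host>/.well-known/acme-challenge/, which is all HTTP-01 needs.
# Usage: sh check_acme_webroot.sh /var/www/ev/system/nginx-root ev.terminusfoundry.com
set -u

# Fetch a challenge URL the way the CA does: plain HTTP on port 80.
# Let's Encrypt follows redirects, so -L keeps an http->https redirect
# from masking a working setup.
acme_probe_fetch() {  # $1=host  $2=token  -> prints the response body
  curl -fsSL --max-time 10 "http://$1/.well-known/acme-challenge/$2"
}

# Write a throwaway challenge file into the webroot; prints the token.
acme_probe_write() {  # $1=webroot -> prints token
  dir="$1/.well-known/acme-challenge"
  mkdir -p "$dir"
  token=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
  printf 'probe-%s' "$token" > "$dir/$token"
  printf '%s' "$token"
}

# The body the CA should see back for a given token.
acme_probe_expected() { printf 'probe-%s' "$1"; }

# Returns 0 when the file written under $1 is what http://$2/... returns,
# 1 otherwise (wrong webroot, or the request never reaches the filesystem).
check_acme_webroot() {  # $1=webroot  $2=host
  webroot=$1; host=$2
  token=$(acme_probe_write "$webroot")
  got=$(acme_probe_fetch "$host" "$token" 2>/dev/null) || got=''
  rm -f "$webroot/.well-known/acme-challenge/$token"
  if [ "$got" = "$(acme_probe_expected "$token")" ]; then
    echo "OK: $webroot is served at http://$host/.well-known/acme-challenge/"
    return 0
  fi
  echo "FAIL: http://$host/.well-known/acme-challenge/$token did not return the probe file" >&2
  echo "      wrong webroot, or nginx/Ghost is not passing /.well-known/acme-challenge/ to disk" >&2
  return 1
}

# Run only when called with arguments, so the functions can also be sourced.
if [ "${1:-}" ] && [ "${2:-}" ]; then
  check_acme_webroot "$1" "$2"
fi
```

Run it as root (the webroot is chowned root:root by acme.sh, as the log shows) and ideally once more from a machine outside the droplet, since the CA's request comes from the public A record, not from localhost. If it fails for the directory that really holds the site, the nginx vhost for the host needs a location that maps /.well-known/acme-challenge/ onto that directory before any renewal client can succeed.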

I did more reading and determined that Ghost does indeed use certbot, not acme.sh. So I ran the command below:

certbot --nginx -d ev.terminusfoundry.com

And the site is now functioning! This leaves me with two questions:

  1. Have I 'messed things up' by running a combination of acme.sh commands and certbot? Anything I can look at and clean up?
  2. Will this auto-renew correctly in 3 months? Is there a command or file I can check to see how it's configured?

Probably not.

See which certs are being used.
And compare that to the certs being maintained:
certbot certificates
acme.sh list

That depends entirely on which certs are being used.

Please be more clear on what you mean by "it" there.

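To make "see which certs are being used" concrete: an added script, not from the thread or from either client, that fingerprints the certificate nginx actually presents on port 443 and looks for the same fingerprint among the files certbot maintains (/etc/letsencrypt/live/<name>/fullchain.pem), the file acme.sh maintains under the DOMAIN_PATH shown in the logs (/etc/letsencrypt/ev.terminusfoundry.com/fullchain.cer, given --home /etc/letsencrypt), and whatever ssl_certificate paths the nginx vhosts reference. It assumes vhosts live under /etc/nginx/sites-enabled and that openssl is installed; the acme.sh listing flag is --list.

```shell
#!/bin/sh
# Added example: which certificate is nginx really serving, and which
# client's file is it? Whichever client owns that file is the one whose
# renewal must keep working; the other can be retired.
# Usage: sh which_cert.sh ev.terminusfoundry.com
set -u

# SHA-256 fingerprint of the first certificate in a PEM file.
cert_fingerprint() {  # $1=pem file -> prints "AB:CD:..."
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Fingerprint of the leaf certificate a live server presents for $1 on :443.
served_fingerprint() {  # $1=host -> prints fingerprint
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# ssl_certificate paths from nginx config text on stdin, one per line.
# Commented-out lines and ssl_certificate_key lines are not matched.
nginx_cert_paths() {
  sed -n 's/^[[:space:]]*ssl_certificate[[:space:]]\{1,\}\([^;[:space:]]*\)[[:space:]]*;.*/\1/p'
}

# Print every readable PEM among $2.. whose fingerprint equals $1; 0 if any.
match_cert_files() {  # $1=fingerprint  $2..=pem files
  want=$1; shift; found=1
  for f in "$@"; do
    [ -r "$f" ] || continue
    if [ "$(cert_fingerprint "$f")" = "$want" ]; then
      echo "$f"; found=0
    fi
  done
  return $found
}

if [ "${1:-}" ]; then
  host=$1
  echo "== certs certbot maintains"
  certbot certificates 2>/dev/null || echo "(certbot not found)"
  echo "== certs acme.sh maintains"
  /etc/letsencrypt/acme.sh --home /etc/letsencrypt --list 2>/dev/null || echo "(acme.sh not found)"
  echo "== cert files the nginx vhosts load"
  cat /etc/nginx/sites-enabled/* 2>/dev/null | nginx_cert_paths
  served=$(served_fingerprint "$host")
  echo "== served by $host: $served"
  echo "== matching files on disk:"
  # shellcheck disable=SC2046  (word-splitting the path list is intended)
  match_cert_files "$served" $(cat /etc/nginx/sites-enabled/* 2>/dev/null | nginx_cert_paths) \
      /etc/letsencrypt/live/*/fullchain.pem "/etc/letsencrypt/$host/fullchain.cer" \
    || echo "(none: nginx serves a cert neither client maintains, or the paths differ)"
fi
```

If the served certificate matches the certbot file, certbot's scheduled renewal (the certbot.timer unit or cron entry the package installs) is what has to keep running, and `certbot renew --dry-run` exercises that path without replacing the real certificate; the acme.sh copy under /etc/letsencrypt/ev.terminusfoundry.com and its cron line are then dead weight. If it matches the acme.sh file instead, the situation is reversed, and the webroot saved in that domain's .conf has to be the one nginx serves.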
