SSL certificate renewal issue

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: coinapi.battleworld.game

I ran this command: `certbot renew --webroot --cert-name "coinapi.battleworld.game"`

It produced this output:
```
Attempting to renew cert (coinapi.battleworld.game) from /etc/letsencrypt/renewal/coinapi.battleworld.game.conf produced an unexpected error: Failed authorization procedure. coinapi.battleworld.game (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: 139.59.92.90: Invalid response from https://coinapi.battleworld.game/.well-known/acme-challenge/ZGRA5C-r_k89iBLre0UFtEU54aEnlhshAZ9440TJy98: 404. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/coinapi.battleworld.game/fullchain.pem (failure)
```

My web server is (include version): nginx

The operating system my web server runs on is (include version): Debian

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.31.0

Check your nginx config. You're either blocking access to .well-known or you set the wrong webroot directory.

2 Likes

I have it,

```nginx
# ACME http challenges
location /.well-known/acme-challenge/ {
    root /var/www/html;     # matches name in certbot webroot folder
}

# Redirect all others
location / {
    return 301 https://$host$request_uri;
}
```

Still I have the same issue:

```
Failed authorization procedure. coinapi.battleworld.game (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: 139.59.92.90: Invalid response from https://coinapi.battleworld.game/.well-known/acme-challenge/EOBmd3XfPDqqFyRdtT8K1glOdkn1KxIoOVVqfU2ctEg: 404
```

Can you upload the log file from one of these failures?

/var/log/letsencrypt/letsencrypt.log

You may need to copy it to a .txt file to upload it.

Or, just copy/paste the entire log here. Please put 3 backticks before and after the output like this:
```
log data
```

2 Likes

The failure is via HTTPS, which implies that the HTTP challenge request was heard and redirected.

```
curl -Ii http://coinapi.battleworld.game/.well-known/acme-challenge/Test_File-1234
HTTP/1.1 301 Moved Permanently
Server: nginx/1.14.2
Date: Wed, 28 Sep 2022 16:13:11 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: https://coinapi.battleworld.game/.well-known/acme-challenge/Test_File-1234
```

Please post the entire nginx config:
```
nginx -T
```

3 Likes

```
certbot.renewal:All renewal attempts failed. The following certs could not be renewed:
2022-09-29 04:00:04,807:ERROR:certbot.renewal: /etc/letsencrypt/live/coinapi.amechain.io/fullchain.pem (failure)
2022-09-29 04:00:04,807:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
File "/usr/bin/certbot", line 11, in
load_entry_point('certbot==0.31.0', 'console_scripts', 'certbot')()
File "/usr/lib/python3/dist-packages/certbot/main.py", line 1365, in main
return config.func(config, plugins)
File "/usr/lib/python3/dist-packages/certbot/main.py", line 1272, in renew
renewal.handle_renewal_request(config)
File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 490, in handle_renewal_request
len(renew_failures), len(parse_failures)))
certbot.errors.Error: 3 renew failure(s), 0 parse failure(s)
```

Output of `nginx -T`:

```
nginx: [emerg] "server" directive is not allowed here in /etc/nginx/sites-enabled/amechain.conf:21
nginx: configuration file /etc/nginx/nginx.conf test failed
```

Please show this file or fix it:

2 Likes
```nginx
server {
listen 80;
server_name coinapi.battleworld.game;
# ACME http challenges
    location /.well-known/acme-challenge/ {
      root /var/www/html;     # matches name in certbot webroot folder
    }

    # Redirect all others
    location / {
return 301 https://$host$request_uri;
}

server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name coinapi.battleworld.game;

ssl_certificate /etc/letsencrypt/live/coinapi.battleworld.game/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/coinapi.battleworld.game/privkey.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;

# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
# ssl_dhparam /etc/nginx/ssl/dhparam;

# intermediate configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;

# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;

ssl_trusted_certificate /etc/letsencrypt/live/coinapi.battleworld.game/chain.pem;

# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;

resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;

location / {
include proxy_params;
proxy_pass http://127.0.0.1:3454;
}

error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}

access_log /var/log/nginx/coinapi.battleworld.game.access;
error_log /var/log/nginx/coinapi.battleworld.game.error;
}
```

Looks like you might be missing a closing } for the first server block in that file. Should be one right after this section. It might be a formatting problem but just check all your { and } are equally paired.

I wanted to see the entire log. You only posted a small fragment. That was not helpful. If this bracket problem fixes the syntax error please show either nginx -T (all of it) or show the log as I previously described.

3 Likes
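As an added example (not code from the thread or from nginx), a small Python check that mirrors the advice to verify every `{` has a matching `}`: it walks an nginx config with a stack, reports a `server` block opened inside another `server` block (the condition behind the `"server" directive is not allowed here` error from `nginx -T`) and any block that is never closed. `SAMPLE_CONF` is a constructed, shortened copy of the posted port-80/443 config with the first server block's closing brace missing.

```python
import re
from typing import List, Tuple

# Constructed sample: shortened version of the config posted in the thread.
# The "location /" block on port 80 is closed, but the server block that
# contains it is not, so the 443 server ends up nested inside the 80 server.
SAMPLE_CONF = """\
server {
    listen 80;
    server_name coinapi.battleworld.game;
    location /.well-known/acme-challenge/ {
        root /var/www/html;
    }
    location / {
        return 301 https://$host$request_uri;
    }

server {
    listen 443 ssl http2;
    server_name coinapi.battleworld.game;
    location / {
        proxy_pass http://127.0.0.1:3454;
    }
}
"""


def strip_comment(line: str) -> str:
    # nginx comments run from '#' to end of line; enough for a brace check
    return line.split("#", 1)[0]


def check_braces(conf: str) -> List[str]:
    """Return problems: server-in-server nesting, stray '}', unclosed blocks."""
    stack: List[Tuple[int, str]] = []   # (line number, block header) per open '{'
    problems: List[str] = []
    for no, raw in enumerate(conf.splitlines(), 1):
        line = strip_comment(raw)
        for i, ch in enumerate(line):
            if ch == "{":
                # header = directive text just before this brace, e.g. "location /"
                header = re.split(r"[{};]", line[:i])[-1].strip() or "<block>"
                if header.split()[0] == "server" and stack and stack[-1][1] == "server":
                    problems.append(f"line {no}: 'server' opened inside 'server' block from line {stack[-1][0]}")
                stack.append((no, header))
            elif ch == "}":
                if not stack:
                    problems.append(f"line {no}: stray '}}' with no open block")
                else:
                    stack.pop()
    for no, header in stack:   # anything still open at EOF was never closed
        problems.append(f"line {no}: block '{header}' is never closed")
    return problems


if __name__ == "__main__":
    for p in check_braces(SAMPLE_CONF):
        print(p)
```

To check a real file, pass its contents instead of `SAMPLE_CONF`, e.g. `check_braces(open("/etc/nginx/sites-enabled/amechain.conf").read())`; the check only looks at braces, so `nginx -T` remains the authoritative test.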
