I have an NGINX server that redirects users from a subdomain (help.hellobonafide.com) to a Shopify site (hellobonafide.com). I am trying to renew the SSL cert with certbot but I do not understand the error message.
My domain is:
help.hellobonafide.com
I ran this command:
sudo certbot renew --dry-run
It produced this output:
Domain: help.hellobonafide.com
Type: unauthorized
Detail: 40.70.27.24: Invalid response from
https://hellobonafide.com/pages/help-center: "<!DOCTYPE
html>\n<html class=\"no-js\" lang=\"en\">\n <head><meta
charset=\"utf-8\">\n <meta http-equiv=\"X-UA-Compatible\"
content=\"IE"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
My web server is (include version):
nginx version: 1.14.0
The operating system my web server runs on is (include version):
Ubuntu
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know):
Yes
I'm using a control panel to manage my site:
No, just terminal
The version of my client is:
certbot 0.31.0
Hello @bansavage, welcome to the Let's Encrypt community.
This redirect seems fine.
$ curl -Ii http://help.hellobonafide.com/.well-known/acme-challenge/sometestfile
HTTP/1.1 301 Moved Permanently
Server: nginx/1.14.0 (Ubuntu)
Date: Thu, 06 Jul 2023 22:03:11 GMT
Content-Type: text/html
Content-Length: 194
Connection: keep-alive
Location: https://help.hellobonafide.com/.well-known/acme-challenge/sometestfile
This redirect seems not so good.
$ curl -k -Ii https://help.hellobonafide.com/.well-known/acme-challenge/sometestfile
HTTP/1.1 301 Moved Permanently
Server: nginx/1.14.0 (Ubuntu)
Date: Thu, 06 Jul 2023 22:03:13 GMT
Content-Type: text/html
Content-Length: 194
Connection: keep-alive
Location: https://www.hellobonafide.com/pages/help-center
Here is an online tool to help check your redirects: https://www.redirect-checker.org/
3 Likes
Here is a list of issued certificates: crt.sh | help.hellobonafide.com, the latest being 2023-03-31.
What has changed since 2023-03-31?
2 Likes
Also this is what I see for DNS: https://dnsspy.io/scan/hellobonafide.com
Looks like help.hellobonafide.com, www.hellobonafide.com, and hellobonafide.com are different machines.
Observe the redirect from help.hellobonafide.com ultimately ends up at hellobonafide.com.
2 Likes
Thanks for the help Bruce.
The SSL is not valid for "help.hellobonafide.com".
Here I ran the command: "sudo certbot certificates"
Saving debug log to /var/log/letsencrypt/letsencrypt.log
OCSP check failed for /etc/letsencrypt/live/help.hellobonafide.com/cert.pem (are we offline?)
OCSP check failed for /etc/letsencrypt/live/patient.hellobonafide.com/cert.pem (are we offline?)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
Certificate Name: api.hellobonafide.com
Domains: api.hellobonafide.com
Expiry Date: 2023-09-29 07:53:19+00:00 (VALID: 84 days)
Certificate Path: /etc/letsencrypt/live/api.hellobonafide.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/api.hellobonafide.com/privkey.pem
Certificate Name: help.hellobonafide.com
Domains: help.hellobonafide.com
Expiry Date: 2023-06-29 03:38:10+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/help.hellobonafide.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/help.hellobonafide.com/privkey.pem
Certificate Name: patient.hellobonafide.com
Domains: patient.hellobonafide.com
Expiry Date: 2023-05-30 23:52:00+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/patient.hellobonafide.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/patient.hellobonafide.com/privkey.pem
It shows my SSH certs as EXPIRED. This is contrary to the link you posted (crt.sh | help.hellobonafide.com).
1 Like
Then why the redirect to it?
2 Likes
We are redirecting "help.hellobonafide.com" to "hellobonafide.com".
When users first visit "help.hellobonafide.com" they hit the typically unsafe browser page (due to expired SSL).
Not from what I see for http://help.hellobonafide.com/.well-known/acme-challenge/sometestfile
$ curl -Ii http://help.hellobonafide.com/.well-known/acme-challenge/sometestfile
HTTP/1.1 301 Moved Permanently
Server: nginx/1.14.0 (Ubuntu)
Date: Thu, 06 Jul 2023 23:15:29 GMT
Content-Type: text/html
Content-Length: 194
Connection: keep-alive
Location: https://help.hellobonafide.com/.well-known/acme-challenge/sometestfile
Observe Location: https://help.hellobonafide.com/.well-known/acme-challenge/sometestfile
2 Likes
Thanks, but I don't understand. If you just go to "http://help.hellobonafide.com" in a fresh browser, you will hit the insecure connection browser page.
1 Like
Please use https://www.redirect-checker.org/ with the URL you have in quotes to see what I mean.
I see this
Result
CONGRATULATION. Everything seems to be fine.
http://help.hellobonafide.com/.well-known/acme-challenge/sometestfile
301 Moved Permanently
https://help.hellobonafide.com/.well-known/acme-challenge/sometestfile
301 Moved Permanently
https://www.hellobonafide.com/pages/help-center
301 Moved Permanently
https://hellobonafide.com/pages/help-center
200 OK
3 Likes
This site does not reflect the true experience though. See my screenshot above.
Kindly wait to see if there are more knowledgeable Let's Encrypt community volunteers willing to assist.
3 Likes
crt.sh | 9048400940 shows what looks to me like EXPIRED.
Validity (Expired)
Not Before: Mar 31 03:38:11 2023 GMT
Not After : Jun 29 03:38:10 2023 GMT
1 Like
Agreed, for the User Experience. But I believe this issue is not the User Experience but the Renewal of the Certificate(s). The 2 are not necessarily the same.
3 Likes
@bansavage
Would you show the contents of this file: /etc/letsencrypt/renewal/help.hellobonafide.com.conf
And, can you show the contents of the server block for that domain which listens on port 80? (the HTTP server block)
We'll try to fix why you can't renew your cert. The rest will resolve once that is done.
We'll just do this one domain and check the other one after this is working.
3 Likes
Thanks for your help, Mike!
Here are the contents of the file /etc/letsencrypt/renewal/help.hellobonafide.com.conf:
# renew_before_expiry = 30 days
version = 0.31.0
archive_dir = /etc/letsencrypt/archive/help.hellobonafide.com
cert = /etc/letsencrypt/live/help.hellobonafide.com/cert.pem
privkey = /etc/letsencrypt/live/help.hellobonafide.com/privkey.pem
chain = /etc/letsencrypt/live/help.hellobonafide.com/chain.pem
fullchain = /etc/letsencrypt/live/help.hellobonafide.com/fullchain.pem
# Options used in the renewal process
[renewalparams]
account = fe0d64ea008ab1eadc073e755b520f9d
authenticator = nginx
installer = nginx
server = https://acme-v02.api.letsencrypt.org/directory
Here is the server block:
server {
    listen 443 ssl;
    server_name help.hellobonafide.com;
    ssl_certificate /etc/letsencrypt/live/help.hellobonafide.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/help.hellobonafide.com/privkey.pem; # managed by Certbot
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;

    location ~ ^/(hc/en-us/articles/360037951753-What-is-Bonafide-) {
        return 301 $scheme://hellobonafide.com/pages/help-center?a=What-is-Bonafide---id--JEiQRnDaSeGGCQBqlVn3_w;
    }
    location ~ ^/(hc/en-us/articles/360050101394-I-have-a-Bonafide-subscription-How-can-I-add-an-additional-Bonafide-product-to-my-existing-subscription-) {
        return 301 $scheme://hellobonafide.com/pages/help-center?a=I-have-a-Bonafide-subscription.-How-can-I-add-an-additional-Bonafide-product-to-my-existing-subsc$
    }
    location ~ ^/(hc/en-us/articles/360050626093-I-have-multiple-Bonafide-subscriptions-How-can-I-make-changes-to-one-and-not-the-other-) {
        return 301 $scheme://hellobonafide.com/pages/help-center?a=I-have-multiple-Bonafide-subscriptions.-How-can-I-make-changes-to-one-and-not-the-other---id--KVX$
    }
}

server {
    if ($host = help.hellobonafide.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    server_name help.hellobonafide.com;
    return 404; # managed by Certbot
}
1 Like
Thanks. That's puzzling.
The --nginx plug-in authenticator inserts temp code into your http server block to handle the ACME Challenge. But, the error in your first post showed that HTTP request being redirected to HTTPS. That shouldn't happen with the --nginx authenticator. So, we need to find out why this broke.
Your system had been working reliably for some time. So, your older certbot version isn't the obvious reason for this new failure.
One obscure problem that can occur with the --nginx plug-in is that nginx itself can get into a bad state. If it's easy, try rebooting your server and then trying the renew, making sure nginx started successfully before the renew command. If it's not easy to try that, we can look at other stuff first.
Can you run this command and then upload the /var/log/letsencrypt/letsencrypt.log file:
sudo certbot renew --dry-run --cert-name help.hellobonafide.com
3 Likes
linkp
July 7, 2023, 3:57am
18
Exempt the .well-known/acme-challenge path from redirection and you should achieve your desired results.
2 Likes
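As an added example (not from this thread and not Certbot's generated config), this is what an explicit exemption looks like when the webroot authenticator is used instead of the nginx plugin. It assumes a webroot of /var/www/letsencrypt (an assumed path) and keeps the same host and HTTPS redirect as the poster's port-80 block:

```nginx
# Added example, not from the thread. HTTP server block that answers ACME
# HTTP-01 challenges itself and redirects everything else to HTTPS.
# Assumes the certbot webroot authenticator with /var/www/letsencrypt
# as the webroot (an assumed path); the --nginx plugin instead inserts
# its own temporary location block at renewal time.
server {
    listen 80;
    listen [::]:80;
    server_name help.hellobonafide.com;

    # The ^~ prefix match wins over the catch-all below, so challenge
    # requests are served from disk and never hit the 301.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
        default_type text/plain;
    }

    # Everything else goes to HTTPS on the same host.
    location / {
        return 301 https://$host$request_uri;
    }
}
```

With this block in place, the thread's own probe, curl -Ii http://help.hellobonafide.com/.well-known/acme-challenge/sometestfile, should return a 404 from nginx rather than a 301, which is the signal that the challenge path is no longer being redirected. The certificate would then be obtained with certbot certonly --webroot -w /var/www/letsencrypt -d help.hellobonafide.com, after which certbot renew uses the same webroot settings recorded in the renewal .conf.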
The --nginx authenticator does that automatically. It makes temp changes that look something like below and removes them after the request:
server {
    rewrite ^(/.well-known/acme-challenge/.*) $1 break; # managed by Certbot
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;
    root /var/www/html;
    location = /.well-known/acme-challenge/MxkxRxkxzxkxgxHxvxkxOxpxkxVxkx8xkx4xFxExuxg {
        default_type text/plain;
        return 200 MxkxRxkxzxkxgxHxvxkxOxpxkxVxkx8xkx4xFxExuxg.AwQwgwgwzwgwJwgw4wew3wrwxwiw-wpwvwqwxwBwswT;
    } # managed by Certbot
}
3 Likes
linkp
July 7, 2023, 4:06am
20
I did not notice mention of the certbot nginx plugin being used. Are you certain that is being used here?
2 Likes