SSL Failed, now renew won't run

Help
#1

Please fill out the fields below so we can help you better.

My domain is:
http://repcleaner.net
I ran this command:
sudo certbot renew
It produced this output:
The following certs are not due for renewal yet:
/etc/letsencrypt/live/repcleaner.net-0001/fullchain.pem (skipped)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/blog.repcleaner.net/fullchain.pem (failure)
/etc/letsencrypt/live/repcleaner.net/fullchain.pem (failure)
2 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

I thought i had auto renew setup and everything functioning correctly. I noticed my sites giving off a security warning this week and this seems to be the issue :frowning:

#2

You already have issued two certificates for repcleaner.net and www.repcleaner.net today (note: repcleaner.ca is missing from this certificate):

https://crt.sh/?id=142412816
https://crt.sh/?id=142402963

So something is working…

403 Forbidden errors are mostly due to webserver configurations. The 404 File not found error is probably due to an erroneous webroot path.

#3

Hey Osiris,

Thanks for the response.

Do you have any suggestions on what I should do from here?

#4

You could run certbot certificates to see whether the repcleaner.net-0001 certificate is an accidental overlap with one of your other certificates and if, perhaps, you no longer need one of them.

Apart from that, you could look up your webroot directories in /etc/letsencrypt/renewal/blog.repcleaner.net.conf and /etc/letsencrypt/renewal/repcleaner.net.conf to see if ① you agree that the webroot directories are actually where your site content is served from and ② if making test files under those directories allows the test files to appear in the corresponding place on your web site.

#5

@schoen Hey Seth,

Thank you for the detailed response! I think it has gotten me closer to a solve.

I tried running certbot certificates but it returns ‘unrecognized arguments: certificates’

However, I did checkout the /etc/letsencrypt/renewal/blog.repcleaner.net.conf
and /etc/letsencrypt/renewal/repcleaner.net.conf

Inside the repcleaner.net.conf I noticed that the webroot directories seem to be my nginx root, being /usr/share/nginx/html

See below the contents of my conf file:

renew_before_expiry = 30 days

version = 0.9.3
cert = /etc/letsencrypt/live/repcleaner.net/cert.pem
privkey = /etc/letsencrypt/live/repcleaner.net/privkey.pem
chain = /etc/letsencrypt/live/repcleaner.net/chain.pem
fullchain = /etc/letsencrypt/live/repcleaner.net/fullchain.pem

Options used in the renewal process

[renewalparams]
authenticator = webroot
installer = None
account = 62f3099187531d92b9c15bd17ebc7872
webroot_path = /usr/share/nginx/html,
[[webroot_map]]
www.repcleaner.net = /usr/share/nginx/html
repcleaner.net = /usr/share/nginx/html
repcleaner.ca = /usr/share/nginx/html

Does this look correct?

I know the root for my site files is located at /var/www/repcleaner.net/html
should I change all the paths from /usr/share/nginx/html to the directory with my site content?
Could this be what is preventing it from renewing properly?

Thanks again for the support!

#6

In that case, you have an older version of Certbot which doesn't have some of the newer certificate management features.

Yes, that should work!

#7

Thanks Schoen,

This solved the issue for the repcleaner.net domain! Everything is live for that one and the SSL cert has been renewed, so thanks for the help there :slight_smile:

However, the blog.repcleaner.net domain is giving me the same error and I can’t seem to figure out why, the .conf settings are now updated the same as the main domain.

It is returning this error when I try running sudo certbot renew

Processing /etc/letsencrypt/renewal/repcleaner.net.conf

Cert not yet due for renewal

The following certs are not due for renewal yet:
/etc/letsencrypt/live/repcleaner.net-0001/fullchain.pem (skipped)
/etc/letsencrypt/live/repcleaner.net/fullchain.pem (skipped)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/blog.repcleaner.net/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

Here is the .conf file for the blog domain.

renew_before_expiry = 30 days

version = 0.9.3
cert = /etc/letsencrypt/live/blog.repcleaner.net/cert.pem
privkey = /etc/letsencrypt/live/blog.repcleaner.net/privkey.pem
chain = /etc/letsencrypt/live/blog.repcleaner.net/chain.pem
fullchain = /etc/letsencrypt/live/blog.repcleaner.net/fullchain.pem

Options used in the renewal process

[renewalparams]
authenticator = webroot
installer = None
account = 62f3099187531d92b9c15bd17ebc7872
[[webroot_map]]
www.blog.repcleaner.net = /var/www/blog.repcleaner.net/html
blog.repcleaner.net = /var/www/blog.repcleaner.net/html

#8

Probably blog.repcleaner.net has a different webroot directory than /var/www/repcleaner.net/html, because http://blog.repcleaner.net/ has different content than http://repcleaner.net/. So you should set the appropriate webroot path for that certificate too.

#9

If you check my previous post of the conf file you can see it has a different path for the webroot.

The main site is /var/www/repcleaner.net/html
where the blog is /var/www/blog.repcleaner.net/html

could it be anything else or is it most certainly the webroot?

#10

I’m sorry, I didn’t notice some of the details that you posted.

You’re getting a 403 (forbidden) error, not a 404 (not found) error. Therefore, your webroot may be set correctly but your web server may be configured to forbid access to /var/www/blog.repcleaner.net/html/.well-known/acme-challenge for some reason. You should look at your web server configuration to see if there’s any reason why this access would be forbidden.

You can also create a file /var/www/blog.repcleaner.net/html/.well-known/acme-challenge/test.txt and see if you can see it with a web browser at http://blog.repcleaner.net/.well-known/acme-challenge/test.txt. If you get a 404 error, your webroot is probably specified incorrectly; if you get a 403 error, you can investigate what to change in the web server configuration to allow this file to be accessed.

#11

Ohh okay, I see.

I have tried uploading a test.html into blog.repcleaner.net/.well-known/

The .well-known folder is empty on my server, I have checked permissions and they are 774, and I am noticing that it will not let me upload the test.html file into the folder as I do not have permissions. So I have changed the permissions via sudo chmod 777 -R /var/www/blog.repcleaner.net/.well-known

Now this has worked I ran the cert and it passed!
but… when I view the page, It is returning 502 bad gateway! :frowning:

so no 403 or 404

#12

@bmw, can you understand a scenario in which certbot renew with webroot fails the challenge and then changing the permissions on /.well-known/acme-challenge makes it succeed? I would think we would get IOError: [Errno 13] in this case, rather than Certbot thinking that it's set up the challenge properly...

This is probably not directly related to your certificate, even though a misconfiguration might have been triggered by something to do with the certificate configuration. If you look in /var/log/apache2 or a similar directory, you should be able to find an Apache error log which may explain in more detail why your site isn't working.

#13

@schoen, so strange… the site was functioning properly prior to the past cert expiring.

Now i’ve just renewed it and the site is now providing a 502 bad gateway…
Maybe it has something to do with my nginx conf files, but nothing should be different in those than before… i’ll update once I figure it out.

Thanks again for the help

#14

@schoen
Just an update, here is my nginx conf file located within /etc/nginx/conf.d/ for the blog incase you might see something blatantly obvious that I have missed:

server { listen 80; listen 443 ssl http2;

server_name blog.repcleaner.net www.blog.repcleaner.net;

access_log  /var/log/nginx/ghost.access.log;
error_log   /var/log/nginx/ghost.error.log;

#return 301 https://$server_name$request_uri;

proxy_buffers 16 64k;
proxy_buffer_size 128k;

location ^~ /.well-known {
  allow all;
  root /var/www/blog.repcleaner.net/html;
}

location / { proxy_pass http://127.0.0.1:2000; proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504; proxy_redirect off;

    proxy_set_header    Host            $host;
    proxy_set_header    X-Real-IP       $remote_addr;
    proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header    X-Forwarded-Proto https;
}

include snippets/ssl-blog.repcleaner.net.conf; include snippets/ssl-params.conf;

#15

@schoen, testing at least the simple cases, Certbot errors out with an IOError or OSError if the webroot plugin can’t create the necessary files or directories. I have seen this problem though when the webserver has insufficient permissions to access the challenge files.

#16

does this have anything to do with my current bad gateway issue?

#17

No. I would suggest taking a look at your web server logs under /var/log, which hopefully will have more detail about why you see that error.

#18

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.