SSL re-installation fail on Ubuntu server

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: swpdev.macbiz.co

I ran this command: certbot certonly --manual

It produced this output (see below):

ubuntu@ip-172-31-3-179:/$ certbot certonly --manual
The following error was encountered:
[Errno 13] Permission denied: '/var/log/letsencrypt/.certbot.lock'
Either run as root, or set --config-dir, --work-dir, and --logs-dir to writeable paths.
ubuntu@ip-172-31-3-179:/$ clear
ubuntu@ip-172-31-3-179:/$ sudo certbot certonly --manual
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Please enter in your domain name(s) (comma and/or space separated) (Enter ‘c’
to cancel): swpdev.macbiz.co
Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for swpdev.macbiz.co


NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you’re running certbot in manual mode on a machine that is not
your server, please ensure you’re okay with that.

Are you OK with your IP being logged?


(Y)es/(N)o: y


Create a file containing just this data:

ctWf5Q2xX2UzoT47tvEPJFBX9epTZm28hjkWsdtTCUc.kwlycHLrThgSMT4B1oEJ0IYHN8Nu3KFpi9PiDwqs9Fo

And make it available on your web server at this URL:

http://swpdev.macbiz.co/.well-known/acme-challenge/ctWf5Q2xX2UzoT47tvEPJFBX9epTZm28hjkWsdtTCUc


Press Enter to Continue
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. swpdev.macbiz.co (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://swpdev.macbiz.co/.well-known/acme-challenge/ctWf5Q2xX2UzoT47tvEPJFBX9epTZm28hjkWsdtTCUc [54.177.238.204]: 404

IMPORTANT NOTES:

My web server is (include version): Ubuntu 18.04

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don’t know): no

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):


Hi @kerlosense,

It looks like you’ve been having trouble with getting autorenewal working with your Node.js application for a while now.

When you want to use Let’s Encrypt with an application server like Node.js instead of the usual nginx, Apache etc, it is definitely a lot more complicated to get everything working.

I can suggest two different approaches:

  1. Use a library like greenlock to fully manage Let’s Encrypt within your Node.js application. This means no Certbot and no external processes, everything is fully encapsulated within your application, including managed autorenewal.

  2. Use a reverse proxy, like nginx, to listen on 80 and 443, and to proxy to your Node.js server (running on another port like 8080). This is what most people do and it simplifies things a lot, because your instructions are then just to run sudo certbot --nginx.

Your approach today doesn’t have a feasible autorenewal mechanism, because you have no authentication strategy and no way to reload the certificates, even if they were renewed. One of the two options above would serve you much better.

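The reverse-proxy layout from option 2, written out as an added example (this is not configuration from the original thread or from the poster's server). It assumes the Node.js app listens on 127.0.0.1:8080, that nginx serves challenge files from the webroot /var/www/letsencrypt, and the site file path given in the comment; the domain and the /etc/letsencrypt/live paths are the ones certbot uses by default for the domain in the post. It uses the explicit --webroot authenticator so the reason for the 404 above is visible: the validator's request to http://swpdev.macbiz.co/.well-known/acme-challenge/... ended up answered by https://..., meaning the plain-HTTP request was redirected to the app, which does not know that path. Running sudo certbot --nginx instead makes equivalent edits to the nginx configuration for you.

```nginx
# /etc/nginx/sites-available/swpdev.macbiz.co   (assumed path)
#
# Bootstrap order, because the :443 block cannot load until the certificate files exist:
#   1. Install only the :80 block (with "return 301" commented out), then
#        sudo nginx -t && sudo systemctl reload nginx
#   2. sudo mkdir -p /var/www/letsencrypt
#      sudo certbot certonly --webroot -w /var/www/letsencrypt -d swpdev.macbiz.co
#   3. Add the :443 block, enable the redirect, reload nginx again.
#   4. For renewals, tell certbot to reload nginx after a successful renewal, e.g.
#        sudo certbot renew --deploy-hook "systemctl reload nginx"
#      (or put that command in /etc/letsencrypt/renewal-hooks/deploy/), so the new
#      files are actually picked up; the app itself never handles TLS.

server {
    listen 80;
    listen [::]:80;
    server_name swpdev.macbiz.co;

    # http-01 challenges are served straight from disk, so renewal does not depend
    # on the Node.js app being up or knowing the path. "^~" makes this prefix win
    # over regex locations, and it must come before the redirect below; a redirect
    # to HTTPS that also catches this path is exactly what produces a 404 from the app.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;   # assumed webroot; certbot writes into $root/.well-known/acme-challenge/
        default_type text/plain;
        try_files $uri =404;
    }

    # Everything else goes to HTTPS once the certificate exists.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name swpdev.macbiz.co;

    # Symlinks certbot maintains; "live" always points at the newest certificate,
    # so a reload of nginx is all that is needed after renewal.
    ssl_certificate     /etc/letsencrypt/live/swpdev.macbiz.co/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/swpdev.macbiz.co/privkey.pem;

    location / {
        proxy_pass http://127.0.0.1:8080;   # assumed Node.js listen address
        proxy_http_version 1.1;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;   # lets the app know the client used TLS
    }
}
```

Before pressing Enter in a manual run, or after installing this, a quick check from another machine is `curl -i http://swpdev.macbiz.co/.well-known/acme-challenge/test` against a file you placed in the webroot: it should return 200 with the file's contents and no redirect, otherwise the validator will see the same 404.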

Hi,

Appreciate your answer; however, I don’t understand Greenlock. Does that mean I don’t need to install Let’s Encrypt or issue a new certificate, and it will be managed by itself?

Thanks


Yes, it will be self-managed inside Node.js. You could try running through the quickstart with a blank Node.js project to see whether it works in a way you like.

