SSL renew failed, nothing in access log - physiotherapieferber.de

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: physiotherapieferber.de

I ran this command: certbot renew

It produced this output: https://gist.github.com/serverok/6ae4db64b3adfe96577c4660502dc9ee/raw

My web server is (include version): nginx/1.10.3

The operating system my web server runs on is (include version): Debian 10

My hosting provider, if applicable, is: http://contabo.com/

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.39.0

Here is complete log file for my last run

https://gist.github.com/serverok/ed15c649d54f8ac4bdf49dc4da1c6093/raw

I watched the access log, I don’t see any access to files with .well-known. Verified the URL is accessible by creating a file manually and it worked.

root@ok:~# curl -i "https://physiotherapieferber.de/.well-known/acme-challenge/vgeOplvy5Q_wPRdrihX_9RJ1xVrbSjUveygTJQG2ms4"
HTTP/2 200
server: nginx/1.10.3
date: Mon, 04 Nov 2019 17:25:25 GMT
content-type: application/octet-stream
content-length: 3
last-modified: Mon, 04 Nov 2019 17:03:53 GMT
etag: "5dc059f9-3"
accept-ranges: bytes

ok
root@ok:~#

Looks like for some reason letsencrypt can’t reach my web site. I disabled the firewall. Still the same.

Any idea how to debug this issue?

Hi @HostOnNet

please check your output. That can’t work.

There is a pre-hook command:

Running pre-hook command: service nginx stop

Then you want

Plugins selected: Authenticator webroot, Installer None

But webroot requires a running webserver.

So what? Running webserver and webroot or stopping the webserver?

The hook is for another domain; for this domain the renewal config is:

root@mail:/etc/letsencrypt/renewal# cat physiotherapieferber.de.conf 
# renew_before_expiry = 30 days
version = 0.10.2
archive_dir = /etc/letsencrypt/archive/physiotherapieferber.de
cert = /etc/letsencrypt/live/physiotherapieferber.de/cert.pem
privkey = /etc/letsencrypt/live/physiotherapieferber.de/privkey.pem
chain = /etc/letsencrypt/live/physiotherapieferber.de/chain.pem
fullchain = /etc/letsencrypt/live/physiotherapieferber.de/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = webroot
installer = None
account = da2741d321a8782bc72a4cec2197ff46
[[webroot_map]]
physiotherapieferber.de = /www/sites/physiotherapie-ferber.de/htdocs
root@mail:/etc/letsencrypt/renewal# 

Another site on the server has the following pre_hook:

root@mail:/etc/letsencrypt/renewal# cat 2fly4.de.conf
# renew_before_expiry = 30 days
version = 0.10.2
archive_dir = /etc/letsencrypt/archive/2fly4.de
cert = /etc/letsencrypt/live/2fly4.de/cert.pem
privkey = /etc/letsencrypt/live/2fly4.de/privkey.pem
chain = /etc/letsencrypt/live/2fly4.de/chain.pem
fullchain = /etc/letsencrypt/live/2fly4.de/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = standalone
installer = None
account = da2741d321a8782bc72a4cec2197ff46
pref_challs = http-01,
post_hook = service nginx start
pre_hook = service nginx stop
root@mail:/etc/letsencrypt/renewal# 

Can this site cause a problem with renewal of the domain physiotherapieferber.de?

Fixed by replacing

authenticator = webroot

with

authenticator = standalone
pref_challs = http-01,
post_hook = service nginx start
pre_hook = service nginx stop
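
An added example, not part of the thread and not Certbot's own code: a small check for the conflict discussed above, where one renewal config stops nginx in a pre_hook while another config on the same server uses the webroot authenticator, which needs the web server running. The sample configs are trimmed, constructed copies of the two files quoted in the thread, and the "hook stops the server" regex is a heuristic assumed for this example.

```python
import re

# Constructed sample input: trimmed copies of the two renewal configs quoted above.
SAMPLE_CONFS = {
    "physiotherapieferber.de.conf": """\
[renewalparams]
authenticator = webroot
installer = None
[[webroot_map]]
physiotherapieferber.de = /www/sites/physiotherapie-ferber.de/htdocs
""",
    "2fly4.de.conf": """\
[renewalparams]
authenticator = standalone
pref_challs = http-01,
post_hook = service nginx start
pre_hook = service nginx stop
""",
}

# Heuristic (an assumption of this example): a hook stops the web server
# if it names a common server and the word "stop", in either order.
STOP_RE = re.compile(
    r"\b(nginx|apache2|httpd)\b.*\bstop\b|\bstop\b.*\b(nginx|apache2|httpd)\b")

def parse_renewalparams(text):
    """Return key/value pairs from the [renewalparams] section only."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            # Covers nested headers such as [[webroot_map]], whose keys are skipped.
            section = line.strip("[]")
            continue
        if section == "renewalparams" and "=" in line:
            key, _, value = line.partition("=")
            params[key.strip()] = value.strip()
    return params

def find_conflicts(confs):
    """Pair each webroot config with each config whose pre_hook stops the server."""
    parsed = {name: parse_renewalparams(text) for name, text in confs.items()}
    stoppers = sorted(n for n, p in parsed.items()
                      if STOP_RE.search(p.get("pre_hook", "")))
    webroot = sorted(n for n, p in parsed.items()
                     if p.get("authenticator") == "webroot")
    return [(w, s) for w in webroot for s in stoppers if w != s]

if __name__ == "__main__":
    for w, s in find_conflicts(SAMPLE_CONFS):
        print(f"{w}: webroot needs a running server, but {s} stops it in pre_hook")
```

To run it against a real host, build the dictionary from the files in /etc/letsencrypt/renewal/ instead of `SAMPLE_CONFS`.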
