SSL renewal failing when using certbot renew

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
dormmarket.cz

I ran this command:
certbot renew

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/www.dormmarket.cz.conf

Renewing an existing certificate for www.dormmarket.cz

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Domain: www.dormmarket.cz
  Type:   unauthorized
  Detail: 62.72.32.119: Invalid response from http://www.dormmarket.cz/.well-known/acme-challenge/xb1zkt4gTwj-D-gAYI6UauUd3tCUJVy6IpziKFXXw5A: 404

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Failed to renew certificate www.dormmarket.cz with error: Some challenges have failed.

All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/www.dormmarket.cz/fullchain.pem (failure)

1 renew failure(s), 0 parse failure(s)

Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):
nginx/1.18.0 (Ubuntu)

The operating system my web server runs on is (include version):
Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-1107-kvm x86_64)

My hosting provider, if applicable, is:
Hostinger

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 2.9.0

My nginx .conf file:

server {
    listen 80;
    server_name www.dormmarket.cz;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name www.dormmarket.cz;
    ssl_certificate /etc/letsencrypt/live/www.dormmarket.cz/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/www.dormmarket.cz/privkey.pem; # managed by Certbot

    location / {
        proxy_pass http://62.72.32.119:8080;
    }
}

My DNS records

Are you sure nginx is listening on port 80?

Try ss -tlpn src :80


This is what I see with curl

$ curl -i http://www.dormmarket.cz/.well-known/acme-challenge/sometestfile
HTTP/1.1 404 Not Found
Content-Length: 0
$ curl -i http://www.dormmarket.cz
HTTP/1.1 302 Found
Location: https://www.dormmarket.cz/website/index.html
Content-Length: 0

This results in this output

State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process        
LISTEN 0      511          0.0.0.0:80        0.0.0.0:*    users:(("nginx",pid=75658,fd=6),("nginx",pid=75657,fd=6),("nginx",pid=75656,fd=6),("nginx",pid=75655,fd=6),("nginx",pid=75554,fd=6))

Yes, I have a server running there that redirects calls to https://www.dormmarket.cz/website/index.html.

But when I do
curl -i http://www.dormmarket.cz/.well-known/acme-challenge/sometestfile
I get this

HTTP/1.1 301 Moved Permanently
Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 19 Mar 2024 12:29:41 GMT
Content-Type: text/html
Content-Length: 178
Connection: keep-alive
Location: https://www.dormmarket.cz/.well-known/acme-challenge/sometestfile

<html>
<head><title>301 Moved Permanently</title></head>
<body>
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx/1.18.0 (Ubuntu)</center>
</body>
</html>

Is there something I can do to make it work?

I don't get the redirect.
I get:

curl -i http://www.dormmarket.cz/.well-known/acme-challenge/sometestfile
HTTP/1.1 404 Not Found
Content-Length: 0

I see, and what can I do to make it work? Just return HTTP 200 when someone calls
http://www.dormmarket.cz/.well-known/acme-challenge/anything?

I have tried that and now I am getting this

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Domain: www.dormmarket.cz
  Type:   unauthorized
  Detail: The key authorization file from the server did not match this challenge. Expected "Yq0Yw90IWPIcm1TB6ODO4Z_grYvo9-IIfBP5F_NBtLo.4Jl8s06zaEp9BDzRtfCICEb4H-kN1tH3vW6gZ3JnFn4" (got "")

I have also tried to pass this HTML but it is also not working.

<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>

What should be returned, or how should I route that call?
Should I make some changes in the DNS records or in the nginx configuration? I am a bit lost. I understand that some verification of the domain should be happening, but what can I do?

My point was to show that we are getting two completely different replies.
Are you connecting from the same network or over the Internet?


I was executing it from the root server.

You should try from the public internet.

It looks like something is handling the HTTP requests before it reaches your nginx server. Is there any kind of firewall or other protection setup in your server? Or maybe with your hosting service?

Here are some example requests

# An HTTP request is redirected but notice no "Server: nginx" response header
curl -i http://www.dormmarket.cz
HTTP/1.1 302 Found
Location: https://www.dormmarket.cz/website/index.html
Content-Length: 0

# An HTTPS request is also redirected but see "nginx/1.18.0 (Ubuntu)"
curl -i https://www.dormmarket.cz
HTTP/1.1 302 Found
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 20 Mar 2024 21:49:16 GMT
Content-Length: 0
Connection: keep-alive
Location: https://www.dormmarket.cz/website/index.html

# A test HTTP Challenge request is redirected wrong
# It is sent to "website/security.html" which is wrong
# It should do one of these two:
# Redirect but retain the URI "./well-known/acme-challenge/Test404"
# Or, it could just reply 404
curl -i http://www.dormmarket.cz/.well-known/acme-challenge/Test404
HTTP/1.1 302 Found
Location: https://www.dormmarket.cz/website/security.html
Content-Length: 0

This pattern of responses from your server usually indicates some sort of firewall or communications device inspecting and rejecting HTTP requests.

EDIT: OR,
Do you have some kind of DNS URL redirect feature just for HTTP requests? Maybe related to some kind of "parking" setting?

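The checks in the reply above (a test challenge request must either come back 404 from nginx or be redirected with the /.well-known/acme-challenge/ path intact, and a missing Server header points at something answering before nginx) can be scripted. This is an added example written for this thread, not code from Certbot or from the poster; it parses constructed copies of the curl responses quoted above rather than making live requests.

```python
import re

# Constructed samples that mirror the responses quoted in this thread (not live captures).
HOST = "www.dormmarket.cz"
PATH = "/.well-known/acme-challenge/Test404"
SAMPLES = {
    "hosting_redirect": "HTTP/1.1 302 Found\r\nLocation: https://www.dormmarket.cz/website/security.html\r\nContent-Length: 0\r\n\r\n",
    "nginx_redirect": "HTTP/1.1 301 Moved Permanently\r\nServer: nginx/1.18.0 (Ubuntu)\r\nLocation: https://" + HOST + PATH + "\r\n\r\n",
    "plain_404": "HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n",
    "static_200": "HTTP/1.1 200 OK\r\nServer: nginx/1.18.0 (Ubuntu)\r\nContent-Type: text/html\r\n\r\n<html>...</html>",
}

def parse_response(raw):
    """Return (status_code, {lower-case header name: value}) from a raw 'curl -i' style response."""
    head = re.split(r"\r?\n\r?\n", raw, maxsplit=1)[0]      # headers only, drop the body
    lines = head.splitlines()
    m = re.match(r"HTTP/\d(?:\.\d)? (\d{3})", lines[0])
    if not m:
        raise ValueError("not an HTTP status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(m.group(1)), headers

def classify_probe(raw, host=HOST, path=PATH):
    """Judge a response to a test HTTP-01 probe: ('ok' | 'suspect' | 'fail', explanation)."""
    status, headers = parse_response(raw)
    server = headers.get("server", "")
    proxy_hint = "" if server else "; no Server header, something may be answering before nginx"
    if 300 <= status < 400:
        location = headers.get("location", "")
        if location.startswith("https://" + host + path):
            return "ok", "redirect keeps the challenge path; the CA follows it to HTTPS" + proxy_hint
        return "fail", "redirect drops the challenge path (-> %s)%s" % (location, proxy_hint)
    if status == 404:
        if server.startswith("nginx"):
            return "ok", "nginx itself answered 404; certbot's temporary location would take over"
        return "suspect", "404 from an unknown responder" + proxy_hint
    if status == 200:
        return "fail", "a hand-made 200 cannot carry certbot's key authorization (CA reports a mismatch)"
    return "suspect", "unexpected status %d%s" % (status, proxy_hint)

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, *classify_probe(raw))
```

Run the probe from outside the hosting network, as the reply advises, since the same request answered from the server itself reaches nginx directly.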

Thanks a lot
I think there was this type of problem. I have a screenshot of what I did


I had to change to the recommended option in Hosting, for some reason it was on the second one and that was probably causing the error. Now I can say the certificate is renewed.
Thanks a lot to all!!

