Suddenly Certbot Stop Working - Some challenges have failed

OK, let's try using --nginx as an installer only, with:

sudo certbot -i nginx \
--webroot -w /var/www/linkjoy/public \
-d ssltesting.notionjoy.io --force-renewal

NOTE: Don't ever script the use of --force-renewal
[do it only once, manually - just to get it to create the secure vhost config file for you]

Command - sudo certbot -i nginx --webroot -w /var/www/linkjoy/public -d ssltesting.notionjoy.io --force-renewal

Output -

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer nginx
Renewing an existing certificate
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/ssltesting.notionjoy.io

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.


1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.


Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/ssltesting.notionjoy.io


Your existing certificate has been successfully renewed, and the new certificate
has been installed.

The new certificate covers the following domains:
https://ssltesting.notionjoy.io

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=ssltesting.notionjoy.io


IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/ssltesting.notionjoy.io/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/ssltesting.notionjoy.io/privkey.pem
    Your cert will expire on 2021-12-01. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot again
    with the "certonly" option. To non-interactively renew all of
    your certificates, run "certbot renew"

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let's Encrypt: Donate - Let's Encrypt
    Donating to EFF: Support EFF's Work on Let's Encrypt | Electronic Frontier Foundation

Now I get the expected result.

How about now?

Remember to restart nginx

Now I get this result:
server_name ssltesting.notionjoy.io;
ssl_certificate /etc/letsencrypt/live/ssltesting.notionjoy.io/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/ssltesting.notionjoy.io/privkey.pem; # managed by Certbot

Excellent!

Now it looks good:

curl -Iki http://ssltesting.notionjoy.io/ | grep -Ei 'moved|location'
HTTP/1.1 301 Moved Permanently
Location: https://ssltesting.notionjoy.io/

That is from our side and I have fixed it. Now you can check.

Can you just give us the command we have to use to generate the SSL certificate and reflect it in the nginx file?

Just change the domain name and webroot location [to match root for name].

OR
Find out what's messing with the nginx... and fix that.
You mentioned:

Is there some URL manipulation or PROXY device inline?

Do we need to change the webroot?

The webroot must match the root used in the vhost config for the domain you want to renew.

Here look at this output:
[you don't need to post it here - just look at it and you will understand]

nginx -T | grep -Ei 'root|server_name'

Not all of the entries in the nginx config linked earlier in the thread have an entry to allow well-known to pass through to the file system:

location ~ /.well-known {
        allow all;
        root /var/www/html;
}

Is certbot supposed to put that there automatically? If so, it's apparently not doing it. Is there a way to make that a global rule in nginx?

None that I have ever seen.

I think so; but it will affect ALL sites equally.
[which may need to be approved by all entities serviced]
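The two things the reply above tells you to check, the root nginx actually applies to /.well-known for a given server_name and whether a file dropped under the -w webroot really comes back at http://DOMAIN/.well-known/acme-challenge/TOKEN, as one shell script. This is an added example, not code from the thread or from Certbot; the hostnames and paths in it are assumptions, and the sample config is constructed to mirror the location block quoted above (server root /var/www/linkjoy/public, .well-known served from /var/www/html).

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight the webroot before running certbot.
#
#   nginx_acme_root NAME            reads `nginx -T` output on stdin and prints the root
#                                   that applies to /.well-known for the server block whose
#                                   server_name includes NAME. A `root` inside a location
#                                   matching .well-known wins over the server-level root,
#                                   because that is the directory nginx will serve from.
#   acme_preflight WEBROOT DOMAIN [BASE]
#                                   writes a token file under WEBROOT/.well-known/acme-challenge
#                                   and fetches it via BASE (default http://DOMAIN), the same
#                                   path the CA's http-01 validator requests.
#
# ACME_FETCH is the fetch command. It is a variable only so an offline check can swap
# in `cat` with a directory as BASE; against a live server leave the curl default.
ACME_FETCH=${ACME_FETCH:-"curl -fsS --max-time 10"}

nginx_acme_root() {
    awk -v name="$1" '
        /^[[:space:]]*server[[:space:]]*[{]/ { inserver=1; depth=0; root=""; wkroot=""; hit=0; inwk=0 }
        inserver {
            line=$0
            opens=gsub(/[{]/, "{", line); closes=gsub(/[}]/, "}", line)
            if ($1 == "server_name") {
                for (i=2; i<=NF; i++) { s=$i; sub(/;$/, "", s); if (s == name) hit=1 }
            }
            if ($1 == "location" && depth == 1 && index($0, ".well-known") > 0) inwk=1
            if ($1 == "root") {
                r=$2; sub(/;$/, "", r)
                if (depth == 1 && root == "") root=r      # server-level root
                if (inwk && wkroot == "") wkroot=r        # root inside the .well-known location
            }
            depth += opens - closes
            if (inwk && depth <= 1) inwk=0
            if (depth <= 0) { if (hit) print (wkroot != "" ? wkroot : root); inserver=0 }
        }'
}

acme_preflight() {
    webroot=$1; domain=$2; base=${3:-http://$domain}
    dir="$webroot/.well-known/acme-challenge"
    token="preflight-$$-$(date +%s)"
    mkdir -p "$dir" || { echo "FAIL: cannot create $dir"; return 2; }
    printf 'ok-%s\n' "$token" > "$dir/$token" || { echo "FAIL: cannot write to $dir"; return 2; }
    chmod 644 "$dir/$token"                    # the nginx worker must be able to read it
    url="$base/.well-known/acme-challenge/$token"
    got=$($ACME_FETCH "$url" 2>/dev/null) || got=""
    rm -f "$dir/$token"                        # never leave the probe file behind
    if [ "$got" = "ok-$token" ]; then
        echo "PASS: $url is served from $webroot; certbot --webroot -w $webroot -d $domain should validate"
        return 0
    fi
    echo "FAIL: $url did not return the token (got: '${got:-nothing}')."
    echo "      $webroot is not the directory nginx serves for /.well-known on $domain;"
    echo "      compare with: nginx -T 2>/dev/null | nginx_acme_root $domain"
    return 1
}

# Constructed sample of `nginx -T` output (hostnames are assumptions), shaped like the
# config discussed above: the .well-known location has its own root.
SAMPLE_CONF='
server {
    listen 80;
    server_name ssltesting.example.test;
    root /var/www/linkjoy/public;
    location ~ /.well-known {
        allow all;
        root /var/www/html;
    }
}
server {
    listen 80;
    server_name other.example.test www.other.example.test;
    root /var/www/other;
}
'

# Usage against the live server (run as a user that can write to the webroot):
#   root=$(nginx -T 2>/dev/null | nginx_acme_root ssltesting.notionjoy.io)
#   acme_preflight "$root" ssltesting.notionjoy.io
if [ $# -ge 2 ]; then
    acme_preflight "$1" "$2" "${3:-}"
fi
```

For the sample config the script reports /var/www/html for ssltesting.example.test, not /var/www/linkjoy/public, which is the mismatch behind the 404 on the challenge URL: certbot writes the token into -w, nginx looks in the .well-known location's root. Once the preflight passes for a name, `certbot renew --dry-run` for that certificate should pass too, and the unattended `certbot renew` (with `--deploy-hook` to reload nginx) is what belongs in cron.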

Now I am able to generate an SSL certificate for the new domain.

As the SSL certificate expires in 3 months, we have to run the renew command to renew the certificate. I got the following error.

Command -
sudo certbot renew --cert-name 7phut.vuahieusuat.vn --dry-run

Output -
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/7phut.vuahieusuat.vn.conf


Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for 7phut.vuahieusuat.vn
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (7phut.vuahieusuat.vn) from /etc/letsencrypt/renewal/7phut.vuahieusuat.vn.conf produced an unexpected error: Failed authorization procedure. 7phut.vuahieusuat.vn (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://7phut.vuahieusuat.vn/.well-known/acme-challenge/Mvlqzb67afGJsBLwjSa4eSmd-NttJ4gM9d6dGyjthUA [3.213.80.151]: "\r\n404 Not Found\r\n<body bgcolor="white">\r\n

404 Not Found

\r\n
". Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/7phut.vuahieusuat.vn/fullchain.pem (failure)


** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/7phut.vuahieusuat.vn/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

Can you guide me how to fix this error?

You may have to use --webroot (like we did with ssltesting)

It is URL manipulation from the code side.

As we discussed,

  1. sudo certbot -i nginx --webroot -n --redirect -w /var/www/linkjoy/public -d link.gridle.io
    We use this command to generate SSL certificate and it is working

  2. Can you give me renew command with webroot to renew any particular SSL?

  3. Which command do I have to put in a cron job to make the renewal process automatic?

A2. Use the line from 1, just change the domain and webroot path as needed.
A3. certbot renew

I got the following errors.


Processing /etc/letsencrypt/renewal/accounts.brandmojo.pw.conf


Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for accounts.brandmojo.pw
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (accounts.brandmojo.pw) from /etc/letsencrypt/renewal/accounts.brandmojo.pw.conf produced an unexpected error: Failed authorization procedure. accounts.brandmojo.pw (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://accounts.brandmojo.pw/.well-known/acme-challenge/1TY6no00WjJDWta4-D8swXNNOYbdQhwd_3PeC2P80-0 [3.213.80.151]: "\r\n404 Not Found\r\n<body bgcolor="white">\r\n

404 Not Found

\r\n
". Skipping.


You skipped A2?

That should show webroot.

Actually, we generated the SSL certificate for this domain on 31st Jan 2021 by using Nginx. So it has expired.
There are many domains that have the same case.

I want to renew all these domains' SSL certificates automatically. How do I do that?

We are going in a circle.
I've answered that question.
You need to use an authentication method that works (like: --webroot)
OR
Fix the problem that makes --nginx authentication fail.

Then AFTER it is working, the cron job with certbot renew will renew your certs automatically.