Trying to renew expired certificate failing with challenge failed error

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: shredderfood.com

I ran this command: certbot

It produced this output:

```
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate for shredderfood.com
Performing the following challenges:
http-01 challenge for shredderfood.com
Using default addresses 80 and [::]:80 ipv6only=on for authentication.
Waiting for verification...
Challenge failed for domain shredderfood.com
http-01 challenge for shredderfood.com
Cleaning up challenges
Failed to renew certificate shredderfood.com with error: Some challenges have failed.

All renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/shredderfood.com/fullchain.pem (failure)

1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
```

My web server is (include version):
nginx 1.18.0

The operating system my web server runs on is (include version):
debian 15

My hosting provider, if applicable, is:
Self

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.12.0


Welcome @ShredderFeeder

HTTP requests to your domain name are broken. My first guess is your nginx config is wrong. My second guess is your NAT or port-forwarding is set up wrong. HTTP requests are being handled by an nginx server block that requires HTTPS. You have an unusual warning message for your certbot request which makes me think nginx config is wrong.

Can you upload the config.txt file (use the upload button on the post menu) from this command (capital T):

```
sudo nginx -T >config.txt
```

or copy/paste the output (which is very long), placing 3 backticks before and after the output like this:
```
pasted output of: sudo nginx -T
```

This shouldn't be happening:

```
curl  http://shredderfood.com

<html>
<head><title>400 The plain HTTP request was sent to HTTPS port</title></head>
<body>
<center><h1>400 Bad Request</h1></center>
</body>
</html>
```

It's a Mastodon instance; it ran perfectly up until the cert expiration. Tried to do a renew and it seems to be getting stuck behind the HTTP-->HTTPS redirect, but I have no idea how to undo that.


config.txt (9.8 KB)


It would seem that your port 80 is expecting HTTPS connections.

HTTP to port 80:

```
$ curl -Ii http://shredderfood.com/.well-known/acme-challenge/sometestfile
HTTP/1.1 400 Bad Request
Server: nginx/1.18.0
Date: Thu, 30 Mar 2023 15:44:27 GMT
Content-Type: text/html
Content-Length: 255
Connection: close
Strict-Transport-Security: max-age=31536000
$ curl http://shredderfood.com/.well-known/acme-challenge/sometestfile
<html>
<head><title>400 The plain HTTP request was sent to HTTPS port</title></head>
<body>
<center><h1>400 Bad Request</h1></center>
<center>The plain HTTP request was sent to HTTPS port</center>
<hr><center>nginx/1.18.0</center>
</body>
</html>
```

And now for HTTPS to port 80:

```
$ curl -k -Ii https://shredderfood.com:80/.well-known/acme-challenge/sometestfile
HTTP/2 404
date: Thu, 30 Mar 2023 15:46:14 GMT
content-type: */*; charset=utf-8
server: Mastodon
x-frame-options: DENY
x-content-type-options: nosniff
x-xss-protection: 0
permissions-policy: interest-cohort=()
referrer-policy: same-origin
vary: Accept, Origin
cache-control: no-cache
content-security-policy: base-uri 'none'; default-src 'none'; frame-ancestors 'none'; font-src 'self' https://shredderfood.com; img-src 'self' https: data: blob: https://shredderfood.com; style-src 'self' https://shredderfood.com 'nonce-m8aq7gqbs/HyEjQbNHInKQ=='; media-src 'self' https: data: https://shredderfood.com; frame-src 'self' https:; manifest-src 'self' https://shredderfood.com; form-action 'self'; connect-src 'self' data: blob: https://shredderfood.com https://shredderfood.com wss://shredderfood.com; script-src 'self' https://shredderfood.com 'wasm-unsafe-eval'; child-src 'self' blob: https://shredderfood.com; worker-src 'self' blob: https://shredderfood.com
x-request-id: d9838910-2feb-4096-b36d-f3b5cb0d0bb7
x-runtime: 0.004800
strict-transport-security: max-age=63072000; includeSubDomains
strict-transport-security: max-age=31536000
$ curl -k https://shredderfood.com:80/.well-known/acme-challenge/sometestfile
<!DOCTYPE html>
<html lang='en'>
<head>
<meta content='text/html; charset=UTF-8' http-equiv='Content-Type'>
<meta charset='utf-8'>
<title>The page you are looking for isn&#39;t here.
 - Mastodon</title>
<meta content='width=device-width,initial-scale=1' name='viewport'>
<link rel="stylesheet" media="all" crossorigin="anonymous" href="/packs/css/common-a844dc34.css" integrity="sha256-P7jsS35wKfKZ7egDM6otdXk7d8JjmsE5i9R8SD1vD8s=" />
<link rel="stylesheet" media="all" crossorigin="anonymous" href="/packs/css/default-e386d4d4.chunk.css" integrity="sha256-wVyJsuJgYArkQMuHeSbPCvcHuKsnzolXjNW6+/FwpSc=" />
<script src="/packs/js/common-db162fb9203fc875e76d.js" crossorigin="anonymous" integrity="sha256-zbSAfm62fn+Zf2fHQbZuOudLL34SyxZMq57wU2BcIM8="></script>
<script src="/packs/js/error-d8c6552c2591d9814e28.chunk.js" crossorigin="anonymous" integrity="sha256-8HRHFWmtSgPZo2qTTCGn78kgs6hOygqL1g0sCQzYL6I="></script>
</head>
<body class='error'>
<div class='dialog'>
<div class='dialog__illustration'>
<img alt='Mastodon' src='/oops.png'>
</div>
<div class='dialog__message'>
<h1>The page you are looking for isn&#39;t here.
</h1>
</div>
</div>
</body>
</html>
```

Your nginx server blocks are faulty.

In /etc/nginx/conf.d/mastodon.conf

You have two lines for server_name. One is in your server block for HTTP (has listen 80;) and the other for HTTPS (listen 443 ssl http2;).

The server_name should match your domain name. Yours do not.

In the HTTP server block change:
```
server_name mast1.dmz;
```
to
```
server_name shredderfood.com;
```

and in the HTTPS server block change:
```
server_name mast1;
```
to
```
server_name shredderfood.com;
```

There might be something else wrong in your network routing but start with these two changes. Restart nginx after changing these lines.

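The two server blocks the advice above describes, as an added example that is not the config.txt posted in this thread. The host name is the thread's and the certificate paths are the ones certbot printed above; the webroot path, the listen lines beyond what the post quotes, and the optional acme-challenge location are assumptions of this example. Certbot's nginx authenticator selects the server block whose `server_name` matches the domain being validated and temporarily inserts its own challenge location there, which is why a `server_name` of `mast1.dmz` breaks renewal even when ports and files are otherwise fine.

```nginx
# Added example (not the poster's config.txt): both server blocks carry the public
# host name so certbot's nginx plugin can find them. Webroot path is assumed.

# Plain HTTP on port 80: must speak HTTP, not TLS. Serves the ACME path and
# redirects everything else to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name shredderfood.com;   # was: server_name mast1.dmz;

    # Optional: only needed if you switch to `certbot --webroot`; the nginx
    # authenticator injects its own challenge location at renewal time.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;   # assumed webroot
        default_type text/plain;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

# HTTPS on port 443: the only block that should ever see TLS. Port 80 traffic
# must not land here; in this thread a firewall 80->443 forward sent it here,
# which is what produced nginx's 400 "plain HTTP request was sent to HTTPS port".
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name shredderfood.com;   # was: server_name mast1;

    ssl_certificate     /etc/letsencrypt/live/shredderfood.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/shredderfood.com/privkey.pem;

    # Mastodon proxy locations stay as they were.
}
```

After editing, run `sudo nginx -t` and then `sudo systemctl reload nginx`; `sudo nginx -T | grep server_name` should show the public name in both blocks. With the blocks in this shape, `curl -i http://shredderfood.com/.well-known/acme-challenge/x` should answer with a 301 to https (or a 404 from the port 80 block), never with nginx's 400 "plain HTTP request was sent to HTTPS port", which only a TLS listener produces.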

Done, and done, and restarted, same exact error:

```
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate for shredderfood.com
Performing the following challenges:
http-01 challenge for shredderfood.com
Waiting for verification...
Challenge failed for domain shredderfood.com
http-01 challenge for shredderfood.com
Cleaning up challenges
Failed to renew certificate shredderfood.com with error: Some challenges have failed.

All renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/shredderfood.com/fullchain.pem (failure)

1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
```



Not exactly. You no longer get the message about these addresses.

HTTP requests are not reaching that nginx. Does your router send HTTP (port 80) requests to that nginx server machine on port 80?

And, how does Mastodon interact with nginx? Because any HTTPS request gets a response from Mastodon even when sent to port 80 (which should fail but does not).

This should get an HTTP 400, but Mastodon returns a 200 OK:

```
curl -Ik  https://shredderfood.com:80
HTTP/2 200
server: Mastodon
```

and, according to your nginx config, an HTTP request should get redirected to HTTPS. Instead, it gets HTTP error 400 from an nginx server. This probably means the HTTP request was routed to the wrong nginx port by something (your router, for example).

```
curl -I  http://shredderfood.com:80
HTTP/1.1 400 Bad Request
Server: nginx/1.18.0
```
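A probe that packages the curl checks from this post and the earlier "HTTP to port 80 / HTTPS to port 80" post, as an added example that is not part of the thread. It classifies what answers on port 80 and tells the three cases apart: plaintext hitting a TLS listener (nginx's 400 "plain HTTP request was sent to HTTPS port", the signature of an 80->443 forward), a redirect to HTTPS, or a plain HTTP server block, the latter two both letting an http-01 challenge succeed. Function names and the sample responses are this example's own; the samples are constructed to mirror the 400 and redirect responses discussed above.

```shell
#!/bin/sh
# Added example, not from the thread. Classifies the answer on port 80 so the
# "TLS listener behind port 80" case is distinguished from a healthy setup.
# Function names, the probe path and the sample responses are assumptions.

# classify_port80 FILE: FILE holds the raw output of
#   curl -si http://HOST/.well-known/acme-challenge/<token>
# Prints one of: tls-listener-on-80, redirect-to-https, plain-http-served, unexpected
classify_port80() {
    resp="$1"
    if grep -q "plain HTTP request was sent to HTTPS port" "$resp"; then
        # Only nginx's TLS listener says this: plaintext reached port 443 (NAT/forward).
        echo "tls-listener-on-80"
    elif head -n 1 "$resp" | grep -Eq '^HTTP/[0-9.]+ 30[1278]' \
         && grep -Eiq '^location: https://' "$resp"; then
        # http-01 validation follows redirects, so this is fine.
        echo "redirect-to-https"
    elif head -n 1 "$resp" | grep -Eq '^HTTP/[0-9.]+ (200|404)'; then
        # The port 80 block answered in plain HTTP (404 for an unknown token is normal).
        echo "plain-http-served"
    else
        echo "unexpected"
    fi
}

# probe_port80 HOST: run the live check from outside the network and classify it.
probe_port80() {
    tmp=$(mktemp)
    curl -si --max-time 10 "http://$1/.well-known/acme-challenge/probe-$$" >"$tmp" 2>/dev/null
    classify_port80 "$tmp"
    rm -f "$tmp"
}

# tls_on_port80 HOST: exit 0 if a TLS handshake completes on port 80, which is
# what `curl -k https://host:80` observed above. A healthy host speaks plain HTTP
# on 80, so success here points at a NAT or port-forward rule in front of nginx.
tls_on_port80() {
    curl -sk --max-time 10 -o /dev/null "https://$1:80/" 2>/dev/null
}

# Constructed samples mirroring the responses seen in the thread.
SAMPLE_BAD=$(mktemp)
printf 'HTTP/1.1 400 Bad Request\r\nServer: nginx/1.18.0\r\nContent-Type: text/html\r\n\r\n<html>\n<head><title>400 The plain HTTP request was sent to HTTPS port</title></head>\n</html>\n' >"$SAMPLE_BAD"

SAMPLE_GOOD=$(mktemp)
printf 'HTTP/1.1 301 Moved Permanently\r\nServer: nginx/1.18.0\r\nLocation: https://shredderfood.com/.well-known/acme-challenge/probe\r\n\r\n' >"$SAMPLE_GOOD"

SAMPLE_PLAIN=$(mktemp)
printf 'HTTP/1.1 404 Not Found\r\nServer: nginx/1.18.0\r\n\r\n' >"$SAMPLE_PLAIN"
trap 'rm -f "$SAMPLE_BAD" "$SAMPLE_GOOD" "$SAMPLE_PLAIN"' EXIT

echo "bad:   $(classify_port80 "$SAMPLE_BAD")"     # tls-listener-on-80
echo "good:  $(classify_port80 "$SAMPLE_GOOD")"    # redirect-to-https
echo "plain: $(classify_port80 "$SAMPLE_PLAIN")"   # plain-http-served

# Live checks against your own host (run from outside your LAN so NAT is exercised):
# probe_port80 shredderfood.com
# tls_on_port80 shredderfood.com && echo "TLS answered on port 80: check firewall forwards"
```

Run the live functions from a machine outside your network; from inside, hairpin NAT may hide exactly the port-forward problem this thread turned out to be.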

Thank you, that was the hint I needed.

I had the 80-->443 configured in nginx; I ALSO had 80-->443 configured in the firewall.

I had to rebuild my pfSense last week and did so hastily, so that's on me, though the firewall redirection rules were restored from a backup so I'm not sure why it ever worked.

Reconfigured the 80-->80 and 443-->443:

```
root@mast1:/etc/nginx/conf.d# certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/shredderfood.com.conf

Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate for shredderfood.com
Performing the following challenges:
http-01 challenge for shredderfood.com
Waiting for verification...
Cleaning up challenges

new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/shredderfood.com/fullchain.pem

Congratulations, all renewals succeeded:
/etc/letsencrypt/live/shredderfood.com/fullchain.pem (success)
```



It probably was not working for HTTP requests since that backup. You just might not have known it until now if just using HTTPS requests. Some browsers (like Chrome) may even try both HTTP and HTTPS and use HTTPS if it works. Which yours would have until the cert expired.


Well, I appreciate your help. 30 years in IT and there is always something new to learn. 🙂
