Type: unauthorized Detail: Invalid response from

Ok, I fixed it and now nginx -t gives me this:

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

So this part seems good now :slight_smile:

Then now I need to change the way I try to renew certificates?

1 Like

That is good news!

Probably YES.

First let's have a look at how they were renewed last.

Please show the output of:
certbot certificates

and then the corresponding renewal config file:
/etc/letsencrypt/renewal/{your.domain}.conf

1 Like

Here is the output of certbot certificates:

Found the following certs:
  Certificate Name: alpha.sign-art.app
    Domains: alpha.sign-art.app
    Expiry Date: 2021-03-07 06:23:08+00:00 (VALID: 30 days)
    Certificate Path: /etc/letsencrypt/live/alpha.sign-art.app/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/alpha.sign-art.app/privkey.pem
  Certificate Name: api.sign-art.app
    Domains: api.sign-art.app
    Expiry Date: 2021-04-28 03:01:24+00:00 (VALID: 82 days)
    Certificate Path: /etc/letsencrypt/live/api.sign-art.app/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/api.sign-art.app/privkey.pem
  Certificate Name: apitest.sign-art.app
    Domains: apitest.sign-art.app
    Expiry Date: 2021-02-16 05:34:55+00:00 (VALID: 11 days)
    Certificate Path: /etc/letsencrypt/live/apitest.sign-art.app/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/apitest.sign-art.app/privkey.pem
  Certificate Name: beta.sign-art.app
    Domains: beta.sign-art.app
    Expiry Date: 2021-05-05 03:27:22+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/beta.sign-art.app/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/beta.sign-art.app/privkey.pem
  Certificate Name: faucet.sign-art.app
    Domains: faucet.sign-art.app
    Expiry Date: 2021-02-24 08:07:49+00:00 (VALID: 20 days)
    Certificate Path: /etc/letsencrypt/live/faucet.sign-art.app/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/faucet.sign-art.app/privkey.pem
  Certificate Name: mainnet.sign-art.app
    Domains: mainnet.sign-art.app
    Expiry Date: 2021-03-15 09:05:10+00:00 (VALID: 39 days)
    Certificate Path: /etc/letsencrypt/live/mainnet.sign-art.app/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/mainnet.sign-art.app/privkey.pem
  Certificate Name: preprod.sign-art.app
    Domains: preprod.sign-art.app
    Expiry Date: 2021-03-15 09:06:28+00:00 (VALID: 39 days)
    Certificate Path: /etc/letsencrypt/live/preprod.sign-art.app/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/preprod.sign-art.app/privkey.pem
  Certificate Name: sign-art.app
    Domains: sign-art.app
    Expiry Date: 2021-05-05 02:54:11+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/sign-art.app/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/sign-art.app/privkey.pem
  Certificate Name: signer-testnet.sign-art.app
    Domains: signer-testnet.sign-art.app
    Expiry Date: 2021-01-03 11:38:11+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/signer-testnet.sign-art.app/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/signer-testnet.sign-art.app/privkey.pem
  Certificate Name: site.sign-art.app
    Domains: site.sign-art.app
    Expiry Date: 2021-03-31 05:08:30+00:00 (VALID: 54 days)
    Certificate Path: /etc/letsencrypt/live/site.sign-art.app/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/site.sign-art.app/privkey.pem
  Certificate Name: www.sign-art.app-0001
    Domains: www.sign-art.app
    Expiry Date: 2021-05-05 02:53:54+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/www.sign-art.app-0001/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.sign-art.app-0001/privkey.pem
  Certificate Name: www.sign-art.app
    Domains: sign-art.app www.sign-art.app
    Expiry Date: 2021-05-05 03:00:19+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/www.sign-art.app/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.sign-art.app/privkey.pem

The expired one I don't need anymore; I should probably remove it.

1 Like

certbot delete --cert-name signer-testnet.sign-art.app

1 Like

I put 4 of them, let me know if you need all of them. It looks like some use the installer and some don't; not sure what I did there. Can I make them all renew the same way so it will be easier? Also I see # renew_before_expiry = 30 days; does it mean that if I uncomment it, it will renew automatically? (Up to now I do it manually every 3 months.)

www.sign-art.app

# renew_before_expiry = 30 days
version = 0.40.0
archive_dir = /etc/letsencrypt/archive/www.sign-art.app
cert = /etc/letsencrypt/live/www.sign-art.app/cert.pem
privkey = /etc/letsencrypt/live/www.sign-art.app/privkey.pem
chain = /etc/letsencrypt/live/www.sign-art.app/chain.pem
fullchain = /etc/letsencrypt/live/www.sign-art.app/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = fd7f3c9aafe669c533299cd899585305
authenticator = nginx
server = https://acme-v02.api.letsencrypt.org/directory
installer = nginx

apitest.sign-art.app

# renew_before_expiry = 30 days
version = 0.40.0
archive_dir = /etc/letsencrypt/archive/apitest.sign-art.app
cert = /etc/letsencrypt/live/apitest.sign-art.app/cert.pem
privkey = /etc/letsencrypt/live/apitest.sign-art.app/privkey.pem
chain = /etc/letsencrypt/live/apitest.sign-art.app/chain.pem
fullchain = /etc/letsencrypt/live/apitest.sign-art.app/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = fd7f3c9aafe669c533299cd899585305
authenticator = nginx
installer = nginx
server = https://acme-v02.api.letsencrypt.org/directory

api.sign-art.app

# renew_before_expiry = 30 days
version = 0.40.0
archive_dir = /etc/letsencrypt/archive/api.sign-art.app
cert = /etc/letsencrypt/live/api.sign-art.app/cert.pem
privkey = /etc/letsencrypt/live/api.sign-art.app/privkey.pem
chain = /etc/letsencrypt/live/api.sign-art.app/chain.pem
fullchain = /etc/letsencrypt/live/api.sign-art.app/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = fd7f3c9aafe669c533299cd899585305
authenticator = nginx
server = https://acme-v02.api.letsencrypt.org/directory

mainnet.sign-art.app

# renew_before_expiry = 30 days
version = 0.40.0
archive_dir = /etc/letsencrypt/archive/mainnet.sign-art.app
cert = /etc/letsencrypt/live/mainnet.sign-art.app/cert.pem
privkey = /etc/letsencrypt/live/mainnet.sign-art.app/privkey.pem
chain = /etc/letsencrypt/live/mainnet.sign-art.app/chain.pem
fullchain = /etc/letsencrypt/live/mainnet.sign-art.app/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = fd7f3c9aafe669c533299cd899585305
authenticator = nginx
installer = nginx
server = https://acme-v02.api.letsencrypt.org/directory
1 Like

OK so there are currently only two that have fallen under 30 days and are NOT renewing:

  Certificate Name: faucet.sign-art.app
    Domains: faucet.sign-art.app
    Expiry Date: 2021-02-24 08:07:49+00:00 (VALID: 20 days)
  Certificate Name: apitest.sign-art.app
    Domains: apitest.sign-art.app
    Expiry Date: 2021-02-16 05:34:55+00:00 (VALID: 11 days)

Let's try to (test) renew those.
[now that we fixed the nginx config]

Let's start off as simple as possible:
certbot renew --dry-run -v

1 Like

I don't see how that makes things any easier.
Automating the entire process makes it easier.
Piling all your certs to renew at the exact same time actually creates an unnecessary traffic jam - LOL

30 days is the default; So commented or not the result is the same.
That line has nothing to do with if it renews automatically or not.
That whole config is used whenever a renewal is attempted.
How renewals are triggered is through scheduled tasks (cron jobs or systemd timers).

1 Like
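As an added example (not from the thread or from certbot itself), the following shell script applies the point above: it reads the output of certbot certificates and lists only the certificates that are expired or inside a given renewal window, i.e. the ones a certbot renew run will actually touch. The sample output embedded in the script is constructed, modelled on the format shown earlier in the thread, and the domain names in it are placeholders.

```shell
#!/bin/sh
# Added example: report which certificates from `certbot certificates` output
# fall inside the renewal window (default 30 days, like renew_before_expiry).
# Names and dates below are constructed sample data, not real certificates.

SAMPLE_CERTS='Found the following certs:
  Certificate Name: faucet.example.test
    Domains: faucet.example.test
    Expiry Date: 2021-02-24 08:07:49+00:00 (VALID: 20 days)
  Certificate Name: beta.example.test
    Domains: beta.example.test
    Expiry Date: 2021-05-05 03:27:22+00:00 (VALID: 89 days)
  Certificate Name: old.example.test
    Domains: old.example.test
    Expiry Date: 2021-01-03 11:38:11+00:00 (INVALID: EXPIRED)'

# due_for_renewal DAYS   (certbot output on stdin)
# Prints "<certificate name> <days left>" for every certificate that is
# already expired (reported as 0 days) or has at most DAYS days left.
due_for_renewal() {
    awk -v window="$1" '
        /Certificate Name:/ { name = $3 }
        /Expiry Date:/ {
            if ($0 ~ /EXPIRED/) { print name, 0; next }
            # "VALID: 20 days" -> 20 ; the digits start 7 chars into the match
            if (match($0, /VALID: [0-9]+/)) {
                n = substr($0, RSTART + 7, RLENGTH - 7) + 0
                if (n <= window) print name, n
            }
        }'
}

# Run the scan over the constructed sample (used for the self-check).
sample_due() {
    printf '%s\n' "$SAMPLE_CERTS" | due_for_renewal "${1:-30}"
}

# On a real host the same function is fed by certbot itself:
#   certbot certificates 2>/dev/null | due_for_renewal 30
sample_due 30
```

Anything the scan lists should also be what the scheduled renewal picks up; on a systemd host `systemctl list-timers` shows whether a certbot timer is installed and when it last fired.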

Ok, I see. I don't mind doing it manually every 3 months, as long as it works :smiley:

Should I disable the Cloudflare proxy before attempting to renew again?

1 Like

Doing it manually would defeat the greatest benefit of LE's goal :frowning:
Let's get you fully automated.

No, that step is not likely to be automated.
We have to work within the constraints - and win!

Try the dry run renewal.

1 Like

Ok, I see. Thanks a lot for doing all this, it's a really huge help.

Here is the result of certbot renew --dry-run -v:

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: alpha.sign-art.app
   Type:   unauthorized
   Detail: Invalid response from
   https://alpha.sign-art.app/.well-known/acme-challenge/FAX8bVrE_BeMB8Pqyorfzo1u0y7LkPugK8sc_ZOaPYY
   [2606:4700:3034::ac43:d83f]: "<!DOCTYPE html><html prefix=\"og:
   http://ogp.me/ns#\"><head><meta charset=UTF-8><meta name=viewport
   content=\"width=device-width,in"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
 - The following errors were reported by the server:

   Domain: api.sign-art.app
   Type:   unauthorized
   Detail: Invalid response from
   https://api.sign-art.app/.well-known/acme-challenge/7yXJhEHsUgecHbmtytKO4yF06XIzwLy8BuJEWsT1xng
   [2606:4700:3032::6815:10db]: "<html>\n<head><title>404 Not
   Found</title></head>\n<body>\n<center><h1>404 Not
   Found</h1></center>\n<hr><center>nginx/1.17.10 (Ubunt"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
 - The following errors were reported by the server:

   Domain: apitest.sign-art.app
   Type:   unauthorized
   Detail: Invalid response from
   https://apitest.sign-art.app/.well-known/acme-challenge/gPcrsfAC6-9unYRy74vEQ684rW7VFDcdLfreX40cFA0
   [2606:4700:3034::ac43:d83f]: "<html>\n<head><title>404 Not
   Found</title></head>\n<body>\n<center><h1>404 Not
   Found</h1></center>\n<hr><center>nginx/1.17.10 (Ubunt"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
 - The following errors were reported by the server:

   Domain: beta.sign-art.app
   Type:   unauthorized
   Detail: Invalid response from
   https://beta.sign-art.app/.well-known/acme-challenge/wgZ5QIMMjzjNcL7a8222GPBfR10U9iOzd5iwmyTTOsg
   [2606:4700:3034::ac43:d83f]: "<!DOCTYPE html><html prefix=\"og:
   http://ogp.me/ns#\"><head><meta charset=UTF-8><meta name=viewport
   content=\"width=device-width,in"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
 - The following errors were reported by the server:

   Domain: faucet.sign-art.app
   Type:   unauthorized
   Detail: Invalid response from
   https://faucet.sign-art.app/.well-known/acme-challenge/xgN8zkeRPWxab1lEERgOV71fgbRXmiflfOMS_Hi-crk
   [2606:4700:3032::6815:10db]: "<html>\n<head><title>404 Not
   Found</title></head>\n<body>\n<center><h1>404 Not
   Found</h1></center>\n<hr><center>nginx/1.17.10 (Ubunt"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
 - The following errors were reported by the server:

   Domain: mainnet.sign-art.app
   Type:   unauthorized
   Detail: Invalid response from
   https://mainnet.sign-art.app/.well-known/acme-challenge/qZNzRIRAWdWbLtRDwkb4dSpSHo2zQ6ii77y4SMbIQIk
   [2606:4700:3034::ac43:d83f]: "<!DOCTYPE html><html prefix=\"og:
   http://ogp.me/ns#\"><head><meta charset=UTF-8><meta name=viewport
   content=\"width=device-width,in"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
 - The following errors were reported by the server:

   Domain: preprod.sign-art.app
   Type:   unauthorized
   Detail: Invalid response from
   http://preprod.sign-art.app/.well-known/acme-challenge/dY3ygAPWzI4fbdIx13Yz8dLiEZpM07gNsw_IQ4DErIk
   [2606:4700:3032::6815:10db]: "<!DOCTYPE html>\n<!--[if lt IE 7]>
   <html class=\"no-js ie6 oldie\" lang=\"en-US\">
   <![endif]-->\n<!--[if IE 7]>    <html class=\"no-js "

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
 - The following errors were reported by the server:

   Domain: sign-art.app
   Type:   unauthorized
   Detail: Invalid response from
   https://sign-art.app/.well-known/acme-challenge/q_eZ8XHbnfOyD56PN6r_zTct_RXHiG0kEV_WhbIXDVk
   [2606:4700:3032::6815:10db]: "<html>\n<head><title>404 Not
   Found</title></head>\n<body>\n<center><h1>404 Not
   Found</h1></center>\n<hr><center>nginx/1.17.10 (Ubunt"

   Domain: www.sign-art.app
   Type:   unauthorized
   Detail: Invalid response from
   https://www.sign-art.app/.well-known/acme-challenge/LuA6eW9kameshxwvlh3bOaRpH2Z3NFnPHHx5Flf_EQk
   [2606:4700:3032::6815:10db]: "<html>\n<head><title>404 Not
   Found</title></head>\n<body>\n<center><h1>404 Not
   Found</h1></center>\n<hr><center>nginx/1.17.10 (Ubunt"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
 - The following errors were reported by the server:

   Domain: sign-art.app
   Type:   unauthorized
   Detail: Invalid response from
   https://sign-art.app/.well-known/acme-challenge/wIdVtV4u1mDjOcBxMhOBcBVTUx9j0nwXX8K_P0vN82g
   [2606:4700:3032::6815:10db]: "<html>\n<head><title>404 Not
   Found</title></head>\n<body>\n<center><h1>404 Not
   Found</h1></center>\n<hr><center>nginx/1.17.10 (Ubunt"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
 - The following errors were reported by the server:

   Domain: site.sign-art.app
   Type:   unauthorized
   Detail: Invalid response from
   https://site.sign-art.app/.well-known/acme-challenge/JXaqianEn8hHC5aiQgAypW9QmeRErCsUFRbz6MmVQGM
   [2606:4700:3032::6815:10db]: "<!DOCTYPE html>\n<!--[if lt IE 7]>
   <html class=\"no-js ie6 oldie\" lang=\"en-US\">
   <![endif]-->\n<!--[if IE 7]>    <html class=\"no-js "

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
 - The following errors were reported by the server:

   Domain: www.sign-art.app
   Type:   unauthorized
   Detail: Invalid response from
   https://www.sign-art.app/.well-known/acme-challenge/vcHOUjJtpHdpwpXB-P1DkSksVpUnN678EfUAQPqcHEw
   [2606:4700:3032::6815:10db]: "<html>\n<head><title>404 Not
   Found</title></head>\n<body>\n<center><h1>404 Not
   Found</h1></center>\n<hr><center>nginx/1.17.10 (Ubunt"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
2 Likes

OK this is still a problem:

server {
        # root /home/user/webapp;
        server_name api.sign-art.app;
        location / {
        if ($request_method = 'OPTIONS') {
             return 204;
        }
        add_header 'Access-Control-Allow-Origin' $allow_origin always;
        add_header 'Access-Control-Allow-Credentials' 'true' always;
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS, PUT, DELETE' always;
        add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,signature,timestamp' always;
        add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range' always;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://localhost:3250;
        proxy_set_header Host $http_host;
        proxy_cache_bypass $http_upgrade;
        proxy_redirect off;
        }
        location ~ /.well-known {
            allow all;
        }
    client_max_body_size 25M;
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/api.sign-art.app/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/api.sign-art.app/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

There is no declared root path for the challenge files to be processed locally.

1 Like

So I still have to put a root path even if it's a reverse proxy for a Node.js app?

1 Like

If certbot runs on this box, yes.
You might be able to put it in the well-known location block.

Re-re-reviewing the whole config, it is now obvious: that is the main difference.
The ones that work all have roots.
The ones without roots (using proxy) are all failing (or going to fail on next renewal attempt).

The trick is to do both:

  • provide a local root path for the HTTP challenge files to be served from
  • proxy everything else
2 Likes

Hmm, yes, this makes sense now; the working ones are Vue.js apps serving regular HTML and have the root path defined.

I'll try adding the path to the folder of the Node.js app then.

1 Like

Add the root path in the block:
[and modify it to]

  location ~ /.well-known/acme-challenge {
    root /your/root/path/folder/location; # LOL
    allow all;
  }
1 Like

Added it like this:

    location ~ /.well-known {
        root /home/user/apitest.sign-art.app;
        allow all;
    }

Will do same on others.

Is there a way to test renewal for only one domain, btw, or do we always do it for all with certbot renew?

1 Like

That may not be a good secure location.
[unless that directory is empty or has nothing critical stored there - or further down that path]
It is highly recommended that you create a new and dedicated challenge path.

Yes, we will get to that.
Hold the line!

1 Like

I currently have all the web apps associated with each subdomain in /home/user/. Do you mean I should not have my projects stored in this folder?

1 Like

No.
I'm only talking about how to properly/securely handle requests like:
https://your.domain/.well-known/acme-challenge/test-file-1234
Everything else gets proxied as before.

1 Like
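As an added example (not from the thread, and not certbot's or nginx's own code), this script puts together the advice from the last few replies: a dedicated, otherwise empty challenge root, the nginx location that serves only /.well-known/acme-challenge/ from it while everything else stays proxied, and a small check of how nginx's root directive maps such a request onto a file. The /srv/acme path, the www-data user and the helper names are assumptions for illustration.

```shell
#!/bin/sh
# Added example: dedicated HTTP-01 challenge root for a proxied nginx vhost.
# /srv/acme is an assumed path; replace it with your own dedicated directory.

# Map a request URI onto the file nginx would serve with `root DIR;`.
# root is PREFIXED to the URI, so /.well-known/acme-challenge/TOKEN is
# read from DIR/.well-known/acme-challenge/TOKEN (this is what certbot's
# webroot layout expects). Anything outside the challenge prefix, or
# containing "..", is refused.
challenge_file_for() {
    root="$1"; uri="$2"
    case "$uri" in
        /.well-known/acme-challenge/*) ;;
        *) return 1 ;;
    esac
    case "$uri" in
        *..*) return 1 ;;
    esac
    printf '%s%s\n' "$root" "$uri"
}

# Create the directory tree. Keep nothing else under it: nginx only needs
# read+search access, and a dedicated tree means a misconfigured location
# can never expose application files.
setup_challenge_root() {
    root="$1"
    mkdir -p "$root/.well-known/acme-challenge"
    chmod 755 "$root" "$root/.well-known" "$root/.well-known/acme-challenge"
}

# Emit the location block to add inside the proxied server {} block.
# `^~` makes this prefix location win over regex locations, so the
# challenge files are served locally and every other request still hits
# `location /` and is proxied as before.
render_acme_location() {
    cat <<EOF
    location ^~ /.well-known/acme-challenge/ {
        root $1;
        default_type text/plain;
    }
EOF
}

# Self-check in a temporary directory: place a token file the way a
# challenge would and confirm the root mapping finds it.
selfcheck() {
    tmp=$(mktemp -d)
    setup_challenge_root "$tmp"
    printf 'token-body' > "$tmp/.well-known/acme-challenge/test-file-1234"
    f=$(challenge_file_for "$tmp" /.well-known/acme-challenge/test-file-1234)
    [ -f "$f" ] && cat "$f"
    rm -rf "$tmp"
}

# Stand-alone run: print the snippet for the assumed path and self-check.
render_acme_location /srv/acme
selfcheck
echo
```

On a real host you would run setup_challenge_root /srv/acme once (and chown the tree so the nginx worker user, www-data on Debian/Ubuntu, can read it), paste the rendered location into each proxied server block, reload nginx, and then confirm with certbot renew --dry-run -v as earlier in the thread. If you later switch from the nginx authenticator to the webroot one, the same directory is what you pass as --webroot-path.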

Ah ok, I see, it doesn't have to be the path to my app, just a path to where the well-known test file will be.
So I can do /home/letsencrypt/challenge for example, is that ok?

2 Likes