Unable to renew automatically

My domain is: https://obeclean.ca

I ran this command: sudo certbot renew --dry-run

It produced this output:

```
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/obeclean.ca.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for obeclean.ca
nginx: [warn] conflicting server name "obeclean.ca" on 0.0.0.0:443, ignored
nginx: [warn] conflicting server name "obeclean.ca" on 0.0.0.0:80, ignored
Waiting for verification...
Cleaning up challenges
nginx: [warn] conflicting server name "obeclean.ca" on 0.0.0.0:443, ignored
nginx: [warn] conflicting server name "obeclean.ca" on 0.0.0.0:80, ignored
Attempting to renew cert (obeclean.ca) from /etc/letsencrypt/renewal/obeclean.ca.conf produced an unexpected error: Failed authorization procedure. obeclean.ca (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://obeclean.ca/.well-known/acme-challenge/60FlraF15P6apSI-aRi3uhJt8zhVVBlg_4WTGYKTUyU [54.148.122.147]: "<!DOCTYPE html>\n<html>\n<head>\n  <title>The page you were looking for doesn't exist (404)</title>\n  <meta name=\"viewport\" content". Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/obeclean.ca/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/obeclean.ca/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: obeclean.ca
   Type:   unauthorized
   Detail: Invalid response from
   https://obeclean.ca/.well-known/acme-challenge/60FlraF15P6apSI-aRi3uhJt8zhVVBlg_4WTGYKTUyU
   [54.148.122.147]: "<!DOCTYPE html>\n<html>\n<head>\n  <title>The
   page you were looking for doesn't exist (404)</title>\n  <meta
   name=\"viewport\" content"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
```

My web server is (include version): Nginx

The operating system my web server runs on is (include version): ubuntu 18

My hosting provider, if applicable, is: Rebel.ca

I can login to a root shell on my machine (yes or no, or I don't know): yes

Can anyone please help resolve the issue of why I am unable to renew the SSL certificate?

1 Like

It's probably because of this.

In your nginx configuration, obeclean.ca should only appear as a server_name in a single HTTP and HTTPS server block/virtualhost, each.

When you have duplicate server_names, it can confuse Certbot's nginx plugin. It's also just an invalid nginx configuration more broadly.

Fixing that is going to involve identifying the duplicate virtualhosts in your nginx configuration, and then removing them. A place to start looking is /etc/nginx/sites-available/, /etc/nginx/conf.d.

1 Like

```nginx
server {
    server_name obeclean.ca;
    root /var/www/company/code/public;

    # Turn on Passenger
    passenger_enabled on;
    passenger_ruby /usr/local/rvm/gems/ruby-2.5.1/wrappers/ruby;

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/obeclean.ca/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/obeclean.ca/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server{
    listen 80;
    server_name obeclean.ca;
    return 301 https://obeclean.ca$request_uri;
}
```

This is my config file in /etc/nginx/sites-enabled. Can you please let me know whether this configuration is preventing the renewal?

1 Like

According to the output in your original post, there are more virtualhosts than just those two.

This command should show them all:

```
sudo nginx -T
```

1 Like

```
Configuration file /etc/nginx/sites-enabled/aspenclean.conf:

server {
    server_name obeclean.ca;

    #rails_env production;
    #passenger_app_root /var/www/aspenclean/code;
    # Tell Nginx and Passenger where your app's 'public' directory is
    root /var/www/aspenclean/code/public;

    # Turn on Passenger
    passenger_enabled on;
    passenger_ruby /usr/local/rvm/gems/ruby-2.5.1/wrappers/ruby;

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/obeclean.ca/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/obeclean.ca/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

server{
    listen 80;
    server_name obeclean.ca;
    return 301 https://obeclean.ca$request_uri;
}

Configuration file /etc/nginx/sites-enabled/aspenclean.conf.save:

server {
    server_name obeclean.ca;

    #rails_env production;
    #passenger_app_root /var/www/aspenclean/code;
    # Tell Nginx and Passenger where your app's 'public' directory is
    root /var/www/aspenclean/code/public;

    # Turn on Passenger
    passenger_enabled on;
    passenger_ruby /usr/local/rvm/gems/ruby-2.5.1/wrappers/ruby;

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/obeclean.ca/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/obeclean.ca/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server{
    listen 80;
    server_name obeclean.ca;
    return 301 https://obeclean.ca$request_uri;
}
```

I got the above log

1 Like

Thanks.

It appears to be this /etc/nginx/sites-enabled/aspenclean.conf.save file.

Try moving it outside of /etc/nginx and see whether that helps.

3 Likes
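
As an added example (not posted by anyone in this thread), the duplicate hunt above can be scripted: the function below reads `nginx -T` output and reports every `server_name` that is defined for the same listen port in more than one place, along with the files responsible. The names `duplicate_server_names` and `SAMPLE` are made up for this sketch, the sample is a constructed, trimmed copy of the dump above, and the parser assumes one directive per line.

```python
import re, sys
from collections import defaultdict

# nginx -T prints "# configuration file PATH:" before each file it dumps.
HEADER = re.compile(r"^#?\s*configuration file (\S+):\s*$", re.I)

# Constructed sample: trimmed nginx -T output shaped like the dump in this thread.
_VHOSTS = """server {
    server_name obeclean.ca;
    listen 443 ssl; # managed by Certbot
}
server{
    listen 80;
    server_name obeclean.ca;
}
"""
SAMPLE = "".join(f"# configuration file /etc/nginx/sites-enabled/{f}:\n{_VHOSTS}"
                 for f in ("aspenclean.conf", "aspenclean.conf.save"))

def duplicate_server_names(dump):
    """Return {(listen port, server_name): [files]} for names defined more than once."""
    seen = defaultdict(list)
    current_file, block, depth = "<unknown>", None, 0
    for raw in dump.splitlines():
        m = HEADER.match(raw.strip())
        if m:                                  # a new file section starts
            current_file, block, depth = m.group(1), None, 0
            continue
        line = raw.split("#", 1)[0].strip()    # drop comments
        words = line.rstrip(";").split()
        if not words:
            continue
        if block is None and re.match(r"server\s*\{", line):
            block = {"file": current_file, "listen": [], "names": [], "depth": depth}
        elif block is not None and depth == block["depth"] + 1:
            if words[0] == "listen" and len(words) > 1:
                block["listen"].append(words[1])
            elif words[0] == "server_name":
                block["names"] += words[1:]
        depth += line.count("{") - line.count("}")
        if block is not None and depth <= block["depth"]:   # server block closed
            for port in block["listen"] or ["80"]:          # nginx defaults to port 80
                for name in block["names"]:
                    seen[(port, name)].append(block["file"])
            block = None
    return {key: files for key, files in seen.items() if len(files) > 1}

if __name__ == "__main__":
    dump = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for (port, name), files in duplicate_server_names(dump).items():
        print(f"{name} on port {port} is defined in: {', '.join(files)}")
```

Piping real `sudo nginx -T` output into the script checks a live configuration. On Ubuntu the stock nginx.conf includes every file in sites-enabled, so an editor backup such as a `.save` copy is loaded alongside the original.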

Excellent. It worked. Thanks a lot :smile:

2 Likes


Even though the certbot renewal was successful, why am I still seeing an expiry date of December?
(Restarted Nginx twice and cleared the cookies.)

2 Likes

Did you manage to solve this already?

From what I can see, the certificate on obeclean.ca expires on March 15 2021.

Sorry, it is working fine. :slight_smile:
I really appreciate your quick response.

3 Likes
