Unable to renew Bigbluebutton certificate

M457 · June 27, 2020, 8:08am

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: ifghtyn.ddns.net

I ran this command: /usr/bin/letsencrypt renew >> /var/log/le-renew.log and /bin/systemctl reload nginx

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for ifghtyn.ddns.net
Waiting for verification…
Cleaning up challenges

Attempting to renew cert (ifghtyn.ddns.net) from /etc/letsencrypt/renewal/ifghtyn.ddns.net.conf produced an unexpected error: Failed authorization procedure. ifghtyn.ddns.net (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://ifghtyn.ddns.net/b [116.202.15.252]: "\n\n\n \n\n BigBlueButton\n <meta property=“og:title” content=“BigBlueButton” />\n ". Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/ifghtyn.ddns.net/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

My web server is (include version): Nginx V1.10.3

The operating system my web server runs on is (include version): Ubuntu 16.046 LTS

My hosting provider, if applicable, is: Hetzner

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.27.0

Hi,

I have searched everywhere but have not found a specific solution to this problem…

Thank you

Osiris · June 27, 2020, 8:38am

Somehow, there’s a redirect from every location to /b, which results in the challenge to fail. This redirect is possibly put in place by BigBlueButton. You should modify this redirect to ignore requests for /.well-known/acme-challenge/ .

M457 · June 27, 2020, 9:51pm

Thanks for your help, I configured Nginx to accept this request with the directive :

location ~ /.well-known {
allow all;
}
But now I have a 404 error :

Attempting to renew cert (ifghtyn.ddns.net) from /etc/letsencrypt/renewal/ifghtyn.ddns.net.conf produced an unexpected error: Failed authorization procedure. ifghtyn.ddns.net (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://ifghtyn.ddns.net/.well-known/acme-challenge/TbG4YPWGYJdxWsEJw_T2ZCkSlmKkbOUHS0kZiT-lKZw [116.202.15.252]: “\r\n404 Not Found\r\n<body bgcolor=“white”>\r\n

404 Not Found

\r\n

”. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/ifghtyn.ddns.net/fullchain.pem (failure)

I looked for the /.well-known/acme-challenge/ but I did not find it …

Should I create it?

Osiris · June 28, 2020, 9:22am

No, it gets deleted if it’s empty by certbot after the challenge.

What’s the total nginx configuration for that virtual host?

M457 · June 28, 2020, 8:56pm

Osiris, here is the Nginx configuration file for the bigbluebutton sites-enabled :

server {
listen 80;
listen [::]:80;
server_name ifghtyn.ddns.net;
listen 443 ssl;
listen [::]:443 ssl;
ssl_certificate /etc/letsencrypt/live/ifghtyn.ddns.net/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/ifghtyn.ddns.net/privkey.pem;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers “ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS:!AES256”;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/ssl/dhp-4096.pem;

 access_log  /var/log/nginx/bigbluebutton.access.log;

 location ~ /.well-known {
    allow all;
  }

     # Handle RTMPT (RTMP Tunneling).  Forwards requests
     # to Red5 on port 5080
  location ~ (/open/|/close/|/idle/|/send/|/fcs/) {
      proxy_pass         http://127.0.0.1:5080;
      proxy_redirect     off;
      proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;

      client_max_body_size       10m;
      client_body_buffer_size    128k;

      proxy_connect_timeout      90;
      proxy_send_timeout         90;
      proxy_read_timeout         90;

      proxy_buffering            off;
      keepalive_requests         1000000000;
  }

     # Handle desktop sharing tunneling.  Forwards
     # requests to Red5 on port 5080.
   location /deskshare {
       proxy_pass         http://127.0.0.1:5080;
       proxy_redirect     default;
       proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
       client_max_body_size       10m;
       client_body_buffer_size    128k;
       proxy_connect_timeout      90;
       proxy_send_timeout         90;
       proxy_read_timeout         90;
       proxy_buffer_size          4k;
       proxy_buffers              4 32k;
       proxy_busy_buffers_size    64k;
       proxy_temp_file_write_size 64k;
       include    fastcgi_params;
   }

    # BigBlueButton landing page.
    location / {
      root   /var/www/bigbluebutton-default;
      index  index.html index.htm;
      expires 1m;
      return 307 /b;
    }

    # Include specific rules for record and playback
    include /etc/bigbluebutton/nginx/*.nginx;

    #error_page  404  /404.html;

    # Redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
            root   /var/www/nginx-default;
    }

}

M457 · June 29, 2020, 8:39pm

Hi

I saw in the Nginx error logs that letsencrypt was going to look for the challenge files in
/usr/share/nginx/html/.well-known/acme-challenge

I created the /.well-known/acme-challenge folders and I can find my test file.

How can I use certbot to generate the files necessary for the challenge in this place?

Thanks

M457 · June 29, 2020, 8:52pm

I propose :
certbot certonly -a webroot --webroot-path=/usr/share/nginx/html -d ifghtyn.ddns.net -w /var/www/bigbluebutton-default -d ifghtyn.ddns.net

What do you think ?

M457 · June 30, 2020, 8:59pm

I finally tried the command

certbot renew -a webroot --webroot-path=/usr/share/nginx/html -d ifghtyn.ddns.net -w /var/www

Always 404 error, I saw that certbot does not create the .well-known/acme-challenge folder in /usr/share/nginx/html

I tried several times and now I get the error:
Attempting to renew cert (ifghtyn.ddns.net) from /etc/letsencrypt/renewal/ifghtyn.ddns.net.conf produced an unexpected error: urn: ietf: params: acme: error: rateLimited :: There were too many re quests of a given type :: Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/. Skipping.
All renewal attempts failed. The following certs could not be renewed:

Nobody for help me please ?