Unable to renew Bigbluebutton certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: ifghtyn.ddns.net

I ran this command: /usr/bin/letsencrypt renew >> /var/log/le-renew.log and /bin/systemctl reload nginx

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for ifghtyn.ddns.net
Waiting for verification…
Cleaning up challenges

Attempting to renew cert (ifghtyn.ddns.net) from /etc/letsencrypt/renewal/ifghtyn.ddns.net.conf produced an unexpected error: Failed authorization procedure. ifghtyn.ddns.net (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://ifghtyn.ddns.net/b [116.202.15.252]: "\n\n\n \n\n BigBlueButton\n <meta property="og:title" content="BigBlueButton" />\n ". Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/ifghtyn.ddns.net/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

My web server is (include version): Nginx V1.10.3

The operating system my web server runs on is (include version): Ubuntu 16.046 LTS

My hosting provider, if applicable, is: Hetzner

I can login to a root shell on my machine (yes or no, or I don’t know): Yes :wink:

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.27.0

Hi,

I have searched everywhere but have not found a specific solution to this problem…

Thank you


Somehow, there's a redirect from every location to /b, which causes the challenge to fail. This redirect is possibly put in place by BigBlueButton. You should modify this redirect to ignore requests for /.well-known/acme-challenge/ .


Thanks for your help, I configured Nginx to accept this request with the directive:

location ~ /.well-known {
    allow all;
}

But now I have a 404 error:

Attempting to renew cert (ifghtyn.ddns.net) from /etc/letsencrypt/renewal/ifghtyn.ddns.net.conf produced an unexpected error: Failed authorization procedure. ifghtyn.ddns.net (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://ifghtyn.ddns.net/.well-known/acme-challenge/TbG4YPWGYJdxWsEJw_T2ZCkSlmKkbOUHS0kZiT-lKZw [116.202.15.252]: "\r\n404 Not Found\r\n<body bgcolor="white">\r\n\r\n404 Not Found\r\n\r\n\r\n". Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/ifghtyn.ddns.net/fullchain.pem (failure)

I looked for the /.well-known/acme-challenge/ but I did not find it …

Should I create it?

No, certbot deletes it after the challenge if it's empty.

What’s the total nginx configuration for that virtual host?

Osiris, here is the Nginx configuration file for the bigbluebutton site in sites-enabled:

server {
    listen 80;
    listen [::]:80;
    server_name ifghtyn.ddns.net;
    listen 443 ssl;
    listen [::]:443 ssl;
    ssl_certificate /etc/letsencrypt/live/ifghtyn.ddns.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/ifghtyn.ddns.net/privkey.pem;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS:!AES256";
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/ssl/dhp-4096.pem;

    access_log  /var/log/nginx/bigbluebutton.access.log;

    location ~ /.well-known {
        allow all;
    }

    # Handle RTMPT (RTMP Tunneling).  Forwards requests
    # to Red5 on port 5080
    location ~ (/open/|/close/|/idle/|/send/|/fcs/) {
        proxy_pass         http://127.0.0.1:5080;
        proxy_redirect     off;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;

        client_max_body_size       10m;
        client_body_buffer_size    128k;

        proxy_connect_timeout      90;
        proxy_send_timeout         90;
        proxy_read_timeout         90;

        proxy_buffering            off;
        keepalive_requests         1000000000;
    }

    # Handle desktop sharing tunneling.  Forwards
    # requests to Red5 on port 5080.
    location /deskshare {
        proxy_pass         http://127.0.0.1:5080;
        proxy_redirect     default;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        client_max_body_size       10m;
        client_body_buffer_size    128k;
        proxy_connect_timeout      90;
        proxy_send_timeout         90;
        proxy_read_timeout         90;
        proxy_buffer_size          4k;
        proxy_buffers              4 32k;
        proxy_busy_buffers_size    64k;
        proxy_temp_file_write_size 64k;
        include    fastcgi_params;
    }

    # BigBlueButton landing page.
    location / {
        root   /var/www/bigbluebutton-default;
        index  index.html index.htm;
        expires 1m;
        return 307 /b;
    }

    # Include specific rules for record and playback
    include /etc/bigbluebutton/nginx/*.nginx;

    #error_page  404  /404.html;

    # Redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /var/www/nginx-default;
    }
}
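The 404 in this thread follows from the `location ~ /.well-known` block having no `root`: nginx then serves the token from its compiled-in default document root (`/usr/share/nginx/html` on Ubuntu, which is exactly the path later seen in the error log), while certbot writes the token under the directory given with `-w`. As an added example, not code from the thread or from BigBlueButton, here is the challenge location with an explicit root; it assumes `/var/www/bigbluebutton-default` as the webroot passed to certbot.

```nginx
# Defective form (from the thread): a regex location with no root, so the
# token is looked up under nginx's default root and the answer is 404.
#
#   location ~ /.well-known {
#       allow all;
#   }

# Corrected form. "^~" is a prefix match that, when it is the longest
# matching prefix, stops nginx from evaluating any regex location (including
# the RTMPT one) and beats "location /" with its "return 307 /b", so the
# redirect never touches the challenge.
location ^~ /.well-known/acme-challenge/ {
    # Must be the same directory passed to certbot with -w / --webroot-path
    # (assumed here: /var/www/bigbluebutton-default). certbot creates
    # .well-known/acme-challenge/<token> below it only for the duration
    # of the challenge, which is why the directory is not there afterwards.
    root /var/www/bigbluebutton-default;
    default_type "text/plain";
    # Serve the token file if it exists, otherwise a plain 404; nothing under
    # this path should be proxied to Red5 or redirected.
    try_files $uri =404;
}
```

After `nginx -t` and a reload, `certbot renew --dry-run` validates against the Let's Encrypt staging environment, so a config that is still wrong does not add to the failed-authorization rate limit hit later in this thread.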

Hi

I saw in the Nginx error logs that letsencrypt was going to look for the challenge files in
/usr/share/nginx/html/.well-known/acme-challenge

I created the /.well-known/acme-challenge folders and I can find my test file.

How can I use certbot to generate the files necessary for the challenge in this place?

Thanks

I propose:
certbot certonly -a webroot --webroot-path=/usr/share/nginx/html -d ifghtyn.ddns.net -w /var/www/bigbluebutton-default -d ifghtyn.ddns.net

What do you think?

I finally tried the command

certbot renew -a webroot --webroot-path=/usr/share/nginx/html -d ifghtyn.ddns.net -w /var/www

Still a 404 error; I saw that certbot does not create the .well-known/acme-challenge folder in /usr/share/nginx/html

I tried several times and now I get the error:
Attempting to renew cert (ifghtyn.ddns.net) from /etc/letsencrypt/renewal/ifghtyn.ddns.net.conf produced an unexpected error: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/. Skipping.
All renewal attempts failed. The following certs could not be renewed:

Can nobody help me, please?
