For further certainty, I also disabled PHP from the main server block, to ensure WordPress could not apply any https rewriting. I verified that curl -v http://friendsofvalledeoro.org retrieved a static page with no redirection headers or meta refresh redirects. The dry-run against the root still fails, but now the error message lists http:// on the challenge URL rather than https://.
By the way, thank you for stepping through this with me!
# certbot renew --dry-run --cert-name friendsofvalledeoro.org
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/friendsofvalledeoro.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for friendsofvalledeoro.org
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (friendsofvalledeoro.org) from /etc/letsencrypt/renewal/friendsofvalledeoro.org.conf produced an unexpected error: Failed authorization procedure. friendsofvalledeoro.org (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://friendsofvalledeoro.org/.well-known/acme-challenge/9a-yWnyNmiegLF-T3UaJ8wiNIVpsZ0EjsovC10u3UTE [138.197.233.49]: "<?php\n/**\n * Front to the WordPress application. This file doesn't do anything, but loads\n * wp-blog-header.php which does and t". Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/friendsofvalledeoro.org/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/friendsofvalledeoro.org/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: friendsofvalledeoro.org
Type: unauthorized
Detail: Invalid response from
http://friendsofvalledeoro.org/.well-known/acme-challenge/9a-yWnyNmiegLF-T3UaJ8wiNIVpsZ0EjsovC10u3UTE
[138.197.233.49]: "<?php\n/**\n * Front to the WordPress
application. This file doesn't do anything, but loads\n *
wp-blog-header.php which does and t"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
curl http verification output:
$ curl -v http://friendsofvalledeoro.org
* Rebuilt URL to: http://friendsofvalledeoro.org/
* Trying 138.197.233.49...
* TCP_NODELAY set
* Connected to friendsofvalledeoro.org (138.197.233.49) port 80 (#0)
> GET / HTTP/1.1
> Host: friendsofvalledeoro.org
> User-Agent: curl/7.58.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: nginx
< Date: Wed, 25 Sep 2019 23:26:53 GMT
< Content-Type: application/octet-stream
< Content-Length: 420
< Last-Modified: Wed, 15 May 2019 22:02:29 GMT
< Connection: keep-alive
< ETag: "5cdc8c75-1a4"
< X-XSS-Protection: 1; mode=block
< Accept-Ranges: none
<
<?php
/**
* Front to the WordPress application. This file doesn't do anything, but loads
* wp-blog-header.php which does and tells WordPress to load the theme.
*
* @package WordPress
*/
/**
* Tells WordPress to load the WordPress theme and output it.
*
* @var bool
*/
define( 'WP_USE_THEMES', true );
/** Loads the WordPress Environment and Template */
require( dirname( __FILE__ ) . '/wp-blog-header.php' );
* Connection #0 to host friendsofvalledeoro.org left intact
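
A check for the failure shown in this post, as an added example that is not part of the original post: it classifies the body returned for an HTTP-01 challenge URL against the key authorization format from RFC 8555 section 8.3. The function name, the sample bodies and the placeholder thumbprint are constructed for illustration; only the token comes from the error message above.

```python
import re

# RFC 8555 section 8.3: the body served at /.well-known/acme-challenge/<token>
# must be the key authorization "<token>.<base64url SHA-256 JWK thumbprint>".
B64URL = r"[A-Za-z0-9_-]"
KEY_AUTH_RE = re.compile(rf"^({B64URL}+)\.({B64URL}{{43}})$")


def classify_challenge_response(token, status, body):
    """Return a short diagnosis for one HTTP-01 challenge fetch (hypothetical helper)."""
    text = body.strip()
    if 300 <= status < 400:
        return "redirect: follow it and check the final response"
    if status != 200:
        return f"http-{status}: challenge path is not served"
    if text.startswith("<?php"):
        # With PHP disabled the server hands out index.php as a raw file, so the
        # challenge path is being answered by the site, not by the ACME client.
        return "php-source: server returned PHP source instead of the challenge file"
    if text.lower().startswith(("<!doctype", "<html")):
        return "html-page: request was routed to the site, not the challenge file"
    match = KEY_AUTH_RE.match(text)
    if not match:
        return "malformed: body is not a key authorization"
    if match.group(1) != token:
        return "wrong-token: key authorization is for a different challenge"
    return "ok"


TOKEN = "9a-yWnyNmiegLF-T3UaJ8wiNIVpsZ0EjsovC10u3UTE"  # token from the error above
THUMBPRINT = "A" * 43  # constructed placeholder, not a real account thumbprint
PHP_BODY = "<?php\n/**\n * Front to the WordPress application."  # as in the error

# Constructed sample responses: (status, body)
SAMPLES = [
    (200, PHP_BODY),
    (200, f"{TOKEN}.{THUMBPRINT}\n"),
    (301, ""),
    (404, "not found"),
]

if __name__ == "__main__":
    for status, body in SAMPLES:
        print(status, "->", classify_challenge_response(TOKEN, status, body))
```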