I was able to renew this certificate (with the nginx plugin) just now by using certbot -d www.friendsofvalledeoro.org
but renewals keep failing recently. I’ve also experienced this with other sites on this same VPS and hosting setup, but I think one test case is probably the best place to start.
I tried earlier renewals with and without dry-run and staging, and dry-run attempts after I made the new cert. All of them fail with similar errors, as it appears nginx is not being reloaded to apply the challenge info.
The server block (part of a larger site config for www. and the root domain) as applied during an earlier --debug-challenges test:
server {
    # `break` ends rewrite-phase processing for challenge URIs, so the
    # `return 301` below is skipped and the request reaches the location block.
    rewrite ^(/.well-known/acme-challenge/.*) $1 break; # managed by Certbot
    listen 80;
    listen 443 ssl http2;
    server_name www.friendsofvalledeoro.org;
    # Every other request on this host is redirected to the root domain.
    return 301 $scheme://friendsofvalledeoro.org$request_uri;
    ssl_certificate /etc/letsencrypt/live/www.friendsofvalledeoro.org/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/www.friendsofvalledeoro.org/privkey.pem; # managed by Certbot
    # Temporary challenge response (token and key authorization) inserted for the test run.
    location = /.well-known/acme-challenge/n1dYB0Zqon81WNhNEAoWIMTawF65HjNXkXuPR4gJK6Q {
        default_type text/plain;
        return 200 n1dYB0Zqon81WNhNEAoWIMTawF65HjNXkXuPR4gJK6Q.hy--gdyqV-OaRa9DxNUfXNuD5i6WFpFIGC7GYszOTog;
    } # managed by Certbot
}
When I added that block to the config (after the test-run had been completed) and reloaded nginx, I was able to get a valid plaintext response. I have since removed that again for testing.
My domain is: www.friendsofvalledeoro.org
Let’s Debug lists no issues.
I ran this command as root: certbot renew --dry-run --cert-name www.friendsofvalledeoro.org
It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/www.friendsofvalledeoro.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.friendsofvalledeoro.org
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (www.friendsofvalledeoro.org) from /etc/letsencrypt/renewal/www.friendsofvalledeoro.org.conf produced an unexpected error: Failed authorization procedure. www.friendsofvalledeoro.org (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://friendsofvalledeoro.org/.well-known/acme-challenge/FxncpvICAGchcCBQIqlotqyC1GMkg4Wcf-n_WDAtm_4 [138.197.233.49]: "<!DOCTYPE html>\n\n<html class=\"no-js\" lang=\"en-US\">\n\n<head>\n \n<meta charset=\"UTF-8\">\n<meta name=\"viewport\" content=\"width=device". Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/www.friendsofvalledeoro.org/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/www.friendsofvalledeoro.org/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: www.friendsofvalledeoro.org
Type: unauthorized
Detail: Invalid response from
https://friendsofvalledeoro.org/.well-known/acme-challenge/FxncpvICAGchcCBQIqlotqyC1GMkg4Wcf-n_WDAtm_4
[138.197.233.49]: "<!DOCTYPE html>\n\n<html class=\"no-js\"
lang=\"en-US\">\n\n<head>\n \n<meta charset=\"UTF-8\">\n<meta
name=\"viewport\" content=\"width=device"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
My web server is (include version):
nginx version: nginx/1.16.1
built by gcc 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.11)
built with OpenSSL 1.0.2g 1 Mar 2016
TLS SNI support enabled
The operating system my web server runs on is (include version): Ubuntu Xenial 16.04 - fully patched (per repositories)
My hosting provider, if applicable, is: DigitalOcean VPS, no overlaying load balancers or DNS/Let’s Encrypt integration.
I can login to a root shell on my machine (yes or no, or I don’t know): Yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0
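As an added example (not part of the original post and not Certbot's own code), here is a small Python probe that fetches the challenge URL the way an ACME validator does: it starts on plain HTTP, follows each redirect by hand so the hop chain stays visible, and compares the final 200 body with the expected key authorization. The domain, token and key authorization are the ones shown in the post's server block; the fake servers in `demo_broken()` and `demo_fixed()` are constructed stand-ins for the real host, and the redirect limit is an assumption about the validator rather than a documented value.

```python
"""Probe an HTTP-01 challenge URL the way an ACME validator does.

Added example, not Certbot code.  The validator starts at
http://<domain>/.well-known/acme-challenge/<token>, follows redirects,
and expects the final 200 body to be the key authorization.
"""
import urllib.error
import urllib.request
from urllib.parse import urljoin

MAX_REDIRECTS = 10                      # assumed validator limit, not a documented value
REDIRECT_CODES = (301, 302, 303, 307, 308)

# Values as they appear in the post's server block.
DOMAIN = "www.friendsofvalledeoro.org"
TOKEN = "n1dYB0Zqon81WNhNEAoWIMTawF65HjNXkXuPR4gJK6Q"
KEY_AUTHZ = TOKEN + ".hy--gdyqV-OaRa9DxNUfXNuD5i6WFpFIGC7GYszOTog"


def challenge_url(domain, token):
    """The validator always begins on plain HTTP, port 80."""
    return "http://%s/.well-known/acme-challenge/%s" % (domain, token)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib hand back 3xx responses instead of following them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch(url, timeout=10):
    """One request without redirect following: (status, location, body)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, None, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location"), err.read().decode("utf-8", "replace")


def probe(url, expected_body, fetch=http_fetch, max_redirects=MAX_REDIRECTS):
    """Follow redirects from url; return the hop chain and a verdict."""
    chain = [url]
    for _ in range(max_redirects + 1):
        status, location, body = fetch(url)
        if status in REDIRECT_CODES and location:
            url = urljoin(url, location)    # Location may be relative
            chain.append(url)
            continue
        ok = status == 200 and body.strip() == expected_body
        return {"ok": ok, "status": status, "chain": chain, "body": body[:60]}
    return {"ok": False, "status": None, "chain": chain, "body": "too many redirects"}


def make_fake_fetch(routes):
    """Constructed stand-in for http_fetch: routes maps URL -> (status, location, body)."""
    def fetch(url, timeout=10):
        return routes.get(url, (404, None, "not found"))
    return fetch


def demo_broken():
    """Reproduces the post's failure: the www host redirects the challenge to the
    root domain, whose server block has no challenge location and serves the site HTML."""
    start = challenge_url(DOMAIN, TOKEN)
    root = start.replace("http://www.", "https://")
    routes = {
        start: (301, root, ""),
        root: (200, None, "<!DOCTYPE html>\n\n<html class=\"no-js\" lang=\"en-US\">"),
    }
    return probe(start, KEY_AUTHZ, fetch=make_fake_fetch(routes))


def demo_fixed():
    """What the validator should see once the challenge location is live and the
    `rewrite ... break` line short-circuits the `return 301`."""
    start = challenge_url(DOMAIN, TOKEN)
    routes = {start: (200, None, KEY_AUTHZ + "\n")}
    return probe(start, KEY_AUTHZ, fetch=make_fake_fetch(routes))


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 4:      # live use: probe.py <domain> <token> <key-authorization>
        print(probe(challenge_url(sys.argv[1], sys.argv[2]), sys.argv[3]))
    else:
        print("broken:", demo_broken())
        print("fixed: ", demo_fixed())
```

The `chain` field is the useful part when a renewal fails with a redirected URL in the error: the last hop names the host and scheme whose server block actually answered, which is the block to check for the challenge location (and for a reload) rather than the one the request started on.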