Unable to renew certificate

Hi Guys!
I've been banging my head against the keyboard for the last week but couldn't figure it out. I know I'm close and I really appreciate your feedback. Thanks in advance!

My domain is:
synnect.co
I ran this command:
```
sudo certbot certonly --webroot -w /var/lib/letsencrypt/ -d synnect.co -d www.synnect.co --dry-run
```

It produced this output:
```
http-01 challenge for synnect.co
Using the webroot path /var/lib/letsencrypt for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. synnect.co (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://synnect.co/.well-known/acme-challenge/6wSy3hna3UMR9x0EgTD-b8m5dqvyOosEDhUQotz4zFU [35.192.127.223]: "\n \n \n \n \n \n <html lang="en-US" data-website-id="1" data-oe-company-name", www.synnect.co (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.synnect.co/.well-known/acme-challenge/pQkT_J2npFq2BQI7TYe4h9pVnYCsjDswQ4LUX9r68Qw [35.192.127.223]: "\n \n \n \n \n \n <html lang="en-US" data-website-id="1" data-oe-company-name"
```

IMPORTANT NOTES:

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
NO
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.31.0

I can successfully access a test file on https://synnect.co/.well-known/acme-challenge/test1.txt, but it only works on HTTPS. I believe the HTTP request sent by the ACME server is getting routed to the Odoo server and not working; I tried to configure Nginx to look for the file in all sorts of different ways but couldn't make it work.

Thank you for reading!


Here’s the site config of nginx

```
# odoo server
upstream odoo {
    server 127.0.0.1:8069;
}
upstream odoochat {
    server 127.0.0.1:8072;
}

upstream colibri {
    server 35.193.248.203;
}

server {
    listen 80;
    server_name colibri.synnect.co;
    # Certificate directives have no effect on a plain port-80 listener.
    ssl_certificate /etc/letsencrypt/live/synnect.co/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/synnect.co/privkey.pem;
    include snippets/letsencrypt.conf;
    access_log /var/log/nginx/colibri.access.log;
    error_log /var/log/nginx/colibri.error.log;

    location / {
        proxy_redirect off;
        proxy_pass http://colibri;
    }
    #include snippets/letsencrypt.conf;
    #return 301 http://35.193.248.203/$request_uri$;
}

# http -> https
server {
    listen 80;
    server_name synnect.co www.synnect.co;

    access_log /var/log/nginx/odoo.access_80.log;
    error_log /var/log/nginx/odoo.error_80.log;

    # Serve http-01 challenge files straight from the certbot webroot.
    location ^~ /.well-known/acme-challenge/ {
        access_log /var/log/nginx/acme.access.log;
        error_log /var/log/nginx/acme.error.log;
        allow all;
        root /var/lib/letsencrypt/;
        default_type "text/plain";
        try_files $uri $uri/ =404;
    }
    location ~ /.well-known {
        allow all;
    }
}

server {
    # "ssl on;" is deprecated; the ssl parameter on listen is the modern form.
    listen 443 ssl;
    server_name synnect.co www.synnect.co;

    proxy_read_timeout 720s;
    proxy_connect_timeout 720s;
    proxy_send_timeout 720s;

    # Add headers for odoo proxy mode
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Real-IP $remote_addr;

    # SSL parameters
    ssl_certificate /etc/letsencrypt/live/synnect.co/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/synnect.co/privkey.pem;
    ssl_session_timeout 30m;
    # TLSv1 and TLSv1.1 are deprecated; TLSv1.2 alone is the usual minimum today.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;

    # log
    access_log /var/log/nginx/odoo.access.log;
    error_log /var/log/nginx/odoo.error.log;

    # Redirect longpoll requests to odoo longpolling port
    # location /longpolling {
    #     proxy_pass http://odoochat;
    # }

    location ^~ /.well-known/ {
        access_log /var/log/nginx/acme.access.log;
        error_log /var/log/nginx/acme.error.log;
        allow all;
        root /var/lib/letsencrypt/;
        default_type "text/plain";
        try_files $uri $uri/ =404;
    }

    # Redirect requests to odoo backend server
    location / {
        proxy_redirect off;
        proxy_pass http://odoo;
    }

    # common gzip
    gzip_types text/css text/scss text/plain text/xml application/xml application/json application/javascript;
    gzip on;
}
```

The code posted is near to impossible to read correctly.
Please edit that post and insert a line above and below the code section as follows:

```
YOUR CODE
```


The HTTP server and the HTTPS server do NOT show the same “signature”:

```
curl -Iki http://synnect.co/
HTTP/1.0 200 OK
Content-Type: text/html; charset=utf-8
Set-Cookie: frontend_lang=en_US; Path=/
Set-Cookie: visitor_uuid=50e4b57300974baf879a7ba3d2f869de; Expires=Mon, 12-Jul-2021 23:09:14 GMT; Path=/
Set-Cookie: session_id=089a82078c97099f4c1bf896c6589cfac479972c; Expires=Sat, 10-Oct-2020 23:09:14 GMT; Max-Age=7776000; HttpOnly; Path=/
Content-Length: 12186
Server: Werkzeug/0.14.1 Python/3.7.3
Date: Sun, 12 Jul 2020 23:09:14 GMT
```

```
curl -Iki https://synnect.co/
HTTP/1.1 200 OK
Server: nginx/1.14.2
Date: Sun, 12 Jul 2020 23:09:24 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 12186
Connection: keep-alive
Set-Cookie: frontend_lang=en_US; Path=/
Set-Cookie: visitor_uuid=cea848e5492c4fbdb03328c2855b09b4; Expires=Mon, 12-Jul-2021 23:09:24 GMT; Path=/
Set-Cookie: session_id=993f1a453b0572836dc585d28c179ef3aeac5c70; Expires=Sat, 10-Oct-2020 23:09:24 GMT; Max-Age=7776000; HttpOnly; Path=/
Server: Werkzeug/0.14.1 Python/3.7.3
Server: nginx/1.14.2
```
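An added example, not from the thread: a small offline check that applies the two observations above, the "signature" comparison of the port-80 and port-443 responses and the first post's error (HTML where the challenge token should be). The header blocks are constructed from the curl output posted above, and the body check assumes the standard http-01 key-authorization format `<token>.<thumbprint>`.

```python
"""Offline checks for the diagnosis in this thread:
(1) does port 80 answer through the same reverse proxy as port 443, judged by
    the Server header chain, and
(2) does a challenge URL return a key authorization or a web page."""
import re
from typing import Dict, List

# Constructed from the curl -Iki output in the thread (cookies trimmed).
HTTP_HEADERS = """HTTP/1.0 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 12186
Server: Werkzeug/0.14.1 Python/3.7.3
Date: Sun, 12 Jul 2020 23:09:14 GMT
"""
HTTPS_HEADERS = """HTTP/1.1 200 OK
Server: nginx/1.14.2
Date: Sun, 12 Jul 2020 23:09:24 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Server: Werkzeug/0.14.1 Python/3.7.3
"""

def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Lower-cased header name -> values in order; the status line is skipped."""
    out: Dict[str, List[str]] = {}
    for line in raw.strip().splitlines()[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            out.setdefault(name.strip().lower(), []).append(value.strip())
    return out

def server_chain(raw: str) -> List[str]:
    return parse_headers(raw).get("server", [])

def diagnose_front_door(http_raw: str, https_raw: str, proxy: str = "nginx") -> str:
    """Who answers each port? A proxy seen only on 443 means the port-80
    acme-challenge location in its config is never reached."""
    http_proxied = any(v.lower().startswith(proxy) for v in server_chain(http_raw))
    https_proxied = any(v.lower().startswith(proxy) for v in server_chain(https_raw))
    if http_proxied and https_proxied:
        return "both-via-proxy"
    if https_proxied:
        return "http-bypasses-proxy"  # the situation in this thread
    if http_proxied:
        return "https-bypasses-proxy"
    return "no-proxy-seen"

def challenge_body_ok(body: str, token: str) -> bool:
    """Valid http-01 response: plain-text '<token>.<thumbprint>'. HTML (the
    Odoo page in the first post) means the request never hit the webroot."""
    return re.fullmatch(re.escape(token) + r"\.[A-Za-z0-9_-]+\s*", body) is not None
```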

Thanks for the response, I edited the post to help readability.

Would you care to elaborate on the signatures? How do I fix that?
I plan to have all HTTP traffic “converted” to HTTPS and routed according to the subdomains that exist. Is that a good idea? Could the ACME challenge be completed this way?

Sorry for the rookie questions, I’m still learning my ways around servers :stuck_out_tongue:


The different signatures could be a sign that they are being handled by different systems/services.
ACME challenges will follow simple HTTP to HTTPS redirection.
But I’m not sure you are in control of the HTTP - or at least not in the way you think.