Unable to renew certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: abenteuerleben.net

I ran this command: certbot --nginx renew

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/www.abenteuerleben.net.conf


Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Renewing an existing certificate for www.abenteuerleben.net and abenteuerleben.net
Performing the following challenges:
http-01 challenge for abenteuerleben.net
http-01 challenge for www.abenteuerleben.net
Waiting for verification...
Challenge failed for domain abenteuerleben.net
Challenge failed for domain www.abenteuerleben.net
http-01 challenge for abenteuerleben.net
http-01 challenge for www.abenteuerleben.net
Cleaning up challenges
Failed to renew certificate www.abenteuerleben.net with error: Some challenges have failed.


All renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/www.abenteuerleben.net/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

My web server is (include version): nginx v1.16.1

The operating system my web server runs on is (include version): CentOS Linux release 7.9.2009 (Core)

My hosting provider, if applicable, is: Hetzner

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.11.0

1 Like

Hi @mboeker ,

Does this help:

sudo certbot renew --cert-name www.abenteuerleben.net \
--nginx-sleep-seconds 10 --dry-run
1 Like

Hi @mboeker

if that command doesn't work, Certbot doesn't understand your configuration.

What says

nginx -T
1 Like

Hi az,

that did not work, same output.

1 Like

Hi Juergen,

Output of nginx -T:

nginx: [warn] conflicting server name "www.abenteuerleben.net" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name "abenteuerleben.net" on 0.0.0.0:80, ignored
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

# configuration file /etc/nginx/nginx.conf:

# For more information on configuration, see:
#   * Official English Documentation: nginx documentation
#   * Official Russian Documentation: nginx: документация

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

# Load dynamic modules. See /usr/share/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;

events {
worker_connections 1024;
}

http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';

access_log  /var/log/nginx/access.log  main;

sendfile            on;
tcp_nopush          on;
tcp_nodelay         on;
keepalive_timeout   65;
types_hash_max_size 2048;

include             /etc/nginx/mime.types;
default_type        application/octet-stream;

# Load modular configuration files from the /etc/nginx/conf.d directory.
# See http://nginx.org/en/docs/ngx_core_module.html#include
# for more information.
include /etc/nginx/conf.d/*.conf;

server {
    listen       80 default_server;
    listen       [::]:80 default_server;
    server_name  _;
    root         /usr/share/nginx/html;

    # Load configuration files for the default server block.
    include /etc/nginx/default.d/*.conf;

    location / {
    }

    error_page 404 /404.html;
        location = /40x.html {
    }

    error_page 500 502 503 504 /50x.html;
        location = /50x.html {
    }

    # Handle php requests
    location ~ \.php$ {
        include /etc/nginx/fastcgi_params;
        fastcgi_pass unix:/var/run/php-fpm/www.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
    }

    client_max_body_size 8M;
}

}

# configuration file /usr/share/nginx/modules/mod-http-image-filter.conf:

load_module "/usr/lib64/nginx/modules/ngx_http_image_filter_module.so";

# configuration file /usr/share/nginx/modules/mod-http-perl.conf:

load_module "/usr/lib64/nginx/modules/ngx_http_perl_module.so";

# configuration file /usr/share/nginx/modules/mod-http-xslt-filter.conf:

load_module "/usr/lib64/nginx/modules/ngx_http_xslt_filter_module.so";

# configuration file /usr/share/nginx/modules/mod-mail.conf:

load_module "/usr/lib64/nginx/modules/ngx_mail_module.so";

# configuration file /usr/share/nginx/modules/mod-stream.conf:

load_module "/usr/lib64/nginx/modules/ngx_stream_module.so";

# configuration file /etc/nginx/mime.types:

types {
text/html html htm shtml;
text/css css;
text/xml xml;
image/gif gif;
image/jpeg jpeg jpg;
application/javascript js;
application/atom+xml atom;
application/rss+xml rss;

text/mathml                                      mml;
text/plain                                       txt;
text/vnd.sun.j2me.app-descriptor                 jad;
text/vnd.wap.wml                                 wml;
text/x-component                                 htc;

image/png                                        png;
image/svg+xml                                    svg svgz;
image/tiff                                       tif tiff;
image/vnd.wap.wbmp                               wbmp;
image/webp                                       webp;
image/x-icon                                     ico;
image/x-jng                                      jng;
image/x-ms-bmp                                   bmp;

font/woff                                        woff;
font/woff2                                       woff2;

application/java-archive                         jar war ear;
application/json                                 json;
application/mac-binhex40                         hqx;
application/msword                               doc;
application/pdf                                  pdf;
application/postscript                           ps eps ai;
application/rtf                                  rtf;
application/vnd.apple.mpegurl                    m3u8;
application/vnd.google-earth.kml+xml             kml;
application/vnd.google-earth.kmz                 kmz;
application/vnd.ms-excel                         xls;
application/vnd.ms-fontobject                    eot;
application/vnd.ms-powerpoint                    ppt;
application/vnd.oasis.opendocument.graphics      odg;
application/vnd.oasis.opendocument.presentation  odp;
application/vnd.oasis.opendocument.spreadsheet   ods;
application/vnd.oasis.opendocument.text          odt;
application/vnd.openxmlformats-officedocument.presentationml.presentation
                                                 pptx;
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
                                                 xlsx;
application/vnd.openxmlformats-officedocument.wordprocessingml.document
                                                 docx;
application/vnd.wap.wmlc                         wmlc;
application/x-7z-compressed                      7z;
application/x-cocoa                              cco;
application/x-java-archive-diff                  jardiff;
application/x-java-jnlp-file                     jnlp;
application/x-makeself                           run;
application/x-perl                               pl pm;
application/x-pilot                              prc pdb;
application/x-rar-compressed                     rar;
application/x-redhat-package-manager             rpm;
application/x-sea                                sea;
application/x-shockwave-flash                    swf;
application/x-stuffit                            sit;
application/x-tcl                                tcl tk;
application/x-x509-ca-cert                       der pem crt;
application/x-xpinstall                          xpi;
application/xhtml+xml                            xhtml;
application/xspf+xml                             xspf;
application/zip                                  zip;

application/octet-stream                         bin exe dll;
application/octet-stream                         deb;
application/octet-stream                         dmg;
application/octet-stream                         iso img;
application/octet-stream                         msi msp msm;

audio/midi                                       mid midi kar;
audio/mpeg                                       mp3;
audio/ogg                                        ogg;
audio/x-m4a                                      m4a;
audio/x-realaudio                                ra;

video/3gpp                                       3gpp 3gp;
video/mp2t                                       ts;
video/mp4                                        mp4;
video/mpeg                                       mpeg mpg;
video/quicktime                                  mov;
video/webm                                       webm;
video/x-flv                                      flv;
video/x-m4v                                      m4v;
video/x-mng                                      mng;
video/x-ms-asf                                   asx asf;
video/x-ms-wmv                                   wmv;
video/x-msvideo                                  avi;

}

# configuration file /etc/nginx/conf.d/abenteuerleben.net-nossl.conf:

server {
listen 80;
server_name www.abenteuerleben.net abenteuerleben.net;

root /var/www/html/abenteuerleben;
index index.php;

location / {
    try_files $uri $uri/ /index.php?$args;
}

location ~ /.well-known {
    allow all;
}

# Handle php requests
location ~ \.php$ {
    include /etc/nginx/fastcgi_params;
    fastcgi_pass unix:/var/run/php-fpm/www.sock;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
}

location ~ /\. {
    deny all;
}
client_max_body_size 8M;

}

# configuration file /etc/nginx/fastcgi_params:

fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;

fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param REQUEST_SCHEME $scheme;
fastcgi_param HTTPS $https if_not_empty;

fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;

fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;

# PHP only, required if PHP was built with --enable-force-cgi-redirect

fastcgi_param REDIRECT_STATUS 200;

# configuration file /etc/nginx/conf.d/abenteuerleben.net-ssl.conf:

server {
#listen [::]:443 ssl;
#listen [::]:443 ipv6only=on;
server_name www.abenteuerleben.net abenteuerleben.net;

root /var/www/html/abenteuerleben;
index index.php;

location / {
    try_files $uri $uri/ /index.php?$args;
}

location ~ /.well-known {
    allow all;
}

# Handle php requests
location ~ \.php$ {
    include /etc/nginx/fastcgi_params;
    fastcgi_pass unix:/var/run/php-fpm/www.sock;
    fastcgi_index index.php;
  fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
}

location ~ /\. {
    deny all;
}
client_max_body_size 8M;

listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/www.abenteuerleben.net/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/www.abenteuerleben.net/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}
server {
if ($host = abenteuerleben.net) {
return 301 https://$host$request_uri;
} # managed by Certbot

if ($host = www.abenteuerleben.net) {
    return 301 https://$host$request_uri;
} # managed by Certbot


listen 80;
server_name www.abenteuerleben.net abenteuerleben.net;
return 404; # managed by Certbot

}

# configuration file /etc/letsencrypt/options-ssl-nginx.conf:

# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file.

ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;
ssl_session_tickets off;

ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;

ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";

1 Like

There you go.

You have a duplicate port 80 virtualhost for abenteuerleben.net in both abenteuerleben.net-nossl.conf and abenteuerleben.net-ssl.conf.

The first:

The second:

Depending on what you want nginx to do, get rid of one of them.

If you want port 80 to redirect to HTTPS, then I'd get rid of abenteuerleben.net-nossl.conf.

2 Likes

That did it, thank you so much!

2 Likes

There

is your job. Every combination of port and server name must be unique.

Merge duplicated entries in one entry, remove the other, then again nginx -T.

PS: Too late - but happy to read you have fixed that buggy configuration :+1:

1 Like
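As an added check, not from the thread and not nginx's or Certbot's own code, here is a small Python script that reproduces the "conflicting server name" condition both replies describe from `nginx -T` output: it walks every `server { }` block, keys each listen address by `server_name`, and reports combinations declared more than once (the ones nginx silently ignores, which is why the http-01 challenge never reached the block Certbot edited). The sample input is a constructed, heavily reduced version of the config posted above; the defaults assumed for a missing `listen` or `server_name` are marked in the comments.

```python
import re
from collections import defaultdict

def _tokens(text):
    # Strip '#' comments line-wise, then split into directive text and the structural ; { } tokens.
    stripped = "\n".join(re.sub(r"#.*", "", line) for line in text.splitlines())
    return re.findall(r"[^;{}]+|[;{}]", stripped)

def server_blocks(text):
    # Yield {'listen': [...], 'server_name': [...]} for every server { } block, ignoring nested blocks.
    depth, server_depth, current, last = 0, None, None, ""
    for tok in _tokens(text):
        if tok not in ("{", "}", ";"):             # directive text, consumed by the next ; or {
            last = tok
            continue
        words, last = last.split(), ""
        if tok == "{":
            depth += 1
            if server_depth is None and words and words[0] == "server":
                server_depth, current = depth, {"listen": [], "server_name": []}
        elif tok == "}":
            if depth == server_depth:              # closing the server block itself
                yield current
                server_depth, current = None, None
            depth -= 1
        elif current is not None and depth == server_depth and words:  # directive at server level
            if words[0] == "listen" and len(words) > 1:
                # nginx keys sockets by address:port; a bare port means all IPv4 addresses and
                # flags such as ssl or default_server are irrelevant to the conflict.
                a = words[1]
                current["listen"].append(a.replace("*:", "0.0.0.0:", 1) if ":" in a else f"0.0.0.0:{a}")
            elif words[0] == "server_name":
                current["server_name"].extend(words[1:])

def conflicting_server_names(text):
    """Return {(address, name): count} for every combination declared in more than one server block."""
    counts = defaultdict(int)
    for block in server_blocks(text):
        # Assumed nginx defaults when a directive is absent: listen *:80 (running as root), server_name "".
        for addr in block["listen"] or ["0.0.0.0:80"]:
            for name in block["server_name"] or [""]:
                counts[(addr, name)] += 1
    return {pair: n for pair, n in counts.items() if n > 1}

# Constructed, heavily reduced stand-in for the nginx -T output posted in this thread.
SAMPLE_NGINX_T = """http {
server { listen 80; server_name www.abenteuerleben.net abenteuerleben.net; location ~ /.well-known { allow all; } }
server { listen 443 ssl; server_name www.abenteuerleben.net abenteuerleben.net; }  # managed by Certbot
server { if ($host = abenteuerleben.net) { return 301 https://$host$request_uri; }  # managed by Certbot
         listen 80; server_name www.abenteuerleben.net abenteuerleben.net; return 404; } }"""
```

Run it against `nginx -T 2>/dev/null` on the real host after merging the duplicate blocks; an empty result means every port and server name combination is unique, which is the state the last reply asks for.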

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.