Unable to renew lets encrypt certificate

Prakash1 · January 21, 2021, 9:20am

Hi

I am trying to renew my certificate but it is giving error.
please Help.

I ran this command: sudo certbot renew --dry-run

It produced this output:
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Simulating renewal of an existing certificate for andiquotes.com and www.andiquotes.com
Performing the following challenges:
http-01 challenge for andiquotes.com
http-01 challenge for www.andiquotes.com
Waiting for verification...
Challenge failed for domain andiquotes.com
Challenge failed for domain www.andiquotes.com
http-01 challenge for andiquotes.com
http-01 challenge for www.andiquotes.com
Cleaning up challenges
Failed to renew certificate andiquotes.com with error: Some challenges have failed.

All simulated renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/andiquotes.com/fullchain.pem (failure)

1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

The following errors were reported by the server:

Domain: andiquotes.com
Type: unauthorized
Detail: Invalid response from
https://www.andiquotes.com/.well-known/acme-challenge/csa9LTFzG8AfdDJh-S8T9jRNVAaKWezNli-Q7FDgfR8/
[2606:4700:3033::6815:5f]: "\n\n<html
lang="en">\n\n\n<script async
src="https://www.googletagmanager.com/gtag/js?id=UA-176704703-1"
type="b"

Domain: www.andiquotes.com
Type: unauthorized
Detail: Invalid response from
https://www.andiquotes.com/.well-known/acme-challenge/tIB294sMrBVNXUjM20wTyJHRVI-QT4FtDI471CW38I8/
[2606:4700:3033::6815:5f]: "\n\n<html
lang="en">\n\n\n<script async
src="https://www.googletagmanager.com/gtag/js?id=UA-176704703-1"
type="4"

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.

My web server is (include version):
nginx/1.18.0

The operating system my web server runs on is (include version):
Ubuntu 20.04.1 LTS

My hosting provider, if applicable, is: digitalocean

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.11.0

JuergenAuer · January 21, 2021, 9:49am

Hi @Prakash1

if you use nginx as authenticator and if you see a

https result, that can't work.

There is a check of your domain, more then one hour old - https://check-your-website.server-daten.de/?q=andiquotes.com

You use Cloudflare:

Host	Type	IP-Address	is auth.	∑ Queries	∑ Timeout
andiquotes.com	A	104.21.0.95 Chicago/Illinois/United States (US) - Cloudflare, Inc. No Hostname found	yes	1	0
	A	172.67.150.208 Chicago/Illinois/United States (US) - Cloudflare, Inc. No Hostname found	yes	1	0
	AAAA	2606:4700:3033::6815:5f Montreal/Quebec/Canada (CA) - Cloudflare, Inc.	yes
	AAAA	2606:4700:3033::ac43:96d0 Montreal/Quebec/Canada (CA) - Cloudflare, Inc.	yes

So Cloudflare redirects to https.

So you have to use webroot instead of nginx as authenticator.

https://certbot.eff.org/docs/using.html#webroot

Prakash1 · January 21, 2021, 10:39am

Hii Thanks for Reply

I tried using webroot and tried adding webroot as given in artical but its not working.

Error:
root@ubuntu-s-1vcpu-1gb-nyc1-01:~# certbot certonly --webroot -w /var/www/html
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel): www.andiquotes.com andiquotes.com
Cert is due for renewal, auto-renewing...
Renewing an existing certificate for www.andiquotes.com and andiquotes.com
Performing the following challenges:
http-01 challenge for andiquotes.com
http-01 challenge for www.andiquotes.com
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Challenge failed for domain andiquotes.com
Challenge failed for domain www.andiquotes.com
http-01 challenge for andiquotes.com
http-01 challenge for www.andiquotes.com
Cleaning up challenges
Some challenges have failed.

JuergenAuer · January 21, 2021, 11:10am

Then you use the wrong webroot.

Find your correct https webroot.

rg305 · January 21, 2021, 2:01pm

The problem is that locally an HTTP challenge request is being expected and is what has been prepared for in your nginx config by certbot.
But along the way...
CloudFare CDN has heard that HTTP request and redirected it to HTTPS.
So when it reaches your system it has not been prepared for and fails to reach the proper response.

There is no way to tell certbot that there is a CDN inline and that it should expect only HTTPS requests.
So the next best thnig is using --webroot; this forces the expected location and if your HTTP and HTTPS document roots both point to the same path, then it doesn't matter if the request comes as HTTP or HTTPS.

Any questions?

system · February 20, 2021, 2:01pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.