Unable to renew Let's Encrypt certificate

Hi

I am trying to renew my certificate, but it is giving an error.
Please help.

My domain is: andiquotes.com

I ran this command: sudo certbot renew --dry-run

It produced this output:
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Simulating renewal of an existing certificate for andiquotes.com and www.andiquotes.com
Performing the following challenges:
http-01 challenge for andiquotes.com
http-01 challenge for www.andiquotes.com
Waiting for verification...
Challenge failed for domain andiquotes.com
Challenge failed for domain www.andiquotes.com
http-01 challenge for andiquotes.com
http-01 challenge for www.andiquotes.com
Cleaning up challenges
Failed to renew certificate andiquotes.com with error: Some challenges have failed.


All simulated renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/andiquotes.com/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

My web server is (include version):
nginx/1.18.0

The operating system my web server runs on is (include version):
Ubuntu 20.04.1 LTS

My hosting provider, if applicable, is: digitalocean

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.11.0

Hi @Prakash1

If you use nginx as authenticator and you see an https result, that can't work.

There is a check of your domain, more than one hour old - https://check-your-website.server-daten.de/?q=andiquotes.com

You use Cloudflare:

| Host | Type | IP-Address | is auth. | ∑ Queries | ∑ Timeout |
|---|---|---|---|---|---|
| andiquotes.com | A | 104.21.0.95 Chicago/Illinois/United States (US) - Cloudflare, Inc. No Hostname found | yes | 1 | 0 |
| | A | 172.67.150.208 Chicago/Illinois/United States (US) - Cloudflare, Inc. No Hostname found | yes | 1 | 0 |
| | AAAA | 2606:4700:3033::6815:5f Montreal/Quebec/Canada (CA) - Cloudflare, Inc. | yes | | |
| | AAAA | 2606:4700:3033::ac43:96d0 Montreal/Quebec/Canada (CA) - Cloudflare, Inc. | yes | | |

So Cloudflare redirects to https.

So you have to use webroot instead of nginx as authenticator.


Hi, thanks for the reply.

I tried using webroot and tried adding the webroot as given in the article, but it's not working.

Error:
root@ubuntu-s-1vcpu-1gb-nyc1-01:~# certbot certonly --webroot -w /var/www/html
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel): www.andiquotes.com andiquotes.com
Cert is due for renewal, auto-renewing...
Renewing an existing certificate for www.andiquotes.com and andiquotes.com
Performing the following challenges:
http-01 challenge for andiquotes.com
http-01 challenge for www.andiquotes.com
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Challenge failed for domain andiquotes.com
Challenge failed for domain www.andiquotes.com
http-01 challenge for andiquotes.com
http-01 challenge for www.andiquotes.com
Cleaning up challenges
Some challenges have failed.

Then you use the wrong webroot.

Find your correct https webroot.

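The advice above is to find the document root that actually answers on the HTTPS side. One way to check that before running certbot again, as an added example that is not part of this thread and not certbot's or nginx's own code: a small parser over nginx configuration text (in practice the output of `nginx -T`) that reports, per port, which `root` would serve `/.well-known/acme-challenge/`. The configuration, the paths in it and the helper names (`webroot_for`, `same_webroot`) are constructed for the demo; the parser ignores regex `location` blocks and assumes no `#` inside quoted values.

```python
#!/usr/bin/env python3
"""Which document root answers /.well-known/acme-challenge/ on port 80 vs 443?

Added example for this thread; not certbot's or nginx's own code. It parses
nginx configuration text (feed it the output of `nginx -T`) with a small
recursive-descent parser and reports, per port, the root that a challenge
request would be served from. The config below is constructed for the demo.
"""
import re

ACME_PATH = "/.well-known/acme-challenge/"
_TOKEN_RE = re.compile(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};"\']+')

SAMPLE_CONFIG = """
http {
    server {
        listen 80;
        listen [::]:80;
        server_name andiquotes.com www.andiquotes.com;
        root /var/www/html;                         # constructed path
        location / { return 301 https://$host$request_uri; }
    }
    server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name andiquotes.com www.andiquotes.com;
        root /srv/andiquotes/public;                # constructed path
        location ^~ /.well-known/acme-challenge/ {
            root /var/www/certbot;                  # constructed path
        }
    }
}
"""


def tokenize(text):
    """Split nginx config into tokens; '#' comments are dropped first
    (assumes no '#' inside quoted values, which holds for typical configs)."""
    return _TOKEN_RE.findall(re.sub(r"#[^\n]*", "", text))


def parse_block(tokens, i=0):
    """Parse directives until the matching '}' (or end of input).
    Returns ([(name, args, body_or_None), ...], next_index)."""
    directives, current = [], []
    while i < len(tokens):
        tok = tokens[i]
        i += 1
        if tok == ";":
            if current:
                directives.append((current[0], current[1:], None))
            current = []
        elif tok == "{":
            body, i = parse_block(tokens, i)
            directives.append((current[0], current[1:], body))
            current = []
        elif tok == "}":
            break
        else:
            current.append(tok.strip("\"'"))
    return directives, i


def server_blocks(directives):
    """Yield the body of every server {} block, descending through http {}."""
    for name, _args, body in directives:
        if body is None:
            continue
        if name == "server":
            yield body
        else:
            yield from server_blocks(body)


def listen_port(args):
    """'80' -> 80, '[::]:443 ssl' -> 443, 'unix:/run/x.sock' -> None."""
    port = args[0].rsplit(":", 1)[-1] if args else ""
    return int(port) if port.isdigit() else None


def webroot_for(config_text, port, hostname=None):
    """Root that serves the ACME challenge path on `port` for `hostname`.
    Prefix `location` blocks covering the path that set their own root win
    over the server-level root; regex locations are ignored (simplification)."""
    directives, _ = parse_block(tokenize(config_text))
    for body in server_blocks(directives):
        names = [a for n, args, _ in body if n == "server_name" for a in args]
        ports = [listen_port(args) for n, args, _ in body if n == "listen"]
        if port not in ports or (hostname and hostname not in names):
            continue
        root = next((args[0] for n, args, b in body if n == "root" and b is None), None)
        best = ""
        for n, args, block in body:
            if n != "location" or not block:
                continue
            modifier, prefix = (args if len(args) == 2 else ("", args[0]))
            if modifier in ("~", "~*"):
                continue  # regex location: not modelled here
            hit = ACME_PATH == prefix if modifier == "=" else ACME_PATH.startswith(prefix)
            loc_root = next((a[0] for m, a, b in block if m == "root" and b is None), None)
            if hit and loc_root and len(prefix) > len(best):
                best, root = prefix, loc_root  # longest matching prefix wins
        return root
    return None


def same_webroot(config_text, hostname):
    """True when ports 80 and 443 serve the challenge path from one root,
    i.e. the situation in which an HTTP-to-HTTPS redirect does no harm."""
    return webroot_for(config_text, 80, hostname) == webroot_for(config_text, 443, hostname)


if __name__ == "__main__":
    for p in (80, 443):
        print(p, webroot_for(SAMPLE_CONFIG, p, "andiquotes.com"))
    print("same webroot on 80 and 443:", same_webroot(SAMPLE_CONFIG, "andiquotes.com"))
```

With the constructed config the HTTP vhost serves from one root while the HTTPS vhost's challenge location serves from another, so a token written to the port-80 root is never found after the redirect; `same_webroot` returning False is the signal to pass the 443-side root to `certbot --webroot -w`.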

The problem is that locally an HTTP challenge request is being expected and is what has been prepared for in your nginx config by certbot.
But along the way...
Cloudflare CDN has heard that HTTP request and redirected it to HTTPS.
So when it reaches your system it has not been prepared for and fails to reach the proper response.

There is no way to tell certbot that there is a CDN inline and that it should expect only HTTPS requests.
So the next best thing is using --webroot; this forces the expected location and if your HTTP and HTTPS document roots both point to the same path, then it doesn't matter if the request comes as HTTP or HTTPS.

Any questions?
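The failure mode described in this thread can be reproduced locally without Cloudflare or TLS. The following is an added example, not code from the thread, certbot or Let's Encrypt: two tiny HTTP servers on 127.0.0.1 play the "edge" (a CDN that answers the request and 301-redirects it) and the "origin" (the vhost the redirected request lands on). The token is written into one directory, as the webroot authenticator does; validation succeeds only when the vhost reached after the redirect serves that same directory. Names such as `run_scenario`, `place_token` and `validate`, and the key-authorization string, are constructed for the demo.

```python
#!/usr/bin/env python3
"""Local stand-in for an http-01 validation that crosses an HTTP->HTTPS
redirect. Added example for this thread; not certbot or Let's Encrypt code.

Two tiny servers on 127.0.0.1 play the roles from the thread:
  * "edge"   - the CDN: answers the request and 301-redirects to the origin
  * "origin" - the vhost the redirected request finally lands on
Both speak plain HTTP; TLS is irrelevant to the point, which is *which
document root* serves /.well-known/acme-challenge/<token> after the redirect.
"""
import http.server
import os
import secrets
import tempfile
import threading
import urllib.error
import urllib.request
from functools import partial

ACME_PREFIX = "/.well-known/acme-challenge/"


class RedirectHandler(http.server.BaseHTTPRequestHandler):
    """CDN edge stand-in: every GET becomes a 301 to the same path on `target`."""
    target = ""

    def do_GET(self):
        self.send_response(301)
        self.send_header("Location", self.target + self.path)
        self.end_headers()

    def log_message(self, *args):  # keep the example quiet
        pass


class QuietFileHandler(http.server.SimpleHTTPRequestHandler):
    """Origin stand-in: serves files from the directory it was given."""
    def log_message(self, *args):
        pass


def _serve(handler):
    """Start a server on an ephemeral port in a daemon thread; return it."""
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def place_token(webroot, token, key_authz):
    """The webroot authenticator's job: write the key authorization file
    under <webroot>/.well-known/acme-challenge/<token>."""
    directory = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(directory, exist_ok=True)
    with open(os.path.join(directory, token), "w") as fh:
        fh.write(key_authz)


def validate(edge_url, token, key_authz):
    """The CA's job: fetch the token via the public entry point (following
    redirects, as Let's Encrypt does) and compare the body."""
    try:
        with urllib.request.urlopen(edge_url + ACME_PREFIX + token, timeout=5) as resp:
            return resp.read().decode() == key_authz
    except urllib.error.HTTPError:
        return False  # e.g. 404: the root reached after the redirect lacks the file


def run_scenario(same_docroot):
    """Return True if validation succeeds.

    same_docroot=True : the vhost reached after the redirect serves the very
                        directory the token was written to (shared webroot).
    same_docroot=False: the token was prepared only for the HTTP side and the
                        redirect lands on a vhost with a different root.
    """
    with tempfile.TemporaryDirectory() as http_root, \
            tempfile.TemporaryDirectory() as other_root:
        token = secrets.token_urlsafe(16)
        key_authz = token + ".constructed-account-thumbprint"  # constructed value
        place_token(http_root, token, key_authz)

        origin = _serve(partial(QuietFileHandler,
                                directory=http_root if same_docroot else other_root))
        origin_url = "http://127.0.0.1:%d" % origin.server_address[1]

        class Edge(RedirectHandler):
            target = origin_url

        edge = _serve(Edge)
        edge_url = "http://127.0.0.1:%d" % edge.server_address[1]
        try:
            return validate(edge_url, token, key_authz)
        finally:
            for srv in (edge, origin):
                srv.shutdown()
                srv.server_close()


if __name__ == "__main__":
    print("shared document root  :", "valid" if run_scenario(True) else "FAILED")
    print("separate document root:", "valid" if run_scenario(False) else "FAILED")
```

The redirect itself is harmless; what decides the outcome is whether the file is present in the root that answers the redirected request, which is exactly why `--webroot` with a path shared by the HTTP and HTTPS vhosts works where the nginx authenticator (which only prepares the port-80 server block) does not.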

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.