Unable to renew my certificates

My domain is: lagrange.cloud

I ran this command: certbot renew

It produced this output:


Processing /etc/letsencrypt/renewal/www.lagrange.cloud.conf


Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.lagrange.cloud
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (www.lagrange.cloud) from /etc/letsencrypt/renewal/www.lagrange.cloud.conf produced an unexpected error: Failed authorization procedure. www.lagrange.cloud (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://www.lagrange.cloud/.well-known/acme-challenge/tTKNm9auueRkLXQDJzuHmrYfjoFftkIR3tWSMmwOvq4 [2606:4700:30::681b:978b]: 404. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/lagrange.cloud-0001/fullchain.pem (failure)
/etc/letsencrypt/live/www.lagrange.cloud/fullchain.pem (failure)


The following certs are not due for renewal yet:
/etc/letsencrypt/live/lagrange.cloud/fullchain.pem expires on 2020-03-08 (skipped)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/lagrange.cloud-0001/fullchain.pem (failure)
/etc/letsencrypt/live/www.lagrange.cloud/fullchain.pem (failure)


2 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

My web server is (include version): custom backend with nginx as proxy

The operating system my web server runs on is (include version): latest debian

I can login to a root shell on my machine

The version of my client is: certbot 0.31.0

I am attempting to update a cert as I got an email saying it was going to expire in 30 days. I ran certbot renew and got the above error. I looked through other questions similar to this; however, all of those seemed to revolve around .well-known hosts being present. I have searched the file system for this folder and have not been able to find it. As far as I am aware it was not created when I first installed my certificate with certbot.

1 Like

Hi @natekomodo

Checking your domain, you use Cloudflare. So your real server is invisible - see https://check-your-website.server-daten.de/?q=lagrange.cloud

But you have a new certificate:

Issuer                      | not before | not after  | Domain names                                          | LE-Duplicate | next LE
Let's Encrypt Authority X3  | 2019-12-09 | 2020-03-08 | lagrange.cloud                                        | -            | 1 entries
CloudFlare Inc ECC CA-2     | 2019-12-04 | 2020-10-09 | *.lagrange.cloud, lagrange.cloud, sni.cloudflaressl.com | -          | 3 entries
Let's Encrypt Authority X3  | 2019-10-10 | 2020-01-08 | *.lagrange.cloud                                      | -            | 1 entries
Let's Encrypt Authority X3  | 2019-10-09 | 2020-01-07 | www.lagrange.cloud                                    | -            | 1 entries

Looks like the renew of the www certificate (created 2019-10-09) doesn't work.

But do you need that certificate if you use Cloudflare?

If a user uses the www version, does Cloudflare connect to your www or your non-www version? If your non-www version is connected, you don't need the www certificate.

1 Like

Yes, for compliance reasons I have to use the full (strict) encryption mode, where my server must have a valid CA-signed certificate.

I am using Cloudflare for DDoS, caching, and CDN purposes, as a proxy per se. I use both the www and non-www versions.

1 Like

Probably as a simpler solution, you can use a Cloudflare origin certificate. These certificates are only valid for Cloudflare and can be used with strict mode.

You can also create them with long expiration dates for free.

1 Like

Yeah, I'm probably going to end up using that.

1 Like

What went wrong with that one?

ACME HTTP validation makes the initial request using HTTP. As you can see, it will follow a redirect to HTTPS.

Certbot's nginx plugin only configures the HTTP virtual host to pass validation.

Your site has Cloudflare configured to redirect all HTTP requests to HTTPS. That's a good thing! In general. But it also means validation can't possibly work. :grimacing:

(There's an open Certbot issue about having the nginx plugin modify HTTPS virtual hosts too.)

You have a number of options:

  • Stop using Let's Encrypt and use a Cloudflare origin certificate instead.

  • Install Certbot's Cloudflare DNS plugin (sudo apt install python3-certbot-dns-cloudflare, if you're using the Certbot apt package), set it up and use DNS validation to issue your certificates. (This introduces the risk of your Cloudflare API keys being compromised if your web server is.)

  • Ensure that Nginx can serve static files from https://www.lagrange.cloud/.well-known/acme-challenge/ and use Certbot's webroot plugin for validation. For example with "sudo certbot -a webroot -i nginx -w /srv/www/something -d www.lagrange.cloud".

  • Stop the requests from being redirected to HTTPS. For example, completely turn the redirect off in Cloudflare, and set up more granular redirects in Nginx. (This would have a negative effect on redirect performance and security.) Or use Cloudflare page rules or workers to manage more granular redirects on their end.

  • Stop using Cloudflare. (Just to be complete.)

2 Likes
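An added example of the webroot option from the list above (not configuration from the thread, from Certbot, or from Cloudflare): because the validator follows Cloudflare's redirect to HTTPS, the challenge directory has to be served from the HTTPS virtual host as well as the HTTP one, ahead of the location that proxies to the backend. The webroot /var/www/acme and the backend address 127.0.0.1:8080 are assumptions; the certificate paths are the ones shown in the certbot output.

```nginx
# Added example; /var/www/acme and 127.0.0.1:8080 are assumed values.

# Plain-HTTP virtual host. Cloudflare already redirects HTTP to HTTPS before
# the request reaches this server, so this block alone does not pass validation.
server {
    listen 80;
    listen [::]:80;
    server_name www.lagrange.cloud lagrange.cloud;

    # Serve challenge files straight from the webroot passed to certbot -w.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/acme;
        default_type text/plain;
        try_files $uri =404;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

# HTTPS virtual host. The validator arrives here after the redirect, so the
# same challenge location must exist here too; without it the backend answers
# and returns the 404 seen in the certbot output.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name www.lagrange.cloud lagrange.cloud;

    ssl_certificate     /etc/letsencrypt/live/www.lagrange.cloud/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.lagrange.cloud/privkey.pem;

    # Must precede "location /" so the challenge never reaches the backend.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/acme;
        default_type text/plain;
        try_files $uri =404;
    }

    location / {
        proxy_pass http://127.0.0.1:8080;   # assumed custom backend
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

With this in place, "sudo certbot -a webroot -i nginx -w /var/www/acme -d www.lagrange.cloud" records the webroot authenticator in the renewal config, so later "certbot renew" runs use it too.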

And maybe there is one more “workaround”:

  • Redirect challenge requests through a different name, such that they bypass Cloudflare and reach the exact same (backend) server directly, and serve the challenges from the same folder as the initial FQDN requested.

1 Like

You could even do something mindbending like have Nginx reverse proxy one virtual host to another.

Oooo… That could introduce ALPN validations…

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.