We know letsencrypt well but having issue recently (hit limit?)

I ran this command: certbot --nginx -d siobhan-miller.-d www.siobhan-miller. --redirect --force-renewal

It produced this output: Complete output is attached in this link PrivateBin

My web server is (include version): Nginx 1.18.0

The operating system my web server runs on is (include version): Debian GNU/Linux 9 (stretch) Kernel: Linux 4.9.0-17-amd64

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.28.0

Welcome @ttt6543

I did not look at your private bin website data as I don't follow links to unknown sites (using a browser).

But you are asking about limits and it is possible you are reaching one. The apex domain floristtouch.com is shared by a large number of sites. See the recent history here

I would not be surprised if you got an error saying too many certificates already issued. Was that the message? Rate Limit info and the request form to override limits are here:

1 Like

This is the error. It's not too many certificates.

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: siobhan-miller.
    Type: unauthorized
    Detail: Invalid response from
    http://siobhan-miller./.well-known/acme-challenge/uidaTCguKQQS4SANhYPbcZWjOCCzbw-IALFTfCd_cIo
    [178.79.159.104]: "\r\n404 Not
    Found\r\n\r\n

    404 Not
    Found

    \r\n
    nginx\r\n"

    Domain: www.siobhan-miller.f
    Type: unauthorized
    Detail: Invalid response from
    http://www.siobhan-miller..well-known/acme-challenge/_p5vdZYQEENUi4W_j3qhnx4sh0zgb1NoMc6nafaGelE
    [178.79.159.104]: "\r\n404 Not
    Found\r\n\r\n

    404 Not
    Found

    \r\n
    nginx\r\n"

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

1 Like
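As an added example (not code from the thread or from Certbot itself), a small Python triage helper that parses the "IMPORTANT NOTES" block quoted above into one record per domain, pulls out the address the CA connected to and the HTTP status it saw, and maps each failure to the first place to look; the sample report, hostnames, tokens and IP are constructed placeholders, and the mapping in `diagnose` is my own heuristic.

```python
import re
from collections import namedtuple
# Constructed sample modelled on the certbot "IMPORTANT NOTES" block in the thread;
# hostnames, tokens and the IP are placeholders, not values from the page.
SAMPLE_REPORT = """IMPORTANT NOTES:
 - The following errors were reported by the server:
   Domain: shop.example.com
   Type:   unauthorized
   Detail: Invalid response from
   http://shop.example.com/.well-known/acme-challenge/TOKEN_A
   [203.0.113.10]: "<html>\\r\\n<head><title>404 Not Found</title></head>\\r\\n<body>\\r\\n<center><h1>404 Not Found</h1></center>\\r\\n<hr><center>nginx</center>\\r\\n"

   Domain: www.shop.example.com
   Type:   connection
   Detail: Fetching
   http://www.shop.example.com/.well-known/acme-challenge/TOKEN_B:
   Timeout during connect (likely firewall problem)
   To fix these errors, please make sure that your domain name was entered correctly.
"""

# One parsed failure: ACME error type, full Detail text, IP the CA reached, HTTP status seen
Failure = namedtuple("Failure", "domain type detail server_ip http_status")

def parse_failures(report: str) -> list:
    """Return one Failure per 'Domain:' entry; the 'To fix' trailer is dropped."""
    out = []
    for chunk in re.split(r"(?m)^\s*Domain:\s*", report)[1:]:
        body = chunk.split("To fix these errors", 1)[0]
        lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
        domain, ctype, detail = lines[0], "", []
        for line in lines[1:]:
            key, _, value = line.partition(":")
            if key == "Type":
                ctype = value.strip()
            else:  # 'Detail:' plus its continuation lines (URL, [ip]: "body")
                detail.append(value.strip() if key == "Detail" else line)
        text = " ".join(detail)
        ip = re.search(r"\[([0-9a-fA-F.:]+)\]:", text)
        status = re.search(r"\]:\s*\".*?\b([1-5]\d\d)\b", text)
        out.append(Failure(domain, ctype, text, ip.group(1) if ip else None,
                           int(status.group(1)) if status else None))
    return out

def diagnose(f: Failure) -> str:
    """Heuristic first place to look (my mapping, not certbot's own advice)."""
    if f.type == "connection":
        return "port 80 unreachable from the CA: check A/AAAA record, firewall, listener"
    if f.type != "unauthorized":
        return "unclassified: read the Detail text"
    if f.http_status == 404:
        return "web server reached but challenge path not served: wrong server block or stale reload"
    return "challenge URL answered with something other than the token: redirect or other site"
```

A 404 signed "nginx" means the CA did reach your web server; the question is which server block answered for that host and whether the temporary challenge location was in place when it did.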

Please note that --force-renewal does not help at all in this situation. As there have not been any other certificates for this certificate, it's not even a renewal. You can't just magically force Let's Encrypt to issue a certificate for you if they aren't able to validate the hostname. That would be weird!

2 Likes

I think we need to see the log for this. The temp changes made by the --nginx plug-in are not working right.

Can you upload the log to this forum?

/var/log/letsencrypt/letsencrypt.log
1 Like

That could use an update.

1 Like

Yeah, good catch, that is nearly 4 years old. Lots of 'edge cases' on nginx configs fixed since then.

Probably worth updating first and trying again. But, if you want to upload the log, I would still take a look before that.

1 Like

Just to be clear, it has been working for about 3 years now, and not working now.

Yeah, I am still not touching that website with a browser. The html looks to be full of spam - pukka sweaters, hot-deals, ... Sorry, your page got merged with a prior one in my sandbox. It was the prior site with the spam.

Still, could you provide the URL directly to the log file or use the upload icon in this forum to upload it?

I believe you when you say you know letsencrypt well. At the same time this domain name has never gotten a cert.

1 Like

Sorry, I wasn't aware the privatebin site was spam. Thanks for your help.

Here is another link
https://paste.ofcode.org/F2dDABTaywHmZUWcpCdFWp

> I believe you when you say you know letsencrypt well. At the same time this domain name has never gotten a cert.
I personally don't know letsencrypt, I'm not a developer, but the current developers are having an issue fixing it. We have over 100 subdomains using ssl so that's not been an issue until recently.

Well, I do not have a definitive answer but I have a possible, even likely, solution. I think you need to update your Certbot version so that you can use this option on the certbot command:

  --nginx-sleep-seconds NGINX_SLEEP_SECONDS
                        Number of seconds to wait for nginx configuration
                        changes to apply when reloading. (default: 1)

For nginx configs that have a lot of server blocks (which yours does) it sometimes takes longer to reload nginx to effect the temp changes it makes for the http challenges.

Setting this value to 10 or 20 should be enough. That said, I am not certain this will help but it is the best explanation for your description.

You need to update to use this option as it was added to certbot in Jul 2020. See this github item for details

OTHER ERRATA

In the log were other errors which your team should fix. It is (probably not) affecting this error but could be causing other problems.

Item 1 - Damaged renewal conf file for christina-brady

2022-01-28 14:03:18,264:DEBUG:certbot.cert_manager:Renewal conf file /etc/letsencrypt/renewal/christina-brady.floristtouch.com.conf is broken. Skipping.

certbot.errors.CertStorageError: renewal config file {} is missing a required file reference

Item 2 - Broken symlinks for wildhedgerow

2022-01-28 14:03:18,274:DEBUG:certbot.cert_manager:Renewal conf file /etc/letsencrypt/renewal/wildhedgerowflorist.co.uk.conf is broken. Skipping.

/etc/letsencrypt/live/wildhedgerowflorist.co.uk/cert.pem to be a symlink
2 Likes

Thanks.

Updated certbot.

Same certbot version and command worked on test server but not live, so maybe it's a server related issue.

Here's the log file.
https://paste.ofcode.org/4bLq2WgdZEXZPXYk2yrWSK

1 Like

That is not the whole log file. Can you recheck? Near the top it should have something like:

2022-01-28 13:11:10,195:DEBUG:certbot._internal.main:certbot version: 1.22.0
2 Likes

Also:
The previous paste is on production and the last is on staging.
[not sure if that makes much difference - just pointing it out]

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.