Let's Encrypt won't renew with offline page


(EW 👌) #1

Dear @fefrei and friends,

I’ve a problem that needs to be fixed as soon as possible. (It’s expiring today :weary:)

I have my setup running as explained in the main post. I configured the system when my droplet OS was Ubuntu 14.04; later on I upgraded to Ubuntu 16.04 and everything is working fine.

But now I’m not able to renew my certificate :frowning:

When I enter:
letsencrypt renew

I’m getting the following error:

2017-01-09 20:19:03,767:WARNING:letsencrypt.cli:Attempting to renew cert from /etc/letsencrypt/renewal/community.example.com.conf produced an unexpected error: 'server'. Skipping.

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/community.example.com/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

I had tried before to run:

letsencrypt-auto renew
letsencrypt-auto certonly

The errors were:

Attempting to renew cert from /etc/letsencrypt/renewal/community.example.com.conf produced an unexpected error:
Failed authorization procedure. community.example.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://community.example.com/.well-known/acme-challenge/-CzlTNr1h1L_RxZlHeLP3BcO3egE358HjbybTLPVXCw:
        "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
        <html><head>
        <title>404 Not Found</title>
        </head><body>
        <h1>Not Found</h1>
        <p", www.community.example.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.community.example.com/.well-known/acme-challenge/Erk5KC4WOAwjc7G_cc22I4uUho-KC-SCFy0YkP1xl3A: "<htm                    l>
        <head><title>404 Not Found</title></head>
        <body bgcolor="white">
        <center><h1>404 Not Found</h1></center>
        <hr><center>". Skipping.

Adding an offline page when rebuilding
(Felix Freiberger) #2

Try running this (remember to insert your domain name):

service nginx reload
letsencrypt certonly --webroot -w /var/www -d discourse.example.com

If this also fails with the same error, post the contents of your /etc/nginx/sites-available/default here.


(EW 👌) #3

Thanks Felix,

I did as follows:

root@community:~# service nginx reload
root@community:~# letsencrypt certonly --webroot -w /var/www -d community.example.com
Failed authorization procedure. community.example.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://community.example.com/.well-known/acme-challenge/LCkMP0IvsX-dlQjTx9PoXySsgYBJwXsPQT5HshHuQzg: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: community.example.com
   Type:   unauthorized
   Detail: Invalid response from http://community.example.com/.well-
   known/acme-challenge/LCkMP0IvsX-dlQjTx9PoXySsgYBJwXsPQT5HshHuQzg:
   "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
   <html><head>
   <title>404 Not Found</title>
   </head><body>
   <h1>Not Found</h1>
   <p"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.

/etc/nginx/sites-available/default contents are as follows:

server {
        listen 80; listen [::]:80;
        server_name community.example.com;  # <-- change this

        location /.well-known/acme-challenge/ {
                root /var/www;
        }

        location / {
                return 301 https://$host$request_uri;
        }
}

server {
  listen 443 ssl http2;  listen [::]:443 ssl http2;
  server_name community.example.com;  # <-- change this

  ssl on;
  ssl_certificate      /etc/letsencrypt/live/community.example.com/fullchain.pem;
  ssl_certificate_key  /etc/letsencrypt/live/community.example.com/privkey.pem;

  ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_prefer_server_ciphers on;
  ssl_session_cache shared:SSL:10m;

  add_header Strict-Transport-Security "max-age=63072000;";
  add_header X-Frame-Options DENY;
  add_header X-Content-Type-Options nosniff;
  ssl_stapling on;
  ssl_stapling_verify on;

  client_max_body_size 0;

  location / {
    proxy_pass http://unix:/var/discourse/shared/standalone/nginx.http.sock:;
    proxy_set_header Host $http_host;
    proxy_http_version 1.1;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    error_page 502 =502 /errorpages/offline.html;
    proxy_intercept_errors on;
  }
        
  location /errorpages/ {
    alias /var/www/errorpages/;
  }
}

(Felix Freiberger) #4

Looks like you didn’t change this.


(EW 👌) #5

No, I did change it to my domain.


(Felix Freiberger) #6

In that case, can you post the actual contents of your /etc/nginx/sites-available/default?


(EW 👌) #7

I did in PM.

I noticed that @codinghorror just split the post. But my site is not offline!


(Jeff Atwood) #8

That’s not what it says. Read the words. “With offline page”


(Felix Freiberger) #9

Thanks for sending me the file in a private message, @ewanly. I’ll continue replying here to keep the steps public.

Try running touch /var/www/.well-known/acme-challenge/test, we’ll then check whether the file is available at http://your.domain.com/.well-known/acme-challenge/test.


(EW 👌) #10

root@community:/# touch /var/www/.well-known/acme-challenge/test
touch: cannot touch '/var/www/.well-known/acme-challenge/test': No such file or directory

The /var/www/.well-known dir is available but there is nothing under it!

Edit: I created acme-challenge under /var/www/.well-known and ran touch again. I checked that the test file is there, but I’m not able to reach it from the browser. (HTTPS broke due to the certificate expiring.)

Edit: I think I may need to stop the SSL redirection during renewal?


(Felix Freiberger) #11

No, there is no redirection, just your browser remembering HSTS. Try a private window.

The file is not there (404). This may be a stupid question, but… are you on the right server? Is nginx really running? Try running service nginx stop, does your site go down? (Restart with service nginx start.)


(Felix Freiberger) #12

Oh wait, the response is served by Apache! You’re not running the Offline page setup according to my howto. Can you describe your setup, please?


(EW 👌) #13

No, in my droplet there is no Apache (and my setup has nothing special: 2GB 14.04 Droplet 1-Click install, then external Nginx and LetsEncrypt installed, but later on upgraded to 16.04).

But the domain is served from GoDaddy (subdomain A (Host) record pointed to the droplet IP), and I noticed that the same subdomain had also been created there (in cPanel). So I removed it now.

I stopped the Nginx service, but I couldn’t test it even in a private window. I’m getting the SSL error directly.


(Felix Freiberger) #14

There clearly is an Apache responding to this URL:

I have no idea what you’re doing, but traffic isn’t reaching nginx.


(EW 👌) #15

Could you try again please, after I removed the subdomain from GoDaddy? Is it still the same?


(Felix Freiberger) #16

Yes, served by Apache/2.4.23.

Is 166.62.27.177 the IP of your Droplet? I assume the answer is “No”.
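The checks Felix walks through in #9 to #16 (does the name resolve to the Droplet, which web server answers on port 80, is the file under the webroot actually served) can be scripted. The following is an added example and not code from the thread or from the offline-page howto; the expected Droplet IP 203.0.113.10, the token name and the hypothetical `triage`/`probe_live` functions are constructed for illustration, and only the IP 166.62.27.177 and the Apache/2.4.23 header come from the thread. The network-free `triage` function takes the observed facts as arguments so the decision logic can be exercised without a live host; `probe_live` collects them over plain HTTP without following redirects, which is also how the CA's validator fetches the challenge.

```python
"""Triage a failed ACME http-01 challenge in the order the thread above did:
DNS first, then which daemon answered on port 80, then the response itself.
Added example; the IPs and token below are constructed, not real targets."""
import socket
import urllib.error
import urllib.request
from dataclasses import dataclass

# Webroot used throughout the thread (the -w argument to letsencrypt).
CHALLENGE_DIR = "/var/www/.well-known/acme-challenge"


@dataclass
class Probe:
    resolved_ip: str      # what DNS currently returns for the domain
    expected_ip: str      # the host you actually control (your Droplet)
    status: int           # HTTP status of the plain-HTTP fetch
    server_header: str    # Server: header of that response, "" if absent
    body: str             # response body
    expected_body: str    # what you wrote into the test file


def triage(p: Probe) -> str:
    """Return the most likely cause of the failure, checked in the order that
    matters. Each branch corresponds to a symptom seen in the thread."""
    if p.resolved_ip != p.expected_ip:
        # Post #16: the name points at a host you do not control, so nothing
        # you change in nginx or letsencrypt can help until DNS is fixed.
        return f"dns: {p.resolved_ip} is not the host you control ({p.expected_ip})"
    server = p.server_header.lower()
    if server and not server.startswith("nginx"):
        # Post #12: a 404 from Apache means traffic never reached nginx.
        return f"wrong-server: port 80 is answered by {p.server_header}, not nginx"
    if p.status == 404:
        return "not-found: nginx answered but the acme-challenge location/root is wrong"
    if p.status != 200:
        return f"http-{p.status}: unexpected status"
    if p.body.strip() != p.expected_body.strip():
        return "body-mismatch: a 200 came back but not the file from the webroot"
    return "ok: challenge file is served correctly"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Returning None makes urllib raise HTTPError on 3xx instead of following.
    The CA validator does follow redirects, but for triage we want to see the
    first answer on port 80, not wherever a 301 to https would send us."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe_live(domain: str, expected_ip: str, token: str, expected_body: str) -> Probe:
    """Network version: resolve the name and fetch the test file over plain HTTP."""
    resolved = socket.gethostbyname(domain)
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        resp = opener.open(url, timeout=10)
        status = resp.status
        server = resp.headers.get("Server", "")
        body = resp.read().decode(errors="replace")
    except urllib.error.HTTPError as e:
        status = e.code
        server = e.headers.get("Server", "")
        body = e.read().decode(errors="replace")
    return Probe(resolved, expected_ip, status, server, body, expected_body)


if __name__ == "__main__":
    import os
    import sys
    # Usage (as root on the Droplet): triage.py community.example.com 203.0.113.10
    domain, expected_ip = sys.argv[1], sys.argv[2]
    token, content = "triage-test", "ok\n"
    os.makedirs(CHALLENGE_DIR, exist_ok=True)       # post #10: dir may not exist yet
    with open(os.path.join(CHALLENGE_DIR, token), "w") as f:
        f.write(content)
    print(triage(probe_live(domain, expected_ip, token, content)))
```

Run it as root on the server itself so it can write the test file; the DNS branch is deliberately checked first because, as the thread shows, every other symptom (Apache headers, 404s, the cPanel subdomain) was downstream of the A record pointing at the wrong host.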


(EW 👌) #17

No, this is the GoDaddy address of the main domain. I just noticed that the community. subdomain was pointed back to GoDaddy. I fixed it now; DNS is pointing to the Droplet IP, but it needs some time to propagate again.

Edit: I’ll keep checking and I’ll inform you as soon as it’s propagated.


(Felix Freiberger) #18

The change already propagated to me, and I can confirm you have an empty file named test there :tada:

Try running letsencrypt again.


(EW 👌) #19

I did it now:

root@community:/var/letsencrypt# letsencrypt certonly --webroot -w /var/www -d community.example.com -d www.community.example.com
An unexpected error occurred:
KeyError: 'server'
Please see the logfiles in /var/log/letsencrypt for more details.

(Felix Freiberger) #20

Are you on a recent version of letsencrypt? Try apt-get update && apt-get upgrade. If you got an upgrade for letsencrypt, try running it again. If not, how did you install letsencrypt?