By Ros110
I received this email from Let’s Encrypt Team:
"Your certificate (or certificates) for the names listed below will expire in 0 days (on 15 Sep 21 13:50 +0000). Please make sure to renew your certificate before then, or visitors to your web site will encounter errors.
We recommend renewing certificates automatically when they have a third of their total lifetime left. For Let’s Encrypt’s current 90-day certificates, that means renewing 30 days before expiration. See https://letsencrypt.org/docs/integration-guide/ for details.
eloo-api.hoofdindewolken.nl eloo.hoofdindewolken.nl"
I tried to renew the SSL certificates, but there are errors:
root@dokku-ubuntu-s-1vcpu-1gb-ams3-01:~# dokku letsencrypt:auto-renew eloo-backend
eloo-backend
=====> Auto-renew eloo-backend...
=====> Enabling letsencrypt for eloo-backend
-----> Enabling ACME proxy for eloo-backend...
Reloading nginx configuration (via systemctl): nginx.service.
-----> Getting letsencrypt certificate for eloo-backend...
- Domain 'eloo.hoofdindewolken.nl'
- Domain 'eloo-api.hoofdindewolken.nl'
2021/09/15 19:05:41 No key found for account richard@hoofdindewolken.nl. Generating a P256 key.
2021/09/15 19:05:41 Saved key to /certs/accounts/acme-v02.api.letsencrypt.org/richard@hoofdindewolken.nl/keys/richard@hoofdindewolken.nl.key
2021/09/15 19:05:42 [INFO] acme: Registering account for richard@hoofdindewolken.nl
!!!! HEADS UP !!!!
Your account credentials have been saved in your Let's Encrypt
configuration directory at "/certs/accounts".
You should make a secure backup of this folder now. This
configuration directory will also contain certificates and
private keys obtained from Let's Encrypt so making regular
backups of this folder is ideal.
2021/09/15 19:05:42 [INFO] [eloo.hoofdindewolken.nl, eloo-api.hoofdindewolken.nl] acme: Obtaining bundled SAN certificate
2021/09/15 19:05:43 [INFO] [eloo-api.hoofdindewolken.nl] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/31309342400
2021/09/15 19:05:43 [INFO] [eloo.hoofdindewolken.nl] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/31309342410
2021/09/15 19:05:43 [INFO] [eloo-api.hoofdindewolken.nl] acme: Could not find solver for: tls-alpn-01
2021/09/15 19:05:43 [INFO] [eloo-api.hoofdindewolken.nl] acme: use http-01 solver
2021/09/15 19:05:43 [INFO] [eloo.hoofdindewolken.nl] acme: Could not find solver for: tls-alpn-01
2021/09/15 19:05:43 [INFO] [eloo.hoofdindewolken.nl] acme: use http-01 solver
2021/09/15 19:05:43 [INFO] [eloo-api.hoofdindewolken.nl] acme: Trying to solve HTTP-01
2021/09/15 19:05:43 [INFO] [eloo-api.hoofdindewolken.nl] Served key authentication
2021/09/15 19:05:44 [INFO] [eloo-api.hoofdindewolken.nl] Served key authentication
2021/09/15 19:05:44 [INFO] [eloo-api.hoofdindewolken.nl] Served key authentication
2021/09/15 19:05:45 [INFO] [eloo-api.hoofdindewolken.nl] Served key authentication
2021/09/15 19:05:49 [INFO] [eloo-api.hoofdindewolken.nl] The server validated our request
2021/09/15 19:05:49 [INFO] [eloo.hoofdindewolken.nl] acme: Trying to solve HTTP-01
2021/09/15 19:05:57 [INFO] Skipping deactivating of valid auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/31309342400
2021/09/15 19:05:57 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/31309342410
2021/09/15 19:05:57 Could not obtain certificates:
error: one or more domains had a problem:
[eloo.hoofdindewolken.nl] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Invalid response from http://eloo.hoofdindewolken.nl/.well-known/acme-challenge/LnZdHab96VAV4fvIhnNBicce7rKPH7IVXjvTT5-mjms [76.76.21.21]: 404
-----> Certificate retrieval failed!
-----> Disabling ACME proxy for eloo-backend...
Reloading nginx configuration (via systemctl): nginx.service.
! Failed to setup letsencrypt
Check log output for further information on failure
As a result my site can’t be loaded because:
POST https://eloo-api.hoofdindewolken.nl/api/graphql gives net::ERR_CERT_DATE_INVALID.
I tried some things, and as a result the error at https://eloo.hoofdindewolken.nl/ changed to net::ERR_CONNECTION_REFUSED. Still, I am unable to renew the certificates.
Also status nginx gives:
● nginx.service - A high performance web server and a reverse proxy server
Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
Active: active (running) since Wed 2021-06-09 15:24:54 UTC; 3 months 8 days ago
Docs: man:nginx(8)
Process: 192440 ExecReload=/usr/sbin/nginx -g daemon on; master_process on; -s reload (code=exited, status=0/SUCCESS)
Main PID: 1705882 (nginx)
Tasks: 2 (limit: 1137)
Memory: 5.9M
CGroup: /system.slice/nginx.service
├─ 192441 nginx: worker process
└─1705882 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
Sep 16 08:12:20 dokku-ubuntu-s-1vcpu-1gb-ams3-01 nginx[192062]: nginx: [warn] conflicting server name "eloo.hoofdindewolken.nl" on 0.0.0.0:80, ignored
Sep 16 08:12:20 dokku-ubuntu-s-1vcpu-1gb-ams3-01 systemd[1]: Reloaded A high performance web server and a reverse proxy server.
Sep 16 08:12:43 dokku-ubuntu-s-1vcpu-1gb-ams3-01 systemd[1]: Reloading A high performance web server and a reverse proxy server.
Sep 16 08:12:43 dokku-ubuntu-s-1vcpu-1gb-ams3-01 nginx[192241]: nginx: [warn] conflicting server name "eloo.hoofdindewolken.nl" on [::]:80, ignored
Sep 16 08:12:43 dokku-ubuntu-s-1vcpu-1gb-ams3-01 nginx[192241]: nginx: [warn] conflicting server name "eloo.hoofdindewolken.nl" on 0.0.0.0:80, ignored
Sep 16 08:12:43 dokku-ubuntu-s-1vcpu-1gb-ams3-01 systemd[1]: Reloaded A high performance web server and a reverse proxy server.
Sep 16 08:12:59 dokku-ubuntu-s-1vcpu-1gb-ams3-01 systemd[1]: Reloading A high performance web server and a reverse proxy server.
Sep 16 08:12:59 dokku-ubuntu-s-1vcpu-1gb-ams3-01 nginx[192440]: nginx: [warn] conflicting server name "eloo.hoofdindewolken.nl" on [::]:80, ignored
Sep 16 08:12:59 dokku-ubuntu-s-1vcpu-1gb-ams3-01 nginx[192440]: nginx: [warn] conflicting server name "eloo.hoofdindewolken.nl" on 0.0.0.0:80, ignored
Sep 16 08:12:59 dokku-ubuntu-s-1vcpu-1gb-ams3-01 systemd[1]: Reloaded A high performance web server and a reverse proxy server.
Hello,
The error messages you’re encountering indicate a couple of issues with renewing Let’s Encrypt certificates and your Nginx configuration. Let’s break down the issues and potential solutions:
The main problem seems to be with renewing the Let’s Encrypt certificates for your domains eloo.hoofdindewolken.nl and eloo-api.hoofdindewolken.nl. The error acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Invalid response from http://eloo.hoofdindewolken.nl/.well-known/acme-challenge/... [76.76.21.21]: 404 suggests that the ACME challenge requests by Let’s Encrypt to your server are not being served correctly, resulting in a 404 Not Found error.
Possible Solutions:
Verify Domain Configuration: Ensure that both domains eloo.hoofdindewolken.nl and eloo-api.hoofdindewolken.nl are correctly pointing to your server’s IP address in DNS settings.
Check Nginx Configuration: Ensure that Nginx is correctly configured to serve files from the /.well-known/acme-challenge/ directory. This is where Let’s Encrypt expects to find the files for the HTTP-01 challenge.
Firewall Settings: Check if any firewall settings might be blocking access to the /.well-known/acme-challenge/ directory.
Manual Test: You can test this by placing a test file in the /.well-known/acme-challenge/ directory and trying to access it via your browser.
The Nginx warning conflicting server name "eloo.hoofdindewolken.nl" on 0.0.0.0:80, ignored suggests that there are multiple server blocks or configurations for the same domain name. This could be causing some of the issues you’re experiencing.
Possible Solutions:
Review Nginx Configs: Check all your Nginx configuration files for duplicate server blocks or listen directives for the same domain. This includes checking sites-enabled, conf.d directory, and the nginx.conf file.
Remove Duplicates: If you find duplicate configurations for the same domain, consolidate them into a single server block or remove the unnecessary duplicates.
Reload Nginx: After making changes, don’t forget to reload Nginx to apply the changes (sudo nginx -t to test configuration and sudo systemctl reload nginx to apply changes).
The net::ERR_CONNECTION_REFUSED error indicates that the browser is unable to establish a connection to your server. This could be due to Nginx not running or not being properly configured to accept connections for your domain.
Possible Solutions:
Check Nginx Service: Ensure Nginx is running (sudo systemctl status nginx).
Server Block Configuration: Ensure the server block for your domain is correctly configured to listen on the right port and has the correct server_name.
SSL/TLS Configuration: Since your SSL certificate is expired, consider temporarily disabling HTTPS redirection (if any) to troubleshoot the issue without SSL complications.
Best,
Bobby
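An added example, not part of the answer above and not code from Dokku or Let's Encrypt: a small triage script that reads the two kinds of log line quoted in the question and separates "the challenge was answered by a different address than this server" from "this server answered but did not serve the challenge file". The function name `triage` and the server address `203.0.113.10` are assumptions (the address is a documentation-range placeholder, since the droplet's real IP is not given on the page).

```python
import re
from collections import Counter

# Per-domain failure line printed by the ACME client in the question's output.
ACME_FAIL = re.compile(
    r"\[(?P<domain>[^\]]+)\] acme: error: (?P<acme_status>\d{3}) :: "
    r"(?P<urn>urn:ietf:params:acme:error:\w+) :: Invalid response from "
    r"(?P<url>\S+) \[(?P<ip>[0-9a-fA-F.:]+)\]: (?P<http_status>\d{3})"
)
# nginx's duplicate server_name warning as it appears in the systemd journal.
NGINX_CONFLICT = re.compile(
    r'conflicting server name "(?P<name>[^"]+)" on (?P<listen>\S+), ignored'
)

# Sample input: three lines copied from the output quoted in the question.
SAMPLE = """\
[eloo.hoofdindewolken.nl] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Invalid response from http://eloo.hoofdindewolken.nl/.well-known/acme-challenge/LnZdHab96VAV4fvIhnNBicce7rKPH7IVXjvTT5-mjms [76.76.21.21]: 404
Sep 16 08:12:43 dokku-ubuntu-s-1vcpu-1gb-ams3-01 nginx[192241]: nginx: [warn] conflicting server name "eloo.hoofdindewolken.nl" on [::]:80, ignored
Sep 16 08:12:43 dokku-ubuntu-s-1vcpu-1gb-ams3-01 nginx[192241]: nginx: [warn] conflicting server name "eloo.hoofdindewolken.nl" on 0.0.0.0:80, ignored
"""

def triage(log_text, server_ips):
    """Return (findings per failed domain, counts of duplicate server_name warnings)."""
    findings = []
    for m in ACME_FAIL.finditer(log_text):
        if m["ip"] not in server_ips:
            # The CA's validation request was answered by some other host.
            cause = "dns-points-elsewhere"
        elif m["http_status"] == "404":
            # This host answered, but the challenge path was not served.
            cause = "challenge-path-not-served"
        else:
            cause = "other"
        findings.append({"domain": m["domain"], "answered_by": m["ip"],
                         "http_status": int(m["http_status"]), "cause": cause})
    conflicts = Counter((m["name"], m["listen"])
                        for m in NGINX_CONFLICT.finditer(log_text))
    return findings, dict(conflicts)

if __name__ == "__main__":
    # Assumption: 203.0.113.10 stands in for the droplet's public address.
    print(triage(SAMPLE, {"203.0.113.10"}))
```

A `dns-points-elsewhere` finding means the validation request never reached this host, so nginx changes on the droplet cannot fix that domain until its DNS record is corrected.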