Question

HELP!! Unable to renew the LetsEncrypt SSL cert of my WordPress website running on Nginx and Ubuntu 18.04.3 (LTS) x64.

Posted July 23, 2020
Tags: Nginx, WordPress, Let's Encrypt, Ubuntu 18.04

My domain is: siddharthshukla.net
This domain is provided by Google Domains.

My website is a WordPress website, which I found to be located in the folder:
/var/lib/docker/volumes/siddharthshuklanethtdocs/data/htdocs/

My 90 days free LetsEncrypt SSL certificate has expired and I’m trying to renew it as suggested by the email I got from LetsEncrypt.

I’ve followed way too many tutorials and discussions on this topic but I’m not able to renew my certificate.

With all the methods and commands I’ve tried I always get errors like “No certs found”, “No renewals were attempted”, “invalid response from 404”, etc. Since I am not an expert at renewing certificates, I do not know what else to do here to resolve this problem.

DigitalOcean support has yet to reply to my ticket and I’m convinced I won’t get a response from them. Therefore I’ve come to seek the guidance and expertise of the community.

Please help me sort this problem out so that I can run my website normally 🙂.

Thanks & Regards

2 answers

Hi @SiddharthShukla,

You can use certbot to install Let’s Encrypt on your website.

Certbot is in very active development, so the Certbot packages provided by Ubuntu tend to be outdated. However, the Certbot developers maintain an Ubuntu software repository with up-to-date versions, so we’ll use that repository instead.

First, add the repository:

sudo add-apt-repository ppa:certbot/certbot

You’ll need to press ENTER to accept.

Install Certbot’s Nginx package with apt:

sudo apt install python-certbot-nginx

Certbot provides a variety of ways to obtain SSL certificates through plugins. The Nginx plugin will take care of reconfiguring Nginx and reloading the config whenever necessary. To use this plugin, type the following:

sudo certbot --nginx -d example.com -d www.example.com

Regards,
KFSys

  • Hi,

    Thanks for your response.

    But after running the above mentioned steps I ran into the below listed error:

    Failed authorization procedure. siddharthshukla.net (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://siddharthshukla.net/.well-known/acme-challenge/SyP86tu4zW8ZO5oX9REXXuxFuuBCH-nCsmNTWNh5NNc [159.89.164.247]: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body>\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>openresty</cente", www.siddharthshukla.net (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://siddharthshukla.net/.well-known/acme-challenge/rrG48-woQJ32JFpIZ7qMurfotWDR11_xpPJ2p3kLPCw [159.89.164.247]: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body>\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>openresty</cente"
    
    IMPORTANT NOTES:
     - The following errors were reported by the server:
    
       Domain: siddharthshukla.net
       Type:   unauthorized
       Detail: Invalid response from
       https://siddharthshukla.net/.well-known/acme-challenge/SyP86tu4zW8ZO5oX9REXXuxFuuBCH-nCsmNTWNh5NNc
       [159.89.164.247]: "<html>\r\n<head><title>404 Not
       Found</title></head>\r\n<body>\r\n<center><h1>404 Not
       Found</h1></center>\r\n<hr><center>openresty</cente"
    
       Domain: www.siddharthshukla.net
       Type:   unauthorized
       Detail: Invalid response from
       https://siddharthshukla.net/.well-known/acme-challenge/rrG48-woQJ32JFpIZ7qMurfotWDR11_xpPJ2p3kLPCw
       [159.89.164.247]: "<html>\r\n<head><title>404 Not
       Found</title></head>\r\n<body>\r\n<center><h1>404 Not
       Found</h1></center>\r\n<hr><center>openresty</cente"
    
       To fix these errors, please make sure that your domain name was
       entered correctly and the DNS A/AAAA record(s) for that domain
       contain(s) the right IP address.
    

    This is the type of error I keep getting after following any/all steps. Not sure what to do beyond this.

    • Hi @SiddharthShukla,

      I see, it’s the 301 redirect you have for https that’s preventing LE from being reinstalled. Please remove the redirect and you should be good to restart the process and issue your certificate.

      • Look, I’m not an expert in renewing or installing certs. When I set up my website I just followed a few steps from online. Can you please give me an idea of how to do that removal of the redirect?

        Also, when I run the command certbot certificates, the response is that “there are no certificates found”, when I know I installed the certificate.

        Thanks & Regards,
        Siddharth

        • Looking at the provided output

             Domain: www.siddharthshukla.net
             Type:   unauthorized
             Detail: Invalid response from
             https://siddharthshukla.net/.well-known/acme-challenge/rrG48-woQJ32JFpIZ7qMurfotWDR11_xpPJ2p3kLPCw
          

          I can see it’s trying https. As for your redirect. Most probably it’s placed in the Nginx configuration file of your domain siddharthshukla.net.

          In there you would have something like the following server block:

          server {
              listen 80 default_server;
          
              server_name _;
          
              return 301 https://$host$request_uri;
          }
          

          Regards,
          KFSys

          • Hi,

            I did some searching through FileZilla and found that the certs and probably the conf files are located in this path:

            /var/lib/docker/volumes/

            (Also attached the screenshot of the folder and path).

            I found there are 2 conf files: default.conf and siddharthshukla.net-redirect.conf.

            The contents of default.conf are:

            # If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the
            # scheme used to connect to this server
            map $http_x_forwarded_proto $proxy_x_forwarded_proto {
              default $http_x_forwarded_proto;
              ''      $scheme;
            }
            # If we receive X-Forwarded-Port, pass it through; otherwise, pass along the
            # server port the client connected to
            map $http_x_forwarded_port $proxy_x_forwarded_port {
              default $http_x_forwarded_port;
              ''      $server_port;
            }
            # If we receive Upgrade, set Connection to "upgrade"; otherwise, delete any
            # Connection header that may have been passed to this server
            map $http_upgrade $proxy_connection {
              default upgrade;
              '' close;
            }
            # Apply fix for very long server names
            server_names_hash_bucket_size 128;
            # Default dhparam
            ssl_dhparam /etc/nginx/dhparam/dhparam.pem;
            # Set appropriate X-Forwarded-Ssl header
            map $scheme $proxy_x_forwarded_ssl {
              default off;
              https on;
            }
            gzip_types text/plain text/css application/javascript application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
            log_format vhost '$host $remote_addr - $remote_user [$time_local] '
                             '"$request" $status $body_bytes_sent '
                             '"$http_referer" "$http_user_agent"';
            resolver 127.0.0.11;
            # HTTP 1.1 support
            proxy_http_version 1.1;
            proxy_buffering off;
            proxy_set_header Host $http_host;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $proxy_connection;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
            proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl;
            proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port;
            proxy_set_header X-Original-URI $request_uri;
            # Mitigate httpoxy attack (see README for details)
            proxy_set_header Proxy "";
            server {
                server_name _; # This is just an invalid value which will never trigger on a real hostname.
                listen 80;
                return 503;
            }
            # siddharthshukla.net/
            upstream siddharthshukla.net-42099b4af021e53fd8fd4e056c2568d7c2e3ffa8 {
                # Cannot connect to network of this container
                server 127.0.0.1 down;
                ## Can be connected with "ee-global-frontend-network" network
                # siddharthshuklanet_nginx_1
                server 172.19.0.3:80;
                # Cannot connect to network of this container
                server 127.0.0.1 down;
            }
            server {
                server_name siddharthshukla.net;
                listen 80 ;
                return 301 https://$host$request_uri;
            }
            server {
                server_name siddharthshukla.net;
                listen 443 ssl http2 ;
                ssl_protocols TLSv1.2 TLSv1.3;
                ssl_ciphers '<key here>';
                ssl_prefer_server_ciphers on;
                ssl_session_timeout 5m;
                ssl_session_cache shared:SSL:50m;
                ssl_session_tickets off;
                ssl_certificate /etc/nginx/certs/siddharthshukla.net.crt;
                ssl_certificate_key /etc/nginx/certs/siddharthshukla.net.key;
                ssl_stapling on;
                ssl_stapling_verify on;
                ssl_trusted_certificate /etc/nginx/certs/siddharthshukla.net.chain.pem;
                location / {
                    proxy_pass http://siddharthshukla.net-42099b4af021e53fd8fd4e056c2568d7c2e3ffa8/;
                }
                location /ee-admin/ {
                    proxy_pass http://siddharthshukla.net-42099b4af021e53fd8fd4e056c2568d7c2e3ffa8;
                    auth_basic      "Restricted siddharthshukla.net  Admin Tools";
                    auth_basic_user_file    /etc/nginx/htpasswd/default_admin_tools;
                    include /etc/nginx/vhost.d/default_acl;
                }
            }
            

            and the contents of siddharthshukla.net-redirect.conf are:

            server {
                listen  80;
                server_name  www.siddharthshukla.net;
                return  301 https://siddharthshukla.net$request_uri;
            }
            server {
                listen  443;
                ssl_protocols TLSv1.2 TLSv1.3;
                ssl_ciphers '<key here>';
                ssl_prefer_server_ciphers on;
                ssl_session_timeout 5m;
                ssl_session_cache shared:SSL:50m;
                ssl_session_tickets off;
                ssl_certificate /etc/nginx/certs/siddharthshukla.net.crt;
                ssl_certificate_key /etc/nginx/certs/siddharthshukla.net.key;
                server_name  www.siddharthshukla.net;
                return  301 https://siddharthshukla.net$request_uri;
            }
            

            Now my question to you is: Are these the correct Nginx conf files, and in which of these should I comment out the redirect line?

            Also I want to know: in most cases the certs and conf files are located under the /etc/nginx/ path. Why is it that mine are located in a different folder, and should we not try to target that different folder when trying to renew the certs?

            Best,
            Siddharth

Hi,

Looking at the files, they both contain redirection rules for your domain siddharthshukla.net. Having said that, I’d recommend commenting them both out to see if you’ll be able to renew your certificate afterwards.
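Both answers point at the same thing: every `listen 80` block in the posted configs answers with a 301 to https, so the HTTP-01 request for /.well-known/acme-challenge/<token> is redirected, and the HTTPS side (the openresty 404 in the error) does not serve the token either. Two details in the posted config are also worth noting before running anything on the host: the vhost lives in a Docker volume and proxies to a container (`172.19.0.3:80` on `ee-global-frontend-network`), and `certbot certificates` on the host reports nothing, which is consistent with the certificate under /etc/nginx/certs/ never having been issued by the host's certbot. A host-side `certbot --nginx` therefore cannot reconfigure that nginx; whatever renews the certificate has to make the token reachable through the containerised proxy. The script below is an added example for checking exactly that, not code from the thread, from certbot, EasyEngine or nginx-proxy. It assumes bash (or POSIX sh), curl, awk and mktemp; DOMAIN, WEBROOT and the config path are placeholders, and the sample config inside it is constructed to mirror the shape of the posted default.conf rather than being the poster's file. The `fixed.example.net` block in that sample shows the usual remedy: a `location ^~ /.well-known/acme-challenge/` served from a webroot before the catch-all redirect.

```shell
#!/usr/bin/env bash
# HTTP-01 renewal preflight for an nginx that redirects port 80 to HTTPS.
# Added example for this thread; not code from the original poster, certbot,
# EasyEngine or nginx-proxy. Assumes bash/sh, curl, awk and mktemp; DOMAIN,
# WEBROOT and config paths are placeholders supplied by the caller.
set -u

# Classify what the CA's validator sees at http://DOMAIN/.well-known/acme-challenge/TOKEN.
# Args: HTTP status, Location header (may be empty), response body, expected token.
# Prints: ok | redirected | wrong-body | not-served
# A 301/302 to https is exactly what the thread's port-80 blocks return; the CA
# follows it, so the HTTPS side must then serve the token or the challenge fails.
classify_acme_response() {
  local status="$1" location="$2" body="$3" token="$4"
  case "$status" in
    200) if [ "$body" = "$token" ]; then echo ok; else echo wrong-body; fi ;;
    301|302|307|308) echo redirected ;;
    *) echo not-served ;;
  esac
}

# Report every `listen 80` server block in an nginx config that issues a
# redirect but has no location for /.well-known/acme-challenge/, i.e. blocks
# that redirect (or 404) the challenge instead of answering it.
# Prints the server_name of each offending block. Recognises plain
# "listen 80" only, not "listen [::]:80".
find_redirecting_port80_blocks() {
  awk '
    /^[ \t]*server[ \t]*\{/ { inblk = 1; depth = 0; name = ""; p80 = 0; redir = 0; acme = 0 }
    inblk {
      depth += gsub(/\{/, "{") - gsub(/\}/, "}")
      if ($0 ~ /listen[ \t]+80[ \t;]/)                         p80 = 1
      if ($0 ~ /return[ \t]+30[1278][ \t]+https:/)             redir = 1
      if ($0 ~ /location[ \t]+.*\.well-known\/acme-challenge/) acme = 1
      if ($0 ~ /server_name[ \t]/) { sub(/.*server_name[ \t]+/, ""); sub(/;.*/, ""); name = $0 }
      if (depth <= 0) { if (p80 && redir && !acme) print name; inblk = 0 }
    }
  ' "$1"
}

# Live check: place a token in WEBROOT and fetch it over plain HTTP without
# following redirects, which is how an HTTP-01 validation starts.
# Usage: acme_preflight DOMAIN WEBROOT   (returns 0 only when the token is served)
acme_preflight() {
  local domain="$1" webroot="$2"
  local dir="$webroot/.well-known/acme-challenge"
  local token="preflight-$(date +%s)-$$"
  mkdir -p "$dir" && printf '%s' "$token" > "$dir/$token" || return 2
  local hdr body status location verdict
  hdr=$(mktemp) && body=$(mktemp)
  status=$(curl -sS -o "$body" -D "$hdr" -w '%{http_code}' \
           "http://$domain/.well-known/acme-challenge/$token" 2>/dev/null || true)
  location=$(awk 'tolower($1) == "location:" { print $2 }' "$hdr" | tr -d '\r')
  verdict=$(classify_acme_response "$status" "$location" "$(cat "$body")" "$token")
  rm -f "$hdr" "$body" "$dir/$token"
  echo "$domain: $verdict (HTTP $status${location:+ -> $location})"
  [ "$verdict" = ok ]
}

# Constructed sample shaped like the thread's default.conf (not the poster's
# file): one port-80 block that only redirects, plus the fixed form that
# answers the challenge before redirecting everything else.
sample_nginx_conf() {
  cat <<'EOF'
server {
    server_name _;
    listen 80;
    return 503;
}
server {
    server_name example.net;
    listen 80 ;
    return 301 https://$host$request_uri;
}
server {
    server_name example.net;
    listen 443 ssl http2 ;
    location / { proxy_pass http://example.net-upstream/; }
}
server {
    server_name fixed.example.net;
    listen 80;
    location ^~ /.well-known/acme-challenge/ { root /var/www/acme; }
    location / { return 301 https://$host$request_uri; }
}
EOF
}

case "${1:-}" in
  --scan)  find_redirecting_port80_blocks "$2" ;;   # --scan /path/to/default.conf
  --check) acme_preflight "$2" "$3" ;;              # --check DOMAIN WEBROOT
  --demo)  tmp=$(mktemp); sample_nginx_conf > "$tmp"
           echo "port-80 blocks that swallow the challenge:"
           find_redirecting_port80_blocks "$tmp"; rm -f "$tmp" ;;
esac
```

Run `--scan` against each conf file pulled out of the Docker volume to see which blocks need the acme-challenge location; on the posted files it would flag the `siddharthshukla.net` block in default.conf and the `www.siddharthshukla.net` block in the redirect conf. Run `--check` after the fix, from a machine outside the droplet if possible, and only attempt issuance once it reports `ok`; the webroot given to `--check` has to be the one the containerised nginx actually serves for that location, which is why the `--nginx` plugin on the host is the wrong tool here.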
