URGENT - SSL Certificate Let's Encrypt won't renew - Site is unsecure.

December 16, 2017
Nginx Ubuntu 16.04

Hello,

Having a little issue with Let's Encrypt. Up until now it's been working fine, with no issues. It was all set up and the bot was renewing itself. Unfortunately though, at the moment it's not going to renew. So my site is actually showing up with a warning sign.


root@just-venue:~# sudo certbot renew --dry-run 
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/www.justvenue.co.uk.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.justvenue.co.uk
http-01 challenge for justvenue.co.uk
http-01 challenge for justvenue.com
http-01 challenge for www.justvenue.com
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (www.justvenue.co.uk) from /etc/letsencrypt/renewal/www.justvenue.co.uk.conf produced an unexpected error: Failed authorization procedure. www.justvenue.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.justvenue.com/.well-known/acme-challenge/KX2Flbj9TAfxAjr738kHX_u8As5pkrmCtqjUPTx5rAU: "<!DOCTYPE html>
<html lang="">
<head>
    <meta charset="UTF-8">
    <meta name="description" content="Book local Venues online ", justvenue.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://justvenue.com/.well-known/acme-challenge/ED8NnBYpViODRBHyta1OFDUNzxrH657-FQBGadk4eys: "<!DOCTYPE html>
<html lang="">
<head>
    <meta charset="UTF-8">
    <meta name="description" content="Book local Venues online ". Skipping.

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/justvenue.co.uk.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for justvenue.co.uk
tls-sni-01 challenge for www.justvenue.co.uk
Waiting for verification...
Cleaning up challenges

-------------------------------------------------------------------------------
new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/justvenue.co.uk/fullchain.pem
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/justvenue.co.uk-0001.conf
-------------------------------------------------------------------------------
Cert not due for renewal, but simulating renewal for dry run
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',)
Attempting to renew cert (justvenue.co.uk-0001) from /etc/letsencrypt/renewal/justvenue.co.uk-0001.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',). Skipping.
The following certs could not be renewed:
  /etc/letsencrypt/live/www.justvenue.co.uk/fullchain.pem (failure)
  /etc/letsencrypt/live/justvenue.co.uk-0001/fullchain.pem (failure)

-------------------------------------------------------------------------------
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

The following certs were successfully renewed:
  /etc/letsencrypt/live/justvenue.co.uk/fullchain.pem (success)

The following certs could not be renewed:
  /etc/letsencrypt/live/www.justvenue.co.uk/fullchain.pem (failure)
  /etc/letsencrypt/live/justvenue.co.uk-0001/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
-------------------------------------------------------------------------------
2 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: www.justvenue.com
   Type:   unauthorized
   Detail: Invalid response from
   http://www.justvenue.com/.well-known/acme-challenge/KX2Flbj9TAfxAjr738kHX_u8As5pkrmCtqjUPTx5rAU:
   "<!DOCTYPE html>
   <html lang="">
   <head>
       <meta charset="UTF-8">
       <meta name="description" content="Book local Venues online "

   Domain: justvenue.com
   Type:   unauthorized
   Detail: Invalid response from
   http://justvenue.com/.well-known/acme-challenge/ED8NnBYpViODRBHyta1OFDUNzxrH657-FQBGadk4eys:
   "<!DOCTYPE html>
   <html lang="">
   <head>
       <meta charset="UTF-8">
       <meta name="description" content="Book local Venues online "

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

Anyone know how I can fix the above?

1 Answer

With HTTP verification, certbot stores files in the /.well-known/acme-challenge path that are used to verify that you indeed own the domain so that Let's Encrypt can issue you a certificate. However, it looks like nginx isn't serving those files but is instead serving the website itself.

Does your website's root directory match the one in /etc/letsencrypt/renewal/www.justvenue.co.uk.conf? Have you changed anything in the nginx config since it last worked?
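
One way to run the check the answer describes, as an added example that is not part of the original thread: it reads the `[[webroot_map]]` section certbot writes to a renewal file for the webroot authenticator, drops a probe file in each listed webroot, and fetches it over HTTP the way the CA fetches a challenge token. The function names and the `FETCH` override are assumptions of this example; it needs write access to the webroot.

```shell
#!/bin/sh
# Added example (not from the thread): confirm that the directories certbot's
# webroot authenticator writes to are the ones the web server serves.

# Print "domain webroot" for each entry under [[webroot_map]] in a renewal conf.
webroot_map() {
  awk '
    /^[ \t]*\[\[webroot_map\]\]/ { in_map = 1; next }
    /^[ \t]*\[/                  { in_map = 0 }
    in_map && (i = index($0, "=")) {
      d = substr($0, 1, i - 1); p = substr($0, i + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", d); gsub(/^[ \t]+|[ \t]+$/, "", p)
      print d " " p
    }' "$1"
}

# Drop a probe file in WEBROOT and fetch it over HTTP, as the CA fetches a token.
# FETCH can be overridden (assumption of this example) to test without a network.
probe() {  # probe DOMAIN WEBROOT
  dir="$2/.well-known/acme-challenge"
  token="probe-$$"
  mkdir -p "$dir" || return 2
  printf '%s' "$token" > "$dir/$token" || return 2
  body=$(${FETCH:-curl -fsS --max-time 10} \
    "http://$1/.well-known/acme-challenge/$token" 2>/dev/null)
  rm -f "$dir/$token"
  [ "$body" = "$token" ]
}

# Probe every domain in the renewal conf; non-zero exit if any mismatch.
check_conf() {  # check_conf RENEWAL_CONF
  rc=0
  map=$(webroot_map "$1")
  while read -r domain webroot; do
    [ -n "$domain" ] || continue
    if probe "$domain" "$webroot"; then
      echo "OK   $domain serves $webroot"
    else
      echo "FAIL $domain does not serve files written to $webroot"
      rc=1
    fi
  done <<EOF
$map
EOF
  return $rc
}

if [ "$#" -gt 0 ]; then check_conf "$1"; fi
```

Run it with the renewal file as the only argument, for example /etc/letsencrypt/renewal/www.justvenue.co.uk.conf. A FAIL line for a domain means nginx is answering that challenge URL from somewhere other than the listed webroot.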
