Since upgrading Certbot from version 1.7.0 to 1.11.0, I have been getting different errors for different domain names when running the certbot renew command.
When renewing webfoobar.com:
certbot renew --cert-name webfoobar.com --dry-run
I get an Invalid response AuthorizationError:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/webfoobar.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Running pre-hook command: service nginx stop
Error output from pre-hook command service:
Redirecting to /bin/systemctl stop nginx.service
Simulating renewal of an existing certificate for webfoobar.com and www.webfoobar.com
Performing the following challenges:
http-01 challenge for webfoobar.com
http-01 challenge for www.webfoobar.com
Using the webroot path /var/www/letsencrypt for all unmatched domains.
Waiting for verification...
Challenge failed for domain webfoobar.com
Challenge failed for domain www.webfoobar.com
http-01 challenge for webfoobar.com
http-01 challenge for www.webfoobar.com
Cleaning up challenges
Failed to renew certificate webfoobar.com with error: Some challenges have failed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All simulated renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/webfoobar.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Running post-hook command: service nginx start
Error output from post-hook command service:
Redirecting to /bin/systemctl start nginx.service
1 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: webfoobar.com
Type: unauthorized
Detail: Invalid response from
http://webfoobar.com/.well-known/acme-challenge/sW1cig3OCrgDtMPN9Hh3J8ziTzdwJP-SqrHuQGY4hMY
[2606:4700:3037::6815:18db]: "<!DOCTYPE html>\n<!--[if lt IE 7]>
<html class=\"no-js ie6 oldie\" lang=\"en-US\">
<![endif]-->\n<!--[if IE 7]> <html class=\"no-js "
Domain: www.webfoobar.com
Type: unauthorized
Detail: Invalid response from
http://www.webfoobar.com/.well-known/acme-challenge/-Mvi36amf9RAOBionDe-A8Jz7JPoNlTnE6Ae58yAvZw
[2606:4700:3036::ac43:dcdb]: "<!DOCTYPE html>\n<!--[if lt IE 7]>
<html class=\"no-js ie6 oldie\" lang=\"en-US\">
<![endif]-->\n<!--[if IE 7]> <html class=\"no-js "
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
And when renewing the other domain test8.webfoobar.com:
certbot renew --cert-name test8.webfoobar.com --dry-run
I get a Connection refused AuthorizationError:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/test8.webfoobar.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Running pre-hook command: service nginx stop
Error output from pre-hook command service:
Redirecting to /bin/systemctl stop nginx.service
Simulating renewal of an existing certificate for test8.webfoobar.com
Performing the following challenges:
http-01 challenge for test8.webfoobar.com
Using the webroot path /var/www/letsencrypt for all unmatched domains.
Waiting for verification...
Challenge failed for domain test8.webfoobar.com
http-01 challenge for test8.webfoobar.com
Cleaning up challenges
Failed to renew certificate test8.webfoobar.com with error: Some challenges have failed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All simulated renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/test8.webfoobar.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Running post-hook command: service nginx start
Error output from post-hook command service:
Redirecting to /bin/systemctl start nginx.service
1 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: test8.webfoobar.com
Type: connection
Detail: Fetching
http://test8.webfoobar.com/.well-known/acme-challenge/Zf2mCUBxHaTPQt_agLIwK69ftt3jvBfaEqJmWpYRDOc:
Connection refused
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
My Nginx configuration for handling Let's Encrypt requests is unchanged:
location ^~ /.well-known/acme-challenge/ {
    # Serve the http-01 token files certbot writes under the webroot
    allow all;
    root /var/www/letsencrypt;
    default_type "text/plain";
    # Anything not present on disk gets a 404 rather than falling through
    try_files $uri =404;
}
I ran the basic tests below and found no issues.
IPv4 test file access:
curl -IkL4 http://webfoobar.com/.well-known/acme-challenge/test.htm
The /.well-known/acme-challenge/ path is reachable over IPv4:
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 27 Aug 2021 14:38:58 GMT
Content-Type: text/plain
Content-Length: 3
Last-Modified: Mon, 30 Mar 2020 16:25:22 GMT
Connection: keep-alive
Keep-Alive: timeout=75
ETag: "8a821d72-3"
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
X-Content-Options: nosniff
Cache-Control: s-maxage=10
Accept-Ranges: bytes
IPv6 test file access:
curl -IkL6 http://webfoobar.com/.well-known/acme-challenge/test.htm
The /.well-known/acme-challenge/ path is reachable over IPv6 as well:
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 27 Aug 2021 14:39:19 GMT
Content-Type: text/plain
Content-Length: 3
Last-Modified: Mon, 30 Mar 2020 16:25:22 GMT
Connection: keep-alive
Keep-Alive: timeout=75
ETag: "8a821d72-3"
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
X-Content-Options: nosniff
Cache-Control: s-maxage=10
Accept-Ranges: bytes
Checked that ports 80 and 443 are not blocked by the firewall for IPv4:
iptables -L | grep http
Ports 80 and 443 are open:
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:http
Checked that ports 80 and 443 are not blocked by the firewall for IPv6:
ip6tables -L | grep http
Ports 80 and 443 are open here as well:
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:http
Checked that Nginx is listening on ports 80 and 443:
netstat -pant | grep -i nginx
No issue in Nginx either; it is listening on ports 80 and 443 over both IPv4 and IPv6:
tcp 0 0 104.21.24.219:80 0.0.0.0:* LISTEN 18309/nginx: master
tcp 0 0 104.21.24.219:443 0.0.0.0:* LISTEN 18309/nginx: master
tcp6 0 0 2606:4700:3037:0:0::80 :::* LISTEN 18309/nginx: master
tcp6 0 0 2606:4700:3037:0:0:443 :::* LISTEN 18309/nginx: master
None of the common checks turned up anything that would explain these Connection refused and Invalid response authorization errors. Certbot renewal had been working for several months, and the only change was the Certbot upgrade from version 1.7.0 to 1.11.0. I set up a new server, installed Let's Encrypt Certbot for Nginx and investigated the changes from version 1.7.0 to 1.11.0. I found that the lines containing "post_hook" and "pre_hook" from version 1.7.0 had been removed from the renewal configuration file.
The log above also shows why these two lines matter: "Running pre-hook command: service nginx stop" executes before the http-01 challenges, so with the webroot authenticator nothing is left to serve the token from /var/www/letsencrypt. The validation server then gets Connection refused (test8.webfoobar.com) or an HTML page instead of the token (webfoobar.com), while the curl tests above pass because Nginx was running when they were made. Stopping the web server in a pre-hook only makes sense with the standalone authenticator, which binds port 80 itself.
To fix this issue, open the renewal configuration file:
vi /etc/letsencrypt/renewal/webfoobar.com.conf
Then remove or comment out the lines that contain "post_hook" and "pre_hook":
# renew_before_expiry = 30 days
version = 1.11.0
archive_dir = /etc/letsencrypt/archive/webfoobar.com
cert = /etc/letsencrypt/live/webfoobar.com/cert.pem
privkey = /etc/letsencrypt/live/webfoobar.com/privkey.pem
chain = /etc/letsencrypt/live/webfoobar.com/chain.pem
fullchain = /etc/letsencrypt/live/webfoobar.com/fullchain.pem
# Options used in the renewal process
[renewalparams]
authenticator = webroot
account = 8a62c56d679110288d8aeb17cbc597ed
webroot_path = /var/www/letsencrypt,
server = https://acme-v02.api.letsencrypt.org/directory
#post_hook = service nginx start
#pre_hook = service nginx stop
manual_public_ip_logging_ok = None
[[webroot_map]]
webfoobar.com = /var/www/letsencrypt
www.webfoobar.com = /var/www/letsencrypt
Do the same for the other domains, then test again:
certbot renew --cert-name webfoobar.com --dry-run
The dry run now completes successfully. For reference, the renewal configuration for test8.webfoobar.com after the same edit looks like this:
# renew_before_expiry = 30 days
version = 1.11.0
archive_dir = /etc/letsencrypt/archive/test8.webfoobar.com
cert = /etc/letsencrypt/live/test8.webfoobar.com/cert.pem
privkey = /etc/letsencrypt/live/test8.webfoobar.com/privkey.pem
chain = /etc/letsencrypt/live/test8.webfoobar.com/chain.pem
fullchain = /etc/letsencrypt/live/test8.webfoobar.com/fullchain.pem
# Options used in the renewal process
[renewalparams]
authenticator = webroot
account = 8a62c56d679110288d8aeb17cbc597ed
webroot_path = /var/www/letsencrypt,
server = https://acme-v02.api.letsencrypt.org/directory
#post_hook = service nginx start
#pre_hook = service nginx stop
manual_public_ip_logging_ok = None
[[webroot_map]]
test8.webfoobar.com = /var/www/letsencrypt
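To find every renewal configuration that still carries this combination before editing them one by one, here is an added check in POSIX sh; it is not code from the original post or from Certbot. It assumes the "key = value" layout Certbot writes under [renewalparams] and a default directory of /etc/letsencrypt/renewal, and it embeds two constructed configs (example.com is a placeholder) modelled on the ones above.

```shell
#!/bin/sh
# Added example, not code from the original post or from Certbot: audit
# /etc/letsencrypt/renewal/*.conf for the combination that broke the renewals
# above, "authenticator = webroot" together with a pre_hook that stops the
# web server. Assumes the "key = value" layout Certbot writes under
# [renewalparams]; the default directory is an assumption and can be overridden.

# Print the value of key $2 from the [renewalparams] section of file $1
# (commented-out lines and the [[webroot_map]] section are ignored).
renewal_param() {
    awk -v key="$2" '
        /^\[/ { in_params = ($0 == "[renewalparams]"); next }
        in_params && $0 !~ /^[ \t]*#/ {
            split($0, kv, "=")
            gsub(/^[ \t]+|[ \t]+$/, "", kv[1])
            if (kv[1] == key) { sub(/^[^=]*=[ \t]*/, ""); print; exit }
        }' "$1"
}

# List every config whose pre_hook stops something while using webroot.
# Returns 0 when nothing was flagged, 1 otherwise.
check_renewal_hooks() {
    dir="${1:-/etc/letsencrypt/renewal}"
    status=0
    for conf in "$dir"/*.conf; do
        [ -f "$conf" ] || continue
        auth=$(renewal_param "$conf" authenticator)
        pre=$(renewal_param "$conf" pre_hook)
        case "$pre" in
            *stop*)
                if [ "$auth" = "webroot" ]; then
                    echo "$conf: authenticator=webroot but pre_hook=\"$pre\" stops the web server before the http-01 challenge"
                    status=1
                fi ;;
        esac
    done
    return "$status"
}

# Two constructed configs modelled on the ones in the post (example.com is a
# placeholder): one still carrying the hooks, one with them commented out.
write_sample_configs() {
    cat > "$1/broken.conf" <<'EOF'
version = 1.11.0
archive_dir = /etc/letsencrypt/archive/example.com
[renewalparams]
authenticator = webroot
webroot_path = /var/www/letsencrypt,
post_hook = service nginx start
pre_hook = service nginx stop
[[webroot_map]]
example.com = /var/www/letsencrypt
EOF
    cat > "$1/fixed.conf" <<'EOF'
version = 1.11.0
[renewalparams]
authenticator = webroot
webroot_path = /var/www/letsencrypt,
#post_hook = service nginx start
#pre_hook = service nginx stop
[[webroot_map]]
example.com = /var/www/letsencrypt
EOF
}

# Usage: sh check_hooks.sh --demo          (runs on the constructed configs)
#        sh check_hooks.sh --audit [DIR]   (audits DIR, default /etc/letsencrypt/renewal)
case "${1:-}" in
    --demo)
        demo_dir=$(mktemp -d)
        write_sample_configs "$demo_dir"
        check_renewal_hooks "$demo_dir" || true
        rm -rf "$demo_dir"
        ;;
    --audit)
        check_renewal_hooks "${2:-}"
        ;;
esac
```

The audit only flags files where the authenticator is webroot; a standalone config with the same pre_hook is left alone, since stopping the web server is exactly what standalone needs to bind port 80.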