When I tried to renew my Let's Encrypt SSL certificate with "sudo letsencrypt renew", I ran into an error. It said "produced an unexpected error: Failed authorization procedure."
It took me a minute to realize that Let's Encrypt was checking the acme-challenge authorization over HTTPS instead of HTTP.
This happened because I force all traffic to HTTPS, so the validator followed the redirect to port 443, and I had only set up the acme-challenge location for port 80, not for port 443.
Yes, the easy solution is to copy the acme-challenge configuration into your port 443 server block in NGINX.
For full understanding, here are the logs:
sudo letsencrypt renew
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/yodiaditya.com.conf
-------------------------------------------------------------------------------
2019-09-24 05:09:35,886:WARNING:certbot.renewal:Attempting to renew cert from /etc/letsencrypt/renewal/yodiaditya.com.conf produced an unexpected error: Failed authorization procedure. yodiaditya.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://www.yodiaditya.com/.well-known/acme-challenge/ek23rE1VgNeCCgmN25AsZvUUjUaEq4swxjX4sOyhb3k [13.228.15.1]: "<!DOCTYPE html>\n<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US">\n<head>\n <meta charset="UTF-8" />\n <meta name="viewpor". Skipping.
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/www.yodiaditya.com.conf
-------------------------------------------------------------------------------
2019-09-24 05:09:40,613:WARNING:certbot.renewal:Attempting to renew cert from /etc/letsencrypt/renewal/www.yodiaditya.com.conf produced an unexpected error: Failed authorization procedure. www.yodiaditya.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://www.yodiaditya.com/.well-known/acme-challenge/DUFLVpW6oNRiDJmS2_ctHSziTfpPn8laYb_dJCp1eUA [13.228.15.1]: "<!DOCTYPE html>\n<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US">\n<head>\n <meta charset="UTF-8" />\n <meta name="viewpor". Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/yodiaditya.com/fullchain.pem (failure)
  /etc/letsencrypt/live/www.yodiaditya.com/fullchain.pem (failure)
2 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: www.yodiaditya.com
   Type:   unauthorized
   Detail: Invalid response from https://www.yodiaditya.com/.well-known/acme-challenge/DUFLVpW6oNRiDJmS2_ctHSziTfpPn8laYb_dJCp1eUA [13.228.15.1]: "<!DOCTYPE html>\n<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US">\n<head>\n <meta charset="UTF-8" />\n <meta name="viewpor"

   To fix these errors, please make sure that your domain name was entered correctly and the DNS A record(s) for that domain contain(s) the right IP address.
 - The following errors were reported by the server:

   Domain: yodiaditya.com
   Type:   unauthorized
   Detail: Invalid response from https://www.yodiaditya.com/.well-known/acme-challenge/ek23rE1VgNeCCgmN25AsZvUUjUaEq4swxjX4sOyhb3k [13.228.15.1]: "<!DOCTYPE html>\n<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US">\n<head>\n <meta charset="UTF-8" />\n <meta name="viewpor"

   To fix these errors, please make sure that your domain name was entered correctly and the DNS A record(s) for that domain contain(s) the right IP address.
Here are the steps to fix this issue.
1. Add the .well-known/acme-challenge location to the SSL (port 443) server block as well, because all HTTP traffic is redirected to HTTPS in NGINX, so that is where the validation request ends up
server {
    server_name www.yodiaditya.com yodiaditya.com;
    listen 80;

    # Answer the ACME challenge directly over HTTP. The redirect lives in "location /"
    # rather than at server level: a server-level "return 301" runs before location
    # matching and would make this block unreachable.
    location ~ /\.well-known/acme-challenge/ {
        allow all;
        root /var/www/letsencrypt;
        try_files $uri =404;
    }

    # Everything else is forced to HTTPS.
    location / {
        return 301 https://www.yodiaditya.com$request_uri;
    }
}

server {
    listen 443 ssl;          # "listen ... ssl" already enables TLS; the deprecated "ssl on;" is not needed
    listen [::]:443 ssl;
    server_name www.yodiaditya.com;
    # ssl_certificate and ssl_certificate_key directives omitted here

    # The validator follows the HTTP -> HTTPS redirect, so the challenge
    # location must exist on the SSL server block too.
    location ~ /\.well-known/acme-challenge/ {
        allow all;
        root /var/www/letsencrypt;
        try_files $uri =404;
    }
}
2. If the issue persists, make sure the webroot folder (/var/www/letsencrypt) is writable by the user running letsencrypt
3. Reload the NGINX service with "sudo service nginx reload" and run the renewal again with "sudo letsencrypt renew"
Now it’s done!
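Before running the renewal again, it is worth checking that a challenge file placed in the webroot is actually reachable through the URL the validator will use, with redirects followed, because each failed validation counts against Let's Encrypt's rate limits. The script below is an added example, not code from the original post: it writes a throwaway token under .well-known/acme-challenge/, fetches it the way the HTTP-01 validator does, and tells the three cases apart that the post's log illustrates (token served directly, token served after a 301 redirect, and an HTML page returned instead of the token). The three local test servers, the webroot directory and the key-authorization string are constructed stand-ins for the real vhosts; against a live site you would call check_challenge with the site's own URL after writing the token into /var/www/letsencrypt.

```python
"""Pre-flight check for an HTTP-01 challenge path (added example, not from the original post)."""
import http.server
import os
import secrets
import tempfile
import threading
import urllib.error
import urllib.request
from functools import partial

CHALLENGE_DIR = ".well-known/acme-challenge"


def write_token(webroot, token, key_authorization):
    """Create <webroot>/.well-known/acme-challenge/<token> holding the key authorization."""
    challenge_path = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(challenge_path, exist_ok=True)
    with open(os.path.join(challenge_path, token), "w", encoding="utf-8") as fh:
        fh.write(key_authorization)


def check_challenge(base_url, token, expected):
    """Fetch the challenge URL (following redirects, as the validator does) and classify the reply."""
    url = f"{base_url.rstrip('/')}/{CHALLENGE_DIR}/{token}"
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            body = resp.read().decode("utf-8", "replace")
            final_url = resp.geturl()          # where the request ended up after any 301/302
    except urllib.error.HTTPError as exc:
        return {"ok": False, "status": exc.code, "final_url": url,
                "reason": f"HTTP {exc.code}: token file not found or location not served"}
    except urllib.error.URLError as exc:
        return {"ok": False, "status": None, "final_url": url,
                "reason": f"connection failed: {exc.reason}"}
    if body.strip() == expected:
        return {"ok": True, "status": 200, "final_url": final_url, "reason": "token served correctly"}
    if "<html" in body.lower():
        # The symptom in the post's log: the vhost that answered has no acme-challenge location.
        reason = "HTML page returned instead of token (acme-challenge location missing on answering vhost)"
    else:
        reason = "unexpected body"
    return {"ok": False, "status": 200, "final_url": final_url, "reason": reason}


class QuietFileHandler(http.server.SimpleHTTPRequestHandler):
    """Serves files from a webroot, like the correctly configured vhost; no request logging."""
    def log_message(self, *args):
        pass


class HtmlOnlyHandler(http.server.BaseHTTPRequestHandler):
    """Simulates a vhost that answers every path with the site's HTML page (the misconfigured 443 block)."""
    def do_GET(self):
        body = b'<!DOCTYPE html>\n<html lang="en-US">\n<head>\n <meta charset="UTF-8" />\n</head><body>home</body></html>'
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass


def make_redirect_handler(target_base):
    """Simulates the port-80 vhost that 301-redirects everything to the HTTPS vhost at target_base."""
    class RedirectHandler(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            self.send_response(301)
            self.send_header("Location", target_base + self.path)
            self.send_header("Content-Length", "0")
            self.end_headers()

        def log_message(self, *args):
            pass
    return RedirectHandler


def serve(handler_factory):
    """Start a throwaway local HTTP server on an ephemeral port; returns (server, base_url)."""
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler_factory)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def run_demo():
    """Exercise three cases: token served directly, served via a redirect, and replaced by HTML."""
    token = secrets.token_urlsafe(32)
    key_authorization = f"{token}.CONSTRUCTED-ACCOUNT-THUMBPRINT"  # constructed; real value is token.<JWK thumbprint>
    results = {}
    with tempfile.TemporaryDirectory() as webroot:                # constructed stand-in for /var/www/letsencrypt
        write_token(webroot, token, key_authorization)
        webroot_srv, webroot_url = serve(partial(QuietFileHandler, directory=webroot))
        redirect_srv, redirect_url = serve(make_redirect_handler(webroot_url))
        html_srv, html_url = serve(HtmlOnlyHandler)
        try:
            results["direct"] = check_challenge(webroot_url, token, key_authorization)
            results["redirected"] = check_challenge(redirect_url, token, key_authorization)
            results["html"] = check_challenge(html_url, token, key_authorization)
        finally:
            for srv in (webroot_srv, redirect_srv, html_srv):
                srv.shutdown()
                srv.server_close()
    return results


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name:10s} ok={result['ok']} status={result['status']} {result['reason']} ({result['final_url']})")
```

The "redirected" case is the one from this post: the request starts on the plain-HTTP vhost, is sent on by the 301, and succeeds only because the vhost that finally answers can serve the token; the "html" case reproduces the exact failure shown in the renewal log, where the site's index page came back in place of the token.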