Nginx
Anatoly, 2018-11-28 16:15:59

How to renew an SSL certificate?

Debian/Nginx 1.12.2
How do I fix the letsencrypt certificate renewal problem when it checks the IP address instead of the domain name?

certbot certonly --dry-run

[email protected]:~$certbot certonly --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Cert not due for renewal, but simulating renewal for dry run
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for mysite.com
Using the webroot path /var/www for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Running post-hook command: service nginx reload
Failed authorization procedure. mysite.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from 123.123.123.123:443/.well-known/acme-challenge/fxs... [123.123.123.123]: "\r\n400 The plain HTTP request was sent to HTTPS port\r\n\r\n400 B"
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: mysite.com
Type: unauthorized
Detail: Invalid response from
123.123.123.123:443/.well-known/acme-challenge/fxs...
[123.123.123.123]: "\r\n400 The plain HTTP request
was sent to HTTPS port\r\n\r\n400 B"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.

The call is made by ip:
http://123.123.123.123:443/.well-known/acme-challenge/fxsFCP9Kn71b-afO53dj91sbRJw7mDt_Sq2jaUiHBG4

If I place a file in the .well-known/acme-challenge folder, then when I access it I get error 400: Bad Request,
and not by name, like:
http://mysite.com:443/.well-known/acme-challenge/fxsFCP9Kn71b-afO53dj91sbRJw7mDt_Sq2jaUiHBG4

When the file is accessed this way, it opens.
The domains are:
location ^~ /.well-known/acme-challenge {
    default_type "text/plain";
    # ".well-know" (missing "n") never matches the request URI, so this rewrite is a
    # no-op and files are served from /var/www/.well-known/acme-challenge/, which is
    # where certbot with the webroot path /var/www writes the challenge tokens.
    rewrite /.well-know/acme-challenge/(.*) /$1 break;
    allow all;
    root /var/www;
}

location = /.well-known/acme-challenge/ {
    return 404;
}

Handling requests to the ip-address:
server {
  listen 80 default;
  server_name _;
  access_log /dev/null;
  error_log /dev/null;
  location / {
     return 444;
  }
}

server {
  listen 443 ssl default;
  server_name _;
  ssl_stapling off;
  ssl on;
  ssl_certificate_key /etc/ssl/private/debian-webhost.key;
  ssl_certificate /etc/ssl/certs/debian-webhost.crt;

  location / {
     return 444;
  }
}

PS. The domain and IP have been replaced with fake ones!
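As an added pre-flight check (not part of the original post): before running certbot, drop a token into the webroot and fetch it the way the http-01 validator does, by hostname over plain HTTP, following redirects, so that a request ending on IP:443 shows up before the renewal fails. The helper names are this example's own; it assumes curl is installed and that the webroot passed to certbot -w (here /var/www, as in the dry-run output) is writable.

```bash
#!/usr/bin/env bash
# Pre-flight for an http-01 renewal: fetch a token from the challenge path the way
# the validator does (plain HTTP, by hostname, following redirects) and name the
# failure mode if the request ends up somewhere it should not.
# Hypothetical helper names; not part of certbot or the poster's configuration.
set -u

# Classify the final hop of a challenge fetch.
# $1 HTTP status, $2 URL after redirects, $3 body received, $4 token expected.
# Prints a verdict; returns 0 only when the validator would accept the response.
acme_verdict() {
  local code="$1" url="$2" body="$3" token="$4" host
  case "$url" in
    http://*:443/*)
      echo "FAIL: plain HTTP request ended on a TLS port ($url); a redirect in the :80 server sends the challenge to 443 without https"
      return 1 ;;
  esac
  host=${url#*://}; host=${host%%/*}; host=${host%%:*}
  case "$host" in
    *[!0-9.]*) ;;    # contains a non-digit, so a hostname: fine
    *) echo "FAIL: challenge redirected to a bare IP ($url); nginx answers from the default server, not the domain's block"
       return 1 ;;
  esac
  [ "$code" = 200 ] || { echo "FAIL: HTTP $code from $url"; return 1; }
  [ "$body" = "$token" ] || { echo "FAIL: body from $url is not the token placed in the webroot"; return 1; }
  echo "OK: $url served the token"
}

# Drop a throwaway token into the webroot, fetch it like the validator, clean up.
# $1 domain, $2 webroot (the directory passed to certbot -w).
acme_preflight() {
  local domain="$1" webroot="$2" dir token tmp out rc
  dir="$webroot/.well-known/acme-challenge"
  token="preflight-$(date +%s)-$$"
  tmp=$(mktemp) || return 2
  mkdir -p "$dir" && printf '%s' "$token" > "$dir/$token" || { rm -f "$tmp"; return 2; }
  if out=$(curl -sS -L --max-redirs 5 -o "$tmp" -w '%{http_code} %{url_effective}' \
             "http://$domain/.well-known/acme-challenge/$token"); then
    acme_verdict "${out%% *}" "${out#* }" "$(cat "$tmp")" "$token" && rc=0 || rc=$?
  else
    echo "FAIL: no HTTP answer from http://$domain (is port 80 open and pointed at this host?)"; rc=1
  fi
  rm -f "$tmp" "$dir/$token"
  return "$rc"
}

# Usage (the domain and webroot are the poster's placeholders):
#   acme_preflight mysite.com /var/www
```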

2 answer(s)
Anatoly, 2018-11-29
@Tolly

apt update
apt upgrade
reboot
and it seems to work again. I didn't change anything in the configs, the cause of the error is not clear, and it may reappear tomorrow; I'm closing the question for now.

Viktor Taran, 2018-11-28
@shambler81

Why do you think it needs the path to the site? -w /var/www/webroot
At least read the manual, everything is written there,
or, if you really want, read it in Russian:
https://losst.ru/kak-poluchit-sertifikat-let-s-encrypt#
