Let's Encrypt renewal fails


her...@gmail.com

Aug 31, 2020, 7:37:19 AM
to bigbluebutton-users
Hi guys,

I'm quite new to Linux.

I set up a BigBlueButton server on Ubuntu 16.04 for my company some time ago and used this tutorial for reference. I also set up the crontab file the way I'm supposed to, but unfortunately it doesn't renew it every week as it's supposed to. There wasn't even a log file created.

Now I have the problem that the SSL certificate expired and as a consequence the website isn't working anymore. First, I tried to renew it by using "certbot certonly --force-renew --cert-name example.com" (surely with my domain name in it instead of example.com), but that didn't work either.
Also I tried to delete all certificates and create a new one from scratch.

Result of all trying is this error:

Failed authorization procedure. mydomain.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://mydomain.com/.well-known/acme-challenge/I7RHwkUhjF752rLAvCO_oWQG1AsKpS5Qf3k2HE864UE [2a02:c207:3005:4560::1]: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>"

I already checked some stuff from other people who obviously had the same issue (as in e.g. here), but nothing works for me.
What I don't get at all (in addition to the rest of that stuff): I put an HTML file in the .well-known/acme-challenge folder and I can access it, but I also put a dummy challenge file into the folder and I can't access it?!? It returns a 404 error.

I'm really helpful and we need that server quite a lot, so I'd appreciate some help.

Thx in advance

toni.f...@gmail.com

Aug 31, 2020, 8:30:24 AM
to bigbluebutton-users
Are you using nginx as your web browser? Have you installed the nginx plugin for certbot?

If yes, then add the --nginx option to the certbot command. If that does not help, stop the webserver and execute the certbot with the --standalone option.

her...@gmail.com

Aug 31, 2020, 9:24:22 AM
to bigbluebutton-users
Hey toni,

That helped a lot; I managed to create a certificate with the standalone option. All seems to be working well again. Still, I'm wondering why it wouldn't work to automatically renew the certificate. Also, how do I set up a cron job for automatically creating a standalone version?

Thx a lot for your help

toni.f...@gmail.com

Aug 31, 2020, 9:57:11 AM
to bigbluebutton-users
Remove your current crontab and use systemd-timers instead.


Add a file called certbot.timer to /etc/systemd/system with this content:


[Unit]
Description=Run certbot twice daily

[Timer]
OnCalendar=*-*-* 00,12:00:00
RandomizedDelaySec=43200
Persistent=true

[Install]
WantedBy=timers.target


And a file called certbot.service to /etc/systemd/system with this content:


[Unit]
Description=Certbot
Documentation=file:///usr/share/doc/python-certbot-doc/html/index.html
Documentation=https://letsencrypt.readthedocs.io/en/latest/
[Service]
Type=oneshot
ExecStartPre=/bin/systemctl stop nginx.service
ExecStart=/usr/bin/certbot -q renew --standalone
ExecStartPost=/bin/systemctl start nginx.service
PrivateTmp=true


Then enable the timer with:
sudo systemctl enable certbot.timer
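
Added example, not part of the original thread: a variant of the certbot.service unit posted above that moves the nginx stop/start into certbot's own --pre-hook and --post-hook options. With ExecStartPre/ExecStartPost, nginx is stopped on every timer run, and because systemd skips ExecStartPost when ExecStart fails, it stays stopped after a failed renewal. The example assumes the installed certbot version supports both hook options.

```ini
# /etc/systemd/system/certbot.service
# Added example: variant of the unit posted in this thread, not the poster's file.
[Unit]
Description=Certbot renewal (standalone; nginx stopped only while a renewal runs)
Documentation=https://letsencrypt.readthedocs.io/en/latest/

[Service]
Type=oneshot
# certbot runs --pre-hook only when at least one certificate is actually due
# for renewal, so nginx keeps serving on all other timer runs.
# certbot runs --post-hook after every renewal attempt, including a failed
# one, so nginx is started again even when the ACME validation fails.
ExecStart=/usr/bin/certbot -q renew --standalone \
    --pre-hook "/bin/systemctl stop nginx.service" \
    --post-hook "/bin/systemctl start nginx.service"
PrivateTmp=true
```

After changing unit files, run sudo systemctl daemon-reload. systemctl enable only arms the timer for the next boot, so sudo systemctl start certbot.timer is needed to start it immediately.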