kosmos.social cert renewal failed due to auth error #110

Closed
opened 2019-10-26 16:56:29 +00:00 by raucao · 2 comments
Owner

systemd alert email:

```text
certbot.service - Certbot
   Loaded: loaded (/lib/systemd/system/certbot.service; static; vendor preset: enabled)
   Active: failed (Result: exit-code) since Sat 2019-10-26 08:07:28 UTC; 54ms ago
     Docs: file:///usr/share/doc/python-certbot-doc/html/index.html
           https://letsencrypt.readthedocs.io/en/latest/
  Process: 7615 ExecStart=/usr/bin/certbot -q renew (code=exited, status=1/FAILURE)
 Main PID: 7615 (code=exited, status=1/FAILURE)

Oct 26 08:01:24 andromeda systemd[1]: Starting Certbot...
Oct 26 08:07:28 andromeda certbot[7615]: Attempting to renew cert (kosmos.social) from /etc/letsencrypt/renewal/kosmos.social.conf produced an unexpected error: Failed authorization procedure. kosmos.social (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://kosmos.social/.well-known/acme-challenge/Yx3D1DpgmOdjfXciBhkkn4jdMUNi7l7TisNZ1foobar [2a01:4f8:221:39c1::2]: 404. Skipping.
Oct 26 08:07:28 andromeda certbot[7615]: All renewal attempts failed. The following certs could not be renewed:
Oct 26 08:07:28 andromeda certbot[7615]:   /etc/letsencrypt/live/kosmos.social/fullchain.pem (failure)
Oct 26 08:07:28 andromeda certbot[7615]: 1 renew failure(s), 0 parse failure(s)
Oct 26 08:07:28 andromeda systemd[1]: certbot.service: Main process exited, code=exited, status=1/FAILURE
Oct 26 08:07:28 andromeda systemd[1]: certbot.service: Failed with result 'exit-code'.
Oct 26 08:07:28 andromeda systemd[1]: Failed to start Certbot.
Oct 26 08:07:28 andromeda systemd[1]: certbot.service: Triggering OnFailure= dependencies.
```
Author
Owner

Current cert is valid until November 24.
greg self-assigned this 2019-10-28 10:09:34 +00:00
Owner

I found the issue; it was caused by this addition: 10b6f63

```diff
+server {
+  listen 80;
+  server_name <%= @server_name %>;
+  return 301 https://$server_name$request_uri;
+}
```
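Review bot: the `return 301` here sits at server level, so nginx evaluates it in the server rewrite phase for every request on port 80 before any location is matched, which also swallows the `/.well-known/acme-challenge/` requests that the certbot vhost is supposed to answer from its static directory; that matches the 404 and `unauthorized` reported in the renewal log. Since the certbot vhost already redirects other HTTP traffic to HTTPS, this block is redundant and should be dropped; if a separate port-80 vhost is really wanted, move the redirect into a `location /` and put a `location ^~ /.well-known/acme-challenge/` that serves the challenge directory ahead of it.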

The certbot vhost (https://gitea.kosmos.org/kosmos/chef/src/branch/master/site-cookbooks/kosmos-nginx/templates/default/nginx_conf_certbot.erb) takes care of pointing requests to .well-known to the static dir where certbot creates the validation file, as well as redirecting to HTTPS. The added lines make every HTTP request redirect to HTTPS. I'm creating a PR now.
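For reference, the shape of a port-80 vhost that redirects to HTTPS without breaking HTTP-01 validation, as an added example that is not the cookbook's own template: the block from 10b6f63 is shown beside a corrected version. The webroot path `/var/www/letsencrypt` and the domain `example.org` are assumed.

```nginx
# Added example, not from the kosmos chef cookbook.
# Assumed: certbot runs with --webroot -w /var/www/letsencrypt, domain example.org.

# Broken form (as added in 10b6f63): a server-level "return" runs in the
# rewrite phase before any location is matched, so every HTTP request is
# redirected, including GET /.well-known/acme-challenge/<token>. The CA
# never sees the token file and renewal fails with "unauthorized".
#
# server {
#   listen 80;
#   server_name example.org;
#   return 301 https://$server_name$request_uri;
# }

# Corrected form: the redirect lives inside "location /", and a "^~" prefix
# location for the challenge path takes precedence, so the token file is
# served from disk while everything else still goes to HTTPS.
server {
    listen 80;
    listen [::]:80;            # the CA validated over IPv6 in the log above
    server_name example.org;

    location ^~ /.well-known/acme-challenge/ {
        # certbot writes <webroot>/.well-known/acme-challenge/<token>;
        # "root" appends the request URI, so the paths line up.
        root /var/www/letsencrypt;
        default_type text/plain;
        try_files $uri =404;
    }

    location / {
        # $host echoes the requested Host header, unlike $server_name,
        # which is the first name listed in server_name.
        return 301 https://$host$request_uri;
    }
}
```

Before relying on the renewal timer, `nginx -t` plus a plain `curl -I http://example.org/.well-known/acme-challenge/test` should return 404 from the challenge location (not a 301), which proves the request reaches the webroot lookup.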

greg closed this issue 2019-10-30 11:29:59 +00:00
Reference: kosmos/chef#110