Lately I have been playing around with lets encrypt. Wanted to get away from self signed certs, this gives a more professional aspect to the website. Installation was pretty easy to tell the truth, I just followed the following manual from Digital Ocean. Issue came with the cert renewal process. Letsencrypt renews via http, not https, so testing the renewal was failing.
certbot renew --dry-run Saving debug log to /var/log/letsencrypt/letsencrypt.log ------------------------------------------------------------------------------- Processing /etc/letsencrypt/renewal/mail.example.org.conf ------------------------------------------------------------------------------- Cert not due for renewal, but simulating renewal for dry run Starting new HTTPS connection (1): acme-staging.api.letsencrypt.org Renewing an existing certificate Performing the following challenges: http-01 challenge for mail.example.org Waiting for verification... Cleaning up challenges Attempting to renew cert from /etc/letsencrypt/renewal/mail.example.org.conf produced an unexpected error: Failed authorization procedure. mail.example.org (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://mail.example.org/.well-known/acme-challenge/CbWS7lLTfZZe-z-ctdOhaxUe9ZhDi6iuGkxMv57xDbQ: "<html> <head><title>404 Not Found</title></head> <body bgcolor="white"> <center><h1>404 Not Found</h1></center> <hr><center>". Skipping. ** DRY RUN: simulating 'certbot renew' close to cert expiry ** (The test certificates below have not been saved.) All renewal attempts failed. The following certs could not be renewed: /etc/letsencrypt/live/mail.example.org/fullchain.pem (failure) ** DRY RUN: simulating 'certbot renew' close to cert expiry ** (The test certificates above have not been saved.) 1 renew failure(s), 0 parse failure(s) IMPORTANT NOTES: - The following errors were reported by the server: Domain: mail.example.org Type: unauthorized Detail: Invalid response from http://mail.example.org/.well-known/acme-challenge/CbWS7lLTfZZe-z-ctdOhaxEe9ZhDi6iuGzxMv57xDbQ: "<html> <head><title>404 Not Found</title></head> <body bgcolor="white"> <center><h1>404 Not Found</h1></center> <hr><center>" To fix these errors, please make sure that your domain name was entered correctly and the DNS A record(s) for that domain contain(s) the right IP address.
In order to fix this I had to place some redirects and open port 80 too on nginx. Placing below rules in config file.
server { listen 80; server_name mail.example.org; return 301 https://$host$request_uri; } location /.well-known/acme-challenge/ { return 301 http://$host$request_uri; try_files $uri /dev/null =404; }
Now testing the renewal runs smoothly.
certbot renew --dry-run Saving debug log to /var/log/letsencrypt/letsencrypt.log ------------------------------------------------------------------------------- Processing /etc/letsencrypt/renewal/mail.example.org.conf ------------------------------------------------------------------------------- Cert not due for renewal, but simulating renewal for dry run Starting new HTTPS connection (1): acme-staging.api.letsencrypt.org Renewing an existing certificate Performing the following challenges: http-01 challenge for mail.example.org Waiting for verification... Cleaning up challenges Generating key (2048 bits): /etc/letsencrypt/keys/0002_key-certbot.pem Creating CSR: /etc/letsencrypt/csr/0002_csr-certbot.pem ** DRY RUN: simulating 'certbot renew' close to cert expiry ** (The test certificates below have not been saved.) Congratulations, all renewals succeeded. The following certs have been renewed: /etc/letsencrypt/live/mail.example.org/fullchain.pem (success) ** DRY RUN: simulating 'certbot renew' close to cert expiry ** (The test certificates above have not been saved.)
This how-to was really helpful.