Problem renewing Let's Encrypt #4022

Closed
2 tasks done
ashfurrow opened this issue Jun 30, 2017 · 5 comments
@ashfurrow
Contributor

Hello there! I'm getting a problem similar to the one described here when trying to renew my Let's Encrypt certs:

Error Details
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/mastodon.technology/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: mastodon.technology
   Type:   unauthorized
   Detail: Invalid response from http://mastodon.technology/.well-
   known/acme-challenge/jUUcHFPAa7zKgsHOZEDk_RhjlIhi6zwwtcOg8nf-pFA:
   "<html>
   <head><title>404 Not Found</title></head>
   <body bgcolor="white">
   <center><h1>404 Not Found</h1></center>
   <hr><center>"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.

It looks like an nginx error maybe? Not sure. Nothing of note in the nginx log.

I've hit the rate limit for attempts to renew so I'm trying to make sure that test files are accessible from the standard webroot. I originally got the Mastodon "The page you were looking for doesn't exist" error when I tried creating a test file in /var/www/html/.well-known/acme-challenge/, but I have since been able to retrieve the file okay when I added root /var/www/html; to my nginx config:

server {
  listen 80;
  listen [::]:80 ipv6only=on;
  server_name mastodon.technology;

  root /var/www/html;

  # Useful for Let's Encrypt
  location /.well-known/acme-challenge/ { allow all; }
  location / { return 301 https://$host$request_uri; }
}

Anyone seen this? I'm thinking it's an nginx config but it's hard to troubleshoot. It'll be another week before I can try again but wanted to see if anyone else had the problem.


  • I searched or browsed the repo’s other issues to ensure this is not a duplicate.
  • This bug happens on a tagged release and not on master (If you're a user, don't worry about this).

@ashfurrow
Contributor Author

Yeah, that did it!

Processing /etc/letsencrypt/renewal/mastodon.technology.conf
new certificate deployed without reload, fullchain is /etc/letsencrypt/live/mastodon.technology/fullchain.pem

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/mastodon.technology/fullchain.pem (success)

Before I close the issue, should this be documented somewhere? Happy to send a PR.

@nolanlawson
Contributor

What did it? And yeah maybe there should just be general documentation for LetsEncrypt over at https://github.com/tootsuite/documentation?

@ashfurrow
Contributor Author

ashfurrow commented Jul 1, 2017

That's a good idea – I'll open a PR this weekend describing my setup.

EDIT: The root /var/www/html; did it.

@nightpool
Member

Closed because it's moving to the documentation repo.

@ashfurrow
Contributor Author

I've looked around for what others have written about using SSL/Let's Encrypt on instances, and it seems like I'm doing something a bit wonky, so I doubt others will hit this problem. This article specifically has instructions on getting/automatically renewing SSL certs in a way that works with the documentation, so I don't think a PR will be needed. If we start to see others running into this problem, we can revisit the discussion 👍
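
The fix reported in this thread (a root directive in scope for the /.well-known/acme-challenge/ location) can be checked before spending a rate-limited renewal attempt. The following is an added example, not code from the issue or from the Mastodon project: it reads a server block and reports which root applies to the challenge location. The function names are hypothetical, the webroot /var/www/html is taken from the issue, and the parser is simplified (one server block, prefix locations, no alias or include).

```python
import re

ACME_LOCATION = "/.well-known/acme-challenge/"

# Constructed inputs: the port-80 server block from the issue, without and with the root line.
SERVER_BEFORE = """
server {
  listen 80;
  listen [::]:80 ipv6only=on;
  server_name mastodon.technology;

  # Useful for Let's Encrypt
  location /.well-known/acme-challenge/ { allow all; }
  location / { return 301 https://$host$request_uri; }
}
"""
SERVER_AFTER = SERVER_BEFORE.replace("server_name", "root /var/www/html;\n  server_name", 1)

ROOT_RE = re.compile(r"(?<![\w-])root\s+([^;\s]+)\s*;")

def effective_acme_root(conf):
    """Return the root that applies to the ACME challenge location, or None.

    None means no root directive is in scope, so nginx serves from its
    built-in default root rather than the directory certbot writes to.
    """
    conf = re.sub(r"#[^\n]*", "", conf)                      # drop comments
    body = re.search(r"\bserver\s*\{(.*)\}", conf, re.S).group(1)
    loc = re.search(r"location\s+" + re.escape(ACME_LOCATION) + r"\s*\{([^{}]*)\}", body)
    if loc is None:
        return None                                          # no dedicated challenge location
    inner = ROOT_RE.search(loc.group(1))
    if inner:
        return inner.group(1)                                # location-level root wins
    server_level = re.sub(r"\{[^{}]*\}", "", body)           # ignore nested blocks
    outer = ROOT_RE.search(server_level)
    return outer.group(1) if outer else None

def challenge_path_ok(conf, webroot):
    """True when nginx serves challenges from the same directory as webroot."""
    root = effective_acme_root(conf)
    return root is not None and root.rstrip("/") == webroot.rstrip("/")

if __name__ == "__main__":
    for name, conf in (("before", SERVER_BEFORE), ("after", SERVER_AFTER)):
        print(name, effective_acme_root(conf), challenge_path_ok(conf, "/var/www/html"))
```
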
