LetsEncrypt renewal fails

Creating a bug report/issue

Required Information

  • DietPi version | 8.11.2
  • Distro version | bullseye 0
  • Kernel version | Linux houtje 5.15.76-v8+ #1597 SMP PREEMPT Fri Nov 4 12:16:41 GMT 2022 aarch64 GNU/Linux
  • SBC model | RPi 4 Model B (aarch64)
  • Power supply used | original (2.5 or 3A)
  • SD card used | external SSD on USB3

Additional Information (if applicable)

  • Software title | LetsEncrypt
  • Was the software title installed freshly or updated/migrated? freshly (earlier this year)
  • Can this issue be replicated on a fresh installation of DietPi? I don’t know

Steps to reproduce

  1. run dietpi-letsencrypt
  2. choose Apply

Expected behaviour

  • proper LE renewal

Actual behaviour

  • error: Challenge failed for domain jeelabs.org
  • … the other domains are also not renewed

Extra details

  • I have four domains listed, all need to be renewed as a single certificate IIUC

I have made manual changes to serve a few static domains alongside the dietpi-installed Nextcloud and BitWarden domains. My question is: should I manually disable all the domain files in Nginx for now, to let dietpi-letsencrypt or certbot do its thing? All the domains resolve to this same machine, i.e. it’s a single public IP address (77.x.x.x).

are you sure all failed domains are pointing to your public IP address correctly? Port forwarding was set correctly?

The four domains all work right now. I’ve been getting warnings from LE which led me to investigate the status of the renewals, and that generated the errors I mentioned. Two examples: jeelabs.org and git.jeelabs.org - you can probably check this from your end.

I might have messed up my nginx setup somehow w.r.t. LE renewal, but the sites have all been working fine for the past months. I’m hesitant to make changes (am not a sysadmin …). If there is a way to temporarily get all the nginx settings in a state which lets LE renewal proceed, then that’d help - at least for the time being.

One thing I don’t understand is where the .well-known/acme-challenge/... redirect for certbot is defined. Just guessing on my part, it looks like this special URL is set up while validating the domain … I had to re-enable HTTP (it was redirecting to HTTPS in the dietpi menu setting).

PS. Yes, ports 80 and 443 are both forwarded to this RasPi4 server. With wget, I get the same homepage for both protocols.

Solved! I disabled the jeelabs.org nginx config (not the others, apparently that’s ok):

Your existing certificate has been successfully renewed, and the new certificate
has been installed.

The new certificate covers all 4 domains. So in short: to get renewal going in my case, I had to disable the extra (static) domain listed as 1st one in dietpi-letsencrypt, and then the renewal went through. Then I re-enabled (i.e. ln -s ../sites-available/...) and all is back to normal.

It’s not 100% automatic, but at least this renews for 2-3 months of HTTPS-enabled service.


You could use the certbot / Let’s Encrypt --pre-hook and --post-hook functions to disable the configuration before and enable it after certificate renewal.

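The manual workaround from the solved post (unlink the first static site from nginx, renew, link it back) can be automated with the hooks suggested in the last reply. The following script is an added example, not DietPi's or certbot's own code; it assumes the Debian/DietPi nginx layout (sites-available/sites-enabled symlinks, as the `ln -s ../sites-available/...` step above uses), a hypothetical install path of /usr/local/sbin/acme-site-toggle.sh, and a systemd-managed nginx for the reload command (overridable through RELOAD_CMD).

```shell
#!/bin/sh
# acme-site-toggle.sh (hypothetical name, added example): disable or re-enable
# nginx vhosts around a certbot renewal so the ACME challenge is not swallowed
# by a server block that does not serve it.
#
# Intended use as certbot hooks (both hooks only run when a renewal is attempted):
#   certbot renew \
#     --pre-hook  "/usr/local/sbin/acme-site-toggle.sh disable jeelabs.org" \
#     --post-hook "/usr/local/sbin/acme-site-toggle.sh enable jeelabs.org"

# Assumed layout: $NGINX_DIR/sites-available/<name> holds the config,
# $NGINX_DIR/sites-enabled/<name> is a symlink to it. NGINX_DIR is read at
# call time so it can be pointed at a scratch directory for testing.
NGINX_DIR="${NGINX_DIR:-/etc/nginx}"
# Assumption: systemd-managed nginx; `nginx -t` guards against reloading a broken config.
RELOAD_CMD="${RELOAD_CMD:-nginx -t && systemctl reload nginx}"

# disable_site NAME: remove the sites-enabled symlink. Refuses to touch
# anything that is not a symlink, so a real file in sites-enabled is never deleted.
disable_site() {
    link="$NGINX_DIR/sites-enabled/$1"
    if [ ! -L "$link" ]; then
        echo "disable_site: $link is not a symlink, leaving it alone" >&2
        return 1
    fi
    rm "$link"
}

# enable_site NAME: recreate the symlink exactly as the manual fix did
# (relative target, so the link survives moving the nginx tree).
enable_site() {
    if [ ! -f "$NGINX_DIR/sites-available/$1" ]; then
        echo "enable_site: $NGINX_DIR/sites-available/$1 does not exist" >&2
        return 1
    fi
    ln -sf "../sites-available/$1" "$NGINX_DIR/sites-enabled/$1"
}

# reload_nginx: one reload after all link changes, via the configurable command.
reload_nginx() {
    sh -c "$RELOAD_CMD"
}

# Command-line dispatcher: `disable SITE...` or `enable SITE...`.
if [ $# -gt 0 ]; then
    action=$1; shift
    case "$action" in
        disable) for s in "$@"; do disable_site "$s" || exit 1; done; reload_nginx ;;
        enable)  for s in "$@"; do enable_site "$s" || exit 1; done; reload_nginx ;;
        *) echo "usage: $0 disable|enable SITE..." >&2; exit 2 ;;
    esac
fi
```

Because a failing pre-hook aborts the renewal and a failing post-hook leaves the site disabled, the script exits non-zero on any site it could not toggle rather than silently continuing; check `certbot renew --dry-run` output and the nginx reload result after installing the hooks.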