Certbot Renewal Giving Me A Headache

Hey everyone, having some serious trouble renewing my cert with certbot, which is odd because I've done this twice before without a single issue. So I have NGINX set up on FreeBSD as a reverse proxy to a NextCloud instance; it works really well and I use certbot to grab a Let's Encrypt cert for it.

Now normally what I do to renew my cert is:

1. Log in to the nginx shell
2. Issue `service nginx stop`
3. Issue `certbot renew`
4. It renews successfully
5. Issue `service nginx start`

And from here I am good to go. I know certbot uses port 80 to renew, hence why I stop nginx.

Now this time it's saying that it can't connect to my domain, saying connection refused. Now my IP DID change recently; however, I checked all DNS propagation and everything is pointing to the right IP (it's also been about 3 weeks since it changed). And I can connect to and use my NextCloud instance without any issues externally, so I've got no idea why this error is being thrown.

P.S. I know this post doesn't contain a ton of detail; that is intentional as it'd be really long, and I'd rather pass on what people want to see when they ask for it so they don't have to search through the post for something they want to know.
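The stop / renew / start sequence above has one sharp edge: if `certbot renew` fails (or you get disconnected while it runs), nginx stays down and the NextCloud proxy is unreachable until somebody notices. The script below is an added example, not the poster's own script, that keeps the same standalone-on-port-80 workflow but always brings nginx back, and runs `nginx -t` first so a broken config is reported instead of silently failing to start. It assumes FreeBSD's rc.d service name `nginx` and certbot on PATH; the commands live in variables so they can be swapped (or stubbed for a dry run).

```shell
#!/bin/sh
# Added example (not the original poster's script): stop nginx, run
# "certbot renew" with the standalone authenticator on port 80, and start
# nginx again no matter how certbot exited.
# Assumptions: FreeBSD rc.d "nginx" service, certbot on PATH. Override the
# variables to adapt or dry-run (e.g. NGINX_STOP=true RENEW=true).
set -u

NGINX_STOP=${NGINX_STOP:-"service nginx stop"}
NGINX_START=${NGINX_START:-"service nginx start"}
NGINX_CHECK=${NGINX_CHECK:-"nginx -t"}
RENEW=${RENEW:-"certbot renew"}

# Validate the config before starting: "service nginx start" on a bad config
# fails with a far less obvious error than "nginx -t" gives.
restore_nginx() {
    $NGINX_CHECK || { echo "nginx config test failed; NOT starting nginx" >&2; return 1; }
    $NGINX_START
}

# Exit status: 0 renewed (or nothing due), 1 renewal failed but nginx is back,
# 2 nginx did not come back (needs hands-on attention).
renew_standalone() {
    $NGINX_STOP || { echo "could not stop nginx; not running certbot" >&2; return 1; }
    # If we are interrupted while certbot owns port 80, still restart nginx.
    trap 'restore_nginx; exit 130' INT TERM
    rc=0
    $RENEW || rc=1
    trap - INT TERM
    restore_nginx || rc=2
    return $rc
}

# Run only when invoked as "sh renew.sh --run", so the file can also be sourced.
case "${1:-}" in
    --run) renew_standalone ;;
esac
```

certbot can do the same thing natively with `certbot renew --pre-hook "service nginx stop" --post-hook "service nginx start"`; the hooks only fire when a renewal is actually attempted, which makes that form the better fit for a cron or periodic(8) job. One diagnostic note on the error in the post: with the standalone authenticator, "connection refused" means Let's Encrypt reached some IP on port 80 and nothing was listening there, so the usual suspects are DNS still pointing at the old address or the router not forwarding port 80 to the host where certbot is listening.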

4 thoughts on “Certbot Renewal Giving Me A Headache”

  1. Not really versed enough to help very well, but I’d look at acme.sh and use CloudFlare with acme.sh DNS API. Then have the script do a NGINX reload.

  2. I'd suggest switching to webroot auth, where nginx would stay running and certbot would just serve the challenge file via nginx. That way you don't even need to shut it down at all.

    It’s very simple, in your nginx config, you just add this location block:

    # Serve ACME http-01 challenge files straight from disk; with "root" a
    # request for /.well-known/acme-challenge/X is read from
    # /var/lib/letsencrypt/.well-known/acme-challenge/X, which is where
    # certbot --webroot -w /var/lib/letsencrypt writes it.
    location /.well-known/acme-challenge {
        root /var/lib/letsencrypt;
        default_type "text/plain";
        try_files $uri =404;
    }

    You should then check that it's set up correctly, e.g. by placing a text file inside the directory and trying to request it via `http://your-domain.com/.well-known/acme-challenge/test.txt`. If that's working, you can then run `certbot renew --webroot -w /var/lib/letsencrypt` and hopefully all will be well. If not, you can use the nginx logs for further troubleshooting.

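The "drop a test file in the directory and fetch it over HTTP" check from the comment above is worth scripting, because it exercises exactly the path the ACME server takes for an http-01 challenge (plain HTTP on port 80, through whatever NAT and nginx config sit in front of the box) without spending a Let's Encrypt validation attempt. The script below is an added example, not the commenter's code. It assumes the nginx location block above (so `root /var/lib/letsencrypt` maps `/.well-known/acme-challenge/X` to `/var/lib/letsencrypt/.well-known/acme-challenge/X`) and `curl` on PATH; the domain, webroot and token are supplied or generated at run time.

```shell
#!/bin/sh
# Added example (not the commenter's code): self-test the webroot challenge
# path before running "certbot renew --webroot".
# Assumptions: nginx serves /.well-known/acme-challenge from the webroot via
# "root" (not "alias"), and curl is installed.
set -u

# Fetch a URL over plain HTTP and print the body. Kept as its own function so
# the transport can be swapped out (e.g. for a local test harness).
http_get() {
    curl -fsS --max-time 10 "$1"
}

# Write a random token file under the webroot, request it through nginx the
# way the ACME server would, and compare the body byte for byte.
# Returns 0 on an exact match, 1 otherwise; the token file is always removed.
webroot_selftest() {
    domain=$1
    webroot=$2
    dir="$webroot/.well-known/acme-challenge"
    mkdir -p "$dir" || return 1
    # 32 hex characters from /dev/urandom: unguessable, URL-safe, no newline.
    token=$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')
    expected="selftest-$token"
    printf '%s' "$expected" > "$dir/$token"
    body=$(http_get "http://$domain/.well-known/acme-challenge/$token" 2>/dev/null) || body=""
    rm -f "$dir/$token"
    if [ "$body" = "$expected" ]; then
        echo "ok: http://$domain/.well-known/acme-challenge/ is served from $dir"
        return 0
    fi
    echo "FAIL: expected '$expected', got '$body'" >&2
    echo "check: port 80 reaches this nginx, the location block is in the server block for $domain, and nginx can read $dir" >&2
    return 1
}

# Usage: sh webroot-selftest.sh example.com [/var/lib/letsencrypt]
if [ $# -ge 1 ]; then
    webroot_selftest "$1" "${2:-/var/lib/letsencrypt}"
fi
```

A typical invocation is `sh webroot-selftest.sh your-domain.com /var/lib/letsencrypt && certbot renew --webroot -w /var/lib/letsencrypt`. Two things the check catches that a browser test easily misses: a redirect to HTTPS for everything (the ACME client does follow redirects, but a redirect into the NextCloud app instead of the file fails), and a body that is the file plus trailing whitespace or an HTML wrapper, since the comparison is exact.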
  3. Hey, I just wanted to update everyone here. I think I figured out the issue and I managed to get it renewed. I think there were some DNS caching issues somewhere in the world causing the wrong IP to be pointed to, or it's also possible my Ubiquiti UDMP was causing the issue by forwarding the ports incorrectly.

    Things that have changed since I last tried renewing:

    - Public IP changed again

    - Discontinued my "shitty" UDMP and deployed a pfSense router instead

    I then just did a certbot renew and it seems to be working.

