I recently faced an issue when attempting to update my Let’s Encrypt SSL certificates. Here is how I resolved it.
Background
All of my websites are served over HTTPS on port 443, with SSL certificates provided by Let’s Encrypt.
Every site also has a 301 ‘Moved Permanently’ server-side redirect on port 80 pointing to the HTTPS version of the site. So everything on the site is forced to SSL.
For example, anyone going to http://caseydris.co/the-blugold-bird-mascot will automatically be redirected to https://caseydris.co/the-blugold-bird-mascot, and the URI stays intact.
Previously this was set up with a ‘catch-all’ redirect.
Every 90 days these certificates need to be renewed with a simple command through certbot-auto. I like to do this manually as it ensures I’m logging in to check the server at least every three months.
Ideally I’d be able to enter sudo certbot-auto renew on the command line and all expiring certificates would auto-renew, but it wasn’t working this time around (and truthfully, I’m not sure how it was working before).
Problem
When certbot runs the renewal it has to publicly verify the site and the certificate through the /.well-known directory.
This directory has to be publicly available over HTTP on port 80. When every HTTP request is automatically redirected to HTTPS on port 443, certbot can never reach the /.well-known directory.
This returns an error to certbot that says ‘produced an unexpected error: Failed authorization procedure.’, like in the featured image above. The client can’t authorize because it is getting a 403 Forbidden error.
Solution
The solution is to redirect all location requests except the ones to /.well-known.
Here is a file I saved as /etc/nginx/global/redirect.conf.
Then I place a new root line in the configuration along with an include of the new global/redirect.conf file.