Fixing ‘Failed Authorization Procedure’ for Let’s Encrypt nginx redirects


I recently faced an issue when attempting to update my Let’s Encrypt SSL certificates. Here is how I resolved it.

Background

All of my websites are set up with HTTPS with SSL on port 443 provided by Let’s Encrypt.

Every site also has a 301 ‘Moved Permanently’ server-side redirect on port 80 pointing to the HTTPS version of the site. So everything on the site is forced to SSL.

For example, anyone going to http://caseydris.co/the-blugold-bird-mascot will automatically be redirected to https://caseydris.co/the-blugold-bird-mascot, and the URI stays intact.

Previously this was set up with a ‘catch-all’ solution.

Every 90 days these certificates need to be updated with a simple command through certbot-auto. I like to do this manually as it assures I’m logging in to check the server at least every three months.

Ideally I’d be able to enter sudo certbot-auto renew on the command line and all expiring certificates would auto-update, but it wasn’t working this time around (and truthfully, I’m not sure how it was working before).

Problem

When certbot runs the update it has to publicly verify the site and the certificate through the /.well-known directory.

This directory has to be publicly available through HTTP on port 80. When all HTTP requests are automatically sent to HTTPS on port 443, it can never check the /.well-known directory.

This returns an error to certbot that says ‘produced an unexpected error: Failed authorization procedure.’ like in the featured image above. The client can’t authorize, because it is getting a 403 Forbidden Error.

Solution

The solution is to redirect all location requests except the ones to /.well-known.

Here is a file I saved as /etc/nginx/global/redirect.conf.

Then I place a new root line in the configuration along with an include to the new global/redirect.conf file.
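
The contents of the two files are not reproduced on this page. The following is an added example of one way to write them, not the author's own configuration; example.com and /var/www/example.com are placeholders, and the exception is narrowed to /.well-known/acme-challenge/, the path the ACME HTTP-01 check requests.

```nginx
# ---- /etc/nginx/global/redirect.conf (example contents) ----

# Exception: serve challenge files over plain HTTP from the server's root.
# ^~ stops nginx from evaluating regex locations for this prefix.
location ^~ /.well-known/acme-challenge/ {
    default_type text/plain;
    try_files $uri =404;        # only existing token files, nothing else
}

# Everything else is sent to HTTPS with the host and URI intact.
location / {
    return 301 https://$host$request_uri;
}

# ---- port-80 server block for one site (example) ----

server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;   # placeholder names

    # Must be the directory certbot writes challenge files under,
    # i.e. <root>/.well-known/acme-challenge/<token>
    root /var/www/example.com;                 # placeholder path

    # Relative to the nginx configuration directory (/etc/nginx)
    include global/redirect.conf;
}
```

Check the syntax with sudo nginx -t before reloading nginx, then confirm that a test file under the challenge directory is returned over http:// without a redirect while any other path still answers with a 301.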
