Let's encrypt certificate renewal failing

Greetings,

Using jitsi-meet (updated to the latest stable from the repo) with nginx. Attempting to renew Let’s Encrypt SSL certificates by running /usr/local/sbin/certbot-auto renew gives this error:

Processing /etc/letsencrypt/renewal/xxxx.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for xxxx
Using the webroot path /usr/share/jitsi-meet for all unmatched domains.
Waiting for verification...
Challenge failed for domain xxxx
http-01 challenge for xxxx
Cleaning up challenges
Attempting to renew cert (xxxx) from /etc/letsencrypt/renewal/xxxx.conf produced an unexpected error: Some challenges have failed.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/xxxx/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/xxxx/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: xxxx
   Type:   connection
   Detail: Fetching
   https://xxxx/.well-known/acme-challenge/UU6c4hrog4gA_0o81r2MoPE3sSxy8mcqGyRCwishPuw:
   Error getting validation data

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

Webroot seems correct. Manually creating files under .well-known and fetching them with curl and a browser works (over http, following the redirect to https).

At the point of failure, in nginx’s error log I see a series of entries like this:
2020/05/01 15:05:54 [error] 3039#3039: *123 connect() failed (111: Connection refused) while connecting to upstream, client: 95.87.204.109, server: 0.0.0.0:443, upstream: "127.0.0.1:4445", bytes from/to client:0/0, bytes from/to upstream:0/0

Any advice?

Thanks,
Dimitri

Do you have these under your http host before the redirect: https://github.com/jitsi/jitsi-meet/blob/master/doc/debian/jitsi-meet/jitsi-meet.example#L8

I was missing them. Probably used an older template back when I was setting it up. Adding them solves the issue.

Many thanks!

Hello,
@damencho and @dkaparis I have exactly the same issue, but I’m not sure what I have to do with the "jitsi-meet.example" file?
I have it and it has the same config as on github. But I guess it is only an example file…
What is the real file I have to check/configure?
Thanks a lot for your help

It goes to your nginx site configuration, that would typically be at /etc/nginx/sites-enabled/<your-domain>.conf
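For readers of the two replies above, here is what the missing part looks like, as an added illustration that is not from this thread or the jitsi-meet project's own file: the plain-http server block of that site file, with the acme-challenge location placed before the catch-all redirect. The server_name is a placeholder; the root matches the webroot certbot reported in the first post.

```nginx
server {
    listen 80;
    listen [::]:80;
    server_name meet.example.org;   # placeholder, put your own domain here

    # Serve the ACME http-01 challenge files over plain http, from the same
    # webroot that certbot writes to (/usr/share/jitsi-meet, as shown in the
    # renewal output above). This location must come before the catch-all
    # redirect below; without it the challenge request falls through to the
    # 301 to https, and validation then depends on the https side working
    # (in the first post, the https upstream on 127.0.0.1:4445 refused the
    # connection, which is where "Error getting validation data" came from).
    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        root /usr/share/jitsi-meet;
    }

    # A request for the bare challenge directory has nothing to serve.
    location = /.well-known/acme-challenge/ {
        return 404;
    }

    # Everything else is sent to https.
    location / {
        return 301 https://$host$request_uri;
    }
}
```

After editing, run `nginx -t` and reload nginx, then confirm with `certbot-auto renew --dry-run` before the real renewal.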

Hello,

Nice, it works.
But for me it is under /etc/nginx/sites-available/<your-domain>.conf

Thank you for your help