SonarSoftwareInc / customer_portal

A prebuilt customer portal for Sonar.
https://sonar.software

Certbot fails to renew certificate #47

Closed gmcintire closed 5 years ago

gmcintire commented 5 years ago

It looks like when nginx gets configured originally the non-ssl document root gets set to something different so the acme challenge fails. Manually running certbot renew in the container gives the following output:

Processing /etc/letsencrypt/renewal/portal.vntx.net.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for portal.vntx.net
Waiting for verification...
Challenge failed for domain portal.vntx.net
http-01 challenge for portal.vntx.net
Cleaning up challenges
Attempting to renew cert (portal.vntx.net) from /etc/letsencrypt/renewal/portal.vntx.net.conf produced an unexpected error: Some challenges have failed.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/portal.vntx.net/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/portal.vntx.net/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: portal.vntx.net
   Type:   unauthorized
   Detail: Invalid response from
   http://portal.vntx.net/.well-known/acme-challenge/Xflr_2iBKTdPWIJ4aXOi9zIsquHGqAc5tuK_MQf9Vos
   [204.110.191.205]: "<html>\r\n<head><title>404 Not
   Found</title></head>\r\n<body>\r\n<center><h1>404 Not
   Found</h1></center>\r\n<hr><center>nginx</center>\r\n"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

SonarSoftware commented 5 years ago

@zulandar can you take a look at this

gmcintire commented 5 years ago

Is there any way to get this looked at quickly? Our portal is essentially down right now unless I want to completely re-deploy it to generate a new certificate.

zulandar commented 5 years ago

@gmcintire can you attempt to restart the docker containers (docker-compose restart)? If your portal is currently down, please contact Sonar support so we can resolve this issue in real time.

gmcintire commented 5 years ago

It's not down, it's just presenting an expired cert because of this bug.

geneccx commented 5 years ago

Fix is to run the following:

docker-compose run --rm \
    --entrypoint "\
      certbot certonly --webroot \
        -w /var/www/certbot \
        --force-renewal" certbot

and enter the domain name for the portal.

Then, run docker-compose exec app sv restart nginx and auto renewals should be good to go. I also updated the install script to fix this issue.
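
A check for the condition behind this failure, as an added example that is not part of the thread or the project's code: the renewal output above shows the standalone authenticator selected, while the fix switches to the webroot at /var/www/certbot. The script reads certbot renewal configs and flags any that would not renew through that webroot; the function names and sample file names are hypothetical, and the sample configs are constructed.

```shell
# Added example (not from the thread): audit certbot renewal configs.

# Print the first value of "key = value" from a renewal conf.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Classify one conf against the webroot that nginx serves for ACME challenges.
# Prints: ok | standalone | wrong-webroot:<path> | other:<authenticator>
check_renewal_conf() {
    conf=$1; expected=$2
    auth=$(conf_get "$conf" authenticator)
    case "$auth" in
        webroot)
            # certbot stores webroot_path as a comma-terminated list
            path=$(conf_get "$conf" webroot_path | sed 's/,.*$//')
            if [ "$path" = "$expected" ]; then echo ok
            else echo "wrong-webroot:$path"; fi ;;
        standalone) echo standalone ;;  # certbot's own listener, not the webroot
        *) echo "other:$auth" ;;
    esac
}

# Audit every conf in a renewal directory; non-zero status if any is not ok.
audit_renewal_dir() {
    dir=$1; expected=$2; rc=0
    for conf in "$dir"/*.conf; do
        [ -e "$conf" ] || continue
        result=$(check_renewal_conf "$conf" "$expected")
        echo "$(basename "$conf" .conf): $result"
        [ "$result" = ok ] || rc=1
    done
    return "$rc"
}

# Constructed sample configs (hypothetical names), one per state.
make_samples() {
    d=$(mktemp -d)
    printf '[renewalparams]\nauthenticator = standalone\n' > "$d/broken.example.conf"
    printf '[renewalparams]\nauthenticator = webroot\nwebroot_path = /var/www/certbot,\n' \
        > "$d/fixed.example.conf"
    echo "$d"
}

# With two arguments: audit <renewal-dir> <webroot>. Without: run the demo.
if [ "$#" -ge 2 ]; then
    audit_renewal_dir "$1" "$2"
else
    demo=$(make_samples)
    audit_renewal_dir "$demo" /var/www/certbot || echo "entries not marked ok will fail to renew"
    rm -rf "$demo"
fi
```

Inside the certbot container it would be called with /etc/letsencrypt/renewal and /var/www/certbot as its two arguments.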

SonarSoftware commented 5 years ago

@gmcintire please see above, we'll also be deploying an image to fix this

gmcintire commented 5 years ago

Thanks, it worked!