ACME 0.22.2 fails to renew certificate issued with TLS-SNI-01


#1

Hi,

I use letsencrypt to issue a certificate for a domain and I received the e-mail about the deprecated TLS-SNI-01 domain validation. So, I tried the recommended --dry-run test but it fails. The ACME client is certbot 0.22.2.

I need help to overcome this issue.


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: vm1361.kaj.pouta.csc.fi

I ran this command: sudo certbot renew --dry-run --preferred-challenges http-01,dns-01

It produced this output: Saving debug log to /var/log/letsencrypt/letsencrypt.log
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/vm1361.kaj.pouta.csc.fi.conf
-------------------------------------------------------------------------------
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for vm1361.kaj.pouta.csc.fi
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (vm1361.kaj.pouta.csc.fi) from /etc/letsencrypt/renewal/vm1361.kaj.pouta.csc.fi.conf produced an unexpected error: Failed authorization procedure. vm1361.kaj.pouta.csc.fi (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://vm1361.kaj.pouta.csc.fi/.well-known/acme-challenge/Eg7C5WkgxjcbY3OvPXy3MXiFcuOA3dU3DyhyPTSvm8c: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p". Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/vm1361.kaj.pouta.csc.fi/fullchain.pem (failure)
-------------------------------------------------------------------------------
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/vm1361.kaj.pouta.csc.fi/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)
-------------------------------------------------------------------------------
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

My web server is (include version): Apache 2.4.18

The operating system my web server runs on is (include version): Ubuntu 16.04 LTS

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.22.2


#2

Hi @inscara

your main configuration is ok ( https://check-your-website.server-daten.de/?q=vm1361.kaj.pouta.csc.fi ):

A redirect http -> https, then an http status 404. Certbot creates a file in /.well-known/acme-challenge, Letsencrypt checks this file.

So check your webserver config to find your webroot. Find your correct vHost, there should be a “DocumentRoot”, this is your webroot.

Then try

certbot run -a webroot --dry-run -w yourWebRoot -d vm1361.kaj.pouta.csc.fi
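A way to test that point before running certbot again, as an added example that is not part of the thread: it places a random token under the webroot's .well-known/acme-challenge, fetches it back over plain HTTP the way the CA's validator does, and reports the status. Python's built-in http.server stands in for Apache, and the key authorization is a constructed placeholder, not a real JWK thumbprint.

```python
import http.server
import os
import secrets
import tempfile
import threading
import urllib.error
import urllib.request
from functools import partial

CHALLENGE_DIR = ".well-known/acme-challenge"

def fetch_token(base_url, token):
    # GET the token over plain HTTP, as the CA's validator does; (status, body)
    url = f"{base_url}/{CHALLENGE_DIR}/{token}"
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, ""

def preflight(webroot, base_url):
    # Drop a random token where certbot's webroot plugin would, fetch it back,
    # then clean up. ok only when the server returns 200 with exactly our content.
    token = secrets.token_urlsafe(32)
    key_authz = token + ".constructed-thumbprint"  # placeholder, not a real JWK thumbprint
    path = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(path, exist_ok=True)
    full = os.path.join(path, token)
    with open(full, "w") as fh:
        fh.write(key_authz)
    try:
        status, body = fetch_token(base_url, token)
    finally:
        os.remove(full)
    return {"status": status, "ok": status == 200 and body == key_authz}

def serve_dir(directory):
    # Serve a directory on a random localhost port; stands in for Apache here.
    handler = partial(http.server.SimpleHTTPRequestHandler, directory=directory)
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"

def demo():
    # Right webroot passes; a directory the server does not serve gives the
    # same 404 that Apache returned in the thread's dry run.
    served, unserved = tempfile.mkdtemp(), tempfile.mkdtemp()
    srv, base = serve_dir(served)
    try:
        return {"right": preflight(served, base), "wrong": preflight(unserved, base)}
    finally:
        srv.shutdown()
```

Against a real host, point preflight at the DocumentRoot of the vHost and at http://yourdomain instead of the local server; a 404 there means the -w path is not the directory that vHost serves.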

#3

Can you upgrade Certbot? The PPA currently has version 0.28.0. It might not help this issue, but it’s a good idea.

Can you also post “sudo apache2ctl -t -D DUMP_VHOSTS”?


#4

Hi, thanks for the answer. But when I run that command I get the error: "--dry-run currently only works with the 'certonly' or 'renew' subcommands ('run')". So, I ran the following command:

sudo certbot certonly --dry-run -w /var/www/html -d vm1361.kaj.pouta.csc.fi --preferred-challenges http-01,dns-01

and I got this error:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
-------------------------------------------------------------------------------
1: Apache Web Server plugin - Beta (apache)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)
-------------------------------------------------------------------------------
Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 3
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Cert not due for renewal, but simulating renewal for dry run
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for vm1361.kaj.pouta.csc.fi
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. vm1361.kaj.pouta.csc.fi (http-01): urn:ietf:params:acme:error:dns :: DNS problem: SERVFAIL looking up CAA for pouta.csc.fi

IMPORTANT NOTES:


#5

This may have something to do with the version:

Can you update it?


#6

This is a completely different error. Looks like Letsencrypt has confirmed your challenge but can’t check your CAA entry.

I don’t see an error with your CAA:

CAA - Entries

Domainname                flag  Name                Value  ∑ Queries  ∑ Timeout
vm1361.kaj.pouta.csc.fi   0     no CAA entry found         1          0
kaj.pouta.csc.fi          0     no CAA entry found         1          0
pouta.csc.fi              0     no CAA entry found         1          0
csc.fi                    0     no CAA entry found         1          0
fi                        0     no CAA entry found         1          0

Same with Unboundtest:

https://unboundtest.com/m/CAA/pouta.csc.fi/DINH2EPO

NoError, NoData.

But checking your complete domain with Unboundtest there is an error:

https://unboundtest.com/m/CAA/vm1361.kaj.pouta.csc.fi/7HYFF2BD

wrong 0x20-ID in reply qname.

But checking it again - it works:

https://unboundtest.com/m/CAA/vm1361.kaj.pouta.csc.fi/NPS7P6RL

So sometimes the nameserver sends wrong answers, sometimes it works.

Two checks, two different results - this is bad.