Action is required to prevent your Let's Encrypt certificate renewals from breaking


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
admin-v1.navaak.com ads.navaak.com docs.navaak.com navaak.com nvk.link publisher.navaak.com share.navaak.com
and …

I ran this command:
/usr/bin/certbot renew

It produced this output:
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.

I have got an HSTS error in the browser.

I cannot renew my certificates, and I have got an email that says "Your Let's Encrypt client used ACME TLS-SNI-01 domain validation to issue a certificate in the past 60 days."

What should I do now? It is very important and a high-load site. Please help me! Thanks

My web server is (include version):
nginx/1.14.0 (Ubuntu)

The operating system my web server runs on is (include version):
Ubuntu 18.04.1 LTS

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no


#2

We’ll need to see the full output from Certbot in order to identify why your certificates are failing to renew.


#3

/usr/bin/certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/admin-v1.sarirapp.com.conf
Cert not yet due for renewal

Processing /etc/letsencrypt/renewal/farhangapp.ir.conf
Cert not yet due for renewal

Processing /etc/letsencrypt/renewal/nvk.link.conf
Cert not yet due for renewal

Processing /etc/letsencrypt/renewal/ads.navaak.com.conf
Cert not yet due for renewal

Processing /etc/letsencrypt/renewal/backlog.navaak.com.conf
Cert not yet due for renewal

Processing /etc/letsencrypt/renewal/www.navaak.com.conf
Cert not yet due for renewal

Processing /etc/letsencrypt/renewal/docs.navaak.com.conf
Cert not yet due for renewal

Processing /etc/letsencrypt/renewal/rabbit-at.navaak.com.conf
Cert not yet due for renewal

Processing /etc/letsencrypt/renewal/backlog.sarirapp.com.conf
Cert not yet due for renewal

Processing /etc/letsencrypt/renewal/publisher.navaak.com.conf
Cert not yet due for renewal

Processing /etc/letsencrypt/renewal/navaak.com.conf
Cert not yet due for renewal

Processing /etc/letsencrypt/renewal/admin-v1.navaak.com.conf
Cert not yet due for renewal

Processing /etc/letsencrypt/renewal/sarirapp.com.conf
Cert not yet due for renewal

Processing /etc/letsencrypt/renewal/share.navaak.com.conf
Cert not yet due for renewal

Processing /etc/letsencrypt/renewal/backlog.farhangapp.ir.conf
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for backlog.farhangapp.ir
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (backlog.farhangapp.ir) from /etc/letsencrypt/renewal/backlog.farhangapp.ir.conf produced an unexpected error: Failed authorization procedure. backlog.farhangapp.ir (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://backlog.farhangapp.ir/.well-known/acme-challenge/tQfAFw3SYRpa5thbFPj85qF7LfTCaZxgPHEEhGAq7r4: "\r\n404 Not Found\r\n<body bgcolor=\"white\">\r\n404 Not Found\r\n". Skipping.

Processing /etc/letsencrypt/renewal/admin-v2.navaak.com.conf
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for admin-v2.navaak.com
http-01 challenge for admin.navaak.com
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (admin-v2.navaak.com) from /etc/letsencrypt/renewal/admin-v2.navaak.com.conf produced an unexpected error: Failed authorization procedure. admin.navaak.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://admin.navaak.com/.well-known/acme-challenge/OW69AK-iJjwGtvYCxe-YwW_5dxftfpoejEV4o7RKBT0 [188.0.240.90]: 404, admin-v2.navaak.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://admin-v2.navaak.com/.well-known/acme-challenge/GytQgU5QK9crLRf0_cJBlI7qLOk5EUQJ-ofZWvEvCM8 [188.0.240.90]: 404. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/backlog.farhangapp.ir/fullchain.pem (failure)
/etc/letsencrypt/live/admin-v2.navaak.com/fullchain.pem (failure)

The following certs are not due for renewal yet:
/etc/letsencrypt/live/admin-v1.sarirapp.com/fullchain.pem expires on 2019-03-19 (skipped)
/etc/letsencrypt/live/farhangapp.ir/fullchain.pem expires on 2019-03-19 (skipped)
/etc/letsencrypt/live/nvk.link/fullchain.pem expires on 2019-03-19 (skipped)
/etc/letsencrypt/live/ads.navaak.com/fullchain.pem expires on 2019-03-19 (skipped)
/etc/letsencrypt/live/backlog.navaak.com/fullchain.pem expires on 2019-03-19 (skipped)
/etc/letsencrypt/live/www.navaak.com/fullchain.pem expires on 2019-03-19 (skipped)
/etc/letsencrypt/live/docs.navaak.com/fullchain.pem expires on 2019-03-19 (skipped)
/etc/letsencrypt/live/rabbit-at.navaak.com/fullchain.pem expires on 2019-03-19 (skipped)
/etc/letsencrypt/live/backlog.sarirapp.com/fullchain.pem expires on 2019-03-19 (skipped)
/etc/letsencrypt/live/publisher.navaak.com/fullchain.pem expires on 2019-03-19 (skipped)
/etc/letsencrypt/live/navaak.com/fullchain.pem expires on 2019-03-19 (skipped)
/etc/letsencrypt/live/admin-v1.navaak.com/fullchain.pem expires on 2019-03-19 (skipped)
/etc/letsencrypt/live/sarirapp.com/fullchain.pem expires on 2019-03-19 (skipped)
/etc/letsencrypt/live/share.navaak.com/fullchain.pem expires on 2019-03-19 (skipped)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/backlog.farhangapp.ir/fullchain.pem (failure)
/etc/letsencrypt/live/admin-v2.navaak.com/fullchain.pem (failure)

2 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:


#4

Thanks!

So, those renewal failures are not related to the TLS-SNI email in any way.

The problem is that the webroot you have specified for those two domains in Certbot does not seem to actually correlate to the directory that is used to serve files when visiting the domain.

One option is to fix the webroot path for each of those domains so the files that Certbot writes can actually be accessed when visiting the domain.

Another option is to try to renew the domains automatically using the nginx authenticator. For example:

certbot renew --cert-name admin-v2.navaak.com -a nginx --dry-run
certbot renew --cert-name backlog.farhangapp.ir -a nginx --dry-run

#5

Thank you so much. I’ve solved this problem.
Now what should I do about TLS-SNI email?


#6

Three things.

  1. Confirm your Certbot version is 0.28 or higher:

    certbot --version
    
  2. Once (1) is resolved, ensure that you do not have any explicit references to TLS-SNI in your configuration:

    grep -Ri pref_challs /etc/letsencrypt/renewal/
    
  3. Do a full renewal dry run:

    certbot renew --dry-run

#7
  1. certbot --version
    certbot 0.26.1

  2. grep -Ri pref_challs /etc/letsencrypt/renewal/
    returns nothing

Thanks for your timely help. Now, what should I do?


#8

You need to upgrade by installing Certbot from the official Certbot Ubuntu PPA: https://certbot.eff.org/lets-encrypt/ubuntubionic-nginx

Once that’s done, do the renewal dry-run. If there are no errors there, you’re all set.


#9

After I installed certbot from the official source, my version is still old!
What should I do?

root@navaak-app# sudo apt-get install python-certbot-nginx
Reading package lists… Done
Building dependency tree
Reading state information… Done
python-certbot-nginx is already the newest version (0.28.0-1+ubuntu18.04.1+certbot+3).
0 upgraded, 0 newly installed, 0 to remove and 121 not upgraded.
root@navaak-app# certbot --version
certbot 0.26.1


#10

I have the same problem. I ran the commands from https://certbot.eff.org/lets-encrypt/ubuntubionic-nginx, and afterwards my version is still 0.22.2.


#11

Then you may have missed a step…
Please open a separate topic/ticket for this problem.


#12

Hello,
@_az, what should I check in the output of "certbot renew --dry-run"?
Success only, or other messages?

...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for xxxxxxx.net
Waiting for verification...
Cleaning up challenges
...
Congratulations, all renewals succeeded.

#13

If none failed, then you are good to go.


#14

Hi Shiva,

My guess would be that you have the version of Certbot installed from your default repos, as well as the one from the PPA. It should be a matter of just removing the one from your default repos.

You should be able to identify it with:

dpkg --list | grep -Ei "(certbot|letsencrypt)"

and removing the one that matches the version 0.26.1. Uninstalling the old Certbot will keep your data intact, as long as you remove it using your package manager.
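
The checks from #6 (steps 1 and 2) and the stale-package hunt from #14, gathered into one pre-flight script. This is an added example, not code from the thread or from the Certbot project. The renewal files and the dpkg listing it runs on are constructed so it works offline; step 3, `certbot renew --dry-run`, talks to the ACME staging server and is only printed, never run.

```sh
#!/bin/sh
# Added example, not code from the thread or from Certbot. Pre-flight check
# for the TLS-SNI-01 retirement: steps (1) and (2) of post #6 plus the
# stale-package hunt of post #14. Sample data is constructed so it runs
# offline; against a live host, call report with the real inputs:
#   report "$(certbot_version "$(certbot --version 2>&1)")" \
#          /etc/letsencrypt/renewal "$(dpkg --list)"

# Return 0 when dotted version $1 >= $2. The Debian revision ("-1+ubuntu...")
# is dropped, then components are compared as integers, so "0.28.0" >= "0.28"
# and "0.26.1" < "0.28".
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        sub(/-.*/, "", a); sub(/-.*/, "", b)
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# Step (1): bare version from `certbot --version` output ("certbot 0.26.1").
# Older releases print it on stderr, hence the 2>&1 in the usage line above.
certbot_version() {
    printf '%s\n' "$1" | awk '$1 == "certbot" { print $2; exit }'
}

# Step (2): renewal configs under $1 whose pref_challs names tls-sni-01.
# Narrower than the thread's `grep -Ri pref_challs`: a line preferring
# http-01 is harmless and is not reported. Always exits 0.
tls_sni_refs() {
    grep -Rli 'pref_challs.*tls-sni' "$1" 2>/dev/null || :
}

# Post #14: from `dpkg --list` output ($1), print installed certbot or
# letsencrypt packages below version $2, one "package version" per line.
# These are the distro-repo leftovers that shadow the PPA build.
stale_packages() {
    min=$2
    printf '%s\n' "$1" |
    awk '$1 == "ii" && $2 ~ /certbot|letsencrypt/ { print $2, $3 }' |
    while read -r pkg ver; do
        version_ge "$ver" "$min" || echo "$pkg $ver"
    done
}

# Constructed renewal directory: one config still pinned to the retired
# challenge, one already fine. Prints the directory path.
make_sample_renewal_dir() {
    d=$(mktemp -d)
    printf '[renewalparams]\nauthenticator = nginx\npref_challs = tls-sni-01,\n' \
        > "$d/old.example.com.conf"
    printf '[renewalparams]\nauthenticator = webroot\npref_challs = http-01,\n' \
        > "$d/new.example.com.conf"
    echo "$d"
}

# Constructed dpkg listing modelled on the thread: one PPA build (0.28.0)
# next to older distro leftovers.
SAMPLE_DPKG=$(cat <<'EOF'
ii  certbot                0.26.1-1+ubuntu18.04.1+certbot+2  all  ACME client (constructed sample)
ii  python-certbot-nginx   0.28.0-1+ubuntu18.04.1+certbot+3  all  transitional dummy package
ii  python3-certbot        0.26.1-1+ubuntu18.04.1+certbot+2  all  main library for certbot
ii  python3-certbot-nginx  0.25.0-2+ubuntu18.04.1+certbot+1  all  Nginx plugin for Certbot
ii  python3-acme           0.26.0-1+ubuntu18.04.1+certbot+1  all  ACME protocol library for Python 3
EOF
)

# Run every check on version $1, renewal dir $2, dpkg listing $3.
# Returns 0 only when nothing needs fixing.
report() {
    ver=$1; confdir=$2; rc=0
    if version_ge "$ver" 0.28; then
        echo "OK   certbot $ver meets the 0.28 minimum"
    else
        echo "FAIL certbot $ver is below 0.28: install the PPA build"; rc=1
    fi
    refs=$(tls_sni_refs "$confdir")
    if [ -n "$refs" ]; then
        echo "FAIL renewal configs still prefer tls-sni-01:"; echo "$refs"; rc=1
    else
        echo "OK   no renewal config under $confdir prefers tls-sni-01"
    fi
    stale=$(stale_packages "$3" 0.28)
    if [ -n "$stale" ]; then
        echo "FAIL packages below 0.28 still installed (remove via apt):"; echo "$stale"; rc=1
    else
        echo "OK   no stale certbot packages"
    fi
    echo "Next: certbot renew --dry-run   (step 3, not run by this script)"
    return $rc
}

# Stand-alone demo on the constructed data; it is expected to report FAILs.
if report "$(certbot_version 'certbot 0.26.1')" "$(make_sample_renewal_dir)" "$SAMPLE_DPKG"; then
    echo "all clear"
else
    echo "action required"
fi
```

The version comparison strips the Debian revision before comparing, which is what makes the dpkg column usable: `0.28.0-1+ubuntu18.04.1+certbot+3` is treated as `0.28.0`, while `0.26.1-1+...` and `0.25.0-2+...` come out as the stale packages to remove with the package manager.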


#15

Hi, thank you so much for your help.
This is my output:

dpkg --list | grep -Ei "(certbot|letsencrypt)"
ii certbot 0.26.1-1+ubuntu18.04.1+certbot+2 all automatically configure HTTPS using Let’s Encrypt
ii letsencrypt 0.26.1-1+ubuntu18.04.1+certbot+2 all transitional dummy package
ii python-certbot-nginx 0.28.0-1+ubuntu18.04.1+certbot+3 all transitional dummy package
ii python3-acme 0.26.0-1+ubuntu18.04.1+certbot+1 all ACME protocol library for Python 3
ii python3-certbot 0.26.1-1+ubuntu18.04.1+certbot+2 all main library for certbot
ii python3-certbot-nginx 0.25.0-2+ubuntu18.04.1+certbot+1 all Nginx plugin for Certbot
ii python3-future 0.15.2-4+ubuntu18.04.1+certbot+3 all Clean single-source support for Python 3 and 2 - Python 3.x
ii python3-parsedatetime 2.4-3+ubuntu18.04.1+certbot+3 all Python 3 module to parse human-readable date/time expressions
ii python3-requests-toolbelt 0.8.0-1+ubuntu18.04.1+certbot+1 all Utility belt for advanced users of python3-requests
ii python3-zope.component 4.3.0-1+ubuntu18.04.1+certbot+3 all Zope Component Architecture
ii python3-zope.hookable 4.0.4-4+ubuntu18.04.1+certbot+1 amd64 Hookable object support


#16

That’s a lot of out-of-date packages.

Can you run “sudo apt-get update && sudo apt-get upgrade”?


#17

All right, let me check it.
This may help you also:

/usr/bin/certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/admin-v1.sarirapp.com.conf
Cert not yet due for renewal

Processing /etc/letsencrypt/renewal/farhangapp.ir.conf
Cert not yet due for renewal

Processing /etc/letsencrypt/renewal/nvk.link.conf
Cert not yet due for renewal

Processing /etc/letsencrypt/renewal/ads.navaak.com.conf
Cert not yet due for renewal

Processing /etc/letsencrypt/renewal/backlog.navaak.com.conf
Cert not yet due for renewal

Processing /etc/letsencrypt/renewal/www.navaak.com.conf
Cert not yet due for renewal

Processing /etc/letsencrypt/renewal/docs.navaak.com.conf
Cert not yet due for renewal

Processing /etc/letsencrypt/renewal/rabbit-at.navaak.com.conf
Cert not yet due for renewal

Processing /etc/letsencrypt/renewal/backlog.sarirapp.com.conf
Cert not yet due for renewal

Processing /etc/letsencrypt/renewal/publisher.navaak.com.conf
Cert not yet due for renewal

Processing /etc/letsencrypt/renewal/navaak.com.conf
Cert not yet due for renewal

Processing /etc/letsencrypt/renewal/admin-v1.navaak.com.conf
Cert not yet due for renewal

Processing /etc/letsencrypt/renewal/sarirapp.com.conf
Cert not yet due for renewal

Processing /etc/letsencrypt/renewal/share.navaak.com.conf
Cert not yet due for renewal

Processing /etc/letsencrypt/renewal/admin.navaak.com.conf
Cert not yet due for renewal

Processing /etc/letsencrypt/renewal/backlog.farhangapp.ir.conf
Cert not yet due for renewal

Processing /etc/letsencrypt/renewal/admin-v2.navaak.com.conf
Cert not yet due for renewal

The following certs are not due for renewal yet:
/etc/letsencrypt/live/admin-v1.sarirapp.com/fullchain.pem expires on 2019-03-19 (skipped)
/etc/letsencrypt/live/farhangapp.ir/fullchain.pem expires on 2019-03-19 (skipped)
/etc/letsencrypt/live/nvk.link/fullchain.pem expires on 2019-03-19 (skipped)
/etc/letsencrypt/live/ads.navaak.com/fullchain.pem expires on 2019-03-19 (skipped)
/etc/letsencrypt/live/backlog.navaak.com/fullchain.pem expires on 2019-03-19 (skipped)
/etc/letsencrypt/live/www.navaak.com/fullchain.pem expires on 2019-03-19 (skipped)
/etc/letsencrypt/live/docs.navaak.com/fullchain.pem expires on 2019-03-19 (skipped)
/etc/letsencrypt/live/rabbit-at.navaak.com/fullchain.pem expires on 2019-03-19 (skipped)
/etc/letsencrypt/live/backlog.sarirapp.com/fullchain.pem expires on 2019-03-19 (skipped)
/etc/letsencrypt/live/publisher.navaak.com/fullchain.pem expires on 2019-03-19 (skipped)
/etc/letsencrypt/live/navaak.com/fullchain.pem expires on 2019-03-19 (skipped)
/etc/letsencrypt/live/admin-v1.navaak.com/fullchain.pem expires on 2019-03-19 (skipped)
/etc/letsencrypt/live/sarirapp.com/fullchain.pem expires on 2019-03-19 (skipped)
/etc/letsencrypt/live/share.navaak.com/fullchain.pem expires on 2019-03-19 (skipped)
/etc/letsencrypt/live/admin.navaak.com/fullchain.pem expires on 2019-04-18 (skipped)
/etc/letsencrypt/live/backlog.farhangapp.ir/fullchain.pem expires on 2019-04-18 (skipped)
/etc/letsencrypt/live/admin-v2.navaak.com/fullchain.pem expires on 2019-04-18 (skipped)
No renewals were attempted.



#18

I have run update and upgrade. This is the output:

apt-get update && apt-get upgrade
Hit:1 http://archive.ubuntu.com/ubuntu bionic InRelease
Hit:2 http://ppa.launchpad.net/certbot/certbot/ubuntu bionic InRelease
Get:3 http://archive.ubuntu.com/ubuntu bionic-updates InRelease [88.7 kB]
Get:4 http://security.ubuntu.com/ubuntu bionic-security InRelease [83.2 kB]
Get:5 http://archive.ubuntu.com/ubuntu bionic-backports InRelease [74.6 kB]
Fetched 247 kB in 2s (149 kB/s)
Reading package lists… Done
Reading package lists… Done
Building dependency tree
Reading state information… Done
Calculating upgrade… Done
The following packages have been kept back:
certbot python3-certbot
0 upgraded, 0 newly installed, 0 to remove and 2 not upgraded.


#19

I also ran this:
apt-get upgrade certbot

Now the version is higher:
certbot --version
certbot 0.28.0

and I also ran this again:
/usr/bin/certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/admin-v1.sarirapp.com.conf
Cert not yet due for renewal

Processing /etc/letsencrypt/renewal/farhangapp.ir.conf
Cert not yet due for renewal

Processing /etc/letsencrypt/renewal/nvk.link.conf
Cert not yet due for renewal

Processing /etc/letsencrypt/renewal/ads.navaak.com.conf
Cert not yet due for renewal

Processing /etc/letsencrypt/renewal/backlog.navaak.com.conf
Cert not yet due for renewal

Processing /etc/letsencrypt/renewal/www.navaak.com.conf
Cert not yet due for renewal

Processing /etc/letsencrypt/renewal/docs.navaak.com.conf
Cert not yet due for renewal

Processing /etc/letsencrypt/renewal/rabbit-at.navaak.com.conf
Cert not yet due for renewal

Processing /etc/letsencrypt/renewal/backlog.sarirapp.com.conf
Cert not yet due for renewal

Processing /etc/letsencrypt/renewal/publisher.navaak.com.conf
Cert not yet due for renewal

Processing /etc/letsencrypt/renewal/navaak.com.conf
Cert not yet due for renewal

Processing /etc/letsencrypt/renewal/admin-v1.navaak.com.conf
Cert not yet due for renewal

Processing /etc/letsencrypt/renewal/sarirapp.com.conf
Cert not yet due for renewal

Processing /etc/letsencrypt/renewal/share.navaak.com.conf
Cert not yet due for renewal

Processing /etc/letsencrypt/renewal/admin.navaak.com.conf
Cert not yet due for renewal

Processing /etc/letsencrypt/renewal/backlog.farhangapp.ir.conf
Cert not yet due for renewal

Processing /etc/letsencrypt/renewal/admin-v2.navaak.com.conf
Cert not yet due for renewal

The following certs are not due for renewal yet:
/etc/letsencrypt/live/admin-v1.sarirapp.com/fullchain.pem expires on 2019-03-19 (skipped)
/etc/letsencrypt/live/farhangapp.ir/fullchain.pem expires on 2019-03-19 (skipped)
/etc/letsencrypt/live/nvk.link/fullchain.pem expires on 2019-03-19 (skipped)
/etc/letsencrypt/live/ads.navaak.com/fullchain.pem expires on 2019-03-19 (skipped)
/etc/letsencrypt/live/backlog.navaak.com/fullchain.pem expires on 2019-03-19 (skipped)
/etc/letsencrypt/live/www.navaak.com/fullchain.pem expires on 2019-03-19 (skipped)
/etc/letsencrypt/live/docs.navaak.com/fullchain.pem expires on 2019-03-19 (skipped)
/etc/letsencrypt/live/rabbit-at.navaak.com/fullchain.pem expires on 2019-03-19 (skipped)
/etc/letsencrypt/live/backlog.sarirapp.com/fullchain.pem expires on 2019-03-19 (skipped)
/etc/letsencrypt/live/publisher.navaak.com/fullchain.pem expires on 2019-03-19 (skipped)
/etc/letsencrypt/live/navaak.com/fullchain.pem expires on 2019-03-19 (skipped)
/etc/letsencrypt/live/admin-v1.navaak.com/fullchain.pem expires on 2019-03-19 (skipped)
/etc/letsencrypt/live/sarirapp.com/fullchain.pem expires on 2019-03-19 (skipped)
/etc/letsencrypt/live/share.navaak.com/fullchain.pem expires on 2019-03-19 (skipped)
/etc/letsencrypt/live/admin.navaak.com/fullchain.pem expires on 2019-04-18 (skipped)
/etc/letsencrypt/live/backlog.farhangapp.ir/fullchain.pem expires on 2019-04-18 (skipped)
/etc/letsencrypt/live/admin-v2.navaak.com/fullchain.pem expires on 2019-04-18 (skipped)
No renewals were attempted.


So the questions are:
1. Is everything OK with our Let's Encrypt setup?
2. Have we solved the "Action is required to prevent your Let's Encrypt certificate renewals from breaking" problem?

Thanks a lot for your great support,


#20

A1. It is now up-to-date; should not be part of any remaining problem.
A2. This is unclear; it seems none of the certs were due for renewal - so it essentially checked but “did” nothing.

You would need to either force a renewal or change the names (by adding or removing a name or combining cert names) included in one of the certs to generate an actual renewal attempt.
Then we can “see” if it encounters any problems.