Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
It produced this output:
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
I have got an HSTS error in the browser.
I cannot renew my keys and I have got an email that says “Your Let’s Encrypt client used ACME TLS-SNI-01 domain validation to issue a certificate in the past 60 days.”
What should I do now? It is very important and a high-load site. Please help me! Thanks
My web server is (include version):
nginx/1.14.0 (Ubuntu)
The operating system my web server runs on is (include version):
Ubuntu 18.04.1 LTS
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don’t know): yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no
Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for backlog.farhangapp.ir
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (backlog.farhangapp.ir) from /etc/letsencrypt/renewal/backlog.farhangapp.ir.conf produced an unexpected error: Failed authorization procedure. backlog.farhangapp.ir (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://backlog.farhangapp.ir/.well-known/acme-challenge/tQfAFw3SYRpa5thbFPj85qF7LfTCaZxgPHEEhGAq7r4: “\r\n404 Not Found\r\n<body bgcolor=“white”>\r\n
Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for admin-v2.navaak.com
http-01 challenge for admin.navaak.com
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (admin-v2.navaak.com) from /etc/letsencrypt/renewal/admin-v2.navaak.com.conf produced an unexpected error: Failed authorization procedure. admin.navaak.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://admin.navaak.com/.well-known/acme-challenge/OW69AK-iJjwGtvYCxe-YwW_5dxftfpoejEV4o7RKBT0 [188.0.240.90]: 404, admin-v2.navaak.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://admin-v2.navaak.com/.well-known/acme-challenge/GytQgU5QK9crLRf0_cJBlI7qLOk5EUQJ-ofZWvEvCM8 [188.0.240.90]: 404. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/backlog.farhangapp.ir/fullchain.pem (failure)
/etc/letsencrypt/live/admin-v2.navaak.com/fullchain.pem (failure)
The following certs are not due for renewal yet:
/etc/letsencrypt/live/admin-v1.sarirapp.com/fullchain.pem expires on 2019-03-19 (skipped)
/etc/letsencrypt/live/farhangapp.ir/fullchain.pem expires on 2019-03-19 (skipped)
/etc/letsencrypt/live/nvk.link/fullchain.pem expires on 2019-03-19 (skipped)
/etc/letsencrypt/live/ads.navaak.com/fullchain.pem expires on 2019-03-19 (skipped)
/etc/letsencrypt/live/backlog.navaak.com/fullchain.pem expires on 2019-03-19 (skipped)
/etc/letsencrypt/live/www.navaak.com/fullchain.pem expires on 2019-03-19 (skipped)
/etc/letsencrypt/live/docs.navaak.com/fullchain.pem expires on 2019-03-19 (skipped)
/etc/letsencrypt/live/rabbit-at.navaak.com/fullchain.pem expires on 2019-03-19 (skipped)
/etc/letsencrypt/live/backlog.sarirapp.com/fullchain.pem expires on 2019-03-19 (skipped)
/etc/letsencrypt/live/publisher.navaak.com/fullchain.pem expires on 2019-03-19 (skipped)
/etc/letsencrypt/live/navaak.com/fullchain.pem expires on 2019-03-19 (skipped)
/etc/letsencrypt/live/admin-v1.navaak.com/fullchain.pem expires on 2019-03-19 (skipped)
/etc/letsencrypt/live/sarirapp.com/fullchain.pem expires on 2019-03-19 (skipped)
/etc/letsencrypt/live/share.navaak.com/fullchain.pem expires on 2019-03-19 (skipped)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/backlog.farhangapp.ir/fullchain.pem (failure)
/etc/letsencrypt/live/admin-v2.navaak.com/fullchain.pem (failure)
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
So, those renewal failures are not related to the TLS-SNI email in any way.
The problem is that the webroot you have specified for those two domains in Certbot does not seem to actually correlate to the directory that is used to serve files when visiting the domain.
One option is to fix the webroot path for each of those domains so the files that Certbot writes can actually be accessed when visiting the domain.
Another option is to try to renew the domains automatically using the nginx authenticator. For example:
certbot renew --cert-name admin-v2.navaak.com -a nginx --dry-run
certbot renew --cert-name backlog.farhangapp.ir -a nginx --dry-run
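One way to test the webroot mismatch described in the reply above before retrying a renewal, as an added example that is not part of the original thread. It assumes the webroot paths are recorded under `[[webroot_map]]` in Certbot's renewal files; the function names, the sample file and its hostnames are constructed for illustration.

```sh
# Added example: check that each webroot Certbot has on file is really served.
# Print "domain webroot" pairs from the [[webroot_map]] section of a renewal conf.
webroot_map() {
    awk '
        /^[ \t]*\[\[webroot_map\]\]/ { in_map = 1; next }
        /^[ \t]*\[/                  { in_map = 0 }
        in_map && (i = index($0, "=")) {
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            print k, v
        }
    ' "$1"
}

# Fetch a URL over plain HTTP, following redirects.
fetch_url() { curl -sL --max-time 10 "$1"; }

# Write a probe file where the webroot plugin would, fetch it, compare the body.
# Returns 0 if served, 1 if the server returns something else, 2 if unwritable.
probe_webroot() {
    domain=$1; root=$2; token="probe-$$"
    dir="$root/.well-known/acme-challenge"
    if ! { mkdir -p "$dir" && printf '%s' "$token" > "$dir/$token"; } 2>/dev/null; then
        echo "$domain: cannot write to $dir"; return 2
    fi
    body=$(fetch_url "http://$domain/.well-known/acme-challenge/$token") || body=""
    rm -f "$dir/$token"
    if [ "$body" = "$token" ]; then
        echo "$domain: OK, $root is what the server serves"
    else
        echo "$domain: MISMATCH, files written to $root are not served"; return 1
    fi
}

# Constructed sample of the relevant part of a renewal file (placeholder names).
sample_conf() {
    cat <<'EOF'
[renewalparams]
authenticator = webroot
[[webroot_map]]
app.example.test = /var/www/app
api.example.test = /srv/api/public
EOF
}

# Probe every name in the renewal files given as arguments (none given: no-op).
for conf in "$@"; do
    webroot_map "$conf" | while read -r d r; do probe_webroot "$d" "$r"; done
done
```

Saved under a name of your choosing and run as root with the files in /etc/letsencrypt/renewal/ as arguments, a MISMATCH line identifies a name whose http-01 challenge file will not be found at the URL the validation server requests.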
After I install certbot from official, my version is old!
What should I do?
root@navaak-app# sudo apt-get install python-certbot-nginx
Reading package lists... Done
Building dependency tree
Reading state information... Done
python-certbot-nginx is already the newest version (0.28.0-1+ubuntu18.04.1+certbot+3).
0 upgraded, 0 newly installed, 0 to remove and 121 not upgraded.
root@navaak-app# certbot --version
certbot 0.26.1
Hello,
@_az, what should I check in output of “certbot renew --dry-run” ?
Success only or other message ?
...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for xxxxxxx.net
Waiting for verification...
Cleaning up challenges
...
Congratulations, all renewals succeeded.
My guess would be that you have the version of Certbot installed from your default repos, as well as the one from the PPA. It should be a matter of just removing the one from your default repos.
You should be able to identify it with:
dpkg --list | grep -Ei "(certbot|letsencrypt)"
and removing the one that matches the version 0.26.1. Uninstalling the old Certbot will keep your data intact, as long as you remove it using your package manager.
Hi, Thank you so much for your help.
This is my output:
dpkg --list | grep -Ei "(certbot|letsencrypt)"
ii certbot 0.26.1-1+ubuntu18.04.1+certbot+2 all automatically configure HTTPS using Let's Encrypt
ii letsencrypt 0.26.1-1+ubuntu18.04.1+certbot+2 all transitional dummy package
ii python-certbot-nginx 0.28.0-1+ubuntu18.04.1+certbot+3 all transitional dummy package
ii python3-acme 0.26.0-1+ubuntu18.04.1+certbot+1 all ACME protocol library for Python 3
ii python3-certbot 0.26.1-1+ubuntu18.04.1+certbot+2 all main library for certbot
ii python3-certbot-nginx 0.25.0-2+ubuntu18.04.1+certbot+1 all Nginx plugin for Certbot
ii python3-future 0.15.2-4+ubuntu18.04.1+certbot+3 all Clean single-source support for Python 3 and 2 - Python 3.x
ii python3-parsedatetime 2.4-3+ubuntu18.04.1+certbot+3 all Python 3 module to parse human-readable date/time expressions
ii python3-requests-toolbelt 0.8.0-1+ubuntu18.04.1+certbot+1 all Utility belt for advanced users of python3-requests
ii python3-zope.component 4.3.0-1+ubuntu18.04.1+certbot+3 all Zope Component Architecture
ii python3-zope.hookable 4.0.4-4+ubuntu18.04.1+certbot+1 amd64 Hookable object support
The following certs are not due for renewal yet:
/etc/letsencrypt/live/admin-v1.sarirapp.com/fullchain.pem expires on 2019-03-19 (skipped)
/etc/letsencrypt/live/farhangapp.ir/fullchain.pem expires on 2019-03-19 (skipped)
/etc/letsencrypt/live/nvk.link/fullchain.pem expires on 2019-03-19 (skipped)
/etc/letsencrypt/live/ads.navaak.com/fullchain.pem expires on 2019-03-19 (skipped)
/etc/letsencrypt/live/backlog.navaak.com/fullchain.pem expires on 2019-03-19 (skipped)
/etc/letsencrypt/live/www.navaak.com/fullchain.pem expires on 2019-03-19 (skipped)
/etc/letsencrypt/live/docs.navaak.com/fullchain.pem expires on 2019-03-19 (skipped)
/etc/letsencrypt/live/rabbit-at.navaak.com/fullchain.pem expires on 2019-03-19 (skipped)
/etc/letsencrypt/live/backlog.sarirapp.com/fullchain.pem expires on 2019-03-19 (skipped)
/etc/letsencrypt/live/publisher.navaak.com/fullchain.pem expires on 2019-03-19 (skipped)
/etc/letsencrypt/live/navaak.com/fullchain.pem expires on 2019-03-19 (skipped)
/etc/letsencrypt/live/admin-v1.navaak.com/fullchain.pem expires on 2019-03-19 (skipped)
/etc/letsencrypt/live/sarirapp.com/fullchain.pem expires on 2019-03-19 (skipped)
/etc/letsencrypt/live/share.navaak.com/fullchain.pem expires on 2019-03-19 (skipped)
/etc/letsencrypt/live/admin.navaak.com/fullchain.pem expires on 2019-04-18 (skipped)
/etc/letsencrypt/live/backlog.farhangapp.ir/fullchain.pem expires on 2019-04-18 (skipped)
/etc/letsencrypt/live/admin-v2.navaak.com/fullchain.pem expires on 2019-04-18 (skipped)
No renewals were attempted.
I have run update and upgrade. This is the output:
apt-get update && apt-get upgrade
Hit:1 Index of /ubuntu bionic InRelease
Hit:2 Index of /certbot/certbot/ubuntu bionic InRelease
Get:3 Index of /ubuntu bionic-updates InRelease [88.7 kB]
Get:4 Index of /ubuntu bionic-security InRelease [83.2 kB]
Get:5 Index of /ubuntu bionic-backports InRelease [74.6 kB]
Fetched 247 kB in 2s (149 kB/s)
Reading package lists... Done
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following packages have been kept back:
certbot python3-certbot
0 upgraded, 0 newly installed, 0 to remove and 2 not upgraded.
The following certs are not due for renewal yet:
/etc/letsencrypt/live/admin-v1.sarirapp.com/fullchain.pem expires on 2019-03-19 (skipped)
/etc/letsencrypt/live/farhangapp.ir/fullchain.pem expires on 2019-03-19 (skipped)
/etc/letsencrypt/live/nvk.link/fullchain.pem expires on 2019-03-19 (skipped)
/etc/letsencrypt/live/ads.navaak.com/fullchain.pem expires on 2019-03-19 (skipped)
/etc/letsencrypt/live/backlog.navaak.com/fullchain.pem expires on 2019-03-19 (skipped)
/etc/letsencrypt/live/www.navaak.com/fullchain.pem expires on 2019-03-19 (skipped)
/etc/letsencrypt/live/docs.navaak.com/fullchain.pem expires on 2019-03-19 (skipped)
/etc/letsencrypt/live/rabbit-at.navaak.com/fullchain.pem expires on 2019-03-19 (skipped)
/etc/letsencrypt/live/backlog.sarirapp.com/fullchain.pem expires on 2019-03-19 (skipped)
/etc/letsencrypt/live/publisher.navaak.com/fullchain.pem expires on 2019-03-19 (skipped)
/etc/letsencrypt/live/navaak.com/fullchain.pem expires on 2019-03-19 (skipped)
/etc/letsencrypt/live/admin-v1.navaak.com/fullchain.pem expires on 2019-03-19 (skipped)
/etc/letsencrypt/live/sarirapp.com/fullchain.pem expires on 2019-03-19 (skipped)
/etc/letsencrypt/live/share.navaak.com/fullchain.pem expires on 2019-03-19 (skipped)
/etc/letsencrypt/live/admin.navaak.com/fullchain.pem expires on 2019-04-18 (skipped)
/etc/letsencrypt/live/backlog.farhangapp.ir/fullchain.pem expires on 2019-04-18 (skipped)
/etc/letsencrypt/live/admin-v2.navaak.com/fullchain.pem expires on 2019-04-18 (skipped)
No renewals were attempted.
So the questions are:
1- Is everything ok with our lets encrypt?
2- Have we solved the "Action is required to prevent your Let's Encrypt certificate renewals from breaking." problem?
A1. It is now up-to-date; should not be part of any remaining problem.
A2. This is unclear; it seems none of the certs were due for renewal - so it essentially checked but "did" nothing.
You would need to either force a renewal or change the names (by adding or removing a name or combining cert names) included in one of the certs to generate an actual renewal attempt.
Then we can "see" if it encounters any problems.