All but one of my certs renew

My domain is: https://mail.westcoasttechnology.net/

I ran this command: sudo certbot renew

It produced this output:

Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for mail.westcoasttechnology.net
Cleaning up challenges
Attempting to renew cert (mail.westcoasttechnology.net) from /etc/letsencrypt/renewal/mail.westcoasttechnology.net.conf produced an unexpected error: Missing command line flag or config entry for this setting:
Input the webroot for mail.westcoasttechnology.net:. Skipping.

My web server is: nginx/1.14.2

The operating system my web server runs on is: Raspbian GNU/Linux 10 (buster)

My hosting provider is: n/a

I can login to a root shell on my machine: Yes

I'm using a control panel to manage my site: No

The version of my client is: certbot 0.31.0

More info:

I have seven domain names, all currently running on the same home server. Six of them renew fine, one doesn't. A few weeks back when it was about to expire I tried a bunch of stuff (can't remember what), but all I got was different errors. I know that when I first set it all up I issued a certificate for *.westcoasttechnology.net, I then decided that I only wanted the certificate for the mail subdomain, so reissued that, and everything seemed to work. I think it's even renewed once without issue, but not now. The other odd thing is that the certificate for *.westcoasttechnology.net HAS been reissued, but I can't find anywhere in my setup where that should happen.

If I run:

sudo certbot certonly --webroot --webroot-path /var/www/mail.westcoasttechnology.net/ --renew-by-default --email REMOVED --agree-tos -d mail.westcoasttechnology.net

I get:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for mail.westcoasttechnology.net
Using the webroot path /var/www/mail.westcoasttechnology.net for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. mail.westcoasttechnology.net (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://mail.westcoasttechnology.net/.well-known/acme-challenge/6WYSpdd-oaN6lcCh10LxLXjUOw-b9FZx5KV91queO3A [2606:4700:3032::6815:23e0]: "<!DOCTYPE html>\n<!--[if lt IE 7]> <html class=\"no-js ie6 oldie\" lang=\"en-US\"> <![endif]-->\n<!--[if IE 7]>    <html class=\"no-js "

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: mail.westcoasttechnology.net
   Type:   unauthorized
   Detail: Invalid response from
   https://mail.westcoasttechnology.net/.well-known/acme-challenge/6WYSpdd-oaN6lcCh10LxLXjUOw-b9FZx5KV91queO3A
   [2606:4700:3032::6815:23e0]: "<!DOCTYPE html>\n<!--[if lt IE 7]>
   <html class=\"no-js ie6 oldie\" lang=\"en-US\">
   <![endif]-->\n<!--[if IE 7]>    <html class=\"no-js "

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

I'm pretty new to all this, so any pointers would be great! :slight_smile:

2 Likes
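The two failures in the post above are a renewal file with no webroot for the domain, and an HTTP challenge answered by an HTML error page instead of the token. The following pre-flight check is an added example (not certbot's own code and not from the thread); the renewal file contents and domain names are constructed, and `SAMPLE_CONF` only mimics the layout of `/etc/letsencrypt/renewal/<name>.conf` as written by certbot 0.31.

```python
import re

# Constructed sample modelled on /etc/letsencrypt/renewal/<name>.conf (certbot 0.31).
# A domain with no [[webroot_map]] entry and no webroot_path is exactly the case that
# yields "Missing command line flag or config entry ... Input the webroot for ...".
SAMPLE_CONF = """\
version = 0.31.0
archive_dir = /etc/letsencrypt/archive/mail.example.net
cert = /etc/letsencrypt/live/mail.example.net/cert.pem

# Options used in the renewal process
[renewalparams]
authenticator = webroot
server = https://acme-v02.api.letsencrypt.org/directory
[[webroot_map]]
www.example.net = /var/www/www.example.net
"""

def parse_renewal_conf(text):
    """Parse the configobj-style renewal file into {section: {key: value}}.
    Top-level keys live under "", [[webroot_map]] becomes its own dict."""
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[+\s*(\w+)\s*\]+", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip()] = value.strip()
    return sections

def domains_without_webroot(conf_text, domains):
    """Return the domains certbot will have no webroot for at renewal time."""
    conf = parse_renewal_conf(conf_text)
    params = conf.get("renewalparams", {})
    if params.get("authenticator") != "webroot":
        return []  # dns-01 and other authenticators need no webroot
    wmap = conf.get("webroot_map", {})
    fallback = params.get("webroot_path", "").strip(",").strip()
    return [d for d in domains if d not in wmap and not fallback]

def classify_challenge_response(body, key_authz):
    """Classify what the CA saw at /.well-known/acme-challenge/<token>."""
    stripped = body.strip()
    if stripped == key_authz:
        return "ok"
    if stripped.lower().startswith("<!doctype html") or "<html" in stripped.lower():
        return "html-page"  # a proxy/CDN error page was served instead of the token file
    return "unexpected"
```

Run `domains_without_webroot` over each renewal file before `certbot renew`; a non-empty result means the renewal will fail in the same way as the post above, and the fix is adding the `[[webroot_map]]` entry (or re-running `certonly --webroot` with the right path) rather than touching DNS.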

@MyHeadHertz Welcome to the community.

I am not overly familiar with Cloudflare although I do use the AWS CDN so understand the concepts.

I also see you are following one of the Cloudflare 'recipes' for getting a cert.

I only have time to make a couple of notes. Perhaps someone else will be able to assist more thoroughly. No one had responded in 4H so I thought I'd at least reply. Without further ado:

I am guessing your Cloudflare account is the one renewing the wildcard cert. CF has a number of options for cert setup but it terminates the connection to the client and needs a cert for that. Here it describes those modes:

My second note is that the instructions you are following from CF are for sites already working. But, I cannot reach your site.

From a browser I receive Error 526 Invalid SSL certificate. It is a Cloudflare error page with several suggestions if you are the owner of the site. Try contacting your site from a browser for these:
http://mail.westcoasttechnology.net

One idea to resolve this that I can suggest is to use the Flexible SSL model in Cloudflare to not require a cert on your mail domain server until you get a valid cert. Refer to the above link I provided.

I am sorry that is all I have time for at the moment. Hope this helps.

3 Likes

Have a look at the output of:
certbot certificates

And also have a look at any certs managed by CloudFlare (on your behalf).

3 Likes

Thank you, the certificate for *.westcoasttechnology.net is being reissued by CloudFlare as an "Edge Certificate". They used Let's Encrypt, which confused me for a bit.

3 Likes

Thanks for the reply. :slight_smile:

My second note is that the instructions you are following from CF are for sites already working. But, I cannot reach your site.

Yes, the site was working a few months ago when I first set this all up.

One idea to resolve this that I can suggest is to use the Flexible SSL model in Cloudflare to not require a cert on your mail domain server until you get a valid cert.

Now that I've done that I get "Error 522 Connection timed out" instead.

I was able to issue a new certificate using the DNS challenge, but that's not a good long term solution for me, and anyway I still can't access my site because of the time out. I'm guessing the reason why it wouldn't renew in the first place was because the site was timing out.

So, probably not a letsencrypt issue, but a cloudflare or nginx issue. I just have to work out why a site that was working suddenly starts to time out, when all the other sites on the same server work fine.

:crying_cat_face:

3 Likes

I think you have something fundamentally wrong between Cloudflare and your origin server. You said you were not that familiar so I suggest starting at the beginning and review each config step. Something must have changed to cause the breakdown.

You might try following the advice from Let's Debug.

Especially note the items at the bottom of that page, which are fully explained by the topic I linked to in my earlier post.

Those are the static results from my test. To run a new test use:
https://letsdebug.net/

3 Likes

Welcome to the Let's Encrypt Community :slightly_smiling_face:

Understanding the basics helps greatly:

In particular, you want to use the Full SSL option, not the Full (strict) SSL option.

You might want to consider using Cloudflare Origin CA certificates rather than Let's Encrypt certificates.

This should help with understanding Cloudflare's error messages:

3 Likes

:scream:

Note that the Flexible SSL option can be dangerous as it can deceive visitors into believing their connections have end-to-end encryption when they do not.

Please realize that I'm being overly dramatic here to encourage caution about the Flexible SSL option. @MikeMcQ has the right idea about using it for testing. Please though, for the love of God, don't leave it set permanently.

2 Likes

Thanks for the links. I'm going to go step by step till I work out what I've messed up.

3 Likes

Thank you. I think you're right. I'm working for the next few days, but then I'm going to start from the beginning and try to work it out. I'll post an update if I fix it. :slight_smile:

4 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.