Apache Running at 100% - Certbot Unable To Renew Certificate


#1

Hi,

I am using Let's Encrypt on my mail server and have been for almost a month now.

I am now no longer able to access my webmail website as the certificate needs to be renewed.

When I try to renew using certbot the process fails with:

“Attempting to renew cert from /etc/letsencrypt/renewal/mail.mydomain.com.conf produced an unexpected error: Failed authorization procedure. mail.mydomain.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to ... for tls-sni-01 challenge. Skipping.”

I have confirmed my IP is correct and 443 is forwarded to my mail server correctly.

Help…


#2

Please fill out the fields below so we can help you better.

My domain is:

I ran this command:

It produced this output:

My operating system is (include version):

My web server is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):


#3

My domain is:
(not for public)

I ran this command:
certbot renew

It produced this output:
certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/mail.mydomain.com.conf

Cert is due for renewal, auto-renewing…
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for mail.mydomain.com
Waiting for verification…
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/mail.mydomain.com.conf produced an unexpected error: Failed authorization procedure. mail.mydomain.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to 180.181.172.135:443 for tls-sni-01 challenge. Skipping.

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/mail.mydomain.com/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: mail.mydomain.com
    Type: connection
    Detail: Failed to connect to ?.?.?.?:443 for tls-sni-01
    challenge

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

My operating system is (include version):
Debian GNU/Linux 8

My web server is (include version):
Server version: Apache/2.4.10 (Debian)

My hosting provider, if applicable, is:
N/A

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No


#4

Fixed.

Apache was hung at 100% and I was unable to stop it.

I disabled the service from starting at boot and restarted the server.

Upon restart Apache was not running and the “certbot renew” command worked.

After re-enabling Apache at startup and rebooting the server all the children are playing nicely again.

I suspect that Apache @ 100% was due to the certificate being expired and I do wonder why the cron job failed to renew it. Running the cron command manually works…

Guess I just need to see what happens in 90 days.
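The renewal only got noticed once the certificate had already expired. As an added example (not from this thread or from certbot), here is a small checker that parses the output of `certbot renew` as shown above, reports which lineage failed and why, and exits non-zero so a cron wrapper can alert. The sample output is constructed after the thread's; `mail.example.com` and `192.0.2.10` are placeholders.

```python
import re
import sys

# Constructed sample modelled on the thread's certbot output (placeholder domain and IP).
SAMPLE_OUTPUT = """\
Processing /etc/letsencrypt/renewal/mail.example.com.conf

Cert is due for renewal, auto-renewing...
Attempting to renew cert from /etc/letsencrypt/renewal/mail.example.com.conf produced an unexpected error: Failed authorization procedure. mail.example.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to 192.0.2.10:443 for tls-sni-01 challenge. Skipping.

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/mail.example.com/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)
"""

# Per-lineage result line, e.g. "/etc/letsencrypt/live/<name>/fullchain.pem (failure)"
RESULT_RE = re.compile(r"^/etc/letsencrypt/live/([^/]+)/fullchain\.pem \((success|failure)\)$")
# ACME authorization error: domain, challenge type, error type, summary, detail
AUTHZ_RE = re.compile(
    r"Failed authorization procedure\. (\S+) \(([\w-]+)\): urn:acme:error:(\w+) :: (.*?) :: (.*?)\. Skipping\."
)
# Final tally line printed by certbot
TALLY_RE = re.compile(r"^(\d+) renew failure\(s\), (\d+) parse failure\(s\)$")


def parse_renew_output(text):
    """Summarise certbot renew output: lineage status, per-domain authz error, failure counts."""
    summary = {"certs": {}, "errors": {}, "renew_failures": 0, "parse_failures": 0}
    for line in text.splitlines():
        line = line.strip()
        m = RESULT_RE.match(line)
        if m:
            summary["certs"][m.group(1)] = m.group(2)
            continue
        m = AUTHZ_RE.search(line)
        if m:
            domain, challenge, err_type, _summary, detail = m.groups()
            summary["errors"][domain] = {"challenge": challenge, "type": err_type, "detail": detail}
            continue
        m = TALLY_RE.match(line)
        if m:
            summary["renew_failures"], summary["parse_failures"] = int(m.group(1)), int(m.group(2))
    return summary


def renewal_ok(summary):
    """True only when certbot counted no failures and every listed lineage succeeded."""
    return (summary["renew_failures"] == 0 and summary["parse_failures"] == 0
            and all(status == "success" for status in summary["certs"].values()))


if __name__ == "__main__":
    text = SAMPLE_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    result = parse_renew_output(text)
    for domain, err in result["errors"].items():
        print(f"ALERT {domain}: {err['challenge']} {err['type']}: {err['detail']}")
    sys.exit(0 if renewal_ok(result) else 1)
```

Run from cron as `certbot renew 2>&1 | python3 check_renew.py` (file name assumed); the non-zero exit and the ALERT line let cron's MAILTO or a monitoring hook surface a failed renewal weeks before expiry instead of after it.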


#5

I suspect that Apache @ 100% was due to the certificate being expired

explain reasoning?

When you restarted Apache you still had an expired certificate however the usage was not at 100%?

Sorry, it’s just that too many people on this forum assume the certificates are the root cause of their issues without investigation

Andrei


#6

Highly unlikely–Apache will happily serve an expired certificate (as it doesn’t have any concept of certificate validity anyway). Look for the problem elsewhere on your server, if you care to troubleshoot further. But yes, Apache being stuck at 100% would likely prevent or delay it from responding to connection requests, which would cause validation to fail.

…or probably closer to 60 days, which is when the renewal would run by default.


#7

Yes.
With cert expired when Apache restarted it hung at 100%.
With Apache @ 100% the cert renewal failed.
Upon restart Apache returned to 100%
Disabled Apache and rebooted.
With Apache disabled I was able to renew cert
With cert renewed upon restart Apache did not hang at 100%
All working.


#8

root@mail:~# service apache2 stop
root@mail:~# service apache2 start

top shows apache running normally.

root@mail:~# service apache2 stop
root@mail:~# certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/mail.mydomain.com.au.conf

Cert not due for renewal, but simulating renewal for dry run
Starting new HTTPS connection (1): acme-staging.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for mail.mydomain.com.au
Waiting for verification…
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0005_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0005_csr-certbot.pem
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/mail.mydomain.com.au/fullchain.pem (success)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)
root@mail:~# service apache2 start
Job for apache2.service failed. See ‘systemctl status apache2.service’ and ‘journalctl -xn’ for details.

top shows apache hung at 100%.

root@mail:~# reboot


#9

Why are you stopping apache before running the renewal?


#10

top shows apache running normally

root@mail:~# service apache2 stop
root@mail:~# service apache2 start
root@mail:~# certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/mail.mydomain.com.conf

Cert not due for renewal, but simulating renewal for dry run
Starting new HTTPS connection (1): acme-staging.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for mail.mydomain.com
Waiting for verification…
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0006_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0006_csr-certbot.pem
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/mail.mydomain.com/fullchain.pem (success)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)

top shows apache hung at 100%

root@mail:~# reboot

