I am using Let's Encrypt on my mail server and have been for almost a month now.
I am now no longer able to access my webmail website as the certificate needs to be renewed.
When I try to renew using certbot the process fails with:
“Attempting to renew cert from /etc/letsencrypt/renewal/mail.mydomain.com.conf produced an unexpected error: Failed authorization procedure. mail.mydomain.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to ... for tls-sni-01 challenge. Skipping.”
I have confirmed my IP is correct and 443 is forwarded to my mail server correctly.
Cert is due for renewal, auto-renewing…
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for mail.mydomain.com
Waiting for verification…
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/mail.mydomain.com.conf produced an unexpected error: Failed authorization procedure. mail.mydomain.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to 180.181.172.135:443 for tls-sni-01 challenge. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/mail.mydomain.com/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:
The following errors were reported by the server:
Domain: mail.mydomain.com
Type: connection
Detail: Failed to connect to ?.?.?.?:443 for tls-sni-01
challenge
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you’re using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
My operating system is (include version):
Debian GNU/Linux 8
My web server is (include version):
Server version: Apache/2.4.10 (Debian)
My hosting provider, if applicable, is:
N/A
I can login to a root shell on my machine (yes or no, or I don’t know):
Yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No
Apache was hung at 100% and I was unable to stop it.
I disabled the service from starting at boot and restarted the server.
Upon restart Apache was not running and the “certbot renew” command worked.
After re-enabling Apache at startup and rebooting the server all the children are playing nicely again.
I suspect that Apache @ 100% was due to the certificate being expired and I do wonder why the cron job failed to renew it. Running the cron command manually works…
Highly unlikely--Apache will happily serve an expired certificate (as it doesn't have any concept of certificate validity anyway). Look for the problem elsewhere on your server, if you care to troubleshoot further. But yes, Apache being stuck at 100% would likely prevent or delay it from responding to connection requests, which would cause validation to fail.
...or probably closer to 60 days, which is when the renewal would run by default.
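A way to make the cron job's outcome visible, as an added example that is not code from this thread or from certbot itself: the Python script below parses `certbot renew` output of the kind posted above, records which authorizations failed and with which ACME error type, and exits non-zero so cron can mail the summary instead of the failure going unnoticed until the certificate has expired. The two samples embedded in it are constructed to mirror the thread's output, using an example domain and a documentation IP address; the hint text is this editor's, not certbot's.

```python
"""Parse `certbot renew` output and turn it into an alertable report.

Added example for this thread (not certbot's own code). The samples are
constructed to mirror the output posted above; the domain, IP and paths
are placeholders.
"""
import re
import sys
from dataclasses import dataclass, field

# Constructed failure sample modelled on the thread (192.0.2.10 is a documentation address).
SAMPLE_FAILURE = """\
Cert is due for renewal, auto-renewing...
Performing the following challenges:
tls-sni-01 challenge for mail.example.com
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/mail.example.com.conf produced an unexpected error: Failed authorization procedure. mail.example.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to 192.0.2.10:443 for tls-sni-01 challenge. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/mail.example.com/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)
"""

# Constructed success sample modelled on the dry-run output in the thread.
SAMPLE_SUCCESS = """\
Cert not due for renewal, but simulating renewal for dry run
** DRY RUN: simulating 'certbot renew' close to cert expiry
Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/mail.example.com/fullchain.pem (success)
"""

ERROR_RE = re.compile(
    r"Attempting to renew cert from (?P<conf>\S+) produced an unexpected error: "
    r".*?(?P<domain>[\w.-]+) \((?P<challenge>[\w-]+)\): "
    r"(?P<code>urn:acme:error:[\w-]+) :: (?P<detail>.*?)\. Skipping\.$"
)
RESULT_RE = re.compile(r"^\s*(?P<path>/\S+) \((?P<status>success|failure)\)$")
SUMMARY_RE = re.compile(r"(?P<renew>\d+) renew failure\(s\), (?P<parse>\d+) parse failure\(s\)")

# Operator-side reading of the error type seen in this thread (hypothetical hint text).
HINTS = {
    "urn:acme:error:connection": (
        "The authority could not open a connection to this host on the challenge port. "
        "Check that the web server process is actually answering (a hung Apache fails here), "
        "then the port forward/firewall, then the DNS A record."
    ),
}


@dataclass
class RenewalReport:
    dry_run: bool = False
    failures: list = field(default_factory=list)      # one dict per failed authorization
    renewed: list = field(default_factory=list)       # lineage paths reported as success
    not_renewed: list = field(default_factory=list)   # lineage paths reported as failure
    renew_failures: int = 0
    parse_failures: int = 0

    @property
    def ok(self) -> bool:
        return not (self.failures or self.not_renewed or self.renew_failures or self.parse_failures)


def parse_certbot_output(text: str) -> RenewalReport:
    """Extract per-domain errors, per-lineage results and the final tally."""
    report = RenewalReport()
    for line in text.splitlines():
        if "DRY RUN" in line:
            report.dry_run = True
        m = ERROR_RE.search(line)
        if m:
            report.failures.append(m.groupdict())
            continue
        m = RESULT_RE.match(line)
        if m:
            (report.renewed if m["status"] == "success" else report.not_renewed).append(m["path"])
            continue
        m = SUMMARY_RE.search(line)
        if m:
            report.renew_failures, report.parse_failures = int(m["renew"]), int(m["parse"])
    return report


def summarize(report: RenewalReport) -> str:
    """Short summary suitable for a cron mail or a single log entry."""
    if report.ok:
        mode = "dry run" if report.dry_run else "renewal"
        return f"OK: {mode} succeeded for {len(report.renewed)} certificate(s)"
    lines = [f"FAILED: {report.renew_failures} renew failure(s), {report.parse_failures} parse failure(s)"]
    for f in report.failures:
        lines.append(f"  {f['domain']} [{f['challenge']}] {f['code']}: {f['detail']}")
        lines.append(f"    hint: {HINTS.get(f['code'], 'Unrecognised ACME error type; read the detail text.')}")
    lines.extend(f"  not renewed: {path}" for path in report.not_renewed)
    return "\n".join(lines)


if __name__ == "__main__":
    # `certbot renew 2>&1 | python3 renew_report.py -` reads stdin; no argument uses the sample.
    text = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_FAILURE
    report = parse_certbot_output(text)
    print(summarize(report))
    sys.exit(0 if report.ok else 1)
```

Run it from cron as `certbot renew 2>&1 | python3 renew_report.py -` with MAILTO set, so a non-zero exit and the summary reach someone. The hint for `urn:acme:error:connection` is the point of this thread: the authority could not reach port 443 because the web server was not answering, so the first check is whether the listener responds, before the port forward or DNS. tls-sni-01 has since been retired by Let's Encrypt; the parser keys on the ACME error type rather than the challenge name, so the same wrapper applies to http-01 output.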
Yes.
With cert expired when Apache restarted it hung at 100%.
With Apache @ 100% the cert renewal failed.
Upon restart Apache returned to 100%.
Disabled Apache and rebooted.
With Apache disabled I was able to renew cert.
With cert renewed upon restart Apache did not hang at 100%.
All working.
Cert not due for renewal, but simulating renewal for dry run
Starting new HTTPS connection (1): acme-staging.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for mail.mydomain.com.au
Waiting for verification…
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0005_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0005_csr-certbot.pem
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)
Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/mail.mydomain.com.au/fullchain.pem (success)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)
root@mail:~# service apache2 start
Job for apache2.service failed. See ‘systemctl status apache2.service’ and ‘journalctl -xn’ for details.
Cert not due for renewal, but simulating renewal for dry run
Starting new HTTPS connection (1): acme-staging.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for mail.mydomain.com
Waiting for verification…
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0006_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0006_csr-certbot.pem
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)
Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/mail.mydomain.com/fullchain.pem (success)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)