Are --pre-hook and --post-hook AND /etc/letsencrypt/renewal-hooks scripts mutually exclusive?

Can I have both at the same time? – if yes, in which order are they run?

It seems that the opening and closing of ports 80 and 443 were not run by the
cronjob, leading to a cert renewal failure. The renewal hook scripts did run, however.
After manually opening the ports and re-running, the renewal cronjob did work, though.

Using certbot-auto standalone, version 0.35.1 on Debian/Jessie

Regards,
jf

The cronjob:

0 0,12 * * * python -c 'import random; import time; time.sleep(random.random() * 3600)' && /root/bin/certbot-auto renew --pre-hook "service aee stop" --post-hook "service aee start" --quiet

/etc/letsencrypt/renewal-hooks/post/disable_http
#!/bin/sh
# Post hook: remove the ACCEPT rules that enable_http inserted, closing 80/443 again.
IPTABLES=/sbin/iptables
$IPTABLES -D INPUT -i eth0 -p tcp -m conntrack --ctstate NEW -m tcp --dport 80 -j ACCEPT
$IPTABLES -D INPUT -i eth0 -p tcp -m conntrack --ctstate NEW -m tcp --dport 443 -j ACCEPT

/etc/letsencrypt/renewal-hooks/pre/enable_http
#!/bin/sh
# Pre hook: accept new inbound TCP connections on 80/443 so the standalone
# authenticator can answer the http-01 challenge.
IPTABLES=/sbin/iptables
$IPTABLES -I INPUT -i eth0 -p tcp -m conntrack --ctstate NEW -m tcp --dport 80 -j ACCEPT
$IPTABLES -I INPUT -i eth0 -p tcp -m conntrack --ctstate NEW -m tcp --dport 443 -j ACCEPT

/etc/letsencrypt/renewal/mydomain.com.conf

renew_before_expiry = 30 days

version = 0.35.1
archive_dir = /etc/letsencrypt/archive/mydomain.com
cert = /etc/letsencrypt/live/mydomain.com/cert.pem
privkey = /etc/letsencrypt/live/mydomain.com/privkey.pem
chain = /etc/letsencrypt/live/mydomain.com/chain.pem
fullchain = /etc/letsencrypt/live/mydomain.com/fullchain.pem

# Options used in the renewal process

[renewalparams]
authenticator = standalone
account = ******************
server = https://acme-v02.api.letsencrypt.org/directory
post_hook = service aee start
pre_hook = service aee stop

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: dow172.bic.mni.mcgill.ca

I ran this command: /root/bin/certbot-auto renew --pre-hook "service aee stop" --post-hook "service aee start" --quiet

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version): Debian/Jessie

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.35.1

According to the User Guide (Certbot 2.7.0.dev0 documentation):

Hooks specified in the command line, configuration file, or renewal configuration files are run as usual after running all hooks in these directories.

So yes, you can have both, and the directory hooks run first. You can confirm this by putting an echo in the script files and another one in the command-line hooks; the output should be visible in the logs (and in the terminal, if you omit --quiet).

The hook files need to be executable; are they? They'll be silently ignored otherwise.

What does the log in /var/log/letsencrypt say?

1 Like

The hooks files are executable by root, which is the user running the cronjob.

The log file is long, but here it is anyway:

2019-06-24 12:04:47,337:DEBUG:certbot.main:certbot version: 0.35.1
2019-06-24 12:04:47,337:DEBUG:certbot.main:Arguments: [’–pre-hook’, ‘service zmc_aee stop’, ‘–post-hook’, ‘service zmc_aee start’, ‘–quiet’]
2019-06-24 12:04:47,338:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2019-06-24 12:04:47,344:DEBUG:certbot.plugins.util:Can’t find service, attempting PATH mitigation by adding /usr/sbin:/usr/local/bin:/usr/local/sbin
2019-06-24 12:04:47,352:DEBUG:certbot.log:Root logging level set at 30
2019-06-24 12:04:47,352:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2019-06-24 12:04:47,381:DEBUG:certbot.plugins.selection:Requested authenticator <certbot.cli._Default object at 0x7f81c5058790> and installer <certbot.cli._Default object at 0x7f81c5058790>
2019-06-24 12:04:47,406:DEBUG:certbot.storage:Should renew, less than 30 days before certificate expiry 2019-07-22 18:52:44 UTC.
2019-06-24 12:04:47,406:INFO:certbot.renewal:Cert is due for renewal, auto-renewing…
2019-06-24 12:04:47,406:INFO:certbot.renewal:Non-interactive renewal: random delay of 261 seconds
2019-06-24 12:09:08,507:DEBUG:certbot.plugins.selection:Requested authenticator standalone and installer None
2019-06-24 12:09:08,511:DEBUG:certbot.plugins.selection:Single candidate plugin: * standalone
Description: Spin up a temporary webserver
Interfaces: IAuthenticator, IPlugin
Entry point: standalone = certbot.plugins.standalone:Authenticator
Initialized: <certbot.plugins.standalone.Authenticator object at 0x7f81c5061990>
Prep: True
2019-06-24 12:09:08,512:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.standalone.Authenticator object at 0x7f81c5061990> and installer None
2019-06-24 12:09:08,512:INFO:certbot.plugins.selection:Plugins selected: Authenticator standalone, Installer None
2019-06-24 12:09:08,515:DEBUG:certbot.main:Picked account: <Account(RegistrationResource(body=Registration(status=None, terms_of_service_agreed=None, agreement=None, only_return_existing=None, contact=(), key=None, external_account_binding=None), uri=u’https://acme-v02.api.letsencrypt.org/acme/acct/55758895’, new_authzr_uri=None, terms_of_service=None), efb73e26c0091d03d8b70f24dd9aaa7a, Meta(creation_host=u’dow172.bic.mni.mcgill.ca’, creation_dt=datetime.datetime(2019, 4, 23, 19, 35, 32, tzinfo=)))>
2019-06-24 12:09:08,516:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2019-06-24 12:09:08,518:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
2019-06-24 12:09:08,948:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 “GET /directory HTTP/1.1” 200 658
2019-06-24 12:09:08,949:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 658
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Mon, 24 Jun 2019 16:09:08 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 24 Jun 2019 16:09:08 GMT
Connection: keep-alive

{
“JPU31qFHovw”: “Adding random entries to the directory”,
“keyChange”: “https://acme-v02.api.letsencrypt.org/acme/key-change”,
“meta”: {
“caaIdentities”: [
letsencrypt.org
],
“termsOfService”: “https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf”,
“website”: “https://letsencrypt.org
},
“newAccount”: “https://acme-v02.api.letsencrypt.org/acme/new-acct”,
“newNonce”: “https://acme-v02.api.letsencrypt.org/acme/new-nonce”,
“newOrder”: “https://acme-v02.api.letsencrypt.org/acme/new-order”,
“revokeCert”: “https://acme-v02.api.letsencrypt.org/acme/revoke-cert
}
2019-06-24 12:09:08,949:INFO:certbot.hooks:Running pre-hook command: /etc/letsencrypt/renewal-hooks/pre/enable_http
2019-06-24 12:09:08,956:INFO:certbot.hooks:Running pre-hook command: service zmc_aee stop
2019-06-24 12:09:10,036:INFO:certbot.hooks:Output from pre-hook command service:
ZMC: 20190624120908:Stopping ZMC:
ZMC: 20190624120908:Stopping ZMC Web Interface
ZMC: 20190624120908:Stopping ZMC Database …
ZMC: 20190624120908:ZMC Database Stopped.
ZMC: 20190624120908:ZMC Stopped.
[ OK ]

2019-06-24 12:09:10,036:INFO:certbot.main:Renewing an existing certificate
2019-06-24 12:09:10,145:DEBUG:certbot.crypto_util:Generating key (2048 bits): /etc/letsencrypt/keys/0007_key-certbot.pem
2019-06-24 12:09:10,147:DEBUG:certbot.crypto_util:Creating CSR: /etc/letsencrypt/csr/0007_csr-certbot.pem
2019-06-24 12:09:10,147:DEBUG:acme.client:Requesting fresh nonce
2019-06-24 12:09:10,147:DEBUG:acme.client:Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce.
2019-06-24 12:09:10,296:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 “HEAD /acme/new-nonce HTTP/1.1” 200 0
2019-06-24 12:09:10,296:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Link: https://acme-v02.api.letsencrypt.org/directory;rel=“index”
Replay-Nonce: RJm6w-Plaxr-2WRJih0pZGJ74P-EdJJh2ij3uj6WLnU
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Content-Length: 0
Expires: Mon, 24 Jun 2019 16:09:10 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 24 Jun 2019 16:09:10 GMT
Connection: keep-alive

2019-06-24 12:09:10,297:DEBUG:acme.client:Storing nonce: RJm6w-Plaxr-2WRJih0pZGJ74P-EdJJh2ij3uj6WLnU
2019-06-24 12:09:10,297:DEBUG:acme.client:JWS payload:
{
“identifiers”: [
{
“type”: “dns”,
“value”: “dow172.bic.mni.mcgill.ca”
}
]
}
2019-06-24 12:09:10,299:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/new-order:
{
“protected”: “eyJub25jZSI6ICJSSm02dy1QbGF4ci0yV1JKaWgwcFpHSjc0UC1FZEpKaDJpajN1ajZXTG5VIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9uZXctb3JkZXIiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvNTU3NTg4OTUiLCAiYWxnIjogIlJTMjU2In0”,
“payload”: “ewogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwgCiAgICAgICJ2YWx1ZSI6ICJkb3cxNzIuYmljLm1uaS5tY2dpbGwuY2EiCiAgICB9CiAgXQp9”,
“signature”: “FIJj8M_m4ZwYJ0AV2gSCuAIF_6ANPtKlc-bnElZ_WzKtcknfOg4c355rw2t76qT6QtKUDG4VK8onXiNDFith5f5h5hNBkfEVkX3RGYqVF-3Cntk2pNbWooz7Nrx0jk2yrH0VBfUaCzPVEpfjBBElbj-FdqP8b1sATt23-aE_BCBL0CJArsHepVgQumx3gYJj2z2zZBbK-5NLKuZxCMIf2QNSjiyk2_8LduOPELR7TV6P54zjxGIK1xJXAY3gXlznXSO4n5jCJKHoQk3TWNnQF_MHSb627rlMRh9vRKp7RFYr3pluSBCDOFfp8RLmgVWsEmyzGI4J-D6mZ0-I6inZpQ”
}
2019-06-24 12:09:10,477:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 “POST /acme/new-order HTTP/1.1” 201 383
2019-06-24 12:09:10,478:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Content-Type: application/json
Content-Length: 383
Boulder-Requester: 55758895
Link: https://acme-v02.api.letsencrypt.org/directory;rel=“index”
Location: https://acme-v02.api.letsencrypt.org/acme/order/55758895/611579995
Replay-Nonce: WSDaIuEG62AuE52q9977Md1zxe1s-EU4JhX6Wt4KelA
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Mon, 24 Jun 2019 16:09:10 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 24 Jun 2019 16:09:10 GMT
Connection: keep-alive

{
“status”: “pending”,
“expires”: “2019-07-01T16:09:10.394741716Z”,
“identifiers”: [
{
“type”: “dns”,
“value”: “dow172.bic.mni.mcgill.ca”
}
],
“authorizations”: [
https://acme-v02.api.letsencrypt.org/acme/authz/1w40WXqiJJxXQDxlNHik9mNPo5p1cMPywUx_8-79OgI
],
“finalize”: “https://acme-v02.api.letsencrypt.org/acme/finalize/55758895/611579995
}
2019-06-24 12:09:10,478:DEBUG:acme.client:Storing nonce: WSDaIuEG62AuE52q9977Md1zxe1s-EU4JhX6Wt4KelA
2019-06-24 12:09:10,478:DEBUG:acme.client:JWS payload:

2019-06-24 12:09:10,479:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz/1w40WXqiJJxXQDxlNHik9mNPo5p1cMPywUx_8-79OgI:
{
“protected”: “eyJub25jZSI6ICJXU0RhSXVFRzYyQXVFNTJxOTk3N01kMXp4ZTFzLUVVNEpoWDZXdDRLZWxBIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei8xdzQwV1hxaUpKeFhRRHhsTkhpazltTlBvNXAxY01QeXdVeF84LTc5T2dJIiwgImtpZCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hY2N0LzU1NzU4ODk1IiwgImFsZyI6ICJSUzI1NiJ9”,
“payload”: “”,
“signature”: “M2VgX5gniM-LxZ2_f9MQ3dYLATQFsfYOc8mEGeqYqkPwI1I4Va2GGtjo-qsajwIBTN6JtTSUYUBNF-bTMRndkzujdqHp5q3JZ8HfsSOo0cIJseqae62TD-1525C9OZNm_r0Z1A6rW3B0Ka6Gqs8d-2CWgfrPeoumy-c_o3nXHv_2-nd-DCC7iRxY2AqZk39qY0RpbEgQPARCmU6EtgjuDARpuWxEJLKiXM2Bh6zm4HK5aKgL-nn0SGR_Ia5EKU2H7iqqwv5H2nBtXbYud5XR-qgP1V45UL66FJmtFIlDo6Cl9XGou_ykz7ebxwNcLQOCrrlIsdoLR9iQ_j8_oM3LpA”
}
2019-06-24 12:09:10,622:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 “POST /acme/authz/1w40WXqiJJxXQDxlNHik9mNPo5p1cMPywUx_8-79OgI HTTP/1.1” 200 919
2019-06-24 12:09:10,624:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 919
Boulder-Requester: 55758895
Link: https://acme-v02.api.letsencrypt.org/directory;rel=“index”
Replay-Nonce: ohmWXc9Xl_4XidisVn-ZOBd1CmwjrCFbt9jWyWIxV_w
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Mon, 24 Jun 2019 16:09:10 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 24 Jun 2019 16:09:10 GMT
Connection: keep-alive

{
“identifier”: {
“type”: “dns”,
“value”: “dow172.bic.mni.mcgill.ca”
},
“status”: “pending”,
“expires”: “2019-07-01T16:09:10Z”,
“challenges”: [
{
“type”: “dns-01”,
“status”: “pending”,
“url”: “https://acme-v02.api.letsencrypt.org/acme/challenge/1w40WXqiJJxXQDxlNHik9mNPo5p1cMPywUx_8-79OgI/17464270633”,
“token”: “FVv8yBNKlV2eWKqwxdeAC4UUqP-v4yNudmcglp3kGlM”
},
{
“type”: “http-01”,
“status”: “pending”,
“url”: “https://acme-v02.api.letsencrypt.org/acme/challenge/1w40WXqiJJxXQDxlNHik9mNPo5p1cMPywUx_8-79OgI/17464270634”,
“token”: “qgCBX988LQH_GYzeQ10TFnNQo1EHh_YU9546iMxb-Dc”
},
{
“type”: “tls-alpn-01”,
“status”: “pending”,
“url”: “https://acme-v02.api.letsencrypt.org/acme/challenge/1w40WXqiJJxXQDxlNHik9mNPo5p1cMPywUx_8-79OgI/17464270635”,
“token”: “WnN8fiEh0tNerSTLylYlez4mYxOIHCSh-N4iod1zaaE”
}
]
}
2019-06-24 12:09:10,624:DEBUG:acme.client:Storing nonce: ohmWXc9Xl_4XidisVn-ZOBd1CmwjrCFbt9jWyWIxV_w
2019-06-24 12:09:10,624:INFO:certbot.auth_handler:Performing the following challenges:
2019-06-24 12:09:10,624:INFO:certbot.auth_handler:http-01 challenge for dow172.bic.mni.mcgill.ca
2019-06-24 12:09:10,625:DEBUG:acme.standalone:Successfully bound to :80 using IPv6
2019-06-24 12:09:10,625:DEBUG:acme.standalone:Certbot wasn’t able to bind to :80 using IPv4, this is often expected due to the dual stack nature of IPv6 socket implementations.
2019-06-24 12:09:10,628:INFO:certbot.auth_handler:Waiting for verification…
2019-06-24 12:09:10,628:DEBUG:acme.client:JWS payload:
{
“type”: “http-01”,
“resource”: “challenge”
}
2019-06-24 12:09:10,629:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/challenge/1w40WXqiJJxXQDxlNHik9mNPo5p1cMPywUx_8-79OgI/17464270634:
{
“protected”: “eyJub25jZSI6ICJvaG1XWGM5WGxfNFhpZGlzVm4tWk9CZDFDbXdqckNGYnQ5ald5V0l4Vl93IiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9jaGFsbGVuZ2UvMXc0MFdYcWlKSnhYUUR4bE5IaWs5bU5QbzVwMWNNUHl3VXhfOC03OU9nSS8xNzQ2NDI3MDYzNCIsICJraWQiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC81NTc1ODg5NSIsICJhbGciOiAiUlMyNTYifQ”,
“payload”: “ewogICJ0eXBlIjogImh0dHAtMDEiLCAKICAicmVzb3VyY2UiOiAiY2hhbGxlbmdlIgp9”,
“signature”: “AUUI7YuUEYR5nyh3KYX3GOI5Rq-Rn0xUWwfx9xqIf882r45CNoaaG-R1FvAn_-SkhPUadBLMhRk2MxCNtURd2G4d35vBsrhArUEXMWrQN9qH__HqCPhSZ4W5uMX94YCg8w6p7Mjv_JnB2Z_gb5I1g6DHgUpoQ2GhFDbYMzCDWTLEb7LLBNpjhvpSasSRrcCcSDh4mBPNSxaofVpwUSqRKHt_1-2dm3H_iGlxHB7hN_J0J9xzmb4_g22-G-FAZA_B0Gh2lVqBN0PotMaBRmD-l5HMJpzS1I230T-PYS4qaq0PilWQnyFlw5XuKZB8adNB1WNZ1AfIB-ThpVezM5bPpQ”
}
2019-06-24 12:09:10,741:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 “POST /acme/challenge/1w40WXqiJJxXQDxlNHik9mNPo5p1cMPywUx_8-79OgI/17464270634 HTTP/1.1” 200 224
2019-06-24 12:09:10,741:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 224
Boulder-Requester: 55758895
Link: https://acme-v02.api.letsencrypt.org/directory;rel=“index”, https://acme-v02.api.letsencrypt.org/acme/authz/1w40WXqiJJxXQDxlNHik9mNPo5p1cMPywUx_8-79OgI;rel=“up”
Location: https://acme-v02.api.letsencrypt.org/acme/challenge/1w40WXqiJJxXQDxlNHik9mNPo5p1cMPywUx_8-79OgI/17464270634
Replay-Nonce: KSqht4LlRwgLmnbjQI5FQhFapiIw8aqr3-wo-9vQnvc
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Mon, 24 Jun 2019 16:09:10 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 24 Jun 2019 16:09:10 GMT
Connection: keep-alive

{
“type”: “http-01”,
“status”: “pending”,
“url”: “https://acme-v02.api.letsencrypt.org/acme/challenge/1w40WXqiJJxXQDxlNHik9mNPo5p1cMPywUx_8-79OgI/17464270634”,
“token”: “qgCBX988LQH_GYzeQ10TFnNQo1EHh_YU9546iMxb-Dc”
}
2019-06-24 12:09:10,742:DEBUG:acme.client:Storing nonce: KSqht4LlRwgLmnbjQI5FQhFapiIw8aqr3-wo-9vQnvc
2019-06-24 12:09:11,743:DEBUG:acme.client:JWS payload:

2019-06-24 12:09:11,745:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz/1w40WXqiJJxXQDxlNHik9mNPo5p1cMPywUx_8-79OgI:
{
“protected”: “eyJub25jZSI6ICJLU3FodDRMbFJ3Z0xtbmJqUUk1RlFoRmFwaUl3OGFxcjMtd28tOXZRbnZjIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei8xdzQwV1hxaUpKeFhRRHhsTkhpazltTlBvNXAxY01QeXdVeF84LTc5T2dJIiwgImtpZCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hY2N0LzU1NzU4ODk1IiwgImFsZyI6ICJSUzI1NiJ9”,
“payload”: “”,
“signature”: “TLXhOvmOJC6txr-2FfEd6dsU8u2ykQoqC2jCRYbHYvzHIc8nUXPo4o1WaSOrBR5iM3XFbrXd7ymKizobDgvN3iLCGvQEo_Vz9ECVW-kvko-wWgYLvwuHqu60p6Buo82OjR1_bd24NVxeVexHMwqiYpbPhjPg3aNAfsasM8m6icr-oBDAA0Uy5uid-0_shT4HvjRVm_tEvfYeRy4hEdVsevelTWpf7x6agu3bHbinDMRQOMJWR4CApluRDZxZy2nONSurm7Ajdku15QP5K8kxBeu1v1hkPKjQmJdb1W5oHupAsKUt5zRzbiKsCrr7Q0ICzEt0FasJgTsHtCC_uiwG4g”
}
2019-06-24 12:09:11,895:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 “POST /acme/authz/1w40WXqiJJxXQDxlNHik9mNPo5p1cMPywUx_8-79OgI HTTP/1.1” 200 919
2019-06-24 12:09:11,895:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 919
Boulder-Requester: 55758895
Link: https://acme-v02.api.letsencrypt.org/directory;rel=“index”
Replay-Nonce: eckVLAcTOFyKyNaDIRijIv0j4Jnqu74WK9qtLBOE5JY
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Mon, 24 Jun 2019 16:09:11 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 24 Jun 2019 16:09:11 GMT
Connection: keep-alive

{
“identifier”: {
“type”: “dns”,
“value”: “dow172.bic.mni.mcgill.ca”
},
“status”: “pending”,
“expires”: “2019-07-01T16:09:10Z”,
“challenges”: [
{
“type”: “dns-01”,
“status”: “pending”,
“url”: “https://acme-v02.api.letsencrypt.org/acme/challenge/1w40WXqiJJxXQDxlNHik9mNPo5p1cMPywUx_8-79OgI/17464270633”,
“token”: “FVv8yBNKlV2eWKqwxdeAC4UUqP-v4yNudmcglp3kGlM”
},
{
“type”: “http-01”,
“status”: “pending”,
“url”: “https://acme-v02.api.letsencrypt.org/acme/challenge/1w40WXqiJJxXQDxlNHik9mNPo5p1cMPywUx_8-79OgI/17464270634”,
“token”: “qgCBX988LQH_GYzeQ10TFnNQo1EHh_YU9546iMxb-Dc”
},
{
“type”: “tls-alpn-01”,
“status”: “pending”,
“url”: “https://acme-v02.api.letsencrypt.org/acme/challenge/1w40WXqiJJxXQDxlNHik9mNPo5p1cMPywUx_8-79OgI/17464270635”,
“token”: “WnN8fiEh0tNerSTLylYlez4mYxOIHCSh-N4iod1zaaE”
}
]
}
2019-06-24 12:09:11,896:DEBUG:acme.client:Storing nonce: eckVLAcTOFyKyNaDIRijIv0j4Jnqu74WK9qtLBOE5JY
2019-06-24 12:09:14,899:DEBUG:acme.client:JWS payload:

2019-06-24 12:09:14,901:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz/1w40WXqiJJxXQDxlNHik9mNPo5p1cMPywUx_8-79OgI:
{
“protected”: “eyJub25jZSI6ICJlY2tWTEFjVE9GeUt5TmFESVJpakl2MGo0Sm5xdTc0V0s5cXRMQk9FNUpZIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei8xdzQwV1hxaUpKeFhRRHhsTkhpazltTlBvNXAxY01QeXdVeF84LTc5T2dJIiwgImtpZCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hY2N0LzU1NzU4ODk1IiwgImFsZyI6ICJSUzI1NiJ9”,
“payload”: “”,
“signature”: “gJ6V5g5JlQe2h1xGeaqG3R0td4-6RoyLcVGaUekwwvOlNqNoMZiab4NTREkAxnvkU8TXkdH43h8J-nm0WXCb9VrFyesKXXUGLI6sr_hzpIIiEDQitENzFqXmVMcyMKRqwFYVSwiRmDEbOfwFd1zJz3Xg4TpLdWSpqJoHMBx61-xhsQ33Bi4D0iG51Me8ga-qRlA42uWSxTjCNXAbN7Iu48O7xjt_ozjW41jlaEwhgFrLq-29OpYdJSHilSDATR8PcX1RIxE6uC6uS8E5MKU2-lrLGzRSravXDEKI9zW_W8LOdImKfB3b8C-0HMPmZPHQXfB9SB1k25R_doKk93p1xQ”
}
2019-06-24 12:09:14,998:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 “POST /acme/authz/1w40WXqiJJxXQDxlNHik9mNPo5p1cMPywUx_8-79OgI HTTP/1.1” 200 919
2019-06-24 12:09:14,999:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 919
Boulder-Requester: 55758895
Link: https://acme-v02.api.letsencrypt.org/directory;rel=“index”
Replay-Nonce: YwveQJDzi5XGc0dP74PP1QBSG2ZmzOiddKDz7GkT0JE
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Mon, 24 Jun 2019 16:09:14 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 24 Jun 2019 16:09:14 GMT
Connection: keep-alive

{
“identifier”: {
“type”: “dns”,
“value”: “dow172.bic.mni.mcgill.ca”
},
“status”: “pending”,
“expires”: “2019-07-01T16:09:10Z”,
“challenges”: [
{
“type”: “dns-01”,
“status”: “pending”,
“url”: “https://acme-v02.api.letsencrypt.org/acme/challenge/1w40WXqiJJxXQDxlNHik9mNPo5p1cMPywUx_8-79OgI/17464270633”,
“token”: “FVv8yBNKlV2eWKqwxdeAC4UUqP-v4yNudmcglp3kGlM”
},
{
“type”: “http-01”,
“status”: “pending”,
“url”: “https://acme-v02.api.letsencrypt.org/acme/challenge/1w40WXqiJJxXQDxlNHik9mNPo5p1cMPywUx_8-79OgI/17464270634”,
“token”: “qgCBX988LQH_GYzeQ10TFnNQo1EHh_YU9546iMxb-Dc”
},
{
“type”: “tls-alpn-01”,
“status”: “pending”,
“url”: “https://acme-v02.api.letsencrypt.org/acme/challenge/1w40WXqiJJxXQDxlNHik9mNPo5p1cMPywUx_8-79OgI/17464270635”,
“token”: “WnN8fiEh0tNerSTLylYlez4mYxOIHCSh-N4iod1zaaE”
}
]
}
2019-06-24 12:09:14,999:DEBUG:acme.client:Storing nonce: YwveQJDzi5XGc0dP74PP1QBSG2ZmzOiddKDz7GkT0JE
2019-06-24 12:09:18,003:DEBUG:acme.client:JWS payload:

2019-06-24 12:09:18,004:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz/1w40WXqiJJxXQDxlNHik9mNPo5p1cMPywUx_8-79OgI:
{
“protected”: “eyJub25jZSI6ICJZd3ZlUUpEemk1WEdjMGRQNzRQUDFRQlNHMlptek9pZGRLRHo3R2tUMEpFIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei8xdzQwV1hxaUpKeFhRRHhsTkhpazltTlBvNXAxY01QeXdVeF84LTc5T2dJIiwgImtpZCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hY2N0LzU1NzU4ODk1IiwgImFsZyI6ICJSUzI1NiJ9”,
“payload”: “”,
“signature”: “MfP8tBrxzAuNvmfElB7frfz0-Ko2t94aXRVUFDUvMKJe4oBiYxd33fn9NScPtkQDaOek9ZDXiM54XJ6uHXZm05QWKY858d7AdeBXRXHrJ_AJuS-XV-IzGSmUn-xp9gdqwaDerX9Uo2GfrVW7Kc_vBqy_U98tGKiNOA7XDvShoS4moZmAT8JNIGuLmC7uHM5FvMxuSHxGRPwrNVpFo8mGfU4KtG-aGghrVfH1vfJu9pQEETjJASQphDqe3QrGws0IQZC4HObCuyRlgymo_WQngvpUWN-EXCaTju0yrNKFQ2QUCQxFr3X6h3HOsD6lAbvpKBOQBHFH-aJ4CH-lYifVGw”
}
2019-06-24 12:09:18,192:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 “POST /acme/authz/1w40WXqiJJxXQDxlNHik9mNPo5p1cMPywUx_8-79OgI HTTP/1.1” 200 919
2019-06-24 12:09:18,193:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 919
Boulder-Requester: 55758895
Link: https://acme-v02.api.letsencrypt.org/directory;rel=“index”
Replay-Nonce: qXYD8ml_sZpxd5aqi1b2foo9Et3AU1JdOFisuwIs1hI
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Mon, 24 Jun 2019 16:09:18 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 24 Jun 2019 16:09:18 GMT
Connection: keep-alive

{
“identifier”: {
“type”: “dns”,
“value”: “dow172.bic.mni.mcgill.ca”
},
“status”: “pending”,
“expires”: “2019-07-01T16:09:10Z”,
“challenges”: [
{
“type”: “dns-01”,
“status”: “pending”,
“url”: “https://acme-v02.api.letsencrypt.org/acme/challenge/1w40WXqiJJxXQDxlNHik9mNPo5p1cMPywUx_8-79OgI/17464270633”,
“token”: “FVv8yBNKlV2eWKqwxdeAC4UUqP-v4yNudmcglp3kGlM”
},
{
“type”: “http-01”,
“status”: “pending”,
“url”: “https://acme-v02.api.letsencrypt.org/acme/challenge/1w40WXqiJJxXQDxlNHik9mNPo5p1cMPywUx_8-79OgI/17464270634”,
“token”: “qgCBX988LQH_GYzeQ10TFnNQo1EHh_YU9546iMxb-Dc”
},
{
“type”: “tls-alpn-01”,
“status”: “pending”,
“url”: “https://acme-v02.api.letsencrypt.org/acme/challenge/1w40WXqiJJxXQDxlNHik9mNPo5p1cMPywUx_8-79OgI/17464270635”,
“token”: “WnN8fiEh0tNerSTLylYlez4mYxOIHCSh-N4iod1zaaE”
}
]
}
2019-06-24 12:09:18,193:DEBUG:acme.client:Storing nonce: qXYD8ml_sZpxd5aqi1b2foo9Et3AU1JdOFisuwIs1hI
2019-06-24 12:09:21,197:DEBUG:acme.client:JWS payload:

2019-06-24 12:09:21,198:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz/1w40WXqiJJxXQDxlNHik9mNPo5p1cMPywUx_8-79OgI:
{
“protected”: “eyJub25jZSI6ICJxWFlEOG1sX3NacHhkNWFxaTFiMmZvbzlFdDNBVTFKZE9GaXN1d0lzMWhJIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei8xdzQwV1hxaUpKeFhRRHhsTkhpazltTlBvNXAxY01QeXdVeF84LTc5T2dJIiwgImtpZCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hY2N0LzU1NzU4ODk1IiwgImFsZyI6ICJSUzI1NiJ9”,
“payload”: “”,
“signature”: “ExtS1RvGdGcVFzAE7W7UlwsaONgFXgXX98xg2a5khcvLGC47I2YATaWvgMmut0rqfYkT_g_g8pWHuipX3k-asplBxRSf5S90rYy_xVxpd4qer_49lTeu5xGKxyD-w3SZjJ3NBC1eN8W0IQwfD5xgJZOh2yBEcXg59hfyC9Oxu1uVHpAW7-SBcG7G4A3IfsVcC1Ab6UrwCGklAUI_kQrRguecsRXKvidcz9rHRdP0Xhk6A3seLzL5kTY72Nn8JxpzjgHlwbdG11SZiAaViXvTevetm0rT0gKCUkT6-JDI3dlUDPEVtN0S2hwpIb4f4LKLj3WfchS5Vn2gxtv7mRaFLQ”
}
2019-06-24 12:09:21,332:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 “POST /acme/authz/1w40WXqiJJxXQDxlNHik9mNPo5p1cMPywUx_8-79OgI HTTP/1.1” 200 1576
2019-06-24 12:09:21,333:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 1576
Boulder-Requester: 55758895
Link: https://acme-v02.api.letsencrypt.org/directory;rel=“index”
Replay-Nonce: a-rx0mASwAoEsa09uNPkVwnnT6Kc3ujrkAkg0U4B-Gk
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Mon, 24 Jun 2019 16:09:21 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 24 Jun 2019 16:09:21 GMT
Connection: keep-alive

{
“identifier”: {
“type”: “dns”,
“value”: “dow172.bic.mni.mcgill.ca”
},
“status”: “invalid”,
“expires”: “2019-07-01T16:09:10Z”,
“challenges”: [
{
“type”: “dns-01”,
“status”: “invalid”,
“url”: “https://acme-v02.api.letsencrypt.org/acme/challenge/1w40WXqiJJxXQDxlNHik9mNPo5p1cMPywUx_8-79OgI/17464270633”,
“token”: “FVv8yBNKlV2eWKqwxdeAC4UUqP-v4yNudmcglp3kGlM”
},
{
“type”: “http-01”,
“status”: “invalid”,
“error”: {
“type”: “urn:ietf:params:acme:error:connection”,
“detail”: “Fetching http://dow172.bic.mni.mcgill.ca/.well-known/acme-challenge/qgCBX988LQH_GYzeQ10TFnNQo1EHh_YU9546iMxb-Dc: Timeout during connect (likely firewall problem)”,
“status”: 400
},
“url”: “https://acme-v02.api.letsencrypt.org/acme/challenge/1w40WXqiJJxXQDxlNHik9mNPo5p1cMPywUx_8-79OgI/17464270634”,
“token”: “qgCBX988LQH_GYzeQ10TFnNQo1EHh_YU9546iMxb-Dc”,
“validationRecord”: [
{
“url”: “http://dow172.bic.mni.mcgill.ca/.well-known/acme-challenge/qgCBX988LQH_GYzeQ10TFnNQo1EHh_YU9546iMxb-Dc”,
“hostname”: “dow172.bic.mni.mcgill.ca”,
“port”: “80”,
“addressesResolved”: [
“132.206.201.3”
],
“addressUsed”: “132.206.201.3”
}
]
},
{
“type”: “tls-alpn-01”,
“status”: “invalid”,
“url”: “https://acme-v02.api.letsencrypt.org/acme/challenge/1w40WXqiJJxXQDxlNHik9mNPo5p1cMPywUx_8-79OgI/17464270635”,
“token”: “WnN8fiEh0tNerSTLylYlez4mYxOIHCSh-N4iod1zaaE”
}
]
}
2019-06-24 12:09:21,333:DEBUG:acme.client:Storing nonce: a-rx0mASwAoEsa09uNPkVwnnT6Kc3ujrkAkg0U4B-Gk
2019-06-24 12:09:21,333:WARNING:certbot.auth_handler:Challenge failed for domain dow172.bic.mni.mcgill.ca
2019-06-24 12:09:21,334:INFO:certbot.auth_handler:http-01 challenge for dow172.bic.mni.mcgill.ca
2019-06-24 12:09:21,334:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:

Domain: dow172.bic.mni.mcgill.ca
Type: connection
Detail: Fetching http://dow172.bic.mni.mcgill.ca/.well-known/acme-challenge/qgCBX988LQH_GYzeQ10TFnNQo1EHh_YU9546iMxb-Dc: Timeout during connect (likely firewall problem)

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you’re using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.
2019-06-24 12:09:21,334:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
File “/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/auth_handler.py”, line 90, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, best_effort)
File “/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/auth_handler.py”, line 154, in _poll_authorizations
raise errors.AuthorizationError(‘Some challenges have failed.’)
AuthorizationError: Some challenges have failed.

2019-06-24 12:09:21,334:DEBUG:certbot.error_handler:Calling registered functions
2019-06-24 12:09:21,334:INFO:certbot.auth_handler:Cleaning up challenges
2019-06-24 12:09:21,335:DEBUG:certbot.plugins.standalone:Stopping server at :::80…
2019-06-24 12:09:21,638:WARNING:certbot.renewal:Attempting to renew cert (dow172.bic.mni.mcgill.ca) from /etc/letsencrypt/renewal/dow172.bic.mni.mcgill.ca.conf produced an unexpected error: Some challenges have failed… Skipping.
2019-06-24 12:09:21,639:DEBUG:certbot.renewal:Traceback was:
Traceback (most recent call last):
File “/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/renewal.py”, line 449, in handle_renewal_request
main.renew_cert(lineage_config, plugins, renewal_candidate)
File “/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py”, line 1205, in renew_cert
renewed_lineage = _get_and_save_cert(le_client, config, lineage=lineage)
File “/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py”, line 115, in _get_and_save_cert
renewal.renew_cert(config, domains, le_client, lineage)
File “/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/renewal.py”, line 307, in renew_cert
new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
File “/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/client.py”, line 349, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File “/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/client.py”, line 385, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
File “/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/auth_handler.py”, line 90, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, best_effort)
File “/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/auth_handler.py”, line 154, in _poll_authorizations
raise errors.AuthorizationError(‘Some challenges have failed.’)
AuthorizationError: Some challenges have failed.

2019-06-24 12:09:21,640:ERROR:certbot.renewal:All renewal attempts failed. The following certs could not be renewed:
2019-06-24 12:09:21,640:ERROR:certbot.renewal: /etc/letsencrypt/live/dow172.bic.mni.mcgill.ca/fullchain.pem (failure)
2019-06-24 12:09:21,641:INFO:certbot.hooks:Running post-hook command: /etc/letsencrypt/renewal-hooks/post/disable_http
2019-06-24 12:09:21,649:INFO:certbot.hooks:Running post-hook command: service zmc_aee start
2019-06-24 12:09:24,259:INFO:certbot.hooks:Output from post-hook command service:
ZMC: 20190624120921:Starting ZMC 3.3.47637:
ZMC: 20190624120921:Checking ZMC Installation:
ZMC: 20190624120921:ZMC Installation OK
ZMC: 20190624120921:Initializing ZMC
ZMC: 20190624120921:Starting ZMC Database …
ZMC: 20190624120921:ZMC Database Started.
ZMC: 20190624120921:ZMC amreport_wrapper.sh started
ZMC: 20190624120924:Running ZMC report update tool for all backup sets as low-priority, background job.
ZMC: 20190624120921:Starting ZMC Web Interface
ZMC: 20190624120921:ZMC Started.
[ OK ]

2019-06-24 12:09:24,259:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
File “/opt/eff.org/certbot/venv/bin/letsencrypt”, line 11, in
sys.exit(main())
File “/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py”, line 1379, in main
return config.func(config, plugins)
File “/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py”, line 1284, in renew
renewal.handle_renewal_request(config)
File “/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/renewal.py”, line 474, in handle_renewal_request
len(renew_failures), len(parse_failures)))
Error: 1 renew failure(s), 0 parse failure(s)

regards,
jf

Hi @jfmalouin

these are different commands.

1 Like

OK, I edited the output before sending it for a slight obfuscation. You caught it.
It’s really ‘service zmc_aee’ start and stop.

regards,
jf

1 Like

Seems the hooks are indeed running, in the expected order.

Do you mean you manually ran the enable_http script? Or did you manually open the ports some other way?

1 Like

Well, that's rather embarrassing!
The pre and post scripts did contain an error: they had the wrong network interfaces hard-coded in them!
I would have assumed that running 'certbot-auto renew --dry-run' would have caught that.

Anyway, sorry to have wasted your time on an obvious mistake on my part!
Thanks, jf

2 Likes
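The hook scripts in the thread hard-code the interface and insert/delete rules blindly. As an added example, not from the original post or from Certbot, here is the same pre/post pair written to pick the interface from the default route at run time, to insert a rule only when it is absent, and to remove every copy on the post side (the log above shows post hooks run even after a failed renewal). The function names, the LOG_TAG, and the file-name dispatch are my own; it assumes iptables with the -C check flag, iproute2's ip, and root.

```shell
#!/bin/sh
# Added example (not from the original post): a certbot renewal hook that opens
# ports 80/443 in the pre phase and closes them again in the post phase.
# Install it as /etc/letsencrypt/renewal-hooks/pre/enable_http and copy it to
# /etc/letsencrypt/renewal-hooks/post/disable_http; the file name selects the
# action. Assumes iptables (with -C, the rule check flag), iproute2 `ip`, root.
set -eu

IPTABLES=${IPTABLES:-/sbin/iptables}
IP=${IP:-/sbin/ip}
PORTS=${PORTS:-"80 443"}
LOG_TAG="letsencrypt-hook"   # hypothetical syslog tag

# Extract the interface of the default route from `ip route show default`
# output read on stdin, so the parser can be exercised on captured text.
default_iface_from_routes() {
    awk '$1 == "default" {
            for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit }
         }'
}

# Resolve the interface at run time instead of hard-coding one (the mistake
# that broke renewal in the thread); refuse to continue if none is found.
default_iface() {
    iface=$("$IP" route show default 2>/dev/null | default_iface_from_routes)
    if [ -z "$iface" ]; then
        echo "$LOG_TAG: no default route, cannot pick an interface" >&2
        return 1
    fi
    echo "$iface"
}

# One definition of the rule for insert, check and delete so they cannot drift.
rule_spec() { # $1 = interface, $2 = port
    echo "INPUT -i $1 -p tcp -m conntrack --ctstate NEW -m tcp --dport $2 -j ACCEPT"
}

# Idempotent open: only insert if an identical rule is not already present.
open_port() { # $1 = interface, $2 = port
    # shellcheck disable=SC2046  # word splitting of the spec is intended
    if ! $IPTABLES -C $(rule_spec "$1" "$2") 2>/dev/null; then
        $IPTABLES -I $(rule_spec "$1" "$2")
    fi
}

# Close removes every copy: certbot runs post hooks even when the renewal
# failed, so a duplicate left behind by an earlier run must be cleaned up too.
close_port() { # $1 = interface, $2 = port
    # shellcheck disable=SC2046
    while $IPTABLES -C $(rule_spec "$1" "$2") 2>/dev/null; do
        $IPTABLES -D $(rule_spec "$1" "$2")
    done
}

# The file name chooses the phase: enable_http (pre) or disable_http (post).
# Any other name runs nothing, so the functions can be sourced and tested.
case $(basename "$0") in
    enable_http)
        iface=$(default_iface)
        for p in $PORTS; do open_port "$iface" "$p"; done
        logger -t "$LOG_TAG" "opened tcp $PORTS on $iface for ACME http-01" 2>/dev/null || true
        ;;
    disable_http)
        iface=$(default_iface)
        for p in $PORTS; do close_port "$iface" "$p"; done
        logger -t "$LOG_TAG" "closed tcp $PORTS on $iface" 2>/dev/null || true
        ;;
esac
```

Because the rule is built by one function, `iptables -C` sees exactly the rule `-I` inserted, which is what makes the open/close pair safe to run repeatedly.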

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.