Are --pre-hook and --post-hook AND /etc/letsencrypt/renewal-hooks scripts mutually exclusive?

jfmalouin · June 24, 2019, 7:11pm

The hooks files are executable by root, which is the user running the cronjob.

The log file is long, but here it is anyway:

log

2019-06-24 12:04:47,337:DEBUG:certbot.main:certbot version: 0.35.1
2019-06-24 12:04:47,337:DEBUG:certbot.main:Arguments: [’–pre-hook’, ‘service zmc_aee stop’, ‘–post-hook’, ‘service zmc_aee start’, ‘–quiet’]
2019-06-24 12:04:47,338:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2019-06-24 12:04:47,344:DEBUG:certbot.plugins.util:Can’t find service, attempting PATH mitigation by adding /usr/sbin:/usr/local/bin:/usr/local/sbin
2019-06-24 12:04:47,352:DEBUG:certbot.log:Root logging level set at 30
2019-06-24 12:04:47,352:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2019-06-24 12:04:47,381:DEBUG:certbot.plugins.selection:Requested authenticator <certbot.cli._Default object at 0x7f81c5058790> and installer <certbot.cli._Default object at 0x7f81c5058790>
2019-06-24 12:04:47,406:DEBUG:certbot.storage:Should renew, less than 30 days before certificate expiry 2019-07-22 18:52:44 UTC.
2019-06-24 12:04:47,406:INFO:certbot.renewal:Cert is due for renewal, auto-renewing…
2019-06-24 12:04:47,406:INFO:certbot.renewal:Non-interactive renewal: random delay of 261 seconds
2019-06-24 12:09:08,507:DEBUG:certbot.plugins.selection:Requested authenticator standalone and installer None
2019-06-24 12:09:08,511:DEBUG:certbot.plugins.selection:Single candidate plugin: * standalone
Description: Spin up a temporary webserver
Interfaces: IAuthenticator, IPlugin
Entry point: standalone = certbot.plugins.standalone:Authenticator
Initialized: <certbot.plugins.standalone.Authenticator object at 0x7f81c5061990>
Prep: True
2019-06-24 12:09:08,512:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.standalone.Authenticator object at 0x7f81c5061990> and installer None
2019-06-24 12:09:08,512:INFO:certbot.plugins.selection:Plugins selected: Authenticator standalone, Installer None
2019-06-24 12:09:08,515:DEBUG:certbot.main:Picked account: <Account(RegistrationResource(body=Registration(status=None, terms_of_service_agreed=None, agreement=None, only_return_existing=None, contact=(), key=None, external_account_binding=None), uri=u’https://acme-v02.api.letsencrypt.org/acme/acct/55758895’, new_authzr_uri=None, terms_of_service=None), efb73e26c0091d03d8b70f24dd9aaa7a, Meta(creation_host=u’dow172.bic.mni.mcgill.ca’, creation_dt=datetime.datetime(2019, 4, 23, 19, 35, 32, tzinfo=)))>
2019-06-24 12:09:08,516:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2019-06-24 12:09:08,518:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
2019-06-24 12:09:08,948:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 “GET /directory HTTP/1.1” 200 658
2019-06-24 12:09:08,949:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 658
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Mon, 24 Jun 2019 16:09:08 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 24 Jun 2019 16:09:08 GMT
Connection: keep-alive

{
“JPU31qFHovw”: “Adding random entries to the directory”,
“keyChange”: “https://acme-v02.api.letsencrypt.org/acme/key-change”,
“meta”: {
“caaIdentities”: [
“letsencrypt.org”
],
“termsOfService”: “https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf”,
“website”: “https://letsencrypt.org”
},
“newAccount”: “https://acme-v02.api.letsencrypt.org/acme/new-acct”,
“newNonce”: “https://acme-v02.api.letsencrypt.org/acme/new-nonce”,
“newOrder”: “https://acme-v02.api.letsencrypt.org/acme/new-order”,
“revokeCert”: “https://acme-v02.api.letsencrypt.org/acme/revoke-cert”
}
2019-06-24 12:09:08,949:INFO:certbot.hooks:Running pre-hook command: /etc/letsencrypt/renewal-hooks/pre/enable_http
2019-06-24 12:09:08,956:INFO:certbot.hooks:Running pre-hook command: service zmc_aee stop
2019-06-24 12:09:10,036:INFO:certbot.hooks:Output from pre-hook command service:
ZMC: 20190624120908:Stopping ZMC:
ZMC: 20190624120908:Stopping ZMC Web Interface
ZMC: 20190624120908:Stopping ZMC Database …
ZMC: 20190624120908:ZMC Database Stopped.
ZMC: 20190624120908:ZMC Stopped.
[ OK ]

2019-06-24 12:09:10,036:INFO:certbot.main:Renewing an existing certificate
2019-06-24 12:09:10,145:DEBUG:certbot.crypto_util:Generating key (2048 bits): /etc/letsencrypt/keys/0007_key-certbot.pem
2019-06-24 12:09:10,147:DEBUG:certbot.crypto_util:Creating CSR: /etc/letsencrypt/csr/0007_csr-certbot.pem
2019-06-24 12:09:10,147:DEBUG:acme.client:Requesting fresh nonce
2019-06-24 12:09:10,147:DEBUG:acme.client:Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce.
2019-06-24 12:09:10,296:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 “HEAD /acme/new-nonce HTTP/1.1” 200 0
2019-06-24 12:09:10,296:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Link: https://acme-v02.api.letsencrypt.org/directory;rel=“index”
Replay-Nonce: RJm6w-Plaxr-2WRJih0pZGJ74P-EdJJh2ij3uj6WLnU
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Content-Length: 0
Expires: Mon, 24 Jun 2019 16:09:10 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 24 Jun 2019 16:09:10 GMT
Connection: keep-alive

2019-06-24 12:09:10,297:DEBUG:acme.client:Storing nonce: RJm6w-Plaxr-2WRJih0pZGJ74P-EdJJh2ij3uj6WLnU
2019-06-24 12:09:10,297:DEBUG:acme.client:JWS payload:
{
“identifiers”: [
{
“type”: “dns”,
“value”: “dow172.bic.mni.mcgill.ca”
}
]
}
2019-06-24 12:09:10,299:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/new-order:
{
“protected”: “eyJub25jZSI6ICJSSm02dy1QbGF4ci0yV1JKaWgwcFpHSjc0UC1FZEpKaDJpajN1ajZXTG5VIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9uZXctb3JkZXIiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvNTU3NTg4OTUiLCAiYWxnIjogIlJTMjU2In0”,
“payload”: “ewogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwgCiAgICAgICJ2YWx1ZSI6ICJkb3cxNzIuYmljLm1uaS5tY2dpbGwuY2EiCiAgICB9CiAgXQp9”,
“signature”: “FIJj8M_m4ZwYJ0AV2gSCuAIF_6ANPtKlc-bnElZ_WzKtcknfOg4c355rw2t76qT6QtKUDG4VK8onXiNDFith5f5h5hNBkfEVkX3RGYqVF-3Cntk2pNbWooz7Nrx0jk2yrH0VBfUaCzPVEpfjBBElbj-FdqP8b1sATt23-aE_BCBL0CJArsHepVgQumx3gYJj2z2zZBbK-5NLKuZxCMIf2QNSjiyk2_8LduOPELR7TV6P54zjxGIK1xJXAY3gXlznXSO4n5jCJKHoQk3TWNnQF_MHSb627rlMRh9vRKp7RFYr3pluSBCDOFfp8RLmgVWsEmyzGI4J-D6mZ0-I6inZpQ”
}
2019-06-24 12:09:10,477:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 “POST /acme/new-order HTTP/1.1” 201 383
2019-06-24 12:09:10,478:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Content-Type: application/json
Content-Length: 383
Boulder-Requester: 55758895
Link: https://acme-v02.api.letsencrypt.org/directory;rel=“index”
Location: https://acme-v02.api.letsencrypt.org/acme/order/55758895/611579995
Replay-Nonce: WSDaIuEG62AuE52q9977Md1zxe1s-EU4JhX6Wt4KelA
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Mon, 24 Jun 2019 16:09:10 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 24 Jun 2019 16:09:10 GMT
Connection: keep-alive

{
“status”: “pending”,
“expires”: “2019-07-01T16:09:10.394741716Z”,
“identifiers”: [
{
“type”: “dns”,
“value”: “dow172.bic.mni.mcgill.ca”
}
],
“authorizations”: [
“https://acme-v02.api.letsencrypt.org/acme/authz/1w40WXqiJJxXQDxlNHik9mNPo5p1cMPywUx_8-79OgI”
],
“finalize”: “https://acme-v02.api.letsencrypt.org/acme/finalize/55758895/611579995”
}
2019-06-24 12:09:10,478:DEBUG:acme.client:Storing nonce: WSDaIuEG62AuE52q9977Md1zxe1s-EU4JhX6Wt4KelA
2019-06-24 12:09:10,478:DEBUG:acme.client:JWS payload:

2019-06-24 12:09:10,479:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz/1w40WXqiJJxXQDxlNHik9mNPo5p1cMPywUx_8-79OgI:
{
“protected”: “eyJub25jZSI6ICJXU0RhSXVFRzYyQXVFNTJxOTk3N01kMXp4ZTFzLUVVNEpoWDZXdDRLZWxBIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei8xdzQwV1hxaUpKeFhRRHhsTkhpazltTlBvNXAxY01QeXdVeF84LTc5T2dJIiwgImtpZCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hY2N0LzU1NzU4ODk1IiwgImFsZyI6ICJSUzI1NiJ9”,
“payload”: “”,
“signature”: “M2VgX5gniM-LxZ2_f9MQ3dYLATQFsfYOc8mEGeqYqkPwI1I4Va2GGtjo-qsajwIBTN6JtTSUYUBNF-bTMRndkzujdqHp5q3JZ8HfsSOo0cIJseqae62TD-1525C9OZNm_r0Z1A6rW3B0Ka6Gqs8d-2CWgfrPeoumy-c_o3nXHv_2-nd-DCC7iRxY2AqZk39qY0RpbEgQPARCmU6EtgjuDARpuWxEJLKiXM2Bh6zm4HK5aKgL-nn0SGR_Ia5EKU2H7iqqwv5H2nBtXbYud5XR-qgP1V45UL66FJmtFIlDo6Cl9XGou_ykz7ebxwNcLQOCrrlIsdoLR9iQ_j8_oM3LpA”
}
2019-06-24 12:09:10,622:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 “POST /acme/authz/1w40WXqiJJxXQDxlNHik9mNPo5p1cMPywUx_8-79OgI HTTP/1.1” 200 919
2019-06-24 12:09:10,624:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 919
Boulder-Requester: 55758895
Link: https://acme-v02.api.letsencrypt.org/directory;rel=“index”
Replay-Nonce: ohmWXc9Xl_4XidisVn-ZOBd1CmwjrCFbt9jWyWIxV_w
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Mon, 24 Jun 2019 16:09:10 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 24 Jun 2019 16:09:10 GMT
Connection: keep-alive

{
“identifier”: {
“type”: “dns”,
“value”: “dow172.bic.mni.mcgill.ca”
},
“status”: “pending”,
“expires”: “2019-07-01T16:09:10Z”,
“challenges”: [
{
“type”: “dns-01”,
“status”: “pending”,
“url”: “https://acme-v02.api.letsencrypt.org/acme/challenge/1w40WXqiJJxXQDxlNHik9mNPo5p1cMPywUx_8-79OgI/17464270633”,
“token”: “FVv8yBNKlV2eWKqwxdeAC4UUqP-v4yNudmcglp3kGlM”
},
{
“type”: “http-01”,
“status”: “pending”,
“url”: “https://acme-v02.api.letsencrypt.org/acme/challenge/1w40WXqiJJxXQDxlNHik9mNPo5p1cMPywUx_8-79OgI/17464270634”,
“token”: “qgCBX988LQH_GYzeQ10TFnNQo1EHh_YU9546iMxb-Dc”
},
{
“type”: “tls-alpn-01”,
“status”: “pending”,
“url”: “https://acme-v02.api.letsencrypt.org/acme/challenge/1w40WXqiJJxXQDxlNHik9mNPo5p1cMPywUx_8-79OgI/17464270635”,
“token”: “WnN8fiEh0tNerSTLylYlez4mYxOIHCSh-N4iod1zaaE”
}
]
}
2019-06-24 12:09:10,624:DEBUG:acme.client:Storing nonce: ohmWXc9Xl_4XidisVn-ZOBd1CmwjrCFbt9jWyWIxV_w
2019-06-24 12:09:10,624:INFO:certbot.auth_handler:Performing the following challenges:
2019-06-24 12:09:10,624:INFO:certbot.auth_handler:http-01 challenge for dow172.bic.mni.mcgill.ca
2019-06-24 12:09:10,625:DEBUG:acme.standalone:Successfully bound to :80 using IPv6
2019-06-24 12:09:10,625:DEBUG:acme.standalone:Certbot wasn’t able to bind to :80 using IPv4, this is often expected due to the dual stack nature of IPv6 socket implementations.
2019-06-24 12:09:10,628:INFO:certbot.auth_handler:Waiting for verification…
2019-06-24 12:09:10,628:DEBUG:acme.client:JWS payload:
{
“type”: “http-01”,
“resource”: “challenge”
}
2019-06-24 12:09:10,629:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/challenge/1w40WXqiJJxXQDxlNHik9mNPo5p1cMPywUx_8-79OgI/17464270634:
{
“protected”: “eyJub25jZSI6ICJvaG1XWGM5WGxfNFhpZGlzVm4tWk9CZDFDbXdqckNGYnQ5ald5V0l4Vl93IiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9jaGFsbGVuZ2UvMXc0MFdYcWlKSnhYUUR4bE5IaWs5bU5QbzVwMWNNUHl3VXhfOC03OU9nSS8xNzQ2NDI3MDYzNCIsICJraWQiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC81NTc1ODg5NSIsICJhbGciOiAiUlMyNTYifQ”,
“payload”: “ewogICJ0eXBlIjogImh0dHAtMDEiLCAKICAicmVzb3VyY2UiOiAiY2hhbGxlbmdlIgp9”,
“signature”: “AUUI7YuUEYR5nyh3KYX3GOI5Rq-Rn0xUWwfx9xqIf882r45CNoaaG-R1FvAn_-SkhPUadBLMhRk2MxCNtURd2G4d35vBsrhArUEXMWrQN9qH__HqCPhSZ4W5uMX94YCg8w6p7Mjv_JnB2Z_gb5I1g6DHgUpoQ2GhFDbYMzCDWTLEb7LLBNpjhvpSasSRrcCcSDh4mBPNSxaofVpwUSqRKHt_1-2dm3H_iGlxHB7hN_J0J9xzmb4_g22-G-FAZA_B0Gh2lVqBN0PotMaBRmD-l5HMJpzS1I230T-PYS4qaq0PilWQnyFlw5XuKZB8adNB1WNZ1AfIB-ThpVezM5bPpQ”
}
2019-06-24 12:09:10,741:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 “POST /acme/challenge/1w40WXqiJJxXQDxlNHik9mNPo5p1cMPywUx_8-79OgI/17464270634 HTTP/1.1” 200 224
2019-06-24 12:09:10,741:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 224
Boulder-Requester: 55758895
Link: https://acme-v02.api.letsencrypt.org/directory;rel=“index”, https://acme-v02.api.letsencrypt.org/acme/authz/1w40WXqiJJxXQDxlNHik9mNPo5p1cMPywUx_8-79OgI;rel=“up”
Location: https://acme-v02.api.letsencrypt.org/acme/challenge/1w40WXqiJJxXQDxlNHik9mNPo5p1cMPywUx_8-79OgI/17464270634
Replay-Nonce: KSqht4LlRwgLmnbjQI5FQhFapiIw8aqr3-wo-9vQnvc
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Mon, 24 Jun 2019 16:09:10 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 24 Jun 2019 16:09:10 GMT
Connection: keep-alive

{
“type”: “http-01”,
“status”: “pending”,
“url”: “https://acme-v02.api.letsencrypt.org/acme/challenge/1w40WXqiJJxXQDxlNHik9mNPo5p1cMPywUx_8-79OgI/17464270634”,
“token”: “qgCBX988LQH_GYzeQ10TFnNQo1EHh_YU9546iMxb-Dc”
}
2019-06-24 12:09:10,742:DEBUG:acme.client:Storing nonce: KSqht4LlRwgLmnbjQI5FQhFapiIw8aqr3-wo-9vQnvc
2019-06-24 12:09:11,743:DEBUG:acme.client:JWS payload:

2019-06-24 12:09:11,745:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz/1w40WXqiJJxXQDxlNHik9mNPo5p1cMPywUx_8-79OgI:
{
“protected”: “eyJub25jZSI6ICJLU3FodDRMbFJ3Z0xtbmJqUUk1RlFoRmFwaUl3OGFxcjMtd28tOXZRbnZjIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei8xdzQwV1hxaUpKeFhRRHhsTkhpazltTlBvNXAxY01QeXdVeF84LTc5T2dJIiwgImtpZCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hY2N0LzU1NzU4ODk1IiwgImFsZyI6ICJSUzI1NiJ9”,
“payload”: “”,
“signature”: “TLXhOvmOJC6txr-2FfEd6dsU8u2ykQoqC2jCRYbHYvzHIc8nUXPo4o1WaSOrBR5iM3XFbrXd7ymKizobDgvN3iLCGvQEo_Vz9ECVW-kvko-wWgYLvwuHqu60p6Buo82OjR1_bd24NVxeVexHMwqiYpbPhjPg3aNAfsasM8m6icr-oBDAA0Uy5uid-0_shT4HvjRVm_tEvfYeRy4hEdVsevelTWpf7x6agu3bHbinDMRQOMJWR4CApluRDZxZy2nONSurm7Ajdku15QP5K8kxBeu1v1hkPKjQmJdb1W5oHupAsKUt5zRzbiKsCrr7Q0ICzEt0FasJgTsHtCC_uiwG4g”
}
2019-06-24 12:09:11,895:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 “POST /acme/authz/1w40WXqiJJxXQDxlNHik9mNPo5p1cMPywUx_8-79OgI HTTP/1.1” 200 919
2019-06-24 12:09:11,895:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 919
Boulder-Requester: 55758895
Link: https://acme-v02.api.letsencrypt.org/directory;rel=“index”
Replay-Nonce: eckVLAcTOFyKyNaDIRijIv0j4Jnqu74WK9qtLBOE5JY
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Mon, 24 Jun 2019 16:09:11 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 24 Jun 2019 16:09:11 GMT
Connection: keep-alive

{
“identifier”: {
“type”: “dns”,
“value”: “dow172.bic.mni.mcgill.ca”
},
“status”: “pending”,
“expires”: “2019-07-01T16:09:10Z”,
“challenges”: [
{
“type”: “dns-01”,
“status”: “pending”,
“url”: “https://acme-v02.api.letsencrypt.org/acme/challenge/1w40WXqiJJxXQDxlNHik9mNPo5p1cMPywUx_8-79OgI/17464270633”,
“token”: “FVv8yBNKlV2eWKqwxdeAC4UUqP-v4yNudmcglp3kGlM”
},
{
“type”: “http-01”,
“status”: “pending”,
“url”: “https://acme-v02.api.letsencrypt.org/acme/challenge/1w40WXqiJJxXQDxlNHik9mNPo5p1cMPywUx_8-79OgI/17464270634”,
“token”: “qgCBX988LQH_GYzeQ10TFnNQo1EHh_YU9546iMxb-Dc”
},
{
“type”: “tls-alpn-01”,
“status”: “pending”,
“url”: “https://acme-v02.api.letsencrypt.org/acme/challenge/1w40WXqiJJxXQDxlNHik9mNPo5p1cMPywUx_8-79OgI/17464270635”,
“token”: “WnN8fiEh0tNerSTLylYlez4mYxOIHCSh-N4iod1zaaE”
}
]
}
2019-06-24 12:09:11,896:DEBUG:acme.client:Storing nonce: eckVLAcTOFyKyNaDIRijIv0j4Jnqu74WK9qtLBOE5JY
2019-06-24 12:09:14,899:DEBUG:acme.client:JWS payload:

2019-06-24 12:09:14,901:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz/1w40WXqiJJxXQDxlNHik9mNPo5p1cMPywUx_8-79OgI:
{
“protected”: “eyJub25jZSI6ICJlY2tWTEFjVE9GeUt5TmFESVJpakl2MGo0Sm5xdTc0V0s5cXRMQk9FNUpZIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei8xdzQwV1hxaUpKeFhRRHhsTkhpazltTlBvNXAxY01QeXdVeF84LTc5T2dJIiwgImtpZCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hY2N0LzU1NzU4ODk1IiwgImFsZyI6ICJSUzI1NiJ9”,
“payload”: “”,
“signature”: “gJ6V5g5JlQe2h1xGeaqG3R0td4-6RoyLcVGaUekwwvOlNqNoMZiab4NTREkAxnvkU8TXkdH43h8J-nm0WXCb9VrFyesKXXUGLI6sr_hzpIIiEDQitENzFqXmVMcyMKRqwFYVSwiRmDEbOfwFd1zJz3Xg4TpLdWSpqJoHMBx61-xhsQ33Bi4D0iG51Me8ga-qRlA42uWSxTjCNXAbN7Iu48O7xjt_ozjW41jlaEwhgFrLq-29OpYdJSHilSDATR8PcX1RIxE6uC6uS8E5MKU2-lrLGzRSravXDEKI9zW_W8LOdImKfB3b8C-0HMPmZPHQXfB9SB1k25R_doKk93p1xQ”
}
2019-06-24 12:09:14,998:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 “POST /acme/authz/1w40WXqiJJxXQDxlNHik9mNPo5p1cMPywUx_8-79OgI HTTP/1.1” 200 919
2019-06-24 12:09:14,999:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 919
Boulder-Requester: 55758895
Link: https://acme-v02.api.letsencrypt.org/directory;rel=“index”
Replay-Nonce: YwveQJDzi5XGc0dP74PP1QBSG2ZmzOiddKDz7GkT0JE
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Mon, 24 Jun 2019 16:09:14 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 24 Jun 2019 16:09:14 GMT
Connection: keep-alive

{
“identifier”: {
“type”: “dns”,
“value”: “dow172.bic.mni.mcgill.ca”
},
“status”: “pending”,
“expires”: “2019-07-01T16:09:10Z”,
“challenges”: [
{
“type”: “dns-01”,
“status”: “pending”,
“url”: “https://acme-v02.api.letsencrypt.org/acme/challenge/1w40WXqiJJxXQDxlNHik9mNPo5p1cMPywUx_8-79OgI/17464270633”,
“token”: “FVv8yBNKlV2eWKqwxdeAC4UUqP-v4yNudmcglp3kGlM”
},
{
“type”: “http-01”,
“status”: “pending”,
“url”: “https://acme-v02.api.letsencrypt.org/acme/challenge/1w40WXqiJJxXQDxlNHik9mNPo5p1cMPywUx_8-79OgI/17464270634”,
“token”: “qgCBX988LQH_GYzeQ10TFnNQo1EHh_YU9546iMxb-Dc”
},
{
“type”: “tls-alpn-01”,
“status”: “pending”,
“url”: “https://acme-v02.api.letsencrypt.org/acme/challenge/1w40WXqiJJxXQDxlNHik9mNPo5p1cMPywUx_8-79OgI/17464270635”,
“token”: “WnN8fiEh0tNerSTLylYlez4mYxOIHCSh-N4iod1zaaE”
}
]
}
2019-06-24 12:09:14,999:DEBUG:acme.client:Storing nonce: YwveQJDzi5XGc0dP74PP1QBSG2ZmzOiddKDz7GkT0JE
2019-06-24 12:09:18,003:DEBUG:acme.client:JWS payload:

2019-06-24 12:09:18,004:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz/1w40WXqiJJxXQDxlNHik9mNPo5p1cMPywUx_8-79OgI:
{
“protected”: “eyJub25jZSI6ICJZd3ZlUUpEemk1WEdjMGRQNzRQUDFRQlNHMlptek9pZGRLRHo3R2tUMEpFIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei8xdzQwV1hxaUpKeFhRRHhsTkhpazltTlBvNXAxY01QeXdVeF84LTc5T2dJIiwgImtpZCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hY2N0LzU1NzU4ODk1IiwgImFsZyI6ICJSUzI1NiJ9”,
“payload”: “”,
“signature”: “MfP8tBrxzAuNvmfElB7frfz0-Ko2t94aXRVUFDUvMKJe4oBiYxd33fn9NScPtkQDaOek9ZDXiM54XJ6uHXZm05QWKY858d7AdeBXRXHrJ_AJuS-XV-IzGSmUn-xp9gdqwaDerX9Uo2GfrVW7Kc_vBqy_U98tGKiNOA7XDvShoS4moZmAT8JNIGuLmC7uHM5FvMxuSHxGRPwrNVpFo8mGfU4KtG-aGghrVfH1vfJu9pQEETjJASQphDqe3QrGws0IQZC4HObCuyRlgymo_WQngvpUWN-EXCaTju0yrNKFQ2QUCQxFr3X6h3HOsD6lAbvpKBOQBHFH-aJ4CH-lYifVGw”
}
2019-06-24 12:09:18,192:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 “POST /acme/authz/1w40WXqiJJxXQDxlNHik9mNPo5p1cMPywUx_8-79OgI HTTP/1.1” 200 919
2019-06-24 12:09:18,193:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 919
Boulder-Requester: 55758895
Link: https://acme-v02.api.letsencrypt.org/directory;rel=“index”
Replay-Nonce: qXYD8ml_sZpxd5aqi1b2foo9Et3AU1JdOFisuwIs1hI
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Mon, 24 Jun 2019 16:09:18 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 24 Jun 2019 16:09:18 GMT
Connection: keep-alive

{
“identifier”: {
“type”: “dns”,
“value”: “dow172.bic.mni.mcgill.ca”
},
“status”: “pending”,
“expires”: “2019-07-01T16:09:10Z”,
“challenges”: [
{
“type”: “dns-01”,
“status”: “pending”,
“url”: “https://acme-v02.api.letsencrypt.org/acme/challenge/1w40WXqiJJxXQDxlNHik9mNPo5p1cMPywUx_8-79OgI/17464270633”,
“token”: “FVv8yBNKlV2eWKqwxdeAC4UUqP-v4yNudmcglp3kGlM”
},
{
“type”: “http-01”,
“status”: “pending”,
“url”: “https://acme-v02.api.letsencrypt.org/acme/challenge/1w40WXqiJJxXQDxlNHik9mNPo5p1cMPywUx_8-79OgI/17464270634”,
“token”: “qgCBX988LQH_GYzeQ10TFnNQo1EHh_YU9546iMxb-Dc”
},
{
“type”: “tls-alpn-01”,
“status”: “pending”,
“url”: “https://acme-v02.api.letsencrypt.org/acme/challenge/1w40WXqiJJxXQDxlNHik9mNPo5p1cMPywUx_8-79OgI/17464270635”,
“token”: “WnN8fiEh0tNerSTLylYlez4mYxOIHCSh-N4iod1zaaE”
}
]
}
2019-06-24 12:09:18,193:DEBUG:acme.client:Storing nonce: qXYD8ml_sZpxd5aqi1b2foo9Et3AU1JdOFisuwIs1hI
2019-06-24 12:09:21,197:DEBUG:acme.client:JWS payload:

2019-06-24 12:09:21,198:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz/1w40WXqiJJxXQDxlNHik9mNPo5p1cMPywUx_8-79OgI:
{
“protected”: “eyJub25jZSI6ICJxWFlEOG1sX3NacHhkNWFxaTFiMmZvbzlFdDNBVTFKZE9GaXN1d0lzMWhJIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei8xdzQwV1hxaUpKeFhRRHhsTkhpazltTlBvNXAxY01QeXdVeF84LTc5T2dJIiwgImtpZCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hY2N0LzU1NzU4ODk1IiwgImFsZyI6ICJSUzI1NiJ9”,
“payload”: “”,
“signature”: “ExtS1RvGdGcVFzAE7W7UlwsaONgFXgXX98xg2a5khcvLGC47I2YATaWvgMmut0rqfYkT_g_g8pWHuipX3k-asplBxRSf5S90rYy_xVxpd4qer_49lTeu5xGKxyD-w3SZjJ3NBC1eN8W0IQwfD5xgJZOh2yBEcXg59hfyC9Oxu1uVHpAW7-SBcG7G4A3IfsVcC1Ab6UrwCGklAUI_kQrRguecsRXKvidcz9rHRdP0Xhk6A3seLzL5kTY72Nn8JxpzjgHlwbdG11SZiAaViXvTevetm0rT0gKCUkT6-JDI3dlUDPEVtN0S2hwpIb4f4LKLj3WfchS5Vn2gxtv7mRaFLQ”
}
2019-06-24 12:09:21,332:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 “POST /acme/authz/1w40WXqiJJxXQDxlNHik9mNPo5p1cMPywUx_8-79OgI HTTP/1.1” 200 1576
2019-06-24 12:09:21,333:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 1576
Boulder-Requester: 55758895
Link: https://acme-v02.api.letsencrypt.org/directory;rel=“index”
Replay-Nonce: a-rx0mASwAoEsa09uNPkVwnnT6Kc3ujrkAkg0U4B-Gk
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Mon, 24 Jun 2019 16:09:21 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 24 Jun 2019 16:09:21 GMT
Connection: keep-alive

{
“identifier”: {
“type”: “dns”,
“value”: “dow172.bic.mni.mcgill.ca”
},
“status”: “invalid”,
“expires”: “2019-07-01T16:09:10Z”,
“challenges”: [
{
“type”: “dns-01”,
“status”: “invalid”,
“url”: “https://acme-v02.api.letsencrypt.org/acme/challenge/1w40WXqiJJxXQDxlNHik9mNPo5p1cMPywUx_8-79OgI/17464270633”,
“token”: “FVv8yBNKlV2eWKqwxdeAC4UUqP-v4yNudmcglp3kGlM”
},
{
“type”: “http-01”,
“status”: “invalid”,
“error”: {
“type”: “urn:ietf:params:acme:error:connection”,
“detail”: “Fetching http://dow172.bic.mni.mcgill.ca/.well-known/acme-challenge/qgCBX988LQH_GYzeQ10TFnNQo1EHh_YU9546iMxb-Dc: Timeout during connect (likely firewall problem)”,
“status”: 400
},
“url”: “https://acme-v02.api.letsencrypt.org/acme/challenge/1w40WXqiJJxXQDxlNHik9mNPo5p1cMPywUx_8-79OgI/17464270634”,
“token”: “qgCBX988LQH_GYzeQ10TFnNQo1EHh_YU9546iMxb-Dc”,
“validationRecord”: [
{
“url”: “http://dow172.bic.mni.mcgill.ca/.well-known/acme-challenge/qgCBX988LQH_GYzeQ10TFnNQo1EHh_YU9546iMxb-Dc”,
“hostname”: “dow172.bic.mni.mcgill.ca”,
“port”: “80”,
“addressesResolved”: [
“132.206.201.3”
],
“addressUsed”: “132.206.201.3”
}
]
},
{
“type”: “tls-alpn-01”,
“status”: “invalid”,
“url”: “https://acme-v02.api.letsencrypt.org/acme/challenge/1w40WXqiJJxXQDxlNHik9mNPo5p1cMPywUx_8-79OgI/17464270635”,
“token”: “WnN8fiEh0tNerSTLylYlez4mYxOIHCSh-N4iod1zaaE”
}
]
}
2019-06-24 12:09:21,333:DEBUG:acme.client:Storing nonce: a-rx0mASwAoEsa09uNPkVwnnT6Kc3ujrkAkg0U4B-Gk
2019-06-24 12:09:21,333:WARNING:certbot.auth_handler:Challenge failed for domain dow172.bic.mni.mcgill.ca
2019-06-24 12:09:21,334:INFO:certbot.auth_handler:http-01 challenge for dow172.bic.mni.mcgill.ca
2019-06-24 12:09:21,334:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:

Domain: dow172.bic.mni.mcgill.ca
Type: connection
Detail: Fetching http://dow172.bic.mni.mcgill.ca/.well-known/acme-challenge/qgCBX988LQH_GYzeQ10TFnNQo1EHh_YU9546iMxb-Dc: Timeout during connect (likely firewall problem)

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you’re using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.
2019-06-24 12:09:21,334:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
File “/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/auth_handler.py”, line 90, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, best_effort)
File “/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/auth_handler.py”, line 154, in _poll_authorizations
raise errors.AuthorizationError(‘Some challenges have failed.’)
AuthorizationError: Some challenges have failed.

2019-06-24 12:09:21,334:DEBUG:certbot.error_handler:Calling registered functions
2019-06-24 12:09:21,334:INFO:certbot.auth_handler:Cleaning up challenges
2019-06-24 12:09:21,335:DEBUG:certbot.plugins.standalone:Stopping server at :::80…
2019-06-24 12:09:21,638:WARNING:certbot.renewal:Attempting to renew cert (dow172.bic.mni.mcgill.ca) from /etc/letsencrypt/renewal/dow172.bic.mni.mcgill.ca.conf produced an unexpected error: Some challenges have failed… Skipping.
2019-06-24 12:09:21,639:DEBUG:certbot.renewal:Traceback was:
Traceback (most recent call last):
File “/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/renewal.py”, line 449, in handle_renewal_request
main.renew_cert(lineage_config, plugins, renewal_candidate)
File “/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py”, line 1205, in renew_cert
renewed_lineage = _get_and_save_cert(le_client, config, lineage=lineage)
File “/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py”, line 115, in _get_and_save_cert
renewal.renew_cert(config, domains, le_client, lineage)
File “/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/renewal.py”, line 307, in renew_cert
new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
File “/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/client.py”, line 349, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File “/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/client.py”, line 385, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
File “/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/auth_handler.py”, line 90, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, best_effort)
File “/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/auth_handler.py”, line 154, in _poll_authorizations
raise errors.AuthorizationError(‘Some challenges have failed.’)
AuthorizationError: Some challenges have failed.

2019-06-24 12:09:21,640:ERROR:certbot.renewal:All renewal attempts failed. The following certs could not be renewed:
2019-06-24 12:09:21,640:ERROR:certbot.renewal: /etc/letsencrypt/live/dow172.bic.mni.mcgill.ca/fullchain.pem (failure)
2019-06-24 12:09:21,641:INFO:certbot.hooks:Running post-hook command: /etc/letsencrypt/renewal-hooks/post/disable_http
2019-06-24 12:09:21,649:INFO:certbot.hooks:Running post-hook command: service zmc_aee start
2019-06-24 12:09:24,259:INFO:certbot.hooks:Output from post-hook command service:
ZMC: 20190624120921:Starting ZMC 3.3.47637:
ZMC: 20190624120921:Checking ZMC Installation:
ZMC: 20190624120921:ZMC Installation OK
ZMC: 20190624120921:Initializing ZMC
ZMC: 20190624120921:Starting ZMC Database …
ZMC: 20190624120921:ZMC Database Started.
ZMC: 20190624120921:ZMC amreport_wrapper.sh started
ZMC: 20190624120924:Running ZMC report update tool for all backup sets as low-priority, background job.
ZMC: 20190624120921:Starting ZMC Web Interface
ZMC: 20190624120921:ZMC Started.
[ OK ]

2019-06-24 12:09:24,259:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
File “/opt/eff.org/certbot/venv/bin/letsencrypt”, line 11, in
sys.exit(main())
File “/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py”, line 1379, in main
return config.func(config, plugins)
File “/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py”, line 1284, in renew
renewal.handle_renewal_request(config)
File “/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/renewal.py”, line 474, in handle_renewal_request
len(renew_failures), len(parse_failures)))
Error: 1 renew failure(s), 0 parse failure(s)

regards,
jf