Help template
My domain is: https://qbt.rsb.sparvojo.pw
I ran this command: certbot renew
It produced this output:
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for qbt.rsb.sparvojo.pw
Cleaning up challenges
Attempting to renew cert (qbt.rsb.sparvojo.pw) from /etc/letsencrypt/renewal/qbt.rsb.sparvojo.pw.conf produced an unexpected error: Problem binding to port 443: Could not bind to IPv4 or IPv6.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/qbt.rsb.sparvojo.pw/fullchain.pem (failure)
-------------------------------------------------------------------------------
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/qbt.rsb.sparvojo.pw/fullchain.pem (failure)
-------------------------------------------------------------------------------
Running post-hook command: /etc/letsencrypt/renewal-hooks/post/10haproxy.sh
1 renew failure(s), 0 parse failure(s)
I ran this command: certbot renew --tls-sni-01-port 54321
It produced this output:
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for qbt.rsb.sparvojo.pw
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (qbt.rsb.sparvojo.pw) from /etc/letsencrypt/renewal/qbt.rsb.sparvojo.pw.conf produced an unexpected error: Failed authorization procedure. qbt.rsb.sparvojo.pw (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested b937035686cb5daff5ed7df5ff502e5a.a6b05e085e321fc31847d0888bd6cd14.acme.invalid from 54.38.167.31:443. Received 2 certificate(s), first certificate had names "qbt.rsb.sparvojo.pw". Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/qbt.rsb.sparvojo.pw/fullchain.pem (failure)
-------------------------------------------------------------------------------
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/qbt.rsb.sparvojo.pw/fullchain.pem (failure)
-------------------------------------------------------------------------------
Running post-hook command: /etc/letsencrypt/renewal-hooks/post/10haproxy.sh
1 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: qbt.rsb.sparvojo.pw
Type: unauthorized
Detail: Incorrect validation certificate for tls-sni-01 challenge.
Requested
b937035686cb5daff5ed7df5ff502e5a.a6b05e085e321fc31847d0888bd6cd14.acme.invalid
from 54.38.167.31:443. Received 2 certificate(s), first certificate
had names "qbt.rsb.sparvojo.pw"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
I ran this command: certbot renew --preferred-challenges http --http-01-port 54321
It produced this output:
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for qbt.rsb.sparvojo.pw
Waiting for verification...
Cleaning up challenges
-------------------------------------------------------------------------------
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/qbt.rsb.sparvojo.pw/fullchain.pem
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/qbt.rsb.sparvojo.pw/fullchain.pem (success)
-------------------------------------------------------------------------------
Running post-hook command: /etc/letsencrypt/renewal-hooks/post/10haproxy.sh
My web server is (include version): HAProxy 1.8.4
The operating system my web server runs on is (include version): Ubuntu 16.04 LTS
I can log in to a root shell on my machine (yes or no, or I don’t know): yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no
Additional config/log
HAProxy config (Partial):
global
ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384
ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
ssl-default-server-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384
ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
frontend qbt-http
bind :80
reqadd X-Forwarded-Proto:\ http
acl letsencrypt-acl path_beg /.well-known/acme-challenge/
use_backend letsencrypt-backend if letsencrypt-acl
default_backend qbt-backend
frontend qbt-https
bind :443 ssl crt /etc/haproxy/certs/qbt.rsb.sparvojo.pw.pem alpn h2,http/1.1 ecdhe secp384r1
reqadd X-Forwarded-Proto:\ https
acl letsencrypt-acl path_beg /.well-known/acme-challenge/
use_backend letsencrypt-backend if letsencrypt-acl
default_backend qbt-backend
# CSP
http-response set-header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'self' 'unsafe-inline'; object-src 'none';"
# Referrer Policy
http-response set-header Referrer-Policy no-referrer-when-downgrade
# HSTS
http-response set-header Strict-Transport-Security max-age=15768000
backend qbt-backend
redirect scheme https if !{ ssl_fc }
server qbt 127.0.0.1:8080 check
backend letsencrypt-backend
server letencrypt 127.0.0.1:54321
renewal config:
# renew_before_expiry = 30 days
version = 0.21.1
archive_dir = /etc/letsencrypt/archive/qbt.rsb.sparvojo.pw
cert = /etc/letsencrypt/live/qbt.rsb.sparvojo.pw/cert.pem
privkey = /etc/letsencrypt/live/qbt.rsb.sparvojo.pw/privkey.pem
chain = /etc/letsencrypt/live/qbt.rsb.sparvojo.pw/chain.pem
fullchain = /etc/letsencrypt/live/qbt.rsb.sparvojo.pw/fullchain.pem
# Options used in the renewal process
[renewalparams]
authenticator = standalone
must_staple = True
http01_port = 54321
installer = None
account = fc131284e7942e6382a51ecd1f8467cc
rsa_key_size = 4096
pref_challs = http-01, # Not sure about this line; it may have been added by certbot after the successful renewal, since I used different parameters in the manual renewal process
My Problem
Today I checked the syslog and discovered that certbot was unable to renew, while it worked (dry run) a few months ago when I set it up. I searched the forum and it seems many others have had this problem before. I tried to follow the solutions but all failed. A manual renewal forcing the HTTP challenge had no problem. Then I discovered that I did enforce it in my config, but the renew process didn’t respect it, thus causing the renewal to fail. How can I make the renew process respect the config file?
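The failing and succeeding runs in the post differ only in which challenge the standalone authenticator used, and `certbot renew` takes its options from the `[renewalparams]` section of the renewal conf rather than from whatever was typed on an earlier manual run. The script below is an added example, not code from the original post, from certbot or from HAProxy: it parses a renewal conf and an HAProxy config (both constructed inline from the excerpts in the post) and reports when `pref_challs` does not pin http-01, when no `:80` frontend routes `/.well-known/acme-challenge/` anywhere, or when `http01_port` does not match the port HAProxy forwards those requests to. The function names `parse_renewal_conf`, `parse_haproxy`, `acme_backend_port` and `check` are this example's own.

```python
"""Cross-check a certbot renewal conf against the HAProxy config that
fronts the standalone authenticator.  Added example; the two inputs are
constructed from the snippets in the post, not read from a live host."""

RENEWAL_CONF = """\
# renew_before_expiry = 30 days
version = 0.21.1
archive_dir = /etc/letsencrypt/archive/qbt.rsb.sparvojo.pw
cert = /etc/letsencrypt/live/qbt.rsb.sparvojo.pw/cert.pem
# Options used in the renewal process
[renewalparams]
authenticator = standalone
must_staple = True
http01_port = 54321
installer = None
rsa_key_size = 4096
pref_challs = http-01,
"""

HAPROXY_CFG = """\
frontend qbt-http
    bind :80
    reqadd X-Forwarded-Proto:\\ http
    acl letsencrypt-acl path_beg /.well-known/acme-challenge/
    use_backend letsencrypt-backend if letsencrypt-acl
    default_backend qbt-backend
backend qbt-backend
    redirect scheme https if !{ ssl_fc }
    server qbt 127.0.0.1:8080 check
backend letsencrypt-backend
    server letencrypt 127.0.0.1:54321
"""


def parse_renewal_conf(text):
    """Return the [renewalparams] section as a dict.  certbot's renewal conf
    is configobj-style: bare keys come before the first [section] header."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop trailing comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "renewalparams" and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            params[key] = value
    return params


def parse_haproxy(text):
    """Return (frontends, backends): name -> list of tokenised config lines.
    global/defaults/listen sections are skipped; only routing is of interest."""
    frontends, backends, current = {}, {}, None
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] in ("frontend", "backend"):
            table = frontends if words[0] == "frontend" else backends
            current = table.setdefault(words[1], [])
        elif words[0] in ("global", "defaults", "listen"):
            current = None
        elif current is not None:
            current.append(words)
    return frontends, backends


def acme_backend_port(frontends, backends, listen_port=80):
    """Port to which a frontend bound on listen_port forwards requests for
    /.well-known/acme-challenge/, or None if no such route exists."""
    for lines in frontends.values():
        binds = [w[1] for w in lines if w[0] == "bind" and len(w) > 1]
        if not any(b.endswith(":%d" % listen_port) for b in binds):
            continue
        acls = {w[1] for w in lines if len(w) >= 4 and w[0] == "acl"
                and w[2] == "path_beg"
                and w[3].startswith("/.well-known/acme-challenge")}
        for w in lines:
            if (len(w) >= 4 and w[0] == "use_backend"
                    and w[2] == "if" and w[3] in acls):
                for s in backends.get(w[1], []):
                    if s[0] == "server":
                        return int(s[2].rpartition(":")[2])
    return None


def check(renewal_text, haproxy_text):
    """Return a list of findings; an empty list means the standalone/HAProxy
    forwarding setup is consistent."""
    findings = []
    params = parse_renewal_conf(renewal_text)
    if params.get("authenticator") != "standalone":
        return findings                   # only the standalone setup is checked
    challs = [c.strip() for c in params.get("pref_challs", "").split(",") if c.strip()]
    if "http-01" not in challs:
        findings.append("pref_challs does not list http-01: 'certbot renew' "
                        "is not pinned to the challenge HAProxy forwards")
    routed = acme_backend_port(*parse_haproxy(haproxy_text))
    port = params.get("http01_port")
    if routed is None:
        findings.append("no :80 frontend routes /.well-known/acme-challenge/ to a backend")
    elif port is None or int(port) != routed:
        findings.append("http01_port=%s but HAProxy forwards challenges to port %d"
                        % (port, routed))
    return findings


if __name__ == "__main__":
    print(check(RENEWAL_CONF, HAPROXY_CFG) or "renewal conf and HAProxy routing agree")
```

Run it against the real files (`/etc/letsencrypt/renewal/<domain>.conf` and `/etc/haproxy/haproxy.cfg`) before trusting a cron-driven `certbot renew`; a `--dry-run` only proves the configuration as it stands at that moment.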