Can not renew let's encrypt cert

#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: thangvc91.ddns.net

I ran this command: /opt/letsencrypt/certbot-auto renew

It produced this output:


Processing /etc/letsencrypt/renewal/thangvc91.ddns.net.conf



All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/thangvc91.ddns.net/fullchain.pem (failure)


IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: thangvc91.ddns.net
    Type: connection
    Detail: Fetching
    http://thangvc91.ddns.net/.well-known/acme-challenge/Q3TmQ2qXcr8fWMDNqGV9fE1UpWhtQ9HobWhGwzJ2I1E:
    Timeout during connect (likely firewall problem)

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

My web server is (include version): nginx version: nginx/1.10.3

The operating system my web server runs on is (include version): debian

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.28.0

Sorry for my stupid question and my bad English, I’m a very new in Linux :frowning:

#2

hello
Could anybody look up my issue ?

#3

Yes. We can. But waiting two hours isn’t that unusual. It’s just morning here in UTC+2 and the US is still fast asleep.

Anyways, is 171.233.66.213 still your IP address?

#4

Hi @thangvc91

your port 80 is closed / blocked, doesn’t answer ( https://check-your-website.server-daten.de/?q=thangvc91.ddns.net ):

Domainname Http-Status redirect Sec. G
http://thangvc91.ddns.net/
171.233.66.213 -14 10.027 T
Timeout - The operation has timed out
https://thangvc91.ddns.net/
171.233.66.213 302 https://thangvc91.ddns.net/login 3.673 B
https://thangvc91.ddns.net/login 200 2.656 B
http://thangvc91.ddns.net/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
171.233.66.213 -14 10.023 T
Timeout - The operation has timed out

You must have an open port 80.

You have one older certificate.

CertSpotter-Id Issuer not before not after Domain names LE-Duplicate next LE
783256594 CN=Let’s Encrypt Authority X3, O=Let’s Encrypt, C=US 2019-02-26 02:16:37 2019-05-27 02:16:37 thangvc91.ddns.net
1 entries

Perhaps you have used tls-sni-01 validation (port 443), that’s not longer supported.

1 Like
#5

Thank you much for your info. let me try after open port 80.

#6

Hi Auer,
after i open port 80, it transfered to a new issue, sorry for my bothering but could you help take a look on it ?
Log as below , sorry i’m new can not upload log file in here.

pi@pi3B:~ $ sudo /opt/letsencrypt/certbot-auto renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/thangvc91.ddns.net.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for thangvc91.ddns.net
Using default address 80 for authentication.
Waiting for verification...
Challenge failed for domain thangvc91.ddns.net
http-01 challenge for thangvc91.ddns.net
Cleaning up challenges
Attempting to renew cert (thangvc91.ddns.net) from /etc/letsencrypt/renewal/thangvc91.ddns.net.conf produced an unexpected error: Some challenges have failed.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/thangvc91.ddns.net/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/thangvc91.ddns.net/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: thangvc91.ddns.net
   Type:   unauthorized
   Detail: Invalid response from
   http://thangvc91.ddns.net/.well-known/acme-challenge/Rp9KA-kvDf3qmQNOnGpds4ms5QmIknek_IvvtfKJkuI
   [171.233.66.213]: "<?xml version=\"1.0\"
   encoding=\"iso-8859-1\"?>\n<!DOCTYPE html PUBLIC \"-//W3C//DTD
   XHTML 1.0 Transitional//EN\"\n         \"http://www."

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
#7

yup, what error with that ?

#8

Now it looks better:

Domainname Http-Status redirect Sec. G
http://thangvc91.ddns.net/
171.233.66.213 200 0.556 H
https://thangvc91.ddns.net/
171.233.66.213 302 https://thangvc91.ddns.net/login 2.907 B
https://thangvc91.ddns.net/login 200 2.560 B
http://thangvc91.ddns.net/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
171.233.66.213 404 0.563 A
Not Found

Port 80 is open, checking a file in /.well-known/acme-challenge there is the expected http status 404 - Not Found.

So find your root (root declaration in your vHost file) and use it.

certbot run -a webroot -i nginx -w yourRoot -d thangvc91.ddns.net
1 Like
#9

hi Auer,
Sorry for my bad, but could you tell me where should the vHost file locate? i use Nginx , it is in /etc/Nginx/ config file ? right ? or sth ?

i tried with :

certbot run -a webroot -i nginx -w root -d thangvc91.ddns.net -> failed
certbot run -a webroot -i nginx -w pi -d thangvc91.ddns.net -> still failed

#10

Hi Auer,
Is this the root app of Nginx ?
/etc/nginx/sites-available/ , right ?

#11

Hi There,
After i found where my root vHost file located (using nginx , i think the root of vHost file is in /etc/nginx/site-available) , i ran command as your suggest , and it show outcome as below. Could you give me any advise ?

pi@pi3B:~ $ sudo certbot run -a webroot -i nginx -w /etc/nginx/sites-available/ -d thangvc91.ddns.net
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer nginx
Attempting to parse the version 0.31.0 renewal configuration file found at /etc/letsencrypt/renewal/thangvc91.ddns.net.conf with version 0.28.0 of Certbot. This might not work.
Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for thangvc91.ddns.net
Using the webroot path /etc/nginx/sites-available for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. thangvc91.ddns.net (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://thangvc91.ddns.net/.well-known/acme-challenge/ha3NDcwrgzxQguO1BCQvBjHujMcaBdO5IgTtkoV33Jg [171.233.66.213]: "<?xml version=\"1.0\" encoding=\"iso-8859-1\"?>\n<!DOCTYPE html PUBLIC “-//W3C//DTD XHTML 1.0 Transitional//EN”\n “http://www.”

IMPORTANT NOTES:

#12

This

is not your root. That’s the site-available - directory with your config files. There you must find the correct file, there is a root directive.

#13

hi Auer,
I really forgot the path of root directory, refer some solution on the internet, i figured out 1 comand, not sure it could use in my case, but i still tried, then it show me error as below.

pi@pi3B:~ $ sudo /usr/bin/certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/thangvc91.ddns.net.conf


Attempting to parse the version 0.31.0 renewal configuration file found at /etc/letsencrypt/renewal/thangvc91.ddns.net.conf with version 0.28.0 of Certbot. This might not work.
Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for thangvc91.ddns.net
Using default address 80 for authentication.
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (thangvc91.ddns.net) from /etc/letsencrypt/renewal/thangvc91.ddns.net.conf produced an unexpected error: Failed authorization procedure. thangvc91.ddns.net (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://thangvc91.ddns.net/.well-known/acme-challenge/w5-KV39wWdeVCDuJ30H0gyti_w6m6zZdtdH5WvWEQ7E [171.233.66.213]: "<?xml version=\"1.0\" encoding=\"iso-8859-1\"?>\n<!DOCTYPE html PUBLIC “-//W3C//DTD XHTML 1.0 Transitional//EN”\n “http://www.”. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/thangvc91.ddns.net/fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/thangvc91.ddns.net/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

Do you have any idea for my case ?

#14

Your configuration is buggy, so renew can’t work. As written: Use webroot.