Cannot renew certificates


#1

My domain is: ljm.name
My web server is (include version):
Server version: Apache/2.2.22 (Debian)
Server built: Mar 10 2013 05:18:18
The operating system my web server runs on is (include version):
2017-06-21-raspbian-jessie
I can login to a root shell on my machine: yes

Renewing certificates does not work, so I read a number of topics here and tried to see if I could find out what is wrong using the debug options.
/etc/letsencrypt/certbot-auto renew --debug-challenges -v
This produces a lot of messages, finally resulting in

Calling registered functions
Cleaning up challenges
Removing /links/www/.well-known/acme-challenge/GN3ESw_dN0A78KDwGeuU2RBRxkvhkhUUF8PrR_vnphc
All challenges cleaned up
Attempting to renew cert (ljm.name) from /etc/letsencrypt/renewal/ljm.name.conf produced an unexpected error: Failed authorization procedure. ljm.name (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://ljm.name/.well-known/acme-challenge/GN3ESw_dN0A78KDwGeuU2RBRxkvhkhUUF8PrR_vnphc: "<!doctype html><html lang=\"nl\"><head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width, user-scalable=no". Skipping.

So I tried to renew manually, using
./certbot-auto renew --email my_email@provider -a manual

Which gave me a dialog:
Please enter in your domain name(s) (comma and/or space separated) (Enter ‘c’
to cancel): ljm.name

Are you OK with your IP being logged?
Yes

and the instructions to create a file, which I did. Before “Enter to continue” I checked from a different computer that this file was accessible over the Internet at the given URL, and contained exactly the data that was in the dialog.

The result was basically the same (a bit less verbose because I did not specify the verbosity flag).

(at some point, I ran into “There were too many requests of a given type”, but I should be able to run any tests that may be suggested)


#2

Hi @ljm

you have an A and an AAAA record (IPv4 and IPv6):

D:\temp>nslookup ljm.name.
Name: ljm.name
Addresses: 2a00:4e40:1:1::2:202
83.163.211.192

But the AAAA address sends a different answer.

https://letsdebug.net/ljm.name/6140

[Address Type=IPv4,Server=Apache/2.2.22 (Debian),HTTP Status=404] vs [Address Type=IPv6,Server=Apache/2.4.10,HTTP Status=200]

So you should fix your configuration (perhaps there is no IPv6 web server configuration) or remove the IPv6 DNS entry.
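As an added example (not from this thread or from certbot), a small check that resolves every A and AAAA record of a domain and fetches the challenge path over each address with the Host header set, so a split like the one letsdebug reported (one answer over IPv4, another over IPv6) shows up before the CA's validator sees it. The function names, the constructed sample data and the challenge path are assumptions for illustration.

```python
"""Compare HTTP-01 challenge responses per address family.

Let's Encrypt validates over the AAAA address when one exists, so every
address published for the name must serve the same challenge file.
"""
import http.client
import socket
from typing import Dict, List, Optional, Tuple

Observation = Tuple[int, str]  # (HTTP status, Server header)


def resolve_all(domain: str) -> List[Tuple[str, str]]:
    """Return [(family, ip)] for every A and AAAA record of the domain."""
    seen = []
    for fam, _, _, _, sockaddr in socket.getaddrinfo(domain, 80, proto=socket.IPPROTO_TCP):
        label = "IPv6" if fam == socket.AF_INET6 else "IPv4"
        if (label, sockaddr[0]) not in seen:
            seen.append((label, sockaddr[0]))
    return seen


def probe(ip: str, domain: str, path: str, timeout: float = 10.0) -> Observation:
    """GET the path on one specific address, sending the real Host header."""
    conn = http.client.HTTPConnection(ip, 80, timeout=timeout)
    conn.request("GET", path, headers={"Host": domain, "User-Agent": "challenge-check"})
    resp = conn.getresponse()
    resp.read()
    conn.close()
    return resp.status, resp.getheader("Server", "")


def find_mismatch(observations: Dict[str, Observation]) -> Optional[str]:
    """Describe the disagreement between addresses, or None if all agree."""
    if len(set(observations.values())) <= 1:
        return None
    parts = [f"[{addr}: HTTP {status}, Server={server}]"
             for addr, (status, server) in sorted(observations.items())]
    return "answers differ by address: " + " vs ".join(parts)


def check_domain(domain: str, path: str) -> Optional[str]:
    """Live check: probe every published address and report any split."""
    obs: Dict[str, Observation] = {}
    for fam, ip in resolve_all(domain):
        try:
            obs[f"{fam} {ip}"] = probe(ip, domain, path)
        except OSError as exc:  # unreachable address counts as a disagreement too
            obs[f"{fam} {ip}"] = (0, f"unreachable: {exc}")
    return find_mismatch(obs)


# Constructed sample mirroring the letsdebug result quoted in the thread.
SAMPLE = {"IPv4 83.163.211.192": (404, "Apache/2.2.22 (Debian)"),
          "IPv6 2a00:4e40:1:1::2:202": (200, "Apache/2.4.10")}

if __name__ == "__main__":
    print(find_mismatch(SAMPLE))
```

check_domain(domain, "/.well-known/acme-challenge/<token>") needs network access; find_mismatch alone works on recorded observations.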


#3

That is bizarre? I never subscribed to an IPv6 resolution, because I do not serve IPv6. But you are right: my DNS provider has created his own idea of an IPv6 host. I checked this with centralops.net. I removed the AAAA record (got lots of warnings in the web interface of the DNS provider), waited for the time-out, and now the certificate is renewed.

Many thanks.


#4

Yep, that happens sometimes. The customer uses only an IPv4 address; years later - oops, there is an IPv6 address.

And it’s terrible because if someone wants to load your website via IPv6, he doesn’t see the correct content.


#5

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.