Cannot renew certificates

ljm · October 3, 2018, 10:58am

My domain is: ljm.name
My web server is (include version):
Server version: Apache/2.2.22 (Debian)
Server built: Mar 10 2013 05:18:18
The operating system my web server runs on is (include version):
2017-06-21-raspbian-jessie
I can login to a root shell on my machine: yes

Renewing certificates does not work, so I read a number of topics here and tried if I could see what is wrong with debug options.
/etc/letsencrypt/certbot-auto renew --debug-challenges -v
This produces a lot of messages, finally resulting in

Calling registered functions
Cleaning up challenges
Removing /links/www/.well-known/acme-challenge/GN3ESw_dN0A78KDwGeuU2RBRxkvhkhUUF8PrR_vnphc
All challenges cleaned up
Attempting to renew cert (ljm.name) from /etc/letsencrypt/renewal/ljm.name.conf produced an unexpected error: Failed authorization procedure. ljm.name (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://ljm.name/.well-known/acme-challenge/GN3ESw_dN0A78KDwGeuU2RBRxkvhkhUUF8PrR_vnphc: "<!doctype html><html lang=\"nl\"><head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width, user-scalable=no". Skipping.

So I tried to renew manually, using
./certbot-auto renew --email my_email@provider -a manual

Which gave me a dialog:
Please enter in your domain name(s) (comma and/or space separated) (Enter ‘c’
to cancel): ljm.name
…
Are you OK with your IP being logged?
Yes

and the instructions to create a file, which I did. Before “Enter to continue” I checked from a different computer that this file was accessible over the Internet at the given URL, and contained exactly the data that was in the dialog.

The result was basically the same (a bit less verbose because I did not specify the verbosity-flag).

(at some point, I ran into “There were too many requests of a given type”, but I should be able to run any tests that may be suggested)

JuergenAuer · October 3, 2018, 11:04am

Hi @ljm

you have an A- and an AAAA - record (ipv4 and ipv6):

D:\temp>nslookup ljm.name.
Name: ljm.name
Addresses: 2a00:4e40:1:1::2:202
83.163.211.192

But the AAAA sends another answer.

[Address Type=IPv4,Server=Apache/2.2.22 (Debian),HTTP Status=404] vs [Address Type=IPv6,Server=Apache/2.4.10,HTTP Status=200]

So you should fix your configuration (perhaps no ipv6 webserver configuration) or remove the ipv6 dns entry.

ljm · October 3, 2018, 11:30am

That is bizar? I never subscribed to an IPv6 resolution, because I do not serve IPv6. But you are right: my DNS-provider has created his own idea of an IPv6 host. I checked this with centralops.net. I removed the AAAA-record (got lots of warnings in the web-interface of the DNS-provider), waited for the time-out, and now the certificate is renewed.

Many thanks.

JuergenAuer · October 3, 2018, 11:38am

Yep, that happens sometimes. The customer uses only an ipv4, years later - opps, there is an ipv6 - address.

And it's terrible because if someone wants to load your website via ipv6, he doesn't see the correct content.

system · November 2, 2018, 11:39am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Failed authorizations renew Help	21	1058	January 4, 2021
Unable renewing certificate Help	17	704	May 13, 2024
Certbot renew errors with "unexpected error: Failed authorization procedure Help	5	1345	August 20, 2020
Certbot renewal was working, but broke at some point Help	3	763	April 30, 2018
Certbot - IPV6 Addresses on Domains Means Renewals Don't Work Help	5	2620	July 9, 2017

Cannot renew certificates

Related topics