I am trying to renew the certificates for my domain, but I get an error.
Until a few months ago (there was an IT manager; now he’s gone) we periodically ran “letsencrypt renew” and everything worked fine with the TLS-SNI-01 challenge.
Now I cannot use the same challenge, so I have tried the following:
updated to Certbot
followed your guide: How to stop using TLS-SNI-01 with Certbot (by bmw)
tried several times to modify my server configuration (I admit: not always knowing exactly what I was doing) and then to renew the certificates with “sudo certbot renew”, but I always get a “connection refused” error.
Can you please help me?
My domain is: integrasrl.cloud
I ran this command: sudo certbot renew
It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/integrasrl.cloud.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for integrasrl.cloud
http-01 challenge for www.integrasrl.cloud
Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.
[Fri Jun 07 14:23:55.758106 2019] [proxy_html:notice] [pid 17743] AH01425: I18n support in mod_proxy_html requires mod_xml2enc. Without it, non-ASCII characters in proxied pages are likely to display incorrectly.
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
Unable to restart apache using ['apache2ctl', 'graceful']
Cleaning up challenges
Attempting to renew cert (integrasrl.cloud) from /etc/letsencrypt/renewal/integrasrl.cloud.conf produced an unexpected error: Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.
[Fri Jun 07 14:23:55.758106 2019] [proxy_html:notice] [pid 17743] AH01425: I18n support in mod_proxy_html requires mod_xml2enc. Without it, non-ASCII characters in proxied pages are likely to display incorrectly.
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/integrasrl.cloud/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/integrasrl.cloud/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
My web server is (include version): Apache/2.4.18 (Ubuntu)
The operating system my web server runs on is (include version): Ubuntu 16.04.5 LTS
My hosting provider, if applicable, is: my own machine
I can login to a root shell on my machine (yes or no, or I don’t know): yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0
Visible Content: Bad Request Your browser sent a request that this server could not understand. Reason: You're speaking plain HTTP to an SSL-enabled server port. Instead use the HTTPS scheme to access this URL, please. Apache/2.4.18 (Ubuntu) Server at integrasrl.cloud Port 443
If you use http-01 validation, Letsencrypt checks a file under http + /.well-known/acme-challenge.
But port 80 - oops - is configured as an https port.
Or you have wrong port forwarding: port 80 external -> port 443 internal.
Your error:
Apache/2.4.18 (Ubuntu) Server at integrasrl.cloud Port 443
Thank you @JuergenAuer, there was a mistake in the firewall, as you told me.
Now I have fixed it, but the renewal command still fails:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/integrasrl.cloud.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for integrasrl.cloud
http-01 challenge for www.integrasrl.cloud
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (integrasrl.cloud) from /etc/letsencrypt/renewal/integrasrl.cloud.conf produced an unexpected error: Failed authorization procedure. www.integrasrl.cloud (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://www.integrasrl.cloud/.well-known/acme-challenge/7qpEhFn2-zExifYr8j3D0bmRaQrvnkFdOO0xhep7d0U: Connection refused, integrasrl.cloud (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://integrasrl.cloud/.well-known/acme-challenge/JCsQT27iDALxepiNQbOxXrJrZPIjj9JjAZLvZ3GJ3Wk: Connection refused. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/integrasrl.cloud/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/integrasrl.cloud/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: www.integrasrl.cloud
Type: connection
Detail: Fetching
http://www.integrasrl.cloud/.well-known/acme-challenge/7qpEhFn2-zExifYr8j3D0bmRaQrvnkFdOO0xhep7d0U:
Connection refused
Domain: integrasrl.cloud
Type: connection
Detail: Fetching
http://integrasrl.cloud/.well-known/acme-challenge/JCsQT27iDALxepiNQbOxXrJrZPIjj9JjAZLvZ3GJ3Wk:
Connection refused
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
Your server doesn't send a correct answer. Use https://check-your-website.server-daten.de/ to recheck your domain; a Grade A when checking http + /.well-known/acme-challenge is required.
Hi,
after some trouble, I finally got a grade A for http requests, but there is something else I have to fix, since I still cannot renew the certificates (again the “connection refused” error).
I have tried to modify some configuration files (general apache2, sites-enabled, .htaccess) and I have fixed some errors.
I also put a file in the .well-known/acme-challenge directory in order to verify that it was reachable via a web browser (you can find it here: http://integrasrl.cloud/.well-known/acme-challenge/test ), but I cannot understand how to fix it for certbot.
With the checking site you suggested to me, I can see the following errors:
B https://integrasrl.cloud/ 79.10.35.238 - 302 - Missing HSTS-Header
B https://integrasrl.cloud/login - 200 - Missing HSTS-Header
B https://www.integrasrl.cloud/ 79.10.35.238 - 301 - Missing HSTS-Header
C Error - more then one version with Http-Status 200
F https://www.integrasrl.cloud/ 79.10.35.238 - 301 - http://integrasrl.cloud/ - wrong redirect https - http - never redirect https to http
H fatal error: http result with http-status 200, no encryption
N https://integrasrl.cloud/ 79.10.35.238 - 302 - https://integrasrl.cloud/login - Error - Certificate isn’t trusted, RemoteCertificateChainErrors
N https://integrasrl.cloud/login - 200 - Error - Certificate isn’t trusted, RemoteCertificateChainErrors
N https://www.integrasrl.cloud/ 79.10.35.238 - 301 - http://integrasrl.cloud/ - Error - Certificate isn’t trusted, RemoteCertificateChainErrors
X Fatal error: Nameserver doesn’t support TCP connection: a.nic.cloud: Fatal error (-14). Details: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host. - An existing connection was forcibly closed by the remote host
but I don’t know if they are all involved in my issue.
For example, I know that there is a problem with the certificates, since I have to renew them, and I am also not sure whether I need to fix the HSTS errors or the grade F: I do not want to redirect https to http.
I would appreciate any help to understand how to proceed with the renewal of the certificates.
Visible Content: Not Found The requested URL /.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de was not found on this server. Apache/2.4.18 (Ubuntu) Server at integrasrl.cloud Port 80
Visible Content: Not Found The requested URL /.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de was not found on this server. Apache/2.4.18 (Ubuntu) Server at www.integrasrl.cloud Port 80
So your port 80 works and answers. And you have found your correct webroot. So use it:
certbot run -a webroot -i apache -w yourWebRoot -d integrasrl.cloud -d www.integrasrl.cloud
All other things are not good, but not relevant for creating a certificate.
First you should have a valid certificate (Grade I, H or better). Then you can check the other things.
I had placed the following lines
RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
RewriteRule ^(.*)$ http://%1/$1 [R=301,L]
in my /var/www/nextcloud/.htaccess file during my attempts and then had left them in there.
Now I have removed those 2 lines and the grade F error is fixed; there are only a couple of grade C errors:
C Error - more then one version with Http-Status 200
C Error - no preferred version www or non-www
but I will try to fix them myself (not a certbot-related issue).
To get grade A with http requests, in the end I simply (after a lot of attempts…) modified my /etc/apache2/sites-available/nextcloud.conf in order to have separate VirtualHosts for port 80 and port 443 instead of the previous <VirtualHost *:80 *:443>.
I have also modified /etc/apache2/conf-enabled/charset.conf in order to have a default charset.
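Added example, not part of the thread or of certbot: a small POSIX shell script that covers the two things this thread turned on. `render_vhosts` writes the split `:80` / `:443` VirtualHost pair that the poster ended up with (plain HTTP on port 80 serving `/.well-known/acme-challenge/` directly and redirecting everything else to HTTPS; TLS only on 443), into a directory of your choice so you can review it before copying it into `/etc/apache2/sites-available/`. `preflight` does what the ACME validator does for http-01: it drops a token file in the webroot and fetches it over cleartext port 80 from the public name, and `classify_response` maps the outcome onto the failure modes seen above (connection refused, "You're speaking plain HTTP to an SSL-enabled server port", "Not Found"). The domain, webroot and output directory are placeholders supplied by the caller; the certificate paths assume certbot's `/etc/letsencrypt/live/DOMAIN/` layout and `/etc/letsencrypt/options-ssl-apache.conf` is assumed to exist (the certbot Apache installer creates it). The classification strings are heuristics taken from the Apache error pages quoted in this thread.

```shell
#!/bin/sh
# Added example (not from the thread). Helpers for http-01 on Apache:
#   render_vhosts DOMAIN WEBROOT OUTDIR   -> writes OUTDIR/DOMAIN.conf, prints its path
#   classify_response CURL_EXIT BODY     -> verdict on a challenge fetch (0 = good)
#   preflight DOMAIN WEBROOT              -> live check against the public name
# Assumptions: certbot's /etc/letsencrypt/live/DOMAIN/ layout, and
# /etc/letsencrypt/options-ssl-apache.conf present (created by certbot's Apache
# installer). mod_rewrite and mod_ssl must be enabled (a2enmod rewrite ssl).

render_vhosts() {
  domain="$1"; webroot="$2"; outdir="$3"
  mkdir -p "$outdir"
  cat > "$outdir/$domain.conf" <<EOF
# Port 80: cleartext HTTP only. No SSLEngine here: the ACME validator speaks
# plain HTTP to port 80, and a TLS listener there produces the "You're speaking
# plain HTTP to an SSL-enabled server port" 400 seen in the thread.
<VirtualHost *:80>
    ServerName $domain
    ServerAlias www.$domain
    DocumentRoot $webroot

    # Serve challenge files straight from the webroot: no rewrites, no auth.
    Alias /.well-known/acme-challenge/ $webroot/.well-known/acme-challenge/
    <Directory "$webroot/.well-known/acme-challenge/">
        Options None
        AllowOverride None
        Require all granted
    </Directory>

    # Everything else goes to HTTPS (the validator follows redirects, but
    # serving the challenge path directly is far easier to debug).
    RewriteEngine on
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

# Port 443: TLS. Paths follow certbot's default layout.
<VirtualHost *:443>
    ServerName $domain
    ServerAlias www.$domain
    DocumentRoot $webroot
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/$domain/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/$domain/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
EOF
  printf '%s\n' "$outdir/$domain.conf"
}

# Returns 0 only when the token body came back over plain HTTP on port 80.
# The string matches are keyed on the Apache responses quoted in the thread.
classify_response() {
  rc="$1"; body="$2"
  case "$rc" in
    0)  ;;
    7)  echo "FAIL: connection refused - nothing listens on port 80, or a firewall/NAT rule drops it"; return 1 ;;
    28) echo "FAIL: timeout - port 80 is filtered"; return 1 ;;
    *)  echo "FAIL: curl exit $rc"; return 1 ;;
  esac
  case "$body" in
    preflight-ok) echo "OK: challenge file served over plain HTTP on port 80"; return 0 ;;
    *"speaking plain HTTP to an SSL-enabled server port"*)
        echo "FAIL: port 80 is TLS - SSLEngine in the :80 vhost, or an 80->443 port forward"; return 1 ;;
    *"Not Found"*)
        echo "FAIL: port 80 answers, but the webroot/Alias does not point at the challenge directory"; return 1 ;;
    *)  echo "FAIL: unexpected body: $body"; return 1 ;;
  esac
}

# Live check. Needs curl, DNS and a route from the outside to port 80; run it
# on the server before "certbot renew" to see the same thing the CA sees.
preflight() {
  domain="$1"; webroot="$2"
  dir="$webroot/.well-known/acme-challenge"
  token="preflight-$(date +%s)-$$"
  mkdir -p "$dir" && printf 'preflight-ok' > "$dir/$token"
  # -L follows redirects as the validator does; 10 s is a generous bound.
  body=$(curl -sS --max-time 10 -L "http://$domain/.well-known/acme-challenge/$token" 2>/dev/null)
  rc=$?
  rm -f "$dir/$token"
  classify_response "$rc" "$body"
}

# Example usage (placeholders, run on the web server as root):
#   render_vhosts example.test /var/www/example /tmp/vhosts
#   preflight example.test /var/www/example
```

Once `preflight` reports OK, the webroot authenticator from the reply above (`certbot run -a webroot -i apache -w WEBROOT -d DOMAIN -d www.DOMAIN`) has everything it needs. The `AH00558: Could not reliably determine the server's fully qualified domain name` line in the first log is unrelated to validation; a global `ServerName` directive (for example in `/etc/apache2/apache2.conf`) silences it, as the message itself says.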