Cannot renew certificates

Hi all

I am trying to renew the certificates for my domain, but I get an error.
Until some months ago (there was an IT manager, now he’s gone) we periodically ran “letsencrypt renew” and everything worked fine with the TLS-SNI-01 challenge.
Now I cannot use the same challenge, so I have tried the following:

  • update to Certbot
  • follow your guide: How to stop using TLS-SNI-01 with Certbot (by bmw)
  • tried several times to modify my server configuration (I admit: not always knowing what I was doing exactly) and then to renew the certificates with “sudo certbot renew”, but I always get a “connection refused” error.

Can you please help me?

My domain is: integrasrl.cloud

I ran this command: sudo certbot renew

It produced this output:
    Saving debug log to /var/log/letsencrypt/letsencrypt.log

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Processing /etc/letsencrypt/renewal/integrasrl.cloud.conf
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Cert is due for renewal, auto-renewing...
    Plugins selected: Authenticator apache, Installer apache
    Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
    Renewing an existing certificate
    Performing the following challenges:
    http-01 challenge for integrasrl.cloud
    http-01 challenge for www.integrasrl.cloud
    Error while running apache2ctl graceful.
    httpd not running, trying to start
    Action 'graceful' failed.
    The Apache error log may have more information.

    [Fri Jun 07 14:23:55.758106 2019] [proxy_html:notice] [pid 17743] AH01425: I18n support in mod_proxy_html requires mod_xml2enc. Without it, non-ASCII characters in proxied pages are likely to display incorrectly.
    AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message

    Unable to restart apache using ['apache2ctl', 'graceful']
    Cleaning up challenges
    Attempting to renew cert (integrasrl.cloud) from /etc/letsencrypt/renewal/integrasrl.cloud.conf produced an unexpected error: Error while running apache2ctl graceful.
    httpd not running, trying to start
    Action 'graceful' failed.
    The Apache error log may have more information.

    [Fri Jun 07 14:23:55.758106 2019] [proxy_html:notice] [pid 17743] AH01425: I18n support in mod_proxy_html requires mod_xml2enc. Without it, non-ASCII characters in proxied pages are likely to display incorrectly.
    AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
    . Skipping.
    All renewal attempts failed. The following certs could not be renewed:
      /etc/letsencrypt/live/integrasrl.cloud/fullchain.pem (failure)

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    All renewal attempts failed. The following certs could not be renewed:
      /etc/letsencrypt/live/integrasrl.cloud/fullchain.pem (failure)
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    1 renew failure(s), 0 parse failure(s)

My web server is (include version): Apache/2.4.18 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 16.04.5 LTS

My hosting provider, if applicable, is: my own machine

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0

Hi @sergioz

your configuration looks wrong. Checking your domain, you see the problem ( https://check-your-website.server-daten.de/?q=integrasrl.cloud ):

Domainname Http-Status redirect Sec. G
http://integrasrl.cloud/
79.10.35.238 400 1.020 M
Bad Request
http://www.integrasrl.cloud/
79.10.35.238 400 0.694 M
Bad Request
https://integrasrl.cloud/
79.10.35.238 302 https://integrasrl.cloud/login 2.033 N
Certificate error: RemoteCertificateChainErrors
https://www.integrasrl.cloud/
79.10.35.238 302 https://www.integrasrl.cloud/login 0.590 N
Certificate error: RemoteCertificateChainErrors
https://integrasrl.cloud/login 200 0.670 N
Certificate error: RemoteCertificateChainErrors
https://www.integrasrl.cloud/login 200 0.586 N
Certificate error: RemoteCertificateChainErrors
https://integrasrl.cloud:80/
79.10.35.238 302 https://integrasrl.cloud/login 0.480 Q
Certificate error: RemoteCertificateChainErrors
Visible Content:
https://www.integrasrl.cloud:80/
79.10.35.238 302 https://www.integrasrl.cloud/login 0.433 Q
Certificate error: RemoteCertificateChainErrors
Visible Content:
http://integrasrl.cloud/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
79.10.35.238 400 0.076 M
Bad Request
Visible Content: Bad Request Your browser sent a request that this server could not understand. Reason: You’re speaking plain HTTP to an SSL-enabled server port. Instead use the HTTPS scheme to access this URL, please. Apache/2.4.18 (Ubuntu) Server at integrasrl.cloud Port 443
http://www.integrasrl.cloud/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
79.10.35.238 400 0.086 M
Bad Request
Visible Content: Bad Request Your browser sent a request that this server could not understand. Reason: You’re speaking plain HTTP to an SSL-enabled server port. Instead use the HTTPS scheme to access this URL, please. Apache/2.4.18 (Ubuntu) Server at integrasrl.cloud Port 443

If you use http-01 validation, Letsencrypt checks a file under http + /.well-known/acme-challenge.

But port 80 - oops, is configured as an https port.

Or you have a wrong port forwarding port 80 extern -> port 443 intern.

Your error

Apache/2.4.18 (Ubuntu) Server at integrasrl.cloud Port 443

looks like that wrong port forwarding.

Port 80 extern -> must be port 80 intern.
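The check described in this answer (and the webroot check later in the thread) can be reproduced locally before running `certbot renew`. The script below is an added example for this thread, not certbot's or Let's Encrypt's code. It does what the ACME validator does for http-01: open a plain (non-TLS) HTTP connection to port 80, request `/.well-known/acme-challenge/<token>`, and classify the answer. It distinguishes the three failure modes seen in this thread: "Connection refused" (nothing reachable on port 80), Apache's "You're speaking plain HTTP to an SSL-enabled server port" 400 (port 80 forwarded to 443, or SSLEngine on a combined `*:80 *:443` VirtualHost), and 404 (port 80 answers, but the token is not under the webroot Apache actually serves). The hostnames, ports and webroot path are supplied by the caller; the `selftest()` function runs the same logic offline against a temporary webroot on 127.0.0.1.

```python
"""Pre-flight check for an ACME http-01 challenge. Added example for this
thread, not certbot's or Let's Encrypt's code. It does what the validator
does: fetch http://<host>/.well-known/acme-challenge/<token> over plain HTTP
and classify the answer, so the failure mode (port 80 forwarded to 443,
wrong webroot, firewall) is visible before running `certbot renew`."""

import functools
import http.server
import os
import secrets
import socket
import sys
import tempfile
import threading

ACME_DIR = ".well-known/acme-challenge"
# Apache's wording when plain HTTP reaches a port that has SSLEngine on
# (quoted in the thread's check-your-website output).
TLS_ON_PLAIN_PORT = "speaking plain HTTP to an SSL-enabled server port"


def classify_response(status, body, expected):
    """Map a status/body pair from port 80 to a short diagnosis."""
    if status == 200 and body.strip() == expected:
        return "ok"
    if status == 200:
        return "wrong_content"        # something answered, but not our token
    if status == 400 and TLS_ON_PLAIN_PORT in body:
        return "tls_on_plain_port"    # port 80 -> 443 forwarding, or SSLEngine on a *:80 vhost
    if status in (301, 302, 303, 307, 308):
        return "redirect"             # allowed by ACME, if the target serves the token
    if status == 404:
        return "not_found"            # port 80 works; the token is not under the served webroot
    return "http_%d" % status


def fetch_plain_http(host, port, path, timeout=5.0):
    """Raw HTTP/1.0 GET without TLS, as the ACME validator sends it."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(("GET %s HTTP/1.0\r\nHost: %s\r\n\r\n" % (path, host)).encode())
        raw = b""
        while True:
            data = s.recv(4096)
            if not data:
                break
            raw += data
    head, _, body = raw.partition(b"\r\n\r\n")
    status = int(head.split(b"\r\n", 1)[0].split()[1])
    return status, body.decode("utf-8", "replace")


def probe(host, port, token, expected):
    """Fetch one challenge URL and return the diagnosis string."""
    try:
        status, body = fetch_plain_http(host, port, "/%s/%s" % (ACME_DIR, token))
    except ConnectionRefusedError:
        return "connection_refused"   # the thread's error: nothing reachable on port 80
    except OSError:                   # timeouts, unroutable host, DNS failure
        return "unreachable"
    return classify_response(status, body, expected)


def check_webroot(webroot, host, port=80):
    """Write a random token under webroot/.well-known/acme-challenge, fetch it
    over plain HTTP, remove it again, and return the diagnosis."""
    token = secrets.token_urlsafe(32)
    expected = token + ".selfcheck"    # stand-in for the real key authorization
    path = os.path.join(webroot, ACME_DIR, token)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(expected)
    try:
        return probe(host, port, token, expected)
    finally:
        os.remove(path)


def selftest():
    """Offline demo: serve a temporary webroot on 127.0.0.1 and run the checks."""
    with tempfile.TemporaryDirectory() as webroot:
        handler = functools.partial(http.server.SimpleHTTPRequestHandler, directory=webroot)
        srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        port = srv.server_address[1]
        try:
            results = {
                "served": check_webroot(webroot, "127.0.0.1", port),
                "missing": probe("127.0.0.1", port, "no-such-token", ""),
                # constructed body, wording taken from the Apache 400 page in the thread
                "tls_port": classify_response(400, "Bad Request ... " + TLS_ON_PLAIN_PORT + " ...", ""),
            }
        finally:
            srv.shutdown()
            srv.server_close()
        # the port is closed now: this is the "Connection refused" the thread shows
        results["closed"] = probe("127.0.0.1", port, "x", "")
        return results


if __name__ == "__main__":
    if len(sys.argv) == 3:   # usage: check_http01.py /var/www/nextcloud integrasrl.cloud
        print(check_webroot(sys.argv[1], sys.argv[2]))
    else:
        print(selftest())
```

Run it on the web server itself with the webroot Apache serves for the domain (for example the `/var/www/nextcloud` path mentioned later in the thread) and the public hostname; since it connects to the public name, it exercises the same firewall/NAT path as Let's Encrypt does, so an external port 80 forwarded to internal port 443 shows up as `tls_on_plain_port`, a firewall drop shows up as `connection_refused` or `unreachable`, and a wrong `-w` path for the webroot plugin shows up as `not_found`. Only `ok` (or `redirect` to a URL that then serves the token) means the http-01 challenge will pass.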

Thank you @JuergenAuer, there was a mistake on the firewall, as you told me.
Now I have fixed it, but the renewal command still fails:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/integrasrl.cloud.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for integrasrl.cloud
http-01 challenge for www.integrasrl.cloud
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (integrasrl.cloud) from /etc/letsencrypt/renewal/integrasrl.cloud.conf produced an unexpected error: Failed authorization procedure. www.integrasrl.cloud (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://www.integrasrl.cloud/.well-known/acme-challenge/7qpEhFn2-zExifYr8j3D0bmRaQrvnkFdOO0xhep7d0U: Connection refused, integrasrl.cloud (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://integrasrl.cloud/.well-known/acme-challenge/JCsQT27iDALxepiNQbOxXrJrZPIjj9JjAZLvZ3GJ3Wk: Connection refused. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/integrasrl.cloud/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/integrasrl.cloud/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: www.integrasrl.cloud
   Type:   connection
   Detail: Fetching
   http://www.integrasrl.cloud/.well-known/acme-challenge/7qpEhFn2-zExifYr8j3D0bmRaQrvnkFdOO0xhep7d0U:
   Connection refused

   Domain: integrasrl.cloud
   Type:   connection
   Detail: Fetching
   http://integrasrl.cloud/.well-known/acme-challenge/JCsQT27iDALxepiNQbOxXrJrZPIjj9JjAZLvZ3GJ3Wk:
   Connection refused

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

Your server doesn’t send a correct answer. Use https://check-your-website.server-daten.de/ to recheck your domain, a Grade A checking http + /.well-known/acme-challenge is required.

thank you again
now I will try to understand what to do in order to get

(probably I will not check this community until next Monday => have a nice weekend)

Hi,
after some troubles, I finally got a grade A for http requests, but there is something else I have to fix since I still cannot renew the certificates (again the “connection refused” error)

I have tried to modify some configuration files (general apache2, sites-enabled, .htaccess), I have fixed some errors.
I also put a file in .well-known/acme-challenge directory in order to verify if it was reachable via a web browser (you can find it here: http://integrasrl.cloud/.well-known/acme-challenge/test ), but I cannot understand how to fix it for certbot.

With the checking site you suggested to me, I can see the following errors:
B https://integrasrl.cloud/ 79.10.35.238 - 302 - Missing HSTS-Header
B https://integrasrl.cloud/login - 200 - Missing HSTS-Header
B https://www.integrasrl.cloud/ 79.10.35.238 - 301 - Missing HSTS-Header
C Error - more then one version with Http-Status 200
F https://www.integrasrl.cloud/ 79.10.35.238 - 301 - http://integrasrl.cloud/ - wrong redirect https - http - never redirect https to http
H fatal error: http result with http-status 200, no encryption
N https://integrasrl.cloud/ 79.10.35.238 - 302 - https://integrasrl.cloud/login - Error - Certificate isn’t trusted, RemoteCertificateChainErrors
N https://integrasrl.cloud/login - 200 - Error - Certificate isn’t trusted, RemoteCertificateChainErrors
N https://www.integrasrl.cloud/ 79.10.35.238 - 301 - http://integrasrl.cloud/ - Error - Certificate isn’t trusted, RemoteCertificateChainErrors
X Fatal error: Nameserver doesn’t support TCP connection: a.nic.cloud: Fatal error (-14). Details: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host. - An existing connection was forcibly closed by the remote host

but I don’t know if they are all involved in my issue.
For example I know that there is a problem with the certificates, since I have to renew them, and also I am not sure I need to try to fix the HSTS errors or the grade F: I do not want to redirect https to http

I would appreciate any help to understand how to go on with the renewal of the certificates

Thank you for your attention

That’s good. And your /.well-known/acme-challenge/random-filename has the expected Grade A ( https://check-your-website.server-daten.de/?q=integrasrl.cloud ):

Domainname Http-Status redirect Sec. G
http://integrasrl.cloud/
79.10.35.238 200 0.083 H
http://www.integrasrl.cloud/
79.10.35.238 200 0.080 H
https://integrasrl.cloud/
79.10.35.238 302 https://integrasrl.cloud/login 0.554 N
Certificate error: RemoteCertificateChainErrors
https://www.integrasrl.cloud/
79.10.35.238 301 http://integrasrl.cloud/ 0.477 N
Certificate error: RemoteCertificateChainErrors
https://integrasrl.cloud/login 200 0.530 N
Certificate error: RemoteCertificateChainErrors
http://integrasrl.cloud/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
79.10.35.238 404 0.130 A
Not Found
Visible Content: Not Found The requested URL /.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de was not found on this server. Apache/2.4.18 (Ubuntu) Server at integrasrl.cloud Port 80
http://www.integrasrl.cloud/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
79.10.35.238 404 0.143 A
Not Found
Visible Content: Not Found The requested URL /.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de was not found on this server. Apache/2.4.18 (Ubuntu) Server at www.integrasrl.cloud Port 80

So your port 80 works and answers. And you have found your correct webroot. So use it:

certbot run -a webroot -i apache -w yourWebRoot -d integrasrl.cloud -d www.integrasrl.cloud

All other things are not good, but not relevant creating a certificate.

First you should have a valid certificate (Grade I, H or better). Then you can check the other things.

Thank you: now I have a valid certificate!

I had placed the following lines
RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]

RewriteRule ^(.*)$ http://%1/$1 [R=301,L]

in my /var/www/nextcloud/.htaccess file during my attempts and then had left it in there.
Now I have removed those 2 lines and the grade F error is fixed, there are only a couple of grade C errors:
C Error - more then one version with Http-Status 200
C Error - no preferred version www or non-www

but I will try to fix them by myself (not a certbot related issue)

To get the grade A with http requests, in the end, I have simply (after a lot of attempts…) modified my /etc/apache2/sites-available/nextcloud.conf in order to have a separate VirtualHost for port 80 and for port 443, and not the previous <VirtualHost *:80 *:443>
I have modified also /etc/apache2/conf-enabled/charset.conf in order to have a default charset
