Cannot renew --dry-run a certificate

Hello,

I'm setting up certificates for a client. The server hosts multiple domains, and the plan is for a couple of them to have SSL certs. The domain mentioned below is the first one. Since I'm cautious about config changes, I tend to do them myself, so I issued:
certbot certonly --webroot -w /home/www.simpss.si/public_html/ -d www.simpss.si -d simpss.si
and then edited the configs myself and everything works fine. However, when testing the renewal process with either:
certbot certonly --dry-run --webroot -w /home/www.simpss.si/public_html/ -d www.simpss.si -d simpss.si
or simply:
certbot renew --dry-run

produces:

My domain is: www.simpss.si (alias - simpss.si)

I ran this command: certbot renew --dry-run

It produced this output:

My web server is (include version): Apache/2.4.6

The operating system my web server runs on is (include version): Centos7

My hosting provider, if applicable, is: n/a

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

I have checked the .well-known dir; it's there, and a file ‘i-am-here.txt’ in it is retrievable. I double-checked the DNS records; IPv6 is not present. When the certbot command was run, I also made a copy of the acme-challenge dir with its contents; it's still there and retrievable:
/.well-known/acme-challenge-copy/isuD_k4afzcC9DckjEleCcU2ssCYsorYZ4yK2pFQeE4
/.well-known/acme-challenge-copy/QA80LRfaNEiSvKtdPlK8UiCo6BBGcHRX_XVnQ7tjjyU

I also did a tcpdump from the server, and I see them talking, my server responding with:

 HTTP/1.1 200 OK
 Date: Wed, 14 Feb 2018 15:00:20 GMT
 Server: Apache
 Last-Modified: Wed, 14 Feb 2018 15:00:19 GMT
 ETag: W/"57-5652d5ea6606b"
 Accept-Ranges: bytes
 Content-Length: 87
 Connection: close

 jbHFTrdXWUKGKyGfauNFV9c7Kw1CnIDwJOFNrX3Fkjk.kEEAP_6osHaWHuG8k4gh7DN-q9twZ3XwLp8A_LImPmY[!http]

and yet I always end up with the same error. Any help greatly appreciated!

Regards,
Neven
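As an added example (not code from this thread), the checks one can run against an HTTP-01 challenge response like the one captured above: status 200, Content-Length matching the body, and a body of the form `<token>.<base64url(SHA-256 JWK thumbprint)>` whose token is the one requested. The sample response is constructed from the captured headers and body; the account-key check is only possible when the ACME account JWK is at hand.

```python
import base64, hashlib, json, re

# Constructed sample: status line, headers and body taken from the tcpdump capture above.
SAMPLE_TOKEN = "jbHFTrdXWUKGKyGfauNFV9c7Kw1CnIDwJOFNrX3Fkjk"
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Length: 87\r\nConnection: close\r\n\r\n"
    b"jbHFTrdXWUKGKyGfauNFV9c7Kw1CnIDwJOFNrX3Fkjk.kEEAP_6osHaWHuG8k4gh7DN-q9twZ3XwLp8A_LImPmY"
)
# Key authorization = <token>.<base64url(SHA-256 JWK thumbprint)>; the hash part is 43 chars.
KEYAUTHZ_RE = re.compile(r"^([A-Za-z0-9_-]+)\.([A-Za-z0-9_-]{43})$")

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk):
    """RFC 7638 thumbprint: SHA-256 over the required JWK members, sorted, no whitespace."""
    members = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode()).digest())

def key_authorization(token, account_jwk):
    return token + "." + jwk_thumbprint(account_jwk)

def parse_http_response(raw):
    """Split a raw HTTP/1.1 response into (status code, lower-cased headers, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(lines[0].split()[1]), headers, body

def check_challenge_response(raw, requested_token, account_jwk=None):
    """Return the list of problems found; an empty list means the response looks right."""
    status, headers, body = parse_http_response(raw)
    problems = []
    if status != 200:
        problems.append("status %d, expected 200" % status)
    if "content-length" in headers and int(headers["content-length"]) != len(body):
        problems.append("Content-Length does not match the body length")
    m = KEYAUTHZ_RE.match(body.decode("ascii", "replace").strip())
    if not m:
        return problems + ["body is not <token>.<thumbprint> in base64url"]
    if m.group(1) != requested_token:
        problems.append("token in body (%s) is not the requested one (%s)" % (m.group(1), requested_token))
    # Only checkable when the ACME account key (JWK) is available locally.
    if account_jwk is not None and m.group(0) != key_authorization(requested_token, account_jwk):
        problems.append("thumbprint does not match the account key")
    return problems
```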

Hi @briskola,

Could you please create a test file so we can try to retrieve it?

mkdir -p /home/www.simpss.si/public_html/.well-known/acme-challenge/ 
echo -n 'test for simpss.si' > /home/www.simpss.si/public_html/.well-known/acme-challenge/test

Cheers,
sahsanu

Sure thing. I’ve created it.

http://www.simpss.si/.well-known/acme-challenge/test

Does this happen on the production server (without --dry-run) too?

I can’t check, as the cert is fresh and won’t be renewed. The server is in production though.

Weird. That error is the “fallback” error in Boulder when it basically can’t classify it as anything more specific.

Maybe @cpu can check why it is happening. I think there were some problems taking place on staging today, at least based on a report in another thread I read today.

It is strange, I can reach the test file perfectly from several countries.

As @_az said, maybe there is some issue on staging server as other users are reporting but I just tested it issuing a certificate for a test domain using --dry-run and it completed successfully.

You can always issue a certbot renew --force-renewal to be sure it is working as expected, it won't hurt your site.

Not sure how to proceed. I’ve generated another cert for a placeholder (default) page on the same server and it’s the same: the cert gets generated without any issue, I install it and it works (the site is buck.softnet.si), but renewing with dry-run produces the same error as above.

@sahsanu - indeed, certbot renew --force-renewal works fine for both virtualhosts, thank you! I’ll just crontab it once per month, I guess, unless you have a better suggestion? :smiley:

Thanks for the help!

I don’t think there is any need to cron force-renewal. It /really/ looks like there’s a problem on the staging server.

Your production certificates should renew themselves without issue.


In that case, I’ll set up a “normal” renewal process via cron and wait till it’s due to renew.

Thanks for the help guys!

Well, then seems something related to staging server after all.

3 things:

1.- If you installed certbot from the packages provided by your Linux Distribution you should already have a cron entry and/or systemd timer.

2.- You should not use --force-renewal parameter on your cron job, it was just a test to check whether you can renew your certs but not something to put in a cron job.

3.- certbot renew can run every day; indeed, running it twice a day is recommended. certbot renew checks whether any cert is close to expiring (30 days or less), and in that case, and only in that case, it tries to renew the cert. If no certs will expire in 30 days or less, it does nothing.

So, before you add your own cron job, check if you already have a cron entry and/or systemd timer.

To check the cron job, it will be here (or something similar :wink: ):
/etc/cron.d/certbot

To check systemd timers:
systemctl list-timers -all

Cheers,
sahsanu

I won’t use force. I am unable to find the cron or systemd job for certbot (centos7, and yes, installed via yum/epel), but I’ll just set one up for a daily run. I’ll get back to you guys in 3 months if the problem arises in production; otherwise, you’re a wonderfully helpful bunch :clap:

Regards,
Neven


I suspect this might have been internet weather - the original error was "no route to host".

I saw the other thread w.r.t the staging environment and tagged some operations folks. I'm not aware of any outage and the metrics seem ~normal overnight.

@briskola Were you successful in using the production environment? Is staging still failing for you or has that resolved itself?

Thanks all!

@cpu Not having issues generating and installing certificates for new virtualhosts, 5 in total now, on this server. It’s just the dry-run test that fails (still does, on all). I’ve set up the crontab and I guess I’ll see when the certificates are due to expire.
