Cannot Renew *Some* Certificates


#1

Please fill out the fields below so we can help you better.

My domain is: various

I ran this command: letsencrypt renew

It produced this output:

  • The following errors were reported by the server:

Domain: [DOMAIN1]
Type: tls
Detail: Failed to connect to 104.28.29.89:443 for TLS-SNI-01
challenge

Domain: www.[DOMAIN1]
Type: tls
Detail: Failed to connect to 104.28.28.89:443 for TLS-SNI-01
challenge

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address. Additionally, please check that
you have an up-to-date TLS configuration that allows the server to
communicate with the Let’s Encrypt client.

  • The following errors were reported by the server:

Domain: [DOMAIN2]
Type: unauthorized
Detail: Invalid response from http://DOMAIN2/.well-known/acme-challenge/_rvzB5EKSA9XI50ivgKP0NoOdeHSkLUpTcPO9khFcGQ:
"

<html class="no-js "

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address.

My operating system is (include version): Ubuntu 16.04 LTS

My web server is (include version): NGINX

My hosting provider, if applicable, is: DigitalOcean

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No, just SSH

So here’s the scenario

  • LEMP stack w/letsencrypt already setup & working. Need to renew SSL cert.
  • All requests from HTTP to HTTPS via nginx conf rewrite
  • Moved to Cloudflare (with strict SSL settings)

I have a few virtual hosts running the exact same setup, yet these two are the only ones getting these errors.

Questions

  1. Is this a DNS / IP issue? Do I need to change the nameserver back to my own provider’s nameserver, renew the SSL cert, and move it back to cloudflare?
  2. What’s wrong with the config I have? Other vhosts running this setup seem to work just fine when renewing

#2

Providing your domain name would make it a lot easier for people to provide support.

My guess is that your DNS points to cloudflare’s proxy server, and as such, when the script tries to verify your domain on port 443 it’s actually going to cloudflare’s server - not your server, and hence failing.

> 1. Is this a DNS / IP issue? Do I need to change the nameserver back to my own provider’s nameserver, renew the SSL cert, and move it back to cloudflare?

I suspect it’s a DNS / cloudflare issue because you are using cloudflare’s caching service. (I can’t confirm without your domain name.)

Without comparing them I can’t tell. Perhaps they aren’t using cloudflare’s cache?

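The point made in the reply above is that the address in "Failed to connect to A.B.C.D:443" is where the CA actually went, so the first thing to check is whether that address is your own server. The following script is an added example, not part of the thread or of the letsencrypt client: it pulls those addresses out of `letsencrypt renew` output and labels each one as the origin or not. The origin address `203.0.113.10`, the function names and the sample output (modelled on the error text in post #1) are all constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: decide from the "Failed to connect to
# A.B.C.D:443" lines in `letsencrypt renew` output whether the CA reached
# your own server or whatever sits in front of it (a Cloudflare proxy, here).
# The origin address 203.0.113.10 used below is an assumed placeholder.

# Reads letsencrypt output on stdin; $1 is your server's public IP.
# Prints one line per distinct address the CA tried:
#   "<ip> origin" or "<ip> not-origin"
classify_challenge_targets() {
    origin_ip="$1"
    grep -o 'Failed to connect to [0-9][0-9.]*' |
        awk -v origin="$origin_ip" \
            '{ ip = $5; print ip, (ip == origin ? "origin" : "not-origin") }' |
        sort -u
}

# Exit status 0 if every address the CA connected to is the origin, else 1.
# (With no "Failed to connect" lines at all it also returns 0.)
challenges_reach_origin() {
    ! classify_challenge_targets "$1" | grep -q 'not-origin$'
}

# Constructed sample, modelled on the error text in post #1.
SAMPLE_OUTPUT='Domain: example.com
Type: tls
Detail: Failed to connect to 104.28.29.89:443 for TLS-SNI-01 challenge

Domain: www.example.com
Type: tls
Detail: Failed to connect to 104.28.28.89:443 for TLS-SNI-01 challenge'

# Usage: paste the renew output on stdin, pass the droplet's public address.
printf '%s\n' "$SAMPLE_OUTPUT" | classify_challenge_targets 203.0.113.10
if printf '%s\n' "$SAMPLE_OUTPUT" | challenges_reach_origin 203.0.113.10; then
    echo "validation reached the origin"
else
    echo "validation was answered by something in front of the origin"
fi
```

Take the origin address from the host itself (the droplet's public IP), not from a DNS lookup, since DNS is exactly what is in question; `dig +short A <domain>` will show which address the name currently resolves to. If every address comes back `not-origin`, the validation never reached your machine, which is the situation the reply above describes.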

#3

Currently I set up cloudflare as DNS only so that caching is bypassed.

Still no luck. Any thoughts?


#4

Now that you have changed the settings at cloudflare to DNS only, can you provide the log of the attempt please (pastebin.com is probably the easiest place)?


#5

2017-01-10 03:28:16,762:WARNING:letsencrypt.cli:Attempting to renew cert from


#6

What command are you running on the command line? And can you include the --debug option please, then paste the full output (including the command and everything following it)?


#7

I ran

service nginx stop; letsencrypt renew --debug ; service nginx start

Same error message

Is the syntax wrong? I don’t see the “--debug” option in the help (letsencrypt --help).


#8

The “service nginx stop” could be a good reason why it can’t connect.

How did you generate these certificates in the first place? And why are you stopping nginx in order to renew? Can you provide a little more information on your setup please?

With the --debug: what version of letsencrypt are you using? It sounds like you are using an old version and (possibly) need to update to the latest certbot (the updated name of the official letsencrypt client).


#9

(for example, if you used a webroot method to issue the certificate—since webroot requires that the web server is running during a renewal, while the standalone method often requires that the web server is not running during a renewal)


#10

How I installed

apt-get install letsencrypt

letsencrypt certonly --standalone -d example.com -d www.example.com

As far as the version goes, when I re-run apt-get install… I get this

letsencrypt is already the newest version (0.4.1-1)

Why I stopped nginx

During the renew process, I got this message

> The program nginx (process ID 5914) is already listening on TCP port 80. This
> will prevent us from binding to that port. Please stop the nginx program
> temporarily and then try again. For automated renewal, you may want to use a
> script that stops and starts your webserver. You can find an example at
> https://letsencrypt.org/howitworks/#writing-your-own-renewal-script.
> Alternatively you can use the webroot plugin to renew without needing to stop
> and start your webserver.

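The message quoted in the post above suggests a "script that stops and starts your webserver" for certificates issued with `--standalone`. The following is an added example of such a script, not code from the thread or from the letsencrypt project; it assumes Ubuntu 16.04's `service` command, nginx as the web server, and letsencrypt 0.4.1 as installed above (so no `--pre-hook`/`--post-hook`). The `SERVICE_CMD` and `LE_CMD` variables and the function names are constructed for the example; they exist so the logic can be dry-run with stubs. The one thing it adds over the plain `stop; renew; start` one-liner in post #7 is that nginx is started again even when the renewal fails or the script is interrupted, so a failed renewal does not also take the site down.

```shell
#!/bin/sh
# Added example, not from the thread: the "script that stops and starts your
# webserver" the letsencrypt message refers to, for a certificate issued with
# --standalone on letsencrypt 0.4.1 (which has no --pre-hook/--post-hook).
# Assumptions: Ubuntu 16.04 with `service`, nginx as the web server.
# SERVICE_CMD / LE_CMD exist only so the script can be dry-run with stubs.

SERVICE_CMD="${SERVICE_CMD:-service}"
LE_CMD="${LE_CMD:-letsencrypt}"
WEB_SERVICE="${WEB_SERVICE:-nginx}"

stop_web()  { "$SERVICE_CMD" "$WEB_SERVICE" stop; }
start_web() { "$SERVICE_CMD" "$WEB_SERVICE" start; }

# Free ports 80/443 for the standalone responder, run the renewal, and bring
# nginx back up no matter how the renewal ends (failure, Ctrl-C, or a TERM).
# Returns letsencrypt's exit status.
renew_standalone() {
    stop_web || return 1
    # If we are killed mid-renewal, restart nginx before exiting.
    trap 'trap - EXIT; start_web; exit 130' INT TERM
    trap 'start_web' EXIT
    if "$LE_CMD" renew; then rc=0; else rc=$?; fi
    trap - EXIT INT TERM
    start_web
    return "$rc"
}

# Only perform a real renewal when invoked with "run", e.g. from root's cron:
#   17 3 * * * /root/renew-standalone.sh run >> /var/log/le-renew.log 2>&1
case "${1:-}" in
    run) renew_standalone ;;
esac
```

The window during which the site is down is the length of the `renew` call, which is why the message also points at the webroot plugin as the way to renew without stopping nginx at all; for a certificate that was issued with `--standalone`, the script above is the direct fix.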

#11

Ok, I tried running renew while nginx is still on and got this error

