Can't renew all my domains

Hello,

I have a problem when I try to renew all my domains:

My domain is: https://youtube-twitch-alerts.addons.luc-mergault.fr/

I ran this command: /opt/letsencrypt/letsencrypt-auto renew or /opt/letsencrypt/letsencrypt-auto --apache --renew-by-default -d youtube-twitch-alerts.addons.luc-mergault.fr

It produced this output: Failed authorization procedure. youtube-twitch-alerts.addons.luc-mergault.fr (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Timeout

My web server is (include version): Apache/2.4.10 (Debian)

The operating system my web server runs on is (include version): Debian GNU/Linux 8

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

Thank you!

Do you have any sort of firewall that could be limiting inbound connections from some parts of the Internet?

wget http://youtube-twitch-alerts.addons.luc-mergault.fr/
redirects permanently (301) to https.
and
wget https://youtube-twitch-alerts.addons.luc-mergault.fr/
returns: {"error":true}
as also shown by all major browsers:

@schoen :

I have Fail2ban, but when I look at the ban list, I don't see any IP address :-/

Apart from that, I have the default firewall (I believe iptables) ^^

@rg305 :

Yes it’s normal ^^

You could try putting a test.txt file at:
https://youtube-twitch-alerts.addons.luc-mergault.fr/.well-known/acme-challenge/test.txt


Hmm, why do you want me to do this?

To test if it can be reached from the Internet correctly.


I have this path if you want ^^

It would be good to use the exact path that @rg305 suggested because /.well-known/acme-challenge/ has a special meaning to the certificate authority.


Oh, ok, sorry, I have created this path:

https://youtube-twitch-alerts.addons.luc-mergault.fr/.well-known/acme-challenge/test.txt

Edit: Just for information, I have this problem on all my domains :wink:

@cpu, could you perhaps try this and see if there’s something strange about the routing or a netblock-specific firewall?

Have you made any special coding for /.well-known or /.well-known/acme-challenge requests?

I will ask our operations team to look into this. It's not something I can check myself unfortunately.

I have been able to access your website on ports 80/443 from different network vantage points. If you have programmatic access to install a DNS TXT record, could you try using the DNS-01 challenge?

If you use certbot standalone, what result do you get?

Out of curiosity, can you post your webserver vhost configuration please?

@rg305 No, but I do not think that's the problem ^^

For information, the problem was not there 3 ~ 4 months ago; it has only appeared recently :-/

@devnullisahappyplace

1 - What is the "DNS-01 challenge"?
2 - Won't that break the configuration of my server?
3 - The global server configuration, or just for a specific domain?

Here is the log after trying to launch the command (I deleted some info that seemed private to me):

The DNS-01 challenge type involves creating a TXT record on your domain with the challenge response as its value.

No, this will not break your domain.

Depends on what you're issuing certificates for. For example, if you issue for youtube-twitch-alerts.luc-mergault.fr, you would need to create a TXT record for _acme-challenge.youtube-twitch-alerts.luc-mergault.fr. If you wanted to generate a certificate for, say, www.youtube-twitch-alerts.luc-mergault.fr, you would need to create a TXT record for _acme-challenge.www.youtube-twitch-alerts.luc-mergault.fr.
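To make the record concrete, here is an added example (not code from this thread or from certbot) of how the DNS-01 record name and TXT value are derived per RFC 8555 section 8.4: the name is _acme-challenge.<domain>, and the value is the base64url-encoded SHA-256 of "<token>.<account key thumbprint>". The token and thumbprint below are constructed sample values, not a real challenge.

```python
"""Added example: deriving the DNS-01 TXT record name and value (RFC 8555 s.8.4)."""
import base64
import hashlib


def b64url(data: bytes) -> str:
    # ACME uses base64url without "=" padding (RFC 7515 style)
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def dns01_record_name(domain: str) -> str:
    # The TXT record lives at _acme-challenge.<domain>. A trailing dot and a
    # leading "*." wildcard label are stripped: the record goes on the base name.
    name = domain.strip(".").lower()
    if name.startswith("*."):
        name = name[2:]
    return f"_acme-challenge.{name}"


def dns01_record_value(token: str, account_thumbprint: str) -> str:
    # Key authorization = "<token>.<JWK thumbprint of the ACME account key>";
    # the TXT value is the base64url SHA-256 digest of that ASCII string.
    key_authz = f"{token}.{account_thumbprint}".encode("ascii")
    return b64url(hashlib.sha256(key_authz).digest())


def txt_record_matches(answers, expected: str) -> bool:
    # A resolver may return several TXT strings (possibly quoted); the CA
    # accepts the challenge if any of them equals the expected value exactly.
    return any(a.strip('"') == expected for a in answers)


if __name__ == "__main__":
    # Constructed sample values (not a real token or account key).
    token = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
    thumbprint = "9jg46WB3rR_AHD-EBXdN7cBkH1WOu0tA3M9fm21mqTI"
    print(dns01_record_name("youtube-twitch-alerts.addons.luc-mergault.fr"))
    print(dns01_record_value(token, thumbprint))
```

The printed name is the record to create at your DNS provider; the printed value is what certbot's manual or DNS plugin would ask you to publish there before the CA queries it.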

Oops, sorry for the delay …

1 - Um, ok, I'm not sure I understand (I'm not an expert in the field ^^)
2 - Ok ok
3 - Ha, okay, but why do we have to do this now, when it worked properly before? :-/

Edit: What should I enter in the entry?

Edit 2: I was thinking, maybe the problem comes from an Apache module or a configuration, what do you think?

I know that during the installation of the server I had installed one or more modules, but I do not remember which (and I also changed some things about the operation of the server) :-/

Here is my list of Apache2 modules loaded:

Ok, new update, I tried this command:

  • /opt/letsencrypt/letsencrypt-auto renew --force-renewal

These domains renewed successfully:

  /etc/letsencrypt/live/mynar.luluwebmaster.fr/fullchain.pem (success)
  /etc/letsencrypt/live/mr.luluwebmaster.fr/fullchain.pem (success)
  /etc/letsencrypt/live/samacup.luluwebmaster.fr/fullchain.pem (success)
  /etc/letsencrypt/live/jtchat.luluwebmaster.fr/fullchain.pem (success)
  /etc/letsencrypt/live/bottleflip.luluwebmaster.fr/fullchain.pem (success)
  /etc/letsencrypt/live/luc-mergault.fr/fullchain.pem (success)
  /etc/letsencrypt/live/luluwebmaster.fr/fullchain.pem (success)
  /etc/letsencrypt/live/fm-motoculture.fr-0001/fullchain.pem (success)
  /etc/letsencrypt/live/i.luwe.fr/fullchain.pem (success)

And other random domains did not work :-/

Attempting to renew cert (amazon-wtf.luluwebmaster.fr) from /etc/letsencrypt/renewal/amazon-wtf.luluwebmaster.fr.conf produced an unexpected error: Failed authorization procedure. amazon-wtf.luluwebmaster.fr (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Timeout. Skipping.
The following certs could not be renewed:
  /etc/letsencrypt/live/luwe.fr/fullchain.pem (failure)
  /etc/letsencrypt/live/youtube-twitch-alerts.addons.luc-mergault.fr/fullchain.pem (failure)
  /etc/letsencrypt/live/u.luwe.fr/fullchain.pem (failure)
  /etc/letsencrypt/live/fm-motoculture.fr/fullchain.pem (failure)
  /etc/letsencrypt/live/frame.luluwebmaster.fr/fullchain.pem (failure)
  /etc/letsencrypt/live/amazon-wtf.luluwebmaster.fr/fullchain.pem (failure)

Other information: all domains listed changed from VPS 3 ~ 4 months ago :wink:

Here it is, if it helps ^^

Hello,

Ok, so I really do not understand this problem …

I just reassured this morning, and there, all the certificates have been renewed!
