Can't renew an expired certificate


#1

I’m trying to renew an expired certificate, but I don’t know how to do so. I tried to run sudo certbot --force-renewal because, according to what I can read on the renewal site:

it causes the expiration time of the certificate(s) to be ignored when considering renewal, and attempts to renew each and every installed certificate regardless of its age.

So that seems to be exactly what I need. But then I’m getting an error.

My domain is:
malvar.dynu.net

I ran this command:
sudo certbot --force-renewal

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx

Which names would you like to activate HTTPS for?

1: malvar.dynu.net

Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter ‘c’ to cancel): 1
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for malvar.dynu.net
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. malvar.dynu.net (tls-sni-01): urn:acme:error:unknownHost :: The server could not resolve a domain name :: No valid IP addresses found for malvar.dynu.net

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: malvar.dynu.net
    Type: unknownHost
    Detail: No valid IP addresses found for malvar.dynu.net

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

My web server is (include version):
NGINX 1.10.3

The operating system my web server runs on is (include version):
Debian 9.4 stretch

My hosting provider, if applicable, is:
N.A.

I can login to a root shell on my machine (yes or no, or I don’t know):
YES

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
NO


#2

Hi @m4l490n,

Your site is now at the private IP address 10.0.0.10. This address only exists on a local-area network and not on the public Internet. Therefore, nobody can connect to it from the Internet—including the Let’s Encrypt CA trying to validate your control over your domain name. Unless you can give your site a public IP address, you can’t use the TLS-SNI-01 method to prove your control over the domain name.

Since this is a renewal, presumably this server had a public IP address at some point in the past?


#3

For what it’s worth, --force-renewal is intended to force Certbot to renew certificates that aren’t expiring any time soon and don’t need to be renewed. (Which is a bit dangerous, since it makes it easier to issue a large number of certificates and hit the rate limits.)

Since this certificate has already expired, Certbot needs no encouragement to want to renew it, and it’s not necessary to pass that option.


#4

@schoen, you are right. I had to create a DNS record with that local address because I wasn’t able to access the server locally using malvar.dynu.net, and that was the only way I could. I have removed that record and run the forced renewal again, and I get a new error.

Which names would you like to activate HTTPS for?
-------------------------------------------------------------------------------
1: malvar.dynu.net
-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for malvar.dynu.net
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. malvar.dynu.net (tls-sni-01): urn:acme:error:unauthorized :: The client lacks 
sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 
a99b15252e48bd87a51022b55ff7576e.a837df6416547aef3d7f045702e6996b.acme.invalid from 
98.250.148.138:443. Received 2 certificate(s), first certificate had names "malvar.dynu.net"

IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: malvar.dynu.net
Type:   unauthorized
Detail: Incorrect validation certificate for tls-sni-01 challenge.
Requested
a99b15252e48bd87a51022b55ff7576e.a837df6416547aef3d7f045702e6996b.acme.invalid
from 98.250.148.138:443. Received 2 certificate(s), first
certificate had names "malvar.dynu.net"

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.

#5

@mnordhoff, what option should I use then? Because if I only do a sudo certbot renew I get:

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/malvar.dynu.net.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for malvar.dynu.net
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (malvar.dynu.net) from /etc/letsencrypt/renewal/malvar.dynu.net.conf produced an 
unexpected error: Failed authorization procedure. malvar.dynu.net (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 
f183681f445fb380d2aeab92e0def2aa.a770eda62c7f8481ad345ae3a5c510fb.acme.invalid from 
98.250.148.138:443. Received 2 certificate(s), first certificate had names "malvar.dynu.net". Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/malvar.dynu.net/fullchain.pem (failure)

-------------------------------------------------------------------------------

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/malvar.dynu.net/fullchain.pem (failure)
-------------------------------------------------------------------------------
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: malvar.dynu.net
   Type:   unauthorized
   Detail: Incorrect validation certificate for tls-sni-01 challenge.
   Requested
   f183681f445fb380d2aeab92e0def2aa.a770eda62c7f8481ad345ae3a5c510fb.acme.invalid
   from 98.250.148.138:443. Received 2 certificate(s), first
   certificate had names "malvar.dynu.net"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

And I haven’t found a correct way of renewing the certificate. Should I revoke it and get a new one? I don’t know what to do.


#6

Do you possibly have some kind of firewall or proxy that routes inbound TLS connections based on the SNI hostname that they’re trying to connect to, as opposed to simply forwarding port 443 without inspecting the nature of inbound connections?
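A pre-flight check for the two conditions raised in #2 (the name resolves to a non-public address) and #6 (something in front of nginx terminating or routing TLS by SNI), as an added example that is not part of this thread. It is meant to be run on the web server itself, assumes nginx also answers locally on 127.0.0.1:443 (the `local_addr` argument is an assumption, not a certbot option), and uses only the Python standard library.

```python
import hashlib
import ipaddress
import socket
import ssl
import sys


def classify_addresses(addresses):
    """Split addresses into publicly routable and not; a name resolving only to
    10.0.0.10 (post #2) can never be reached by the CA's validation server."""
    public, non_public = [], []
    for addr in addresses:
        (public if ipaddress.ip_address(addr).is_global else non_public).append(addr)
    return public, non_public


def resolve(name):
    """A/AAAA addresses the local resolver returns for name (needs network)."""
    infos = socket.getaddrinfo(name, 443, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def leaf_cert_fingerprint(host, port, sni, timeout=5.0):
    """SHA-256 of the leaf certificate host:port presents for SNI name `sni`.
    Verification is off on purpose: we only want to see which cert comes back."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False   # must be cleared before setting CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            return hashlib.sha256(tls.getpeercert(binary_form=True)).hexdigest()


def tls_terminated_in_front(public_fp, local_fp):
    """If the certificate seen via the public address differs from the one nginx
    serves locally, a proxy or SNI router in front is terminating TLS (post #6),
    so the CA never sees the challenge certificate certbot installs."""
    return public_fp != local_fp


if __name__ == "__main__":
    # usage (run on the web server): python3 sni_check.py <domain> [local_addr]
    domain = sys.argv[1]
    local_addr = sys.argv[2] if len(sys.argv) > 2 else "127.0.0.1"  # assumption
    public, non_public = classify_addresses(resolve(domain))
    print("public:", public, "non-public (CA cannot reach):", non_public)
    local_fp = leaf_cert_fingerprint(local_addr, 443, domain)
    for addr in public:
        public_fp = leaf_cert_fingerprint(addr, 443, domain)
        print(addr, "TLS terminated in front of nginx:", tls_terminated_in_front(public_fp, local_fp))
```

If the home router does not hairpin connections to its own public address, run the public-side probe from a host outside the LAN instead; a connection that is refused or times out there is the same symptom the CA would see.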


#7

I have ufw, and this is the configuration:

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
80/tcp (Nginx HTTP)        ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
4321/tcp                   ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)
80/tcp (Nginx HTTP (v6))   ALLOW IN    Anywhere (v6)
80/tcp (v6)                ALLOW IN    Anywhere (v6)
443/tcp (v6)               ALLOW IN    Anywhere (v6)
4321/tcp (v6)              ALLOW IN    Anywhere (v6)

So I think I’m not filtering inbound TLS connections based on the SNI hostname that they’re trying to connect to, but I’m not completely sure.


#8

Could you post the associated log file from /var/log/letsencrypt?