Can't renew an expired certificate

Help
1

I'm trying to renew an expired certificate. But I don't know how to do so. I tried to run sudo certbot --force-renewal because according to what I can read in the renewal site:

it causes the expiration time of the certificate(s) to be ignored when considering renewal, and attempts to renew each and every installed certificate regardless of its age.

So that seems to be exactly what I need. But then I'm getting an error.

My domain is:
malvar.dynu.net

I ran this command:
sudo certbot --force-renewal

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx

Which names would you like to activate HTTPS for?

1: malvar.dynu.net

Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for malvar.dynu.net
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. malvar.dynu.net (tls-sni-01): urn:acme:error:unknownHost :: The server could not resolve a domain name :: No valid IP addresses found for malvar.dynu.net

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: malvar.dynu.net
    Type: unknownHost
    Detail: No valid IP addresses found for malvar.dynu.net

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

My web server is (include version):
NGINX 1.10.3

The operating system my web server runs on is (include version):
Debian 9.4 stretch

My hosting provider, if applicable, is:
N.A.

I can login to a root shell on my machine (yes or no, or I don't know):
YES

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
NO

2

Hi @m4l490n,

Your site is now at the private IP address 10.0.0.10. This address only exists on a local-area network and not on the public Internet. Therefore, nobody can connect to it from the Internet—including the Let’s Encrypt CA trying to validate your control over your domain name. Unless you can give your site a public IP address, you can’t use the TLS-SNI-01 method to prove your control over the domain name.

Since this is a renewal, presumably this server had a public IP address at some point in the past?

3

For what it's worth, --force-renewal is intended to force Certbot to renew certificates that aren't expiring any time soon and don't need to be renewed. (Which is a bit dangerous, since it makes it easier to issue a large number of certificates and hit the rate limits.)

Since this certificate has already expired, Certbot needs no encouragement to want to renew it, and it's not necessary to pass that option.

4

@schoen you are right, I had to create a DNS record with that local address because I wasn’t able to access the server locally using malvar.dynu.net and that is the only way I could. I have removed that record and ran the forced renewal again and I get a new error.

Which names would you like to activate HTTPS for?
-------------------------------------------------------------------------------
1: malvar.dynu.net
-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for malvar.dynu.net
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. malvar.dynu.net (tls-sni-01): urn:acme:error:unauthorized :: The client lacks 
sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 
a99b15252e48bd87a51022b55ff7576e.a837df6416547aef3d7f045702e6996b.acme.invalid from 
98.250.148.138:443. Received 2 certificate(s), first certificate had names "malvar.dynu.net"

IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: malvar.dynu.net
Type:   unauthorized
Detail: Incorrect validation certificate for tls-sni-01 challenge.
Requested
a99b15252e48bd87a51022b55ff7576e.a837df6416547aef3d7f045702e6996b.acme.invalid
from 98.250.148.138:443. Received 2 certificate(s), first
certificate had names "malvar.dynu.net"

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
5

@mnordhoff what option should I use then? because if I do only a sudo certbot renew I get:

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/malvar.dynu.net.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for malvar.dynu.net
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (malvar.dynu.net) from /etc/letsencrypt/renewal/malvar.dynu.net.conf produced an 
unexpected error: Failed authorization procedure. malvar.dynu.net (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 
f183681f445fb380d2aeab92e0def2aa.a770eda62c7f8481ad345ae3a5c510fb.acme.invalid from 
98.250.148.138:443. Received 2 certificate(s), first certificate had names "malvar.dynu.net". Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/malvar.dynu.net/fullchain.pem (failure)

-------------------------------------------------------------------------------

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/malvar.dynu.net/fullchain.pem (failure)
-------------------------------------------------------------------------------
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: malvar.dynu.net
   Type:   unauthorized
   Detail: Incorrect validation certificate for tls-sni-01 challenge.
   Requested
   f183681f445fb380d2aeab92e0def2aa.a770eda62c7f8481ad345ae3a5c510fb.acme.invalid
   from 98.250.148.138:443. Received 2 certificate(s), first
   certificate had names "malvar.dynu.net"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

And I haven’t found a correct way of renewing the certificate. Should I revoke it and get a new one? I don’t know what to do.

6

Do you possibly have some kind of firewall or proxy that routes inbound TLS connections based on the SNI hostname that they’re trying to connect to, as opposed to simply forwarding port 443 without inspecting the nature of inbound connections?

7

I have ufw, and this is the configuration:

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
80/tcp (Nginx HTTP)        ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
4321/tcp                   ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)
80/tcp (Nginx HTTP (v6))   ALLOW IN    Anywhere (v6)
80/tcp (v6)                ALLOW IN    Anywhere (v6)
443/tcp (v6)               ALLOW IN    Anywhere (v6)
4321/tcp (v6)              ALLOW IN    Anywhere (v6)

So I think I’m not filtering inbound TLS connections based on the SNI hostname that they’re trying to connect to, but I’m not completely sure.

8

Could you post the associated log file from /var/log/letsencrypt?

9

@schoen sorry for the delay. There is a ton of log files and I don’t know how to add them here. It did’t let me upload the tar file.

10

Maybe you could post the relevant one (the most recent one after the failed attempt) on a pastebin site like pastebin.com and then share the link here?

11

Here are the latest 3 logs. They contain a lot of stuff so I don’t really know what’s in there.

letsencrypt.log
letsencrypt.log.1
letsencrypt.log.2

I hope this helps to know what’s happening.

Thanks!

12

I would try:
sudo certbot --preferred-challenges http

And get the other problems fixed after you get your cert renewed.

13

Thanks for helping @rg305

What does sudo certbot --preferred-challenges http do?

14

It tells LE to use http instead of https to validate the challenge request.

tls-sni-01 = https

From: User Guide — Certbot 2.7.0.dev0 documentation
--preferred-challenges http to use port 80
--preferred-challenges tls-sni to use port 443

If you do try http, you might also need to exclude the acme-challenges from the http>https redirection.
Depending on how you are doing the redirection (there are several different ways), you might be able to do what I like to do; which is to use a separate location section and folder just for all the challenges.
Place something like this into your vhost config block:

  location /.well-known/acme-challenge {
    access_log logs/acme-challenges.log combined;
    root /path/for/dedicated/acme-challenges;
  }
15

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.