Cant renew certificate, problem with connecting to acme-staging


#1

Hello all,

I have used a Lets Encrypt while for a long time, but suddenly my certificate expired, however I did configure auto renewal and i know 99% sure that it worked before.
Now i wanted to renew my certificate, but when I try I cant get past this stage:
Cert is due for renewal, auto-renewing…
Starting new HTTPS connection (1): acme-staging.api.letsencrypt.org

There seems to be a problem setting up a connection, what can be the problem?

Thank you for your help


#2

How are you trying to renew your certificate? Using what client? acme-staging.api.letsencrypt.org is the staging (or sanbox) envoirment, intended for developers to test their code, it’s not for production. To renew a real certificate, your client should’ve used acme-v01.api.letsencrypt.org. I’m guessing it means that your client still developing the renewal option, and you cannot use it now. You might want to use other client.

If you trying to develop a client and trying to build a renewal function, then I can’t help you :confounded:


#3

I am using Certbot. I am running CentOS 7.
I tried certbot renew --dry-run
As well as certbot --apache

Nothing seems to work. I hope you can help :slight_smile:

edit: the --dry-run command is for testing only, that explains why it used that url, my bad. However, when trying the --apache command, noting actually happens when I press enter. It seems to stay there forever doing nothing.

edit2: Running the command certbot renew shows me that it now tries to connect to acme-v01.api.letsencrypt.org
But nothing happens from there… it seems like it cannot establish a connection somehow…


#4

can you use the --verbose option, and then paste the log in pastebin.com or somewhere it can be read ?


#5

Here is the output by using certbot renew --verbose

http://pastebin.com/GTf6A54r

I deleted domain names for security reasons.
As you can see the whole process stops at Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org

Thank you for your help


#6

Does it time out ? or what happens after the

Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org line ?

As a note - all domain names are publicly listed as soon as certificates are obtained, so there is no “security” benefit of removing the domain name.


#7

It doesnt time out it seems. I have let it run overnight and its still in the same spot.
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org is the last line…


#8

Can you ping acme-v01.api.letsencrypt.org? What’s the output for traceroute acme-v01.api.letsencrypt.org?


#9

Here is the output for ping and traceroute, looks normal to me?

http://pastebin.com/qWM2mcZd


#10

Yep, that looks fine. From your previous run with --verbose (or a new one, if those logs are gone), can you check if the logs in /var/log/letsencrypt contain anything else other than the “Starting new HTTPS connection …” message?

Does curl -v https://acme-v01.api.letsencrypt.org/directory succeed?


#11

curl seems to succeed:
[root@srvwb-mid-001 ~]# curl -v https://acme-v01.api.letsencrypt.org/directory

The log files dont go any further than the Starting new HTTPS connection message, hmm this does not get easier!

EDIT: I got a little further, it seemed that the Cisco firewall was blocking the connexction… I am going to open the firewall and try to renew the cert after. I will post the outcome…


#12

My certificate is succesfully renewed. At the end it was just a Cisco firewall problem on my side, thank you all for your help! :slight_smile:


#13

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.