Can't renew certificates, because server isn't visible

My domain is:
pocketwiki.cau.ninja and wiki.pseudocode.site
I ran this command:
wiki.pseudocode.site
It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/pocketwiki.cau.ninja.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate for pocketwiki.cau.ninja and wiki.pseudocode.site
Performing the following challenges:
http-01 challenge for pocketwiki.cau.ninja
http-01 challenge for wiki.pseudocode.site
Waiting for verification...
Challenge failed for domain pocketwiki.cau.ninja
Challenge failed for domain wiki.pseudocode.site
http-01 challenge for pocketwiki.cau.ninja
http-01 challenge for wiki.pseudocode.site

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
  Domain: pocketwiki.cau.ninja
  Type:   connection
  Detail: 95.116.164.17: Fetching http://pocketwiki.cau.ninja/.well-known/acme-challenge/qyxJkAl_jkTRBw7pcSZCvMUHsJmnM1RCdUJKyWjfx_Q: Timeout during connect (likely firewall problem)

  Domain: wiki.pseudocode.site
  Type:   connection
  Detail: 95.116.164.17: Fetching http://wiki.pseudocode.site/.well-known/acme-challenge/pJDle8dk5oC5rlLpSWAj_6F0xe3ebDkm42Z1kx3GPds: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Cleaning up challenges
Failed to renew certificate pocketwiki.cau.ninja with error: Some challenges have failed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/wiki.pseudocode.site.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate for wiki.pseudocode.site
Failed to renew certificate wiki.pseudocode.site with error: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/failed-validation-limit/

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/pocketwiki.cau.ninja/fullchain.pem (failure)
  /etc/letsencrypt/live/wiki.pseudocode.site/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2 renew failure(s), 0 parse failure(s)

My web server is (include version):
Apache 2.4.41
The operating system my web server runs on is (include version):
Ubuntu 20.4
I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.29.0

Hello @xtay2

It looks like a firewall is blocking any requests to port 80 (http) and port 443 (https).

You should check your firewall(s). Also check that your DNS is pointing to the right public IP for your server. The names seem like you might be using a dynamic DNS service. Maybe something has gone wrong.

nslookup wiki.pseudocode.site

wiki.pseudocode.site    canonical name = dennis-woithe.dynv6.net.
Name:   dennis-woithe.dynv6.net
Address: 95.116.164.17
Name:   dennis-woithe.dynv6.net
Address: 2a01:c23:9601:1bf1:3ea6:2fff:fede:3f3d
3 Likes

Since the errors are found via IPv4:

And the names have both IPv4 and IPv6:

Addresses: 2a01:c23:9601:1bf1:3ea6:2fff:fede:3f3d
           95.116.164.17
Aliases:   pocketwiki.cau.ninja
Aliases:   wiki.pseudocode.site

That shows that IPv6 is failing and should be corrected or removed from DNS.

It might further indicate that some IP changes have taken place since the last certificate was issued/renewed. Which could mean that firewall/routing has also changed.
[pure guessing on my part]

In any case:

It's 99.9% a firewall problem.

2 Likes

Thanks for the reply. That's very weird, I haven't changed anything about the firewalls and the two sites are running for a year now.

1 Like

Funny thing is the error message shows the IPv4 address. It normally shows the IPv6 addresses when an AAAA record is present. I cannot connect using either one.

@xtay2 Do those domains work from the public internet in your region? I tried a bunch of global areas and never connected.

Check your current IP addresses by running these commands on the machine running certbot:

curl -4 ifconfig.co
curl -6 ifconfig.co
3 Likes

I tried it and cannot connect. Now I'm totally confused.

Are you saying the two curl commands don't work? Or you can't reach your own domains?

3 Likes

I can't reach the domains. Even localhost will show me an error.

Please show results of these commands

3 Likes

95.116.232.113
and
2a01:c23:948f:5f00:5552:87df:be72:5b84

OK. The IPv4 result matches what you have for one domain (wiki). But, they don't match what your DNS has for pocketwiki. And, I only see pocketwiki with an AAAA record now.

I am signing off for a bit but maybe Rudy or someone can continue

nslookup  wiki.pseudocode.site

wiki.pseudocode.site    canonical name = xtay2.ddnss.de.
Address: 95.116.232.113
nslookup pocketwiki.cau.ninja

pocketwiki.cau.ninja    canonical name = dennis-woithe.dynv6.net.
Address: 95.116.164.17
Address: 2a01:c23:9601:1bf1:3ea6:2fff:fede:3f3d
3 Likes

Yes, I have changed the dyndns-provider as its service was fully offline.

I can connect to the wiki domain with IPv4 now. Although only with HTTP. An HTTPS request (port 443) looks like it is redirected to your port 80 server. Or maybe it is not set up right for HTTPS.

Some headers omitted for readability

curl -I4 http://wiki.pseudocode.site
HTTP/1.1 301 Moved Permanently
Date: Mon, 18 Jul 2022 23:33:30 GMT
Server: Apache/2.4.41 (Ubuntu)
Location: https://wiki.pseudocode.site/index.php/Main_Page

curl -I4 Location: https://wiki.pseudocode.site/index.php/Main_Page
curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol

curl -I4 http://wiki.pseudocode.site:443
(see using http gets response from port 443, should not)
HTTP/1.1 301 Moved Permanently
Date: Mon, 18 Jul 2022 23:34:00 GMT
Server: Apache/2.4.41 (Ubuntu)
Location: https://wiki.pseudocode.site/index.php/Main_Page

Those are issues, but a cert request might succeed because this returns a 404 without redirecting, so it might work when used with an actual request.

curl -I4 http://wiki.pseudocode.site/.well-known/acme-challenge/Test123
HTTP/1.1 404 Not Found
Date: Mon, 18 Jul 2022 23:41:53 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Type: text/html; charset=iso-8859-1

4 Likes
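The manual checks done in the last few posts (compare what DNS returns for each name with the host's current public IPs, then probe the challenge path over plain HTTP and see whether port 443 really speaks TLS) can be scripted so the next renewal failure is diagnosed in one go. The script below is an added example, not code from this thread or from Certbot. It assumes a POSIX shell with curl and getent available and, as above, uses ifconfig.co to learn the public addresses. The two helper functions work on constructed inputs (the sample addresses are the ones quoted in the thread) so the logic can be exercised without network access; the `preflight` driver only runs the live checks when domain names are passed as arguments.

```shell
#!/bin/sh
# Added example (not from the thread or from Certbot): pre-flight checks for
# an http-01 renewal. Assumes POSIX sh, curl and getent; ifconfig.co is used
# to learn the host's public addresses, as suggested in the thread.

# Compare the addresses a name resolves to ($1, whitespace-separated) with the
# host's current public IPv4 ($2) and IPv6 ($3, may be empty).
# Prints one verdict per address; returns 0 only if every record points here.
check_dns_matches() {
    resolved=$1; pub4=$2; pub6=$3
    status=0
    for addr in $resolved; do
        case "$addr" in
            "$pub4"|"$pub6")
                echo "OK      $addr (this host)" ;;
            *:*)
                echo "STALE   $addr (AAAA record, but public IPv6 is '${pub6:-none}'; fix or remove the record)"
                status=1 ;;
            *)
                echo "STALE   $addr (A record, but public IPv4 is '$pub4'; update the dynamic DNS entry)"
                status=1 ;;
        esac
    done
    return $status
}

# Interpret the HTTP status curl reported for the challenge path on port 80.
# Returns 0 = reachable, 1 = no answer (firewall/NAT), 2 = redirect, 3 = other.
classify_probe() {
    case "$1" in
        200|404)
            echo "reachable: port 80 answers for the challenge path (404 for a dummy token is expected)"
            return 0 ;;
        301|302|307|308)
            echo "redirect: the CA follows it, so the target must also be reachable and serve valid TLS"
            return 2 ;;
        000|"")
            echo "unreachable: no HTTP answer on port 80 (connect timeout; check firewall, port forward and DNS)"
            return 1 ;;
        *)
            echo "unexpected HTTP $1: inspect the virtual host that serves this name"
            return 3 ;;
    esac
}

# Live driver: run as  ./preflight.sh name1 [name2 ...]  on the certbot host.
preflight() {
    pub4=$(curl -4 -s --max-time 10 ifconfig.co || true)
    pub6=$(curl -6 -s --max-time 10 ifconfig.co || true)
    echo "public IPv4: ${pub4:-none}   public IPv6: ${pub6:-none}"
    for name in "$@"; do
        echo "== $name"
        # getent follows the CNAME chain and lists every A/AAAA address.
        resolved=$(getent ahosts "$name" | awk '{print $1}' | sort -u)
        check_dns_matches "$resolved" "$pub4" "$pub6" || true
        # Dummy token: a 404 is fine, a timeout (000) is the firewall symptom seen above.
        code=$(curl -4 -s -o /dev/null --max-time 10 -w '%{http_code}' \
            "http://$name/.well-known/acme-challenge/preflight-test" || true)
        classify_probe "$code" || true
        # Plain HTTP on port 443 should fail; an HTTP reply there means no TLS listener.
        if curl -4 -s -o /dev/null --max-time 10 "http://$name:443/"; then
            echo "WARNING: port 443 answers plain HTTP, so https:// will fail with 'unknown protocol'"
        fi
    done
}

if [ $# -gt 0 ]; then
    preflight "$@"
fi
```

Run it on the machine that runs certbot, once per renewal name; a STALE line means the dynamic DNS entry still carries an old address (the situation in this thread after the provider change), and an "unreachable" verdict for the challenge path points at the firewall or port forward rather than at Certbot.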

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.