Can't renew my cert


#1

Please fill out the fields below so we can help you better.

My domain is: It is a domain from no-ip. I’m worried about hacking, so I’m using xxxx.ddns.net to hide my domain from the forum. I hope that doesn’t prevent me from getting help.

I ran this command: /usr/local/bin/certbot renew

It produced this output: Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /usr/local/etc/letsencrypt/renewal/xxxx.ddns.net.conf

Cert is due for renewal, auto-renewing…
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for xxxx.ddns.net
Waiting for verification…
Cleaning up challenges
Attempting to renew cert from /usr/local/etc/letsencrypt/renewal/xxxx.ddns.net.conf produced an unexpected error: Failed authorization procedure. xxxx.ddns.net (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Could not connect to xxxx.ddns.net. Skipping.

All renewal attempts failed. The following certs could not be renewed:
/usr/local/etc/letsencrypt/live/xxxx.ddns.net/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: xxxx.ddns.net
    Type: connection
    Detail: Could not connect to xxxx.ddns.net

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

My operating system is (include version): FreeNAS-9.10.2-U2 (e1497f2)

My web server is (include version): Nextcloud in a FreeNAS jail using nginx

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no


#2

Hi @NasKar,

Unfortunately, it’s very hard to know exactly what the problem with your domain was that produces the “Could not connect” error without knowing what the domain is.

If you don’t want to share it, I would suggest plugging it in to some DNS checker tools to see if they can identify a problem. Other people are successfully getting certificates for ddns.net dynamic domains in pretty large numbers:

https://crt.sh/?Identity=%.ddns.net&iCAID=16418

One thing to point out is that the authentication method that you’re using (http-01, probably a result of selecting --webroot when you originally requested the certificate) requires there to be a web server running on port 80 of your server. If you shut down your port 80 web server and switched to only using port 443 after getting your cert, the CA would not be able to use port 80 to confirm your identity for the renewal, which is one possible reason for this error.
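
The check the reply above describes (the CA connecting to port 80 and fetching the challenge file) can be reproduced locally. The script below is an added example for this thread, not certbot or Let's Encrypt code. It performs the same steps the CA performs at renewal: resolve the name, connect to TCP port 80, GET /.well-known/acme-challenge/<token>, and compare the body with the expected key authorization (token, a dot, and the base64url SHA-256 thumbprint of the account key, per RFC 8555 section 8.1 and RFC 7638). A connect failure is reported with the same "connection" type the certbot output shows; a reachable port that answers with something other than the key authorization (a router login page, a stale token) is reported as "unauthorized". DEMO_JWK, the token, and the throwaway local listener are constructed for the demo; none of it is real account or order data.

```python
"""Re-run an ACME http-01 validation the way the CA does it (added example,
not certbot/Let's Encrypt code). Steps: resolve host, connect to port 80,
GET /.well-known/acme-challenge/<token>, compare with the key authorization
token "." base64url(SHA-256(JWK thumbprint)) per RFC 8555 s.8.1 / RFC 7638.
"""
import base64
import hashlib
import http.client
import json
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"

# Constructed demo account key: arbitrary base64url strings, not real RSA material.
DEMO_JWK = {"kty": "RSA", "e": "AQAB", "n": "c2FtcGxlLW1vZHVsdXMtbm90LWEtcmVhbC1rZXk"}


def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout JOSE and ACME."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members only, lexically ordered, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """The exact body the web server must return for the challenge URL."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def validate_http01(host: str, token: str, jwk: dict, port: int = 80, timeout: float = 5.0) -> dict:
    """Return {"ok", "type", "detail"}; "type" mirrors the ACME error type on failure."""
    expected = key_authorization(token, jwk)
    try:
        addr = socket.gethostbyname(host)  # the CA uses the public A record here
    except socket.gaierror as exc:
        return {"ok": False, "type": "dns", "detail": f"could not resolve {host}: {exc}"}
    try:
        conn = http.client.HTTPConnection(addr, port, timeout=timeout)
        conn.request("GET", CHALLENGE_PREFIX + token, headers={"Host": host})
        resp = conn.getresponse()
        body = resp.read().decode("ascii", "replace").strip()
        conn.close()
    except (OSError, http.client.HTTPException) as exc:
        # Nothing answered on port 80 (closed port, no forward, firewall): the case in this thread.
        return {"ok": False, "type": "connection", "detail": f"Could not connect to {host}: {exc}"}
    if resp.status != 200:
        return {"ok": False, "type": "unauthorized", "detail": f"HTTP {resp.status} for {CHALLENGE_PREFIX}{token}"}
    if body != expected:
        # Something answered, but not our web server (e.g. a router login page) or a stale token.
        return {"ok": False, "type": "unauthorized", "detail": "key authorization mismatch"}
    return {"ok": True, "type": None, "detail": "validated"}


def serve_token(token: str, body: str) -> int:
    """Start a throwaway HTTP listener on 127.0.0.1 answering the challenge URL; return its port."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            if self.path != CHALLENGE_PREFIX + token:
                self.send_error(404)
                return
            payload = body.encode("ascii")
            self.send_response(200)
            self.send_header("Content-Type", "application/octet-stream")
            self.send_header("Content-Length", str(len(payload)))
            self.end_headers()
            self.wfile.write(payload)

        def log_message(self, *args):  # keep the demo quiet
            pass

    srv = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address[1]


def unused_port() -> int:
    """A local port with nothing listening, to exercise the connection-failure path."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    tok = "constructed-token-not-from-a-real-order"
    port = serve_token(tok, key_authorization(tok, DEMO_JWK))
    print(validate_http01("127.0.0.1", tok, DEMO_JWK, port=port))
    print(validate_http01("127.0.0.1", tok, DEMO_JWK, port=unused_port(), timeout=2))
```

Run against a real host the script must be executed from outside the LAN (the CA's view), with the real token and account key taken from the pending order; run from inside the LAN it only proves the web server serves the path, not that the router forwards port 80 to it.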


#3

I’m not familiar with your forums; is there a way for me to private message you my domain?
Here is my nginx.conf:
load_module /usr/local/libexec/nginx/ngx_mail_module.so;
load_module /usr/local/libexec/nginx/ngx_stream_module.so;

#user nobody;
worker_processes 2;

# This default error log path is compiled-in to make sure configuration parsing
# errors are logged somewhere, especially during unattended boot when stderr
# isn't normally logged anywhere. This path will be touched on every nginx
# start regardless of error log location configured here. See
# https://trac.nginx.org/nginx/ticket/147 for more info.
#error_log /var/log/nginx/error.log;

#pid logs/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include mime.types;
    default_type application/octet-stream;

    # turn off server tokens (add pound to remove)
    server_tokens off;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;

    sendfile        off;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    #gzip  off;

    #######SSL SECTION########################################
    # global SSL options with Perfect Forward Secrecy (PFS) high strength ciphers
    # first. PFS ciphers are those which start with ECDHE which means (EC)DHE
    # which stands for (Elliptic Curve) Diffie-Hellman Ephemeral. 256bit preference.

    # ciphers for RSA signed certificates
    # This list was active together with the one below it. nginx rejects a
    # second ssl_ciphers in the same context as a duplicate directive, and this
    # list also ends in RC4, so it is commented out and the next one is kept.
    #ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-RC4-SHA;

    # ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;

    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';

    #ssl_ciphers EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4;
    # Nginx with BoringSSL ciphers for Elliptic Curve Digital Signature Algorithm
    # (ECDSA) signed certificates. equal preference groups.
    # ssl_ciphers [ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-AES256-GCM-SHA384]:[ECDHE-ECDSA-AES128-SHA256|ECDHE-ECDSA-AES256-SHA384]:[ECDHE-ECDSA-AES128-SHA|ECDHE-ECDSA-AES256-SHA];

    # Only one certificate/key pair is active: the Let's Encrypt chain that
    # certbot renews. The file originally listed three pairs (server.crt, the
    # Let's Encrypt pair, and a self-signed pair); nginx either rejects the
    # repeats as duplicate directives or, on newer versions, serves only the
    # last certificate of a given key type, which here would have been the
    # self-signed one. The other two pairs are commented out.
    #ssl_certificate /usr/local/etc/nginx/server.crt;
    #ssl_certificate_key /usr/local/etc/nginx/server.key;

    ssl_certificate /usr/local/etc/letsencrypt/live/xxxx.ddns.net/fullchain.pem;
    ssl_certificate_key /usr/local/etc/letsencrypt/live/xxxx.ddns.net/privkey.pem;
    ssl_trusted_certificate /usr/local/etc/letsencrypt/live/xxxx.ddns.net/chain.pem;

    #ssl_certificate /usr/local/etc/nginx/ssl/nginx-selfsigned.crt;
    #ssl_certificate_key /usr/local/etc/nginx/ssl/nginx-selfsigned.key;

    ssl_dhparam /usr/local/etc/nginx/ssl/dhparam.pem;

    ssl_ecdh_curve secp384r1;              # 384 bit prime modulus curve efficiently supports ECDHE ssl_ciphers up to a SHA384 hash
    ssl_prefer_server_ciphers on;          # the preferred ciphers are listed on the server by "ssl_ciphers"
    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;   # protocols, the order is unimportant
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 128s;              # how long before the client and server must renegotiate the ssl key
    #ssl_stapling on;                       # staple the ssl cert to the initial reply returned to the client for speed
    #ssl_stapling_verify on;

    ######END SSL SECTION########################################

    server {
        listen 80;
        listen 443 ssl;
        server_name 192.168.1.180;

        # One HSTS header only. The earlier "max-age=0; includeSubDomains; preload;"
        # line (note the stray trailing semicolon) would have told browsers to drop
        # the HSTS policy again, so it is commented out.
        #add_header Strict-Transport-Security "max-age=0; includeSubDomains; preload;";
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

        root /usr/local/www;
        location = /robots.txt { allow all; access_log off; log_not_found off; }
        location = /favicon.ico { access_log off; log_not_found off; }

        location ^~ /nextcloud {
            client_max_body_size 512M;
            error_page 403 /nextcloud/core/templates/403.php;
            error_page 404 /nextcloud/core/templates/404.php;
            location /nextcloud {
                rewrite ^ /nextcloud/index.php$uri;
            }
            # never expose internal directories or maintenance scripts over HTTP
            location ~ ^/nextcloud/(?:build|tests|config|lib|3rdparty|templates|data)/ {
                deny all;
            }
            location ~ ^/nextcloud/(?:\.|autotest|occ|issue|indie|db_|console) {
                deny all;
            }
            # only these entry points are handed to PHP-FPM
            location ~ ^/nextcloud/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
                fastcgi_split_path_info ^(.+\.php)(/.*)$;
                include fastcgi_params;
                fastcgi_pass unix:/var/run/php-fpm.sock;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                fastcgi_param PATH_INFO $fastcgi_path_info;
                fastcgi_param front_controller_active true;
                fastcgi_intercept_errors on;
            }
            location ~* \.(?:css|js)$ {
                try_files $uri /nextcloud/index.php$uri$is_args$args;
                add_header Cache-Control "public, max-age=7200";
            }
            location ~* \.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg)$ {
                try_files $uri /nextcloud/index.php$uri$is_args$args;
            }
        }
    }
}


#4

You should be able to tell whether the HTTP listener is still running by going to http://xxxx.ddns.net/ in a web browser.


#5

I get 401 unauthorized


#6

My error: http://xxxx.ddns.net opens my router login, which is what happens if I enter my ISP IP address. If I go to http://xxxx.ddns.net/nextcloud I get the 401 Unauthorized error.


#7

When I go to http://dnscheck.pingdom.com it says:
Delegation not found at parent.

No delegation could be found at the parent, making your zone unreachable from the Internet.


#8

It sounds like your router isn’t configured to forward port 80 to your web server. If this is so, you won’t be able to renew using the authentication method that you originally used until this is changed.


#9

schoen,
Thank you so much for your help. I forgot that I turned off that port forwarding on port 80 to that server on my router. I figured that it would be more secure to just leave port 443 open.

Congratulations, all renewals succeeded. The following certs have been renewed:
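
The fix the thread arrives at is that port 80 must reach nginx (not the router's own login page seen in #6) for http-01 renewal to work. Opening port 80 does not have to mean serving the site in the clear: the server block below, an added example and not the original poster's configuration, answers only the ACME challenge path on port 80 and redirects everything else to HTTPS. It assumes a dedicated webroot /usr/local/www/acme that certbot can write to (an assumption; the thread does not show the original webroot) and uses the thread's placeholder domain.

```nginx
# Added example, not the poster's config. Assumes /usr/local/www/acme exists
# and is writable by the user certbot runs as.
server {
    listen 80;
    server_name xxxx.ddns.net;

    # Only the ACME challenge directory is served over plain HTTP.
    location ^~ /.well-known/acme-challenge/ {
        root /usr/local/www/acme;
        default_type text/plain;
        try_files $uri =404;
    }

    # Everything else goes to HTTPS; HSTS stays on the port 443 server block.
    location / {
        return 301 https://$host$request_uri;
    }
}
```

After forwarding port 80 on the router to the jail, point certbot at that directory once with `certbot certonly --webroot -w /usr/local/www/acme -d xxxx.ddns.net`, and confirm with `certbot renew --dry-run` before the real renewal window; a request to http://xxxx.ddns.net/.well-known/acme-challenge/anything from outside the LAN should return nginx's 404, not the router's login page.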

