Can't renew the certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
novagamer.it
I ran this command:
certbot renew
It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/csgo-italia.it.conf

Cert not yet due for renewal


Processing /etc/letsencrypt/renewal/novagamer.it.conf

Cert is due for renewal, auto-renewing…
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for novagamer.it
tls-sni-01 challenge for csgo-italia.it
tls-sni-01 challenge for www.csgo-italia.it
tls-sni-01 challenge for www.novagamer.it
Waiting for verification…
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/novagamer.it.conf produced an unexpected error: Failed authorization procedure. novagamer.it (tls-sni-01): urn:acme:error:tls :: The server experienced a TLS error during domain verification :: remote error: tls: handshake failure, www.novagamer.it (tls-sni-01): urn:acme:error:tls :: The server experienced a TLS error during domain verification :: remote error: tls: handshake failure. Skipping.


Processing /etc/letsencrypt/renewal/www.csgo-italia.it.conf

Cert not yet due for renewal

The following certs are not due for renewal yet:
/etc/letsencrypt/live/csgo-italia.it/fullchain.pem (skipped)
/etc/letsencrypt/live/www.csgo-italia.it/fullchain.pem (skipped)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/novagamer.it/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: novagamer.it
    Type: tls
    Detail: remote error: tls: handshake failure

    Domain: www.novagamer.it
    Type: tls
    Detail: remote error: tls: handshake failure

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    you have an up-to-date TLS configuration that allows the server to
    communicate with the Certbot client.

My web server is (include version):

The operating system my web server runs on is (include version):
Centos 7
My hosting provider, if applicable, is:
OVH
I can login to a root shell on my machine (yes or no, or I don’t know):
yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

novagamer.it seems to be behind CloudFlare. The tls-sni-01 challenge doesn’t work if the verification server can’t directly connect to the host running the ACME client.

Without disabling CloudFlare, your options are the http-01 challenge with the webroot plugin or the dns-01 challenge.


What command do I have to run?

You can read more about the webroot plugin here: https://certbot.eff.org/docs/using.html#webroot

Note: the documentation doesn’t highlight the following, but it is very much possible to combine the apache or nginx plugin for the certificate installation part (with -i apache or -i nginx) with the webroot plugin as authenticator (with -a webroot). In such a case you should not use the certonly mode as the above linked paragraph says!
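Before switching from tls-sni-01 to the webroot authenticator it helps to confirm that a file placed in the webroot is actually reachable at `http://<domain>/.well-known/acme-challenge/<token>` through CloudFlare, which is exactly what the http-01 validation needs and what the tls-sni-01 challenge in the output above could not get. The script below is an added example, not certbot's code and not from this thread; the webroot path, the domain names and the probe token are assumptions, and the final certbot invocation combines `-a webroot` with `-i apache` as the reply above describes.

```shell
#!/bin/sh
# Added example: pre-flight check for the http-01 (webroot) challenge,
# followed by the certbot command that uses webroot for validation and
# the apache plugin for installation (no certonly).
#
# Assumptions (hypothetical): the apache vhost for the domain serves
# files out of $WEBROOT, and certbot's webroot plugin will therefore
# write its challenge files to $WEBROOT/.well-known/acme-challenge.
WEBROOT="${WEBROOT:-/var/www/html}"
ACME_DIR="$WEBROOT/.well-known/acme-challenge"

# write_probe DIR TOKEN CONTENT
# Creates the challenge directory if needed, writes a throwaway token file
# the way the webroot plugin would, and prints the path that was written.
write_probe() {
    dir="$1"; token="$2"; content="$3"
    mkdir -p "$dir" || return 1
    printf '%s' "$content" > "$dir/$token" || return 1
    printf '%s\n' "$dir/$token"
}

# fetch_challenge HOST TOKEN
# Fetches the token over plain HTTP on port 80 and follows redirects,
# which is how the CA's validation server retrieves http-01 responses.
fetch_challenge() {
    curl -fsSL --max-time 10 "http://$1/.well-known/acme-challenge/$2"
}

# probe_matches HOST TOKEN EXPECTED
# Returns 0 when the public hostname (through CloudFlare) serves exactly
# the content written into the webroot, 1 otherwise.
probe_matches() {
    host="$1"; token="$2"; expected="$3"
    got=$(fetch_challenge "$host" "$token") || return 1
    [ "$got" = "$expected" ]
}

# run_probe HOST
# End-to-end check: write a random token, fetch it via the public name,
# clean up, and report. Only meant to be called by hand on the server.
run_probe() {
    host="$1"
    token="probe-$(date +%s)-$$"
    path=$(write_probe "$ACME_DIR" "$token" "ok-$token") || return 1
    if probe_matches "$host" "$token" "ok-$token"; then
        echo "http-01 path reachable for $host"; rc=0
    else
        echo "http-01 path NOT reachable for $host (check vhost root, CloudFlare page rules)"; rc=1
    fi
    rm -f "$path"
    return $rc
}

# Once run_probe succeeds for every name on the certificate, renew with
# webroot as the authenticator and apache as the installer. Names served
# from a different DocumentRoot get their own -w before their -d flags.
#
#   run_probe novagamer.it && run_probe www.novagamer.it && \
#   certbot -a webroot -w "$WEBROOT" -d novagamer.it -d www.novagamer.it -i apache
```

`run_probe` leaves no file behind, and because `fetch_challenge` is a separate function it can be replaced with a stub when testing the logic offline; on the real host the only thing it needs is `curl` and port 80 reaching the apache vhost through CloudFlare.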

This is quite a shortcoming of the documentation, which presumes that every webroot user doesn’t want to or can’t use one of the webserver installation plugins. Unfortunately, although certbot is a great client with many hours of development (thanks!) in it, it is a maze of options and switches which can be used in many different ways and different combinations to make everything and life very difficult, especially for those without an integral understanding of the client.

I would love to improve that specific documentation, but git isn’t letting me branch on my certbot repository because of some merging stuff… Also, my server is crashing, so git isn’t doing anything at the moment :stuck_out_tongue:
