Can't renewal certificates

Help
#1

Hello,

I installed certbot on an ubuntu-server 32-bit with 3 certificates renewal worked once. Then I had an issue with operating system bit-version with wordpress. Did new installation of ubuntu server 64 bit. Apache, certbot cleared installed etc. Restoration of necessary files and configs. But it looks like something went wrong. Renewal is now not possible

For renewal subdomain testsite.wanker.co.at I have created this file successfully, which is accessible
https://testsite.wanker.co.at/.well-known/acme-challenge/test

My domain is:
Found the following certs:
Certificate Name: tauernadler.wanker.co.at
Domains: www.wanker.co.at tauernadler.wanker.co.at testsite.wanker.co.at
Expiry Date: 2020-10-08 13:16:42+00:00 (VALID: 12 days)
Certificate Path: /etc/letsencrypt/live/tauernadler.wanker.co.at/fullchain.pem
Private Key Path: /etc/letsencrypt/live/tauernadler.wanker.co.at/privkey.pem
Certificate Name: testsite.wanker.co.at
Domains: testsite.wanker.co.at
Expiry Date: 2020-10-08 13:18:30+00:00 (VALID: 12 days)
Certificate Path: /etc/letsencrypt/live/testsite.wanker.co.at/fullchain.pem
Private Key Path: /etc/letsencrypt/live/testsite.wanker.co.at/privkey.pem
Certificate Name: www.wanker.co.at
Domains: www.wanker.co.at
Expiry Date: 2020-10-08 13:17:40+00:00 (VALID: 12 days)
Certificate Path: /etc/letsencrypt/live/www.wanker.co.at/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.wanker.co.at/privkey.pem

//////////////////////////////////////////////////////////////////////////////////
First Try:
I ran this command:
sudo certbot certonly --cert-name testsite.wanker.co.at

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?

1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)

Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Plugins selected: Authenticator webroot, Installer None
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for testsite.wanker.co.at
Input the webroot for testsite.wanker.co.at: (Enter 'c' to cancel): /var/www/testsite/
Waiting for verification...
Challenge failed for domain testsite.wanker.co.at
http-01 challenge for testsite.wanker.co.at
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: testsite.wanker.co.at
    Type: connection
    Detail: Fetching
    https://testsite.wanker.co.at/.well-known/acme-challenge/S8-j_9dxS_psrOEMqYCNdhL8y1da1bNrp22mUrr4S5E:
    Error getting validation data

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you're using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

//////////////////////////////////////////////////////////////////////////////////
Second Try:
I ran this command:
sudo certbot renew --cert-name testsite.wanker.co.at -w /var/www/testsite/

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/testsite.wanker.co.at.conf

Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for testsite.wanker.co.at
Using the webroot path /var/www/testsite for all unmatched domains.
Waiting for verification...
Challenge failed for domain testsite.wanker.co.at
http-01 challenge for testsite.wanker.co.at
Cleaning up challenges
Attempting to renew cert (testsite.wanker.co.at) from /etc/letsencrypt/renewal/testsite.wanker.co.at.conf produced an unexpected error: Some challenges have failed.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/testsite.wanker.co.at/fullchain.pem (failure)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/testsite.wanker.co.at/fullchain.pem (failure)

1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: testsite.wanker.co.at
    Type: connection
    Detail: Fetching
    https://testsite.wanker.co.at/.well-known/acme-challenge/vxH22rPerxudQcQHo0Pu0YBx5wU-qM3dJpdKUinPb7A:
    Error getting validation data

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you're using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

My web server is (include version):
Server version: Apache/2.4.41 (Ubuntu)
Server built: 2020-08-12T19:46:17

The operating system my web server runs on is (include version):
Ubuntu 20.04.1 LTS (GNU/Linux 5.4.0-1016-raspi aarch64)

My hosting provider, if applicable, is:
My Domain is parked at company emerion in Austria.
I'm doing my Web-Hosting on my own webserver.
My Internet-Provider is A1.

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No, only terminal on ubuntu server

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 0.40.0

Thanks for your help.

2 Likes
#2

Welcome to the Let's Encrypt Community, Alex :slightly_smiling_face:

It looks like there's a problem with the ipv6 address associated with wanker.home.dyndns.org. Try removing/fixing that AAAA record.

testsite.wanker.co.at. 3599 IN CNAME wanker.home.dyndns.org.

wanker.home.dyndns.org. 59 IN AAAA 2001:870:258:1a65:0:be:a1:aced

Screenshot_20200925-101915_Samsung Internet
Screenshot_20200925-101915_Samsung Internet1079×2937 1.06 MB

As for your certbot command, you might try the following, ensuring that your webroots are all correct:

sudo certbot certonly --cert-name wanker.co.at -a webroot -w /var/www/testsite/ -d testsite.wanker.co.at -w /var/www/tauernadler/ -d tauernadler.wanker.co.at -w /var/www/www/ -d www.wanker.co.at --dry-run

If this works, remove the --dry-run and run it again.

If that works, try this:
sudo certbot run --cert-name wanker.co.at -i apache

4 Likes
#3

Hello griffin :slight_smile:

thanks for you fast anwer and help! :smiley:

I have checked current ipv6 settings on my router.
The ipv6 seems to be correct and forwarded to dyndns AAAA record.
But maybe there is a problem at port forwarding.
I have disable IPv6.

Let's debug -> All OK! :partying_face:

Then tried the first command. --> Try-run was successful.
--> Without try-run --> Certs new expire date -> 2020-12-25 :+1:

But as I tried this command:
sudo certbot run --cert-name wanker.co.at -i apache

I got this:
What does this command do?

////////////
How would you like to authenticate with the ACME CA?

1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)

Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
The requested apache plugin does not appear to be installed
////////////

There are the certification-files for testsite subdomain:
SSLCertificateFile /etc/letsencrypt/live/www.wanker.co.at/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.wanker.co.at/privkey.pem

When I check this files, they where not updated.

So with the last request it has created new certificate at new folder "wanker.co.at". So I can use this certificate for all "VirtualHosts" / Subdomains? That would be fine. :grin:

grafik

Thank you

2 Likes
#4

Hello again,

I have configured apache2 and set the new certificate for "wanker.co.at" for all virtualhosts.
The certificate looks good now.
grafik

Only this command didn't worked:
sudo certbot run --cert-name wanker.co.at -i apache

1 Like
#5

Hey Alex :slightly_smiling_face:

Just finished checking all three of your sites. Redirects look good, but they're still serving the old certificates. This is to be expected because of the command you used. I'll explain.

sudo certbot certonly --cert-name wanker.co.at -a webroot -w /var/www/testsite/ -d testsite.wanker.co.at -w /var/www/tauernadler/ -d tauernadler.wanker.co.at -w /var/www/www/ -d www.wanker.co.at --dry-run

certonly acquires a certificate, but does not install it

--cert-name specifies a friendly name to be used for managing your certificate (e.g. wanker.co.at), which becomes the directory name used for the certificate's information

-a specifies which method to use to acquire/authenticate the certificate (e.g. webroot)

-w specifies which webroot directory (e.g. /var/www/testsite/) is to be used for all upcoming -d parameters (hence why there are multiple -w parameters if your domains don't all use the same webroot)

-d specifies which domain(s) to certify (e.g. testsite.wanker.co.at)

As for the next command, it was an attempt to actually install the certificate.

sudo certbot run --cert-name wanker.co.at -i apache

-i specifies which method to use to install the certificate (e.g. apache)

That's my fault. I assumed something about the run command. I'm in the midst of drafting the upcoming certbot handbook and clearly have a great many things to discuss with the developers... The command should have been:

sudo certbot install --cert-name wanker.co.at -i apache

The challenge with installation (and why in the handbook I am making it a point to split acquisition and installation) is that it can screw up your webserver configuration. If it does, you can reverse the damage with:

sudo certbot rollback

Screenshot_20200926-100143_Samsung Internet
Screenshot_20200926-100143_Samsung Internet1439×2724 464 KB

Screenshot_20200926-100242_Samsung Internet
Screenshot_20200926-100242_Samsung Internet1439×2724 480 KB

Screenshot_20200926-100309_Samsung Internet
Screenshot_20200926-100309_Samsung Internet1439×2724 526 KB

3 Likes
#6

Excellent! :partying_face:

Glad you got the certificate installed successfully.

I just rechecked all three sites and can confirm that they're all serving the new certificates from my end.

You should only need to use the following next time (to only renew that one certificate):
sudo certbot renew --cert-name wanker.co.at

By the by, you can view your certificates with the following and note their names:
sudo certbot certificates

Then you can delete what you don't need:
sudo certbot delete name

2 Likes
#7

Hey griffin,

thank you very much for your support and explication. :raised_hands:
I have deleted all old certificates.

Done,
Thanks and
have a nice weekend.
Alex

3 Likes
#8

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.