Cerbot renewal dry run error


#1

Can anyone tell me how to fix this?

I’m running Apache on Ubuntu 14.04.

Thanks.

2016-09-20 22:52:16,376:WARNING:certbot.renewal:Attempting to renew cert from /etc/letsencrypt/renewal/www.domain.com.conf produced an unexpected error: The apache plugin is not working; there may be problems with your existing configuration.
The error was: PluginError(('There has been an error in parsing the file (%s): %s', u'/etc/apache2/sites-available/certbot.log', u'Syntax error'),). Skipping.

#2

Tried deleting certbot.log but now I get a new error.

2016-09-21 08:22:09,180:WARNING:certbot.renewal:Attempting to renew cert from /etc/letsencrypt/renewal/www.domain.conf produced an unexpected error: Failed authorization procedure. www.domain.com (tls-sni-01): urn:acme:error:tls :: The server experienced a TLS error during domain verification :: Failed to connect to 104.24.117.32:443 for TLS-SNI-01 challenge, subdomain.domain.com (tls-sni-01): urn:acme:error:tls :: The server experienced a TLS error during domain verification :: Failed to connect to 104.24.117.32:443 for TLS-SNI-01 challenge, domain.com (tls-sni-01): urn:acme:error:tls :: The server experienced a TLS error during domain verification :: Failed to connect to 104.24.117.32:443 for TLS-SNI-01 challenge. Skipping.

** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/www.domain.com/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: www.domain.com
   Type:   tls
   Detail: Failed to connect to 104.24.117.32:443 for TLS-SNI-01
   challenge

   Domain: subdomain.domain.com
   Type:   tls
   Detail: Failed to connect to 104.24.117.32:443 for TLS-SNI-01
   challenge

   Domain: domain.com
   Type:   tls
   Detail: Failed to connect to 104.24.117.32:443 for TLS-SNI-01
   challenge

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   you have an up-to-date TLS configuration that allows the server to
   communicate with the Certbot client.
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.

Can anyone help? Is this caused by CloudFlare? Is there a fix? The IP referenced is a CloudFlare IP.


#3

If I completely disable CloudFlare it works. Is there a fix for this? If I have to disable CloudFlare then I will need to manually renew the certificates because my cron job isn’t going to work without CloudFlare being disabled.


#4

The tls-sni-01 challenge that the apache plugin uses is not compatible with reverse proxy services such as CloudFlare.

You can find instructions for CloudFlare in this topic. Note that this uses the webroot plugin, which does not provide automatic installation for apache (i.e. it won’t change your apache config). It’s possible to combine the webroot and apache plugin like this:

./certbot-auto --authenticator webroot --installer apache -w /var/www/html --expand -d example.com -d www.example.com

Note that you’ll need to explicitly provide the domains as arguments, and change the value of the -w argument to your DocumentRoot if it’s not /var/www/html. The --expand flag should cause the client to replace the existing certificate and renewal config files rather than create a new lineage (a subdirectory in /etc/letsencrypt/live).


#5

The instructions you’re linking deal with an executable called “letsencrypt” rather than “cerbot-auto” are they the same or has it been renamed?

Can I test it by adding --dry-run? Should I add --quiet in order to make this a cron job?

Thanks.


#6

letsencrypt was the previous name of the client now known as certbot. Whenever you read letsencrypt or ./letsencrypt-auto, you can replace that with ./certbot-auto, the commands are compatible.

The command I provided in my previous post and the one in the linked topic are used to obtained a new certificate (replacing the existing one), which is the easiest way to switch to the webroot plugin. --dry-run is what you can use to test renewal as the next step, but not while obtaining this new certificate. To clarify: this does not change the command you run for renewal, that’s still ./certbot-auto renew.


#7

So if I understand correctly:

  1. Run this command ONE time:

./certbot-auto --authenticator webroot --installer apache -w /var/www/html --expand -d example.com -d www.example.com -d subdomain.example.com

  1. Test with:

./certbot-auto renew --dry-run

  1. Leave my cron job in place as is:

    0 5 * * 1 /usr/sbin/certbot-auto renew --quiet --no-self-upgrade

Is that right?

Thanks.


#8

Yep, that’s exactly right. :+1:


#9

Thanks, that finally clears it all up!


#10

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.