Cert renewal failed


#1

Hello,

I’m not able to renew my certificate, while the challenge path **http://itbc-sgw.ddnss.de/.well-known/acme-challenge/Q8XkRydKmIaXC_zyvVYDf5zRXoBRLSGeKn6q3PdpyF0** does not exist on my server.

I’m running

  • Ubuntu 18.04 LTS
  • nginx/1.14.0 (Ubuntu)
  • certbot 0.28.0

The server is located behind a firewall with opened http/https ports for it and it is working fine.

How can I configure my server with the required challenge?

Many thanks and best regards

Harro


#2

Can you post the command you ran, and its complete output?

It’s normal for that file not to exist now. Certbot deletes the file before it exits. And some Certbot plugins might not create a real file at all.

For me, trying to connect to http://itbc-sgw.ddnss.de/ times out. (I can connect to https://itbc-sgw.ddnss.de/.)

By the way, it has a DNS record for the IPv6 localhost address.

itbc-sgw.ddnss.de.  10  A     78.94.133.162
itbc-sgw.ddnss.de.  10  AAAA  ::

#3

Hi @harro.mirbach

Additionally:

Are there two instances? Checking your website

| Domainname | Http-Status | redirect | Sec. | G |
|---|---|---|---|---|
| http://itbc-sgw.ddnss.de/ (78.94.133.162) | -14 (Timeout - The operation has timed out) | | 10.033 | T |
| https://itbc-sgw.ddnss.de/ (78.94.133.162) | 400 (Bad Request) | | 1.850 | M |
| http://itbc-sgw.ddnss.de/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de (78.94.133.162) | -14 (Timeout - The operation has timed out) | | 10.030 | T |

there is a Bad Request. But

(1) your certificate is ok

CN=itbc-sgw.ddnss.de
	05.12.2018
	05.03.2019
	itbc-sgw.ddnss.de - 1 entry

and (2): Loading this url with a browser there is a curious message:

400 Bad Request
No required SSL certificate was sent
nginx/1.14.0 (Ubuntu)

But my browser shows a correct certificate, created Wednesday, 5 December 2018.

So there is a difference between the 400 message and the correct certificate.

Looks like you have an external nginx

Server: nginx/1.14.0 (Ubuntu)

and a second, internal server, perhaps with a missing certificate or without a 443 - configuration.


#4

Hello,

I can confirm the IP address. My Internet connection is IPv4 only, there is no IPv6.

In the meanwhile I disabled the client certificate verification on nginx to ensure that it is not the reason, but it’s still the same.

This is the command and its output:
certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/itbc-sgw.ddnss.de.conf


Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for itbc-sgw.ddnss.de
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (itbc-sgw.ddnss.de) from /etc/letsencrypt/renewal/itbc-sgw.ddnss.de.conf produced an unexpected error: Failed authorization procedure. itbc-sgw.ddnss.de (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://itbc-sgw.ddnss.de/.well-known/acme-challenge/nq-sNp6mIbetssg_8OBxHIdlSHcJnZXVHik128v6oJA: Timeout during connect (likely firewall problem). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/itbc-sgw.ddnss.de/fullchain.pem (failure)


** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/itbc-sgw.ddnss.de/fullchain.pem (failure)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: itbc-sgw.ddnss.de
    Type: connection
    Detail: Fetching
    http://itbc-sgw.ddnss.de/.well-known/acme-challenge/nq-sNp6mIbetssg_8OBxHIdlSHcJnZXVHik128v6oJA:
    Timeout during connect (likely firewall problem)

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.


#5

There is a timeout fetching port 80 / http.

Is http configured?

You need an open port 80.

It may work internally. But from outside, your port 80 doesn’t answer.


#6

Hello Juergen,

sorry, port 80 was not open. I’ve changed it now.


#7

Now I see an open port 80 with a (correct) redirect http -> https and the expected status 404 in /.well-known/acme-challenge.

Now check the renew again.


#8

Hello Juergen,

Perfect, it works now.

Many thanks
Harro


#9

It may not be affecting Let’s Encrypt, but you should still remove the IPv6 DNS record.

(And I made a mistake in my last post: It’s not the localhost address, ::1.)


#10

There may not be an IPv6 address on your system, but there is definitely an IPv6 address in your public DNS zone:

As noted previously (and confirmed):

:: may not be localhost but some systems do resolve (interpret) it that way:

ping ::
PING ::(::) 56 data bytes
64 bytes from ::1: icmp_seq=1 ttl=64 time=0.036 ms

Try for yourself:
nslookup itbc-sgw.ddnss.de 8.8.8.8
nslookup itbc-sgw.ddnss.de 1.1.1.1

[edit - technically :: equals 0:0:0:0:0:0:0:0 so requests to that address would be heard by the local system and replies to (much like an all F broadcast):
ping 0:0:0:0:0:0:0:0
PING 0:0:0:0:0:0:0:0(::) 56 data bytes
64 bytes from ::1: icmp_seq=1 ttl=64 time=0.017 ms]
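The two things this thread turned on, a DNS record pointing at the unspecified address `::` (posts #2, #9 and #10) and port 80 not answering from outside (posts #5 and #7), can both be checked before running `certbot renew`. The script below is an added example, not part of the thread and not Certbot's own tooling. It assumes `dig` and `curl` are installed; the addresses used in the comments and tests are RFC 5737/3849 documentation values, and the probe filename under `/.well-known/acme-challenge/` is made up.

```shell
#!/bin/sh
# Added example, not from the thread and not Certbot's own tooling.
# Pre-flight checks for an HTTP-01 renewal:
#  (1) every A/AAAA record of the name must be a publicly routable address
#      (an AAAA of "::", as in this thread, is the unspecified address);
#  (2) port 80 must answer from outside, or the CA logs "Timeout during connect".
# Assumptions: dig and curl are installed; the probe filename is made up.

# Classify one address published in DNS. Returns 0 only if a CA's validator
# could plausibly open a connection to it.
classify_addr() {
  addr="$1"
  case "$addr" in
    ::|0:0:0:0:0:0:0:0|0.0.0.0)
      echo "unspecified address $addr: nothing can connect to it, remove the record"; return 1 ;;
    ::1|127.*)
      echo "loopback address $addr: the validator would connect to itself, remove the record"; return 1 ;;
    10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*|fc*|fd*|fe80:*)
      echo "private or link-local address $addr: not routable from the internet"; return 1 ;;
    *)
      echo "public address $addr"; return 0 ;;
  esac
}

# Read "TYPE ADDRESS" lines on stdin (e.g. "AAAA ::") and report each one.
# The return value is the number of records that would break validation.
check_records() {
  bad=0
  while read -r rtype addr; do
    [ -n "$addr" ] || continue
    if msg=$(classify_addr "$addr"); then
      echo "OK   $rtype $addr"
    else
      echo "BAD  $rtype $addr ($msg)"
      bad=$((bad + 1))
    fi
  done
  return "$bad"
}

# Live checks (need network): resolve the name, then fetch a non-existent
# challenge file over plain HTTP. curl prints 000 when no connection could be
# made at all, which is what the CA reported as "Timeout during connect";
# a 404, or a 301 redirect to https, means port 80 is open and the path is
# served. Returns 0 when both DNS and the port-80 probe look fine.
http01_preflight() {
  domain="$1"
  { dig +short "$domain" A | sed 's/^/A /'
    dig +short "$domain" AAAA | sed 's/^/AAAA /'; } | check_records
  dns_bad=$?
  code=$(curl -s -o /dev/null -m 10 -w '%{http_code}' \
    "http://$domain/.well-known/acme-challenge/preflight-probe-$$")
  echo "port 80 probe: HTTP $code"
  [ "$code" != "000" ] && [ "$dns_bad" -eq 0 ]
}

# Usage (replace with your own hostname): http01_preflight example.com
```

Run `http01_preflight` from a machine outside your own network, since the thread shows that port 80 can look open from the inside while the firewall still drops it from the internet. The private-range patterns in `classify_addr` are a simple prefix match, not a full CIDR parser, which is enough to catch the common misconfigurations.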

