Cert Renewal Failing


#1

I noticed that my certs didn’t renew automatically after I got my notification email that my certs were expiring soon. So I started investigating. I thought I had set up a cron job to renew them but I can’t find any evidence that I actually did. I noticed the documentation says that “The Certbot packages on your system come with a cron job that will renew your certificates automatically before they expire”. But they obviously didn’t. Do I need to set up my own cron job to renew them or does certbot handle renewal automatically?

For now I got new certificates using sudo certbot certonly --standalone -d scottgauche.com; I had to set my port forwarding for 443 and 80 to my Pi.

Then I tried running sudo certbot renew --dry-run and it failed. I’m not certain why, but it seems like a permissions issue. How would I resolve this?

Thanks!

My domain is:
scottgauche.com

I ran this command:
sudo certbot renew --dry-run

It produced this output:

pi@raspberrypi:~ $ sudo certbot renew --dry-run

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/scottgauche.com.conf
-------------------------------------------------------------------------------
2017-01-12 19:48:15,404:WARNING:certbot.renewal:Attempting to renew cert from /etc/letsencrypt/renewal/scottgauche.com.conf produced an unexpected error: Failed authorization procedure. scottgauche.com (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for TLS-SNI-01 challenge. Requested 5a93afb71efad553cc69f51bf655b829.1456c3c39be14424550462ef30469c4f.acme.invalid from ##.##.##.##:443. Received certificate containing 'scottgauche.com'. Skipping.
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/scottgauche.com/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: scottgauche.com
   Type:   unauthorized
   Detail: Incorrect validation certificate for TLS-SNI-01 challenge.
   Requested
   5a93afb71efad553cc69f51bf655b829.1456c3c39be14424550462ef30469c4f.acme.invalid
   from 68.37.86.252:443. Received certificate containing
   'scottgauche.com'

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.

My operating system is (include version):
Raspberry Pi Jessie

My web server is (include version):
I’m using certbot to create certificates to use with Home Assistant. I’m not sure what Home Assistant runs.

My hosting provider, if applicable, is:
I’m hosting Home Assistant on my RPi

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No


#2

Probably the problem is trying to use renew with standalone without first stopping your existing webserver. The point of standalone is that it runs instead of your regular web server (and it needs to listen on the same ports), so it can’t be used if your regular server is still running. The error you saw is symptomatic of an attempt to get a cert while the existing server is still listening (although if that’s the case, I would have expected it to fail earlier with a different error about being unable to bind the port).

There are pre-hook and post-hook features that you can use to stop and restart your existing server, or you could use a method other than standalone (the most popular is webroot, where you specify a path for your web server’s document root).

The cron job should exist if the documentation says it does on your OS and you’re using the official OS package – can you take a look under the /etc/cron.* directories to see if there’s a Certbot renewal job started from there?


#3

Ah, I added the cron to /etc/crontab.

pi@raspberrypi:~ $ sudo cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
* 3,15  * * * root certbot renew --quiet

And it looks like this is the cron that certbot added.

pi@raspberrypi:~ $ sudo cat /etc/cron.d/certbot
# /etc/cron.d/certbot: crontab entries for the certbot package
#
# Upstream recommends attempting renewal twice a day
#
# Eventually, this will be an opportunity to validate certificates
# haven't been revoked, etc.  Renewal will only occur if expiration
# is within 30 days.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

0 */12 * * * root test -x /usr/bin/certbot && perl -e 'sleep int(rand(3600))' && certbot -q renew
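As an added example for posts #2 and #3 (this is not code from the thread or from Certbot), the POSIX shell script below audits where certbot renewal jobs are installed, the check suggested in #2, and shows a dry-run renewal that uses --pre-hook and --post-hook so the standalone authenticator has the ports to itself only while certbot actually needs them. It assumes cron files live at cron_root/crontab and cron_root/cron.d/* and uses "home-assistant" as a hypothetical systemd unit name; the sample cron root it builds is a constructed copy of the two entries shown above, so the audit runs without touching /etc.

```shell
#!/bin/sh
# Added example, not code from the original posts or from Certbot.
# Assumptions: cron files live at $root/crontab and $root/cron.d/*;
# "home-assistant" is a hypothetical systemd unit name (substitute yours).

# List every non-comment cron line that runs certbot under a cron root
# (default /etc), prefixed with the file it came from.
find_certbot_cron_jobs() {
    root="${1:-/etc}"
    for f in "$root/crontab" "$root"/cron.d/*; do
        [ -f "$f" ] || continue
        grep -H -v '^[[:space:]]*#' "$f" | grep 'certbot' || true
    done
}

# Number of certbot jobs found; more than one means renewal is attempted
# from several places (the thread has one in /etc/crontab and one in
# /etc/cron.d/certbot, and only the package-installed one is needed).
count_certbot_cron_jobs() {
    find_certbot_cron_jobs "$1" | grep -c . || true
}

# Jobs whose minute field is '*' run once a minute for the whole scheduled
# hour(s); renewal only needs to be attempted about twice a day.
every_minute_jobs() {
    find_certbot_cron_jobs "$1" | cut -d: -f2- | awk '$1 == "*"'
}

# Build a constructed cron root in a temp dir mirroring the two entries the
# thread shows, so the audit can be exercised without reading /etc.
make_sample_cron_root() {
    d=$(mktemp -d)
    mkdir -p "$d/cron.d"
    cat > "$d/crontab" <<'EOF'
# /etc/crontab: system-wide crontab (constructed sample)
SHELL=/bin/sh
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
* 3,15  * * * root certbot renew --quiet
EOF
    cat > "$d/cron.d/certbot" <<'EOF'
# /etc/cron.d/certbot: crontab entries for the certbot package (constructed sample)
0 */12 * * * root test -x /usr/bin/certbot && perl -e 'sleep int(rand(3600))' && certbot -q renew
EOF
    printf '%s\n' "$d"
}

# Dry-run renewal with the standalone authenticator: the pre-hook stops the
# service holding ports 80/443 only for the duration of the renewal and the
# post-hook starts it again. Returns certbot's exit status, or 127 when
# certbot is not installed on this machine.
renew_with_hooks() {
    service="${1:-home-assistant}"   # assumed unit name
    command -v certbot >/dev/null 2>&1 || return 127
    certbot renew --dry-run \
        --pre-hook "systemctl stop $service" \
        --post-hook "systemctl start $service"
}

# Usage: sh renew_audit.sh audit [cron_root]   (default: constructed sample)
case "${1:-}" in
    audit)
        root="${2:-$(make_sample_cron_root)}"
        echo "certbot cron jobs under $root:"
        find_certbot_cron_jobs "$root"
        n=$(count_certbot_cron_jobs "$root")
        [ "$n" -gt 1 ] && echo "WARNING: $n certbot jobs; keep only cron.d/certbot"
        every_minute_jobs "$root" | sed 's/^/WARNING: runs every minute: /'
        ;;
esac
```

Run it as `sh renew_audit.sh audit` to see the two jobs from the sample flagged, or `sh renew_audit.sh audit /etc` on the Pi itself. The hooks approach still stops the server briefly; the webroot or DNS-01 methods avoid that entirely.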

#4

Is there a way to renew without having to shutdown my Home Assistant server?


#5

You can renew using port 80 and the “webroot” option, or you can use the DNS-01 challenge (if you can easily add a TXT record to your DNS).
