Cert renewal via cronjob no longer working - Timeout

Hello,

my auto-renewal is no longer working with no changes made. Any help is appreciated. :slight_smile:

Please fill out the fields below so we can help you better.

My domain is: nc.schildbusch.de

I ran this command: sudo /etc/letsencrypt/letsencrypt-auto certonly --agree-tos --renew-by-default -a webroot --webroot-path /var/www/nextcloud/ -d nc.schildbusch.de

It produced this output:
An unexpected error occurred:
ReadTimeout: HTTPSConnectionPool(host=‘acme-v01.api.letsencrypt.org’, port=443): Read timed out. (read timeout=45)

letsencrypt logs:
    2017-07-17 21:04:37,738:DEBUG:certbot.main:certbot version: 0.16.0
    2017-07-17 21:04:37,743:DEBUG:certbot.main:Arguments: ['--agree-tos', '--renew-by-default', '-a', 'webroot', '--webroot-path', '/var/www/nextcloud/', '-d', 'nc.schildbusch.de']
    2017-07-17 21:04:37,743:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
    2017-07-17 21:04:38,000:DEBUG:certbot.log:Root logging level set at 20
    2017-07-17 21:04:38,007:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
    2017-07-17 21:04:38,023:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
    2017-07-17 21:04:38,081:DEBUG:certbot.plugins.selection:Single candidate plugin: * webroot
    Description: Place files in webroot directory
    Interfaces: IAuthenticator, IPlugin
    Entry point: webroot = certbot.plugins.webroot:Authenticator
    Initialized: <certbot.plugins.webroot.Authenticator object at 0x76325470>
    Prep: True
    2017-07-17 21:04:38,090:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.webroot.Authenticator object at 0x76325470> and installer None
    2017-07-17 21:04:38,139:DEBUG:certbot.main:Picked account: <Account(RegistrationResource(body=Registration(status=None, contact=(u’mailto:pi@XXXXX.de’,), agreement=u’https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf’, key=JWKRSA(key=<ComparableRSAKey(<cryptography.hazmat.backends.openssl.rsa._RSAPublicKey object at 0x75cc4c90>)>)), uri=u’https://acme-v01.api.letsencrypt.org/acme/reg/10913405’, new_authzr_uri=u’https://acme-v01.api.letsencrypt.org/acme/new-authz’, terms_of_service=u’https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf’), eafe91b24008fd96733c6a5cc9506542, Meta(creation_host=u’SchildbuschPi’, creation_dt=datetime.datetime(2017, 3, 15, 20, 4, 13, tzinfo=)))>
    2017-07-17 21:04:38,151:DEBUG:acme.client:Sending GET request to https://acme-v01.api.letsencrypt.org/directory.
    2017-07-17 21:04:38,195:DEBUG:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
    2017-07-17 21:05:23,562:DEBUG:certbot.log:Exiting abnormally:
    Traceback (most recent call last):
    File “/root/.local/share/letsencrypt/bin/letsencrypt”, line 11, in
    sys.exit(main())
    File “/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/main.py”, line 743, in main
    return config.func(config, plugins)
    File “/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/main.py”, line 667, in certonly
    le_client = _init_le_client(config, auth, installer)
    File “/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/main.py”, line 390, in _init_le_client
    return client.Client(config, acc, authenticator, installer, acme=acme)
    File “/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/client.py”, line 234, in init
    acme = acme_from_config_key(config, self.account.key)
    File “/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/client.py”, line 45, in acme_from_config_key
    return acme_client.Client(config.server, key=key, net=net)
    File “/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/acme/client.py”, line 71, in init
    self.net.get(directory).json())
    File “/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/acme/client.py”, line 654, in get
    self._send_request(‘GET’, url, **kwargs), content_type=content_type)
    File “/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/acme/client.py”, line 627, in _send_request
    response = self.session.request(method, url, *args, **kwargs)
    File “/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/requests/sessions.py”, line 488, in request
    resp = self.send(prep, **send_kwargs)
    File “/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/requests/sessions.py”, line 609, in send
    r = adapter.send(request, **kwargs)
    File “/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/requests/adapters.py”, line 499, in send
    raise ReadTimeout(e, request=request)
    ReadTimeout: HTTPSConnectionPool(host=‘acme-v01.api.letsencrypt.org’, port=443): Read timed out. (read timeout=45)

My web server is (include version): Server version: Apache/2.4.10 (Raspbian)

The operating system my web server runs on is (include version): “Raspbian GNU/Linux 8 (jessie)”

My hosting provider, if applicable, is:
Dynamic DNS via spdns
DNS hosted at 1&1.de
Raspberry/webservice hosted at my home

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

I’m getting exactly the same error, running Apache/2.4.18 (Ubuntu) on ubuntu 16.04LTS on chunkhost… running “certbot renew”.

Hi @schildbusch, you are advertising an IPv4 address, 87.171.76.89, and an IPv6 address, 2003:c3:fbbf:b32:ca0e:14ff:fedd:839b. Your site is reachable on the IPv4 address and not on the IPv6 address. That’s the reason for this timeout.


@zhoujianfu, I can’t check whether the same thing is true for you without knowing your domain name, but that might be something to look at.

Thanks @schoen! I removed the IPv6 from my dynDNS provider, however now I am still running into an error…:

$ sudo /etc/letsencrypt/letsencrypt-auto certonly --agree-tos --renew-by-default -a webroot --webroot-path /var/www/nextcloud/ -d nc.schildbusch.de
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for nc.schildbusch.de
Using the webroot path /var/www/nextcloud for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. nc.schildbusch.de (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://nc.schildbusch.de/.well-known/acme-challenge/asWmfwn-4ENzcPJuNyOWEgEzy_allYayOmlpxlvK2Rc: Error getting validation data

LE logs

2017-07-18 19:04:58,958:DEBUG:certbot.main:certbot version: 0.16.0
2017-07-18 19:04:58,963:DEBUG:certbot.main:Arguments: ['--agree-tos', '--renew-by-default', '-a', 'webroot', '--webroot-path', '/var/www/nextcloud/', '-d', 'nc.schildbusch.de']
2017-07-18 19:04:58,963:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2017-07-18 19:04:59,144:DEBUG:certbot.log:Root logging level set at 20
2017-07-18 19:04:59,149:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2017-07-18 19:04:59,153:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2017-07-18 19:04:59,193:DEBUG:certbot.plugins.selection:Single candidate plugin: * webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot.plugins.webroot:Authenticator
Initialized: <certbot.plugins.webroot.Authenticator object at 0x762b1450>
Prep: True
2017-07-18 19:04:59,199:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.webroot.Authenticator object at 0x762b1450> and installer None
2017-07-18 19:04:59,239:DEBUG:certbot.main:Picked account: <Account(RegistrationResource(body=Registration(status=None, contact=(u’mailto:pi@xxx.de’,), agreement=u’https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf’, key=JWKRSA(key=<ComparableRSAKey(<cryptography.hazmat.backends.openssl.rsa._RSAPublicKey object at 0x75c50f90>)>)), uri=u’https://acme-v01.api.letsencrypt.org/acme/reg/10913405’, new_authzr_uri=u’https://acme-v01.api.letsencrypt.org/acme/new-authz’, terms_of_service=u’https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf’), eafe91b24008fd96733c6a5cc9506542, Meta(creation_host=u’SchildbuschPi’, creation_dt=datetime.datetime(2017, 3, 15, 20, 4, 13, tzinfo=)))>
2017-07-18 19:04:59,249:DEBUG:acme.client:Sending GET request to https://acme-v01.api.letsencrypt.org/directory.
2017-07-18 19:04:59,286:DEBUG:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2017-07-18 19:04:59,814:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 “GET /directory HTTP/1.1” 200 352
2017-07-18 19:04:59,819:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 352
Boulder-Request-Id: 2VCFYbY2IBrfLCS7awbQmb59kM2xthoJnQJ3J9BBO1k
Replay-Nonce: pUS4GaQtOMyhZ1IhjNKifcVRsUJMm53PGgRS8aQanFw
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Tue, 18 Jul 2017 19:04:59 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 18 Jul 2017 19:04:59 GMT
Connection: keep-alive

{
“key-change”: “https://acme-v01.api.letsencrypt.org/acme/key-change”,
“new-authz”: “https://acme-v01.api.letsencrypt.org/acme/new-authz”,
“new-cert”: “https://acme-v01.api.letsencrypt.org/acme/new-cert”,
“new-reg”: “https://acme-v01.api.letsencrypt.org/acme/new-reg”,
“revoke-cert”: “https://acme-v01.api.letsencrypt.org/acme/revoke-cert
}
2017-07-18 19:04:59,845:DEBUG:certbot.renewal:Auto-renewal forced with --force-renewal…
2017-07-18 19:04:59,846:INFO:certbot.main:Renewing an existing certificate
2017-07-18 19:04:59,849:DEBUG:acme.client:Requesting fresh nonce
2017-07-18 19:04:59,849:DEBUG:acme.client:Sending HEAD request to https://acme-v01.api.letsencrypt.org/acme/new-authz.
2017-07-18 19:05:00,065:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 “HEAD /acme/new-authz HTTP/1.1” 405 0
2017-07-18 19:05:00,070:DEBUG:acme.client:Received response:
HTTP 405
Server: nginx
Content-Type: application/problem+json
Content-Length: 91
Allow: POST
Boulder-Request-Id: 2RGrK2EyH3GjPWjb9_1LNskGZ_Jjl0ZVTv9byHkNFYI
Replay-Nonce: OmihjRoT1ut4VT-XueeH-jjGIU0xzXHeJi-mYQApja8
Expires: Tue, 18 Jul 2017 19:05:00 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 18 Jul 2017 19:05:00 GMT
Connection: keep-alive

2017-07-18 19:05:00,071:DEBUG:acme.client:Storing nonce: OmihjRoT1ut4VT-XueeH-jjGIU0xzXHeJi-mYQApja8
2017-07-18 19:05:00,073:DEBUG:acme.client:JWS payload:
{
“identifier”: {
“type”: “dns”,
“value”: “nc.schildbusch.de
},
“resource”: “new-authz”
}
2017-07-18 19:05:00,142:DEBUG:acme.client:Sending POST request to https://acme-v01.api.letsencrypt.org/acme/new-authz:
2017-07-18 19:05:00,376:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 “POST /acme/new-authz HTTP/1.1” 201 1005
2017-07-18 19:05:00,381:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Content-Type: application/json
Content-Length: 1005
Boulder-Request-Id: mkrC4OBIn4rRc_fjAEIGAyLWLt1YMeN9lG5R7G0QdxQ
Boulder-Requester: 10913405
Link: https://acme-v01.api.letsencrypt.org/acme/new-cert;rel="next"
Location: https://acme-v01.api.letsencrypt.org/acme/authz/Md4fqvKKLSVf95rmmss-UPaWgi1luzCxk7WIuot55Yw
Replay-Nonce: 2S_LXXiUN5A7NHBA8gk5qmp9O-DjTkRkAxZd74zA9Z0
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Tue, 18 Jul 2017 19:05:00 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 18 Jul 2017 19:05:00 GMT
Connection: keep-alive

{
“identifier”: {
“type”: “dns”,
“value”: “nc.schildbusch.de
},
“status”: “pending”,
“expires”: “2017-07-25T19:05:00.262623991Z”,
“challenges”: [
{
“type”: “dns-01”,
“status”: “pending”,
“uri”: “https://acme-v01.api.letsencrypt.org/acme/challenge/Md4fqvKKLSVf95rmmss-UPaWgi1luzCxk7WIuot55Yw/1570735744”,
“token”: “QlcZjK64vBYtRck89TcUvxDkf1IXjdlqA79Wt-KvAYc”
},
{
“type”: “tls-sni-01”,
“status”: “pending”,
“uri”: “https://acme-v01.api.letsencrypt.org/acme/challenge/Md4fqvKKLSVf95rmmss-UPaWgi1luzCxk7WIuot55Yw/1570735745”,
“token”: “Zuu-DawaZUYVInvop-ed6Lz21CChEufazbXglYoZKRQ”
},
{
“type”: “http-01”,
“status”: “pending”,
“uri”: “https://acme-v01.api.letsencrypt.org/acme/challenge/Md4fqvKKLSVf95rmmss-UPaWgi1luzCxk7WIuot55Yw/1570735746”,
“token”: “asWmfwn-4ENzcPJuNyOWEgEzy_allYayOmlpxlvK2Rc”
}
],
“combinations”: [
[
2
],
[
1
],
[
0
]
]
}
2017-07-18 19:05:00,382:DEBUG:acme.client:Storing nonce: 2S_LXXiUN5A7NHBA8gk5qmp9O-DjTkRkAxZd74zA9Z0
2017-07-18 19:05:00,387:INFO:certbot.auth_handler:Performing the following challenges:
2017-07-18 19:05:00,388:INFO:certbot.auth_handler:http-01 challenge for nc.schildbusch.de
2017-07-18 19:05:00,390:INFO:certbot.plugins.webroot:Using the webroot path /var/www/nextcloud for all unmatched domains.
2017-07-18 19:05:00,391:DEBUG:certbot.plugins.webroot:Creating root challenges validation dir at /var/www/nextcloud/.well-known/acme-challenge
2017-07-18 19:05:00,432:DEBUG:certbot.plugins.webroot:Attempting to save validation to /var/www/nextcloud/.well-known/acme-challenge/asWmfwn-4ENzcPJuNyOWEgEzy_allYayOmlpxlvK2Rc
2017-07-18 19:05:00,437:INFO:certbot.auth_handler:Waiting for verification…
2017-07-18 19:05:00,439:DEBUG:acme.client:JWS payload:
{
“keyAuthorization”: “asWmfwn-4ENzcPJuNyOWEgEzy_allYayOmlpxlvK2Rc.JOak71NF5X8WbxCjvmPzEqz37L9r_wMSzsTMLUed4qY”,
“type”: “http-01”,
“resource”: “challenge”
}
2017-07-18 19:05:00,509:DEBUG:acme.client:Sending POST request to https://acme-v01.api.letsencrypt.org/acme/challenge/Md4fqvKKLSVf95rmmss-UPaWgi1luzCxk7WIuot55Yw/1570735746:
2017-07-18 19:05:00,739:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 “POST /acme/challenge/Md4fqvKKLSVf95rmmss-UPaWgi1luzCxk7WIuot55Yw/1570735746 HTTP/1.1” 202 336
2017-07-18 19:05:00,744:DEBUG:acme.client:Received response:
HTTP 202
Server: nginx
Content-Type: application/json
Content-Length: 336
Boulder-Request-Id: 7FT5YP6wvcs-TmNKOug50Zc7_zYMaV0nf5GUmfOghTQ
Boulder-Requester: 10913405
Link: https://acme-v01.api.letsencrypt.org/acme/authz/Md4fqvKKLSVf95rmmss-UPaWgi1luzCxk7WIuot55Yw;rel="up"
Location: https://acme-v01.api.letsencrypt.org/acme/challenge/Md4fqvKKLSVf95rmmss-UPaWgi1luzCxk7WIuot55Yw/1570735746
Replay-Nonce: SjHy7QNp8U3hsPLCYD5lah7dX9i7Wr6LPmRyKZV2B4U
Expires: Tue, 18 Jul 2017 19:05:00 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 18 Jul 2017 19:05:00 GMT
Connection: keep-alive

{
“type”: “http-01”,
“status”: “pending”,
“uri”: “https://acme-v01.api.letsencrypt.org/acme/challenge/Md4fqvKKLSVf95rmmss-UPaWgi1luzCxk7WIuot55Yw/1570735746”,
“token”: “asWmfwn-4ENzcPJuNyOWEgEzy_allYayOmlpxlvK2Rc”,
“keyAuthorization”: “asWmfwn-4ENzcPJuNyOWEgEzy_allYayOmlpxlvK2Rc.JOak71NF5X8WbxCjvmPzEqz37L9r_wMSzsTMLUed4qY”
}
2017-07-18 19:05:00,745:DEBUG:acme.client:Storing nonce: SjHy7QNp8U3hsPLCYD5lah7dX9i7Wr6LPmRyKZV2B4U
2017-07-18 19:05:03,752:DEBUG:acme.client:Sending GET request to https://acme-v01.api.letsencrypt.org/acme/authz/Md4fqvKKLSVf95rmmss-UPaWgi1luzCxk7WIuot55Yw.
2017-07-18 19:05:04,027:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 “GET /acme/authz/Md4fqvKKLSVf95rmmss-UPaWgi1luzCxk7WIuot55Yw HTTP/1.1” 200 1749
2017-07-18 19:05:04,032:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 1749
Boulder-Request-Id: ykEeEc7SDytW9EM_fyq_mt_6Mp3hfP6bT-LIZ4DRZQ8
Link: https://acme-v01.api.letsencrypt.org/acme/new-cert;rel="next"
Replay-Nonce: Z0wve-s4SAD9Cw5hQRChRrIO1mgyu5GzSRD9MSP-3Kw
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Tue, 18 Jul 2017 19:05:04 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 18 Jul 2017 19:05:04 GMT
Connection: keep-alive

{
“identifier”: {
“type”: “dns”,
“value”: “nc.schildbusch.de
},
“status”: “invalid”,
“expires”: “2017-07-25T19:05:00Z”,
“challenges”: [
{
“type”: “dns-01”,
“status”: “pending”,
“uri”: “https://acme-v01.api.letsencrypt.org/acme/challenge/Md4fqvKKLSVf95rmmss-UPaWgi1luzCxk7WIuot55Yw/1570735744”,
“token”: “QlcZjK64vBYtRck89TcUvxDkf1IXjdlqA79Wt-KvAYc”
},
{
“type”: “tls-sni-01”,
“status”: “pending”,
“uri”: “https://acme-v01.api.letsencrypt.org/acme/challenge/Md4fqvKKLSVf95rmmss-UPaWgi1luzCxk7WIuot55Yw/1570735745”,
“token”: “Zuu-DawaZUYVInvop-ed6Lz21CChEufazbXglYoZKRQ”
},
{
“type”: “http-01”,
“status”: “invalid”,
“error”: {
“type”: “urn:acme:error:connection”,
“detail”: “Fetching http://nc.schildbusch.de/.well-known/acme-challenge/asWmfwn-4ENzcPJuNyOWEgEzy_allYayOmlpxlvK2Rc: Error getting validation data”,
“status”: 400
},
“uri”: “https://acme-v01.api.letsencrypt.org/acme/challenge/Md4fqvKKLSVf95rmmss-UPaWgi1luzCxk7WIuot55Yw/1570735746”,
“token”: “asWmfwn-4ENzcPJuNyOWEgEzy_allYayOmlpxlvK2Rc”,
“keyAuthorization”: “asWmfwn-4ENzcPJuNyOWEgEzy_allYayOmlpxlvK2Rc.JOak71NF5X8WbxCjvmPzEqz37L9r_wMSzsTMLUed4qY”,
“validationRecord”: [
{
“url”: “http://nc.schildbusch.de/.well-known/acme-challenge/asWmfwn-4ENzcPJuNyOWEgEzy_allYayOmlpxlvK2Rc”,
“hostname”: “nc.schildbusch.de”,
“port”: “80”,
“addressesResolved”: [
“87.171.75.202”
],
“addressUsed”: “87.171.75.202”,
“addressesTried”: []
}
]
}
],
“combinations”: [
[
2
],
[
1
],
[
0
]
]
}
2017-07-18 19:05:04,051:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:

Domain: nc.schildbusch.de
Type: connection
Detail: Fetching http://nc.schildbusch.de/.well-known/acme-challenge/asWmfwn-4ENzcPJuNyOWEgEzy_allYayOmlpxlvK2Rc: Error getting validation data

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you’re using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.
2017-07-18 19:05:04,052:INFO:certbot.auth_handler:Cleaning up challenges
2017-07-18 19:05:04,054:DEBUG:certbot.plugins.webroot:Removing /var/www/nextcloud/.well-known/acme-challenge/asWmfwn-4ENzcPJuNyOWEgEzy_allYayOmlpxlvK2Rc
2017-07-18 19:05:04,056:DEBUG:certbot.plugins.webroot:All challenges cleaned up, removing /var/www/nextcloud/.well-known/acme-challenge
2017-07-18 19:05:04,057:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
File “/root/.local/share/letsencrypt/bin/letsencrypt”, line 11, in
sys.exit(main())
File “/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/main.py”, line 743, in main
return config.func(config, plugins)
File “/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/main.py”, line 683, in certonly
lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
File “/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/main.py”, line 77, in _get_and_save_cert
renewal.renew_cert(config, domains, le_client, lineage)
File “/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/renewal.py”, line 297, in renew_cert
new_certr, new_chain, new_key, _ = le_client.obtain_certificate(domains)
File “/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/client.py”, line 317, in obtain_certificate
self.config.allow_subset_of_names)
File “/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/auth_handler.py”, line 81, in get_authorizations
self._respond(resp, best_effort)
File “/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/auth_handler.py”, line 138, in _respond
self._poll_challenges(chall_update, best_effort)
File “/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/auth_handler.py”, line 202, in _poll_challenges
raise errors.FailedChallenges(all_failed_achalls)
FailedChallenges: Failed authorization procedure. nc.schildbusch.de (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://nc.schildbusch.de/.well-known/acme-challenge/asWmfwn-4ENzcPJuNyOWEgEzy_allYayOmlpxlvK2Rc: Error getting validation data

I can’t connect to http://nc.schildbusch.de/ at all in a web browser—can you?

@schoen: Yes, I can. It is redirecting to https://nc.schildbusch.de (nextcloud)

I just found that 7 minutes after trying the cert renewal I can see the following GET request in my apache logs:

87.171.75.202 - - [18/Jul/2017:21:12:18 +0200] “GET /.well-known/acme-challenge/asWmfwn-4ENzcPJuNyOWEgEzy_allYayOmlpxlvK2Rc HTTP/1.1” 404 4389 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:54.0) Gecko/20100101 Firefox/54.0”

Well, I think there’s a firewall problem or something—when you access it in the web browser, are you accessing it from the same network or a different network?

I still can’t access it at all and I assume that the CA is having the same problem that I am.

@schoen: I just tried from an external network by tethering with my mobile, site is still reachable from my side. Maybe a DNS timing issue… I will try again later then.

I don’t think it’s DNS-related. I’m trying 87.171.75.202 by IP address and can’t connect. (That’s the same address that the CA saw.)

@schoen: The IP is correct and also working for me. Site is loading. Very strange…

My setup is as follows: nc.schildbusch.de forwards to schildbusch.spdns.de which is my dyndns address.

When I try to connect, I am seeing ICMP error 13, which we just learned today in another thread on this forum is a sign of a firewall blocking the connection. That firewall could be on your device, or your router, or your ISP, but there’s a firewall somewhere that’s refusing these connections, at least from some origins.
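Both failures diagnosed in this thread (an advertised IPv6 address that does not answer, then a firewall refusing port 80) come down to one check: every address the name advertises must accept a TCP connection on the port the http-01 validator uses. The following is an added example, not part of the original posts; the function names are hypothetical and the sample addresses are constructed from the documentation ranges.

```python
import socket


def advertised_addresses(host, port=80, resolver=socket.getaddrinfo):
    """Return sorted unique (family, address) pairs from the host's A/AAAA records."""
    found = set()
    for family, _type, _proto, _canon, sockaddr in resolver(
            host, port, type=socket.SOCK_STREAM):
        if family == socket.AF_INET:
            found.add(("IPv4", sockaddr[0]))
        elif family == socket.AF_INET6:
            found.add(("IPv6", sockaddr[0]))
    return sorted(found)


def tcp_connect(address, port, timeout=5.0):
    """Attempt a TCP connection; return None on success, else a short error text."""
    try:
        with socket.create_connection((address, port), timeout=timeout):
            return None
    except OSError as exc:  # covers timeouts, refusals and unreachable networks
        return "%s: %s" % (type(exc).__name__, exc)


def preflight(host, port=80, resolver=socket.getaddrinfo, connect=tcp_connect):
    """Probe every advertised address, not just the first one that works."""
    results = []
    for family, address in advertised_addresses(host, port, resolver):
        error = connect(address, port)
        results.append({"family": family, "address": address,
                        "reachable": error is None, "error": error})
    return results


def unreachable(results):
    """Addresses that are published in DNS but do not accept connections."""
    return [r for r in results if not r["reachable"]]


# --- Constructed sample data (assumption, for offline demonstration only) ---
def constructed_resolver(host, port, type=0):
    """Stand-in for getaddrinfo: one A record and one AAAA record."""
    return [
        (socket.AF_INET, socket.SOCK_STREAM, 6, "", ("192.0.2.10", port)),
        (socket.AF_INET6, socket.SOCK_STREAM, 6, "", ("2001:db8::10", port, 0, 0)),
    ]


def constructed_connect(address, port):
    """Stand-in for tcp_connect: IPv4 answers, IPv6 times out."""
    return None if address == "192.0.2.10" else "timeout: timed out"


if __name__ == "__main__":
    report = preflight("example.invalid", 80,
                       resolver=constructed_resolver,
                       connect=constructed_connect)
    for row in report:
        print(row["family"], row["address"],
              "ok" if row["reachable"] else row["error"])
    if unreachable(report):
        print("Fix or remove the unreachable records before renewing.")
```

Run it from a host outside the network being tested: in this thread the site loaded for its owner while connections from elsewhere were refused.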

@schoen: I do not know if this makes any sense… :slight_smile:

I just played around with the firewall on my router and opened port 80, forwarded it to my server. Running the renewal now produces the following result:

Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/nc.schildbusch.de/fullchain.pem. Your cert
will expire on 2017-10-16.

But when loading https://nc.schildbusch.de the certificate used still expires on 04 Aug

You should make sure that your web server is configured to use this certificate and not a different, prior one (since certonly doesn’t make any changes to your web server configuration). You should also make sure that your web server was restarted or reloaded its configuration (since certonly also doesn’t do that).

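One way to confirm the point made above, that a successful `certonly` run does not mean the web server is presenting the new certificate, is to compare the leaf certificate in `fullchain.pem` with the one the server actually sends. This is an added example, not part of the original posts; the function names are hypothetical and the sample certificates are constructed byte strings, not real certificates.

```python
import hashlib
import re
import socket
import ssl

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL)


def leaf_der_from_fullchain(pem_text):
    """fullchain.pem lists the leaf first, then intermediates; return the leaf as DER."""
    blocks = PEM_BLOCK.findall(pem_text)
    if not blocks:
        raise ValueError("no certificate found in PEM text")
    return ssl.PEM_cert_to_DER_cert(blocks[0])


def fetch_served_der(host, port=443, timeout=10.0):
    """Return the DER bytes of the leaf certificate the server presents for host."""
    ctx = ssl.create_default_context()
    # Validation is off on purpose: this only reads the certificate bytes,
    # and an expired or stale certificate must still be retrievable.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def served_matches_disk(fullchain_pem_text, served_der):
    """Compare SHA-256 fingerprints of the on-disk leaf and the served leaf."""
    disk = hashlib.sha256(leaf_der_from_fullchain(fullchain_pem_text)).hexdigest()
    live = hashlib.sha256(served_der).hexdigest()
    return {"disk_sha256": disk, "served_sha256": live, "match": disk == live}


# --- Constructed sample data (assumption): placeholder bytes, not real certs ---
CONSTRUCTED_NEW_LEAF = b"constructed-new-leaf"
CONSTRUCTED_OLD_LEAF = b"constructed-old-leaf"
CONSTRUCTED_FULLCHAIN = (
    ssl.DER_cert_to_PEM_cert(CONSTRUCTED_NEW_LEAF)
    + ssl.DER_cert_to_PEM_cert(b"constructed-intermediate")
)

if __name__ == "__main__":
    # Offline demonstration: the server is still handing out the old leaf.
    stale = served_matches_disk(CONSTRUCTED_FULLCHAIN, CONSTRUCTED_OLD_LEAF)
    print("before reload:", "match" if stale["match"] else "MISMATCH, reload the web server")
    fresh = served_matches_disk(CONSTRUCTED_FULLCHAIN, CONSTRUCTED_NEW_LEAF)
    print("after reload: ", "match" if fresh["match"] else "MISMATCH")
    # Live use would read the fullchain.pem path from the renewal output and
    # pass fetch_served_der("<your host>") as served_der.
```

A mismatch after renewal means the server either points at a different certificate file or has not reloaded its configuration.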

@schoen: Thanks for your help for now. After restarting apache the new cert is taken. Will have to investigate until October why it wasn’t working the way it used to.

How long had you been doing it sans restarting Apache?

My renewal script stops httpd, does all the renewals, then restarts Apache
