Cert renewal works for deter-mi.net but not for git.deter-mi.net

My domain is: deter-mi.net

I ran this command:

certbot renew --webroot-path /var/www/html/wordpress --dry-run

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/deter-mi.net.conf


Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate


new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/deter-mi.net/fullchain.pem



Processing /etc/letsencrypt/renewal/git.deter-mi.net.conf


Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for git.deter-mi.net
Using the webroot path /var/www/html/wordpress for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (git.deter-mi.net) from /etc/letsencrypt/renewal/git.deter-mi.net.conf produced an unexpected error: Failed authorization procedure. git.deter-mi.net (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: 89.82.241.180: Fetching http://git.deter-mi.net/.well-known/acme-challenge/pU2WiYXW2UctQ5QIyf3rF1iBvipkEx0bKYDqQVJqzr0: Timeout during connect (likely firewall problem). Skipping.


Processing /etc/letsencrypt/renewal/www.git.deter-mi.net.conf


Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.git.deter-mi.net
http-01 challenge for git.deter-mi.net
Cleaning up challenges
Attempting to renew cert (www.git.deter-mi.net) from /etc/letsencrypt/renewal/www.git.deter-mi.net.conf produced an unexpected error: Problem binding to port 80: Could not bind to IPv4 or IPv6.. Skipping.
The following certs could not be renewed:
/etc/letsencrypt/live/determinets.com/fullchain.pem (failure)
/etc/letsencrypt/live/git.deter-mi.net/fullchain.pem (failure)
/etc/letsencrypt/live/www.determinets.com/fullchain.pem (failure)
/etc/letsencrypt/live/www.git.deter-mi.net/fullchain.pem (failure)


** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

The following certs were successfully renewed:
/etc/letsencrypt/live/deter-mi.net/fullchain.pem (success)

The following certs could not be renewed:
/etc/letsencrypt/live/git.deter-mi.net/fullchain.pem (failure)
/etc/letsencrypt/live/www.git.deter-mi.net/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)


2 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: git.deter-mi.net
    Type: connection
    Detail: 89.82.241.180: Fetching
    http://git.deter-mi.net/.well-known/acme-challenge/pU2WiYXW2UctQ5QIyf3rF1iBvipkEx0bKYDqQVJqzr0:
    Timeout during connect (likely firewall problem)

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you're using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

My web server is: apache

The operating system my web server runs on is: debian

My hosting provider, if applicable, is: myself

I can login to a root shell on my machine

The version of my client is 0.31.0

Hi @tlloancy, and welcome to the LE community forum :)

The failure is via IPv4.
But the name resolves to both IPv6 and IPv4:

Name:      git.deter-mi.net
Addresses: 2001:861:51c6:48f0:2ef0:5dff:fe9f:d418
           89.82.241.180

That means LE tried IPv6 [preferred] and that failed, then tried IPv4 and that also failed.

If it worked deter-mi.net, then perhaps that site works via IPv6.
OR it worked the last time checked but would also fail if checked today.

In any case, HTTP access is currently broken/blocked for both IPv6 and IPv4:

curl -Ii4 git.deter-mi.net
curl: (56) Recv failure: Connection reset by peer

curl -Ii6 git.deter-mi.net
curl: (56) Recv failure: Connection reset by peer

Also, this really needs an upgrade:

2 Likes
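A pre-flight check for exactly the situation described in this reply, added here as an example and not part of the original thread or of certbot: it drops a throwaway token into the webroot used above (/var/www/html/wordpress), fetches it over IPv4 and IPv6 separately the way the CA does (following redirects), and classifies what comes back so that a timeout, a redirect that ends in a 404, and a wrong body are told apart before `certbot renew` runs. The webroot path, the token naming and the use of curl are assumptions.

```shell
#!/bin/sh
# acme-preflight.sh: can a HTTP-01 token be fetched over both IP families?
# Added example (not from the forum thread or certbot). Assumes curl and
# the webroot path from the thread; override with WEBROOT=... if different.

WEBROOT="${WEBROOT:-/var/www/html/wordpress}"
CHALLENGE_DIR="$WEBROOT/.well-known/acme-challenge"

# Classify one fetch. Arguments: curl exit status, final HTTP status code,
# body that came back, expected token. Prints a single word.
classify_fetch() {
  exitcode="$1"; status="$2"; body="$3"; expected="$4"
  if [ "$exitcode" -ne 0 ]; then
    # connect timeout / reset: firewall, NAT, or nothing listening on :80
    echo "unreachable"
  elif [ "$status" != "200" ]; then
    # e.g. 404 after a 301 to an HTTPS vhost with a different DocumentRoot
    echo "wrong-status:$status"
  elif [ "$body" != "$expected" ]; then
    # something else answered (a CMS 404 page, a proxy, an index page)
    echo "wrong-body"
  else
    echo "ok"
  fi
}

# Fetch the token over one IP family (4 or 6), following redirects like the
# CA does, and classify the result.
probe() {
  host="$1"; family="$2"; token="$3"
  url="http://$host/.well-known/acme-challenge/$token"
  out=$(curl -sS -L -"$family" --max-time 10 -o - -w '\n%{http_code}' "$url" 2>/dev/null)
  rc=$?
  status=$(printf '%s' "$out" | tail -n1)
  content=$(printf '%s' "$out" | sed '$d')
  classify_fetch "$rc" "$status" "$content" "$token"
}

# Create a token in the webroot, probe it over v4 and v6, clean up.
preflight() {
  host="$1"
  token="preflight-$(date +%s)-$$"
  mkdir -p "$CHALLENGE_DIR"
  printf '%s' "$token" > "$CHALLENGE_DIR/$token"
  for fam in 4 6; do
    printf 'IPv%s %s: %s\n' "$fam" "$host" "$(probe "$host" "$fam" "$token")"
  done
  rm -f "$CHALLENGE_DIR/$token"
}

# Usage: sh acme-preflight.sh git.deter-mi.net deter-mi.net
if [ $# -gt 0 ]; then
  for h in "$@"; do preflight "$h"; done
fi
```

Run it on the same machine that will run certbot, so the token really lands in the directory certbot writes to; anything other than `ok` on either family is a renewal failure waiting to happen, because the CA tries IPv6 first and then IPv4, as the reply above explains.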

deter-mi.net and git.deter-mi.net both have the same IPv6 IP. I don't understand.

That makes two of us.
I also don't understand.
They use the same IPv6 and IPv4 addresses.
You say one works and the other doesn't work.
Today, for me, none of them work:

curl -Ii4 git.deter-mi.net
curl: (56) Recv failure: Connection reset by peer

curl -Ii6 git.deter-mi.net
curl: (56) Recv failure: Connection reset by peer

curl -Ii4 deter-mi.net
curl: (56) Recv failure: Connection reset by peer

curl -Ii6 deter-mi.net
curl: (56) Recv failure: Connection reset by peer
3 Likes

How is deter-mi.net renewed then?

It was last renewed on: 2023-09-19
I can only assume it worked then, but would fail to renew today.
I don't see how it could renew today using HTTP-01 authentication.

2 Likes

The command up there shows it would renew.

Where?
I don't see anything showing that a renewal would succeed.

1 Like

The following certs were successfully renewed:
/etc/letsencrypt/live/deter-mi.net/fullchain.pem (success)

The following certs could not be renewed:
/etc/letsencrypt/live/git.deter-mi.net/fullchain.pem (failure)
/etc/letsencrypt/live/www.git.deter-mi.net/fullchain.pem (failure)

That needs fixing.

When using --dry-run you are using the staging environment.
Although similar, production and staging are not exactly the same [IPs].

Even so, we see the staging system also has trouble reaching the site via HTTP:

1 Like

The successful renewal could be due to caching.
It might have recently succeeded and isn't actually being tested [via HTTP] today.

2 Likes

OK, let's say I block port 80 and keep only 443.

Shouldn't it be able to renew anyway?

No, the renewals require port 80.
[not using the default authentication (HTTP-01)]

2 Likes

Port 80 is now open, and still:

Processing /etc/letsencrypt/renewal/git.deter-mi.net.conf


Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for git.deter-mi.net
Using the webroot path /var/www/html/wordpress for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (git.deter-mi.net) from /etc/letsencrypt/renewal/git.deter-mi.net.conf produced an unexpected error: Failed authorization procedure. git.deter-mi.net (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: 89.82.241.180: Invalid response from https://git.deter-mi.net/.well-known/acme-challenge/nQfI6HGWx_v2E4jpYWD6Y5B_twQ9GqEcfntXWpq59WY: 404. Skipping.


Processing /etc/letsencrypt/renewal/www.git.deter-mi.net.conf


Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.git.deter-mi.net
http-01 challenge for git.deter-mi.net
Cleaning up challenges
Attempting to renew cert (www.git.deter-mi.net) from /etc/letsencrypt/renewal/www.git.deter-mi.net.conf produced an unexpected error: Problem binding to port 80: Could not bind to IPv4 or IPv6.. Skipping.
The following certs could not be renewed:
/etc/letsencrypt/live/determinets.com/fullchain.pem (failure)
/etc/letsencrypt/live/git.deter-mi.net/fullchain.pem (failure)
/etc/letsencrypt/live/www.determinets.com/fullchain.pem (failure)
/etc/letsencrypt/live/www.git.deter-mi.net/fullchain.pem (failure)


Not from my point on the Internet:

curl -Ii6 http://git.deter-mi.net/.well-known/acme-challenge/Test_File-1234
curl: (56) Recv failure: Connection reset by peer

curl -Ii4 http://git.deter-mi.net/.well-known/acme-challenge/Test_File-1234
curl: (56) Recv failure: Connection reset by peer
1 Like

I just reopened it.

You shouldn't have to open it.
It [HTTP] should always be open.

1 Like

I can leave it open; the point is I still have the error while it's open.

Then there is more to "open".

1 Like

It is now open to me:

curl -Ii4 http://git.deter-mi.net/.well-known/acme-challenge/Test_File-1234
HTTP/1.1 301 Moved Permanently
Date: Tue, 03 Oct 2023 18:14:44 GMT
Server: Apache/2.4.38 (Debian)
Location: https://git.deter-mi.net/.well-known/acme-challenge/Test_File-1234
Content-Type: text/html; charset=iso-8859-1

curl -Ii6 http://git.deter-mi.net/.well-known/acme-challenge/Test_File-1234
HTTP/1.1 301 Moved Permanently
Date: Tue, 03 Oct 2023 18:14:50 GMT
Server: Apache/2.4.38 (Debian)
Location: https://git.deter-mi.net/.well-known/acme-challenge/Test_File-1234
Content-Type: text/html; charset=iso-8859-1

And Let's Debug can also get through:
Let's Debug (letsdebug.net)

2 Likes
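The two errors in the thread point at two separate Apache-side problems. Once port 80 was open, the challenge request got a 301 to https://git.deter-mi.net/.well-known/acme-challenge/..., and the :443 vhost for git.deter-mi.net answered 404, so whatever that vhost serves does not include /var/www/html/wordpress/.well-known/acme-challenge. Separately, the www.git.deter-mi.net certificate uses the standalone authenticator, which must bind port 80 itself and cannot while Apache is running ("Problem binding to port 80"). The Apache 2.4 configuration below is an added example, not the poster's configuration and not from certbot's documentation: it serves the challenge path from one dedicated directory on both the :80 and :443 vhosts, keeps that path out of the HTTPS redirect and out of any reverse proxy, and moves the second certificate to webroot as well. The directory /var/www/acme and the proxy backend address are assumptions.

```apache
# /etc/apache2/conf-available/acme-challenge.conf  (added example)
# One directory for all HTTP-01 tokens, independent of any site's DocumentRoot.
# /var/www/acme is an assumed path; it must be writable by the user running certbot.
<Directory /var/www/acme/.well-known/acme-challenge>
    Options None
    AllowOverride None
    Require all granted
</Directory>

<VirtualHost *:80>
    ServerName git.deter-mi.net
    ServerAlias www.git.deter-mi.net
    # Answer challenges directly on plain HTTP, before any redirect.
    Alias /.well-known/acme-challenge/ /var/www/acme/.well-known/acme-challenge/
    # Everything else goes to HTTPS; the condition exempts the challenge path.
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName git.deter-mi.net
    ServerAlias www.git.deter-mi.net
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/git.deter-mi.net/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/git.deter-mi.net/privkey.pem
    # Same alias here, so a challenge that is redirected to HTTPS still succeeds
    # instead of hitting this vhost's own DocumentRoot and returning 404.
    Alias /.well-known/acme-challenge/ /var/www/acme/.well-known/acme-challenge/
    # If this vhost reverse-proxies to a git application (assumed backend
    # address), exclude the challenge path before the catch-all ProxyPass.
    ProxyPass /.well-known/acme-challenge/ !
    ProxyPass / http://127.0.0.1:3000/
    ProxyPassReverse / http://127.0.0.1:3000/
</VirtualHost>

# After `a2enconf acme-challenge && apachectl configtest && systemctl reload apache2`,
# re-issue both names with the webroot authenticator (standalone cannot bind
# port 80 while Apache holds it), test against staging first, and add a
# deploy hook: the dry run above said "deployed without reload", so Apache
# would otherwise keep serving the old certificate after a real renewal.
#
#   certbot certonly --webroot -w /var/www/acme \
#       -d git.deter-mi.net -d www.git.deter-mi.net \
#       --deploy-hook "systemctl reload apache2" --dry-run
```

Re-running `certbot renew --dry-run` afterwards should show both git.deter-mi.net and www.git.deter-mi.net with "Authenticator webroot" and no 404, regardless of whether the CA's request arrives over IPv4 or IPv6 and whether or not it is redirected to HTTPS.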