[root@primteksolusindo home]# ./certbot-auto renew --dry-run
/opt/eff.org/certbot/venv/lib/python2.6/site-packages/cryptography/__init__.py:26: DeprecationWarning: Python 2.6 is no longer supported by the Python core team, please upgrade your Python. A future version of cryptography will drop support for Python 2.6
DeprecationWarning
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
/opt/eff.org/certbot/venv/lib/python2.6/site-packages/acme/jose/jwa.py:110: DeprecationWarning: signer and verifier have been deprecated. Please use sign and verify instead.
signer = key.signer(self.padding, self.hash)
Performing the following challenges:
tls-sni-01 challenge for www.primteksolusindo.com
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (www.primteksolusindo.com) from /etc/letsencrypt/renewal/www.primteksolusindo.com.conf produced an unexpected error: Failed authorization procedure. www.primteksolusindo.com (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 22c9ca8be3fba64829fc8f466e4f1ff4.1bab6623a03b65f8c2d4362bcb3078a7.acme.invalid from 192.124.249.103:443. Received 3 certificate(s), first certificate had names "*.sucuri.net, sucuri.net". Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/www.primteksolusindo.com/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/www.primteksolusindo.com/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)
1 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:
The following errors were reported by the server:
Domain: www.primteksolusindo.com
Type: unauthorized
Detail: Incorrect validation certificate for tls-sni-01 challenge.
Requested
22c9ca8be3fba64829fc8f466e4f1ff4.1bab6623a03b65f8c2d4362bcb3078a7.acme.invalid
from 192.124.249.103:443. Received 3 certificate(s), first
certificate had names "*.sucuri.net, sucuri.net"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
[root@primteksolusindo home]#
Could you provide some more info about your setup here? It seems something else may be terminating your TLS besides the server running Certbot, or else Certbot is having issues reconfiguring your web server.
It looks like Sucuri is an IDS vendor. You can’t use the TLS-SNI-01 method for issuing certificates (including for renewing a previously-obtained certificate) if you’re behind any other sort of device or service that proxies HTTPS for you, whether that’s a network appliance, an online service, a content delivery network, a malware scanner, or whatever. TLS-SNI-01 can only be used when inbound HTTPS connections directly reach the machine where you’re running your Let’s Encrypt client.
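The check the reply above describes can be reproduced on the client side. The following Python 3 script is an added example, not code from this thread, from Certbot or from Let's Encrypt: it derives the acme.invalid name the CA sends as SNI and expects back as a SAN (Z = hex SHA-256 of the key authorization, written Z[0:32].Z[32:64].acme.invalid, as in the ACME draft that defined TLS-SNI-01), parses the DNS SANs out of `openssl x509` output, and reports a mismatch the way the validation error did. The token, thumbprint and the Sucuri-style certificate text are constructed sample values; the optional `live_probe` shells out to `openssl s_client -servername` and `openssl x509 -noout -ext subjectAltName` (the `-ext` option needs OpenSSL 1.1.1 or later) and needs network access, so it is not exercised in the offline run.

```python
import hashlib
import re
import subprocess  # only used by live_probe()

# Constructed sample values (not from the thread): an ACME challenge token and
# the account-key thumbprint; keyAuthorization = token "." thumbprint.
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
SAMPLE_THUMBPRINT = "9jg46WB3rR_AHD-EBXdN7cBkH1WOu0tA3M9fm21mqTI"
SAMPLE_KEY_AUTHZ = SAMPLE_TOKEN + "." + SAMPLE_THUMBPRINT

# Constructed stand-in for what the CA got back in the thread: the SAN block
# of the proxy's own certificate instead of the acme.invalid one.
PROXY_X509_TEXT = """X509v3 Subject Alternative Name:
    DNS:*.sucuri.net, DNS:sucuri.net
"""

SAN_RE = re.compile(r"DNS:([^,\s]+)")


def tls_sni_01_name(key_authz):
    """Name the CA uses as SNI and expects as a dNSName SAN (ACME draft TLS-SNI-01):
    Z = lowercase hex SHA-256 of the key authorization, Z[0:32].Z[32:64].acme.invalid."""
    z = hashlib.sha256(key_authz.encode("ascii")).hexdigest()
    return "%s.%s.acme.invalid" % (z[:32], z[32:])


def parse_san_names(x509_text):
    """DNS SANs from `openssl x509 -noout -ext subjectAltName` (or -text) output."""
    return SAN_RE.findall(x509_text)


def check_tls_sni_01(key_authz, x509_text):
    """CA-side decision: the certificate served for the SNI name must carry that
    exact name as a SAN. Returns (ok, message)."""
    expected = tls_sni_01_name(key_authz)
    names = parse_san_names(x509_text)
    if expected in names:
        return True, "tls-sni-01 validation certificate is the one the CA asked for"
    return False, ("Incorrect validation certificate for tls-sni-01 challenge. "
                   'Requested %s. Received names "%s" (another TLS terminator answered)'
                   % (expected, ", ".join(names) or "<none>"))


def live_probe(ip, key_authz, port=443):
    """Connect to the address the A record points at with the acme.invalid SNI,
    like the CA does, and judge the returned leaf certificate. Network required."""
    name = tls_sni_01_name(key_authz)
    s_client = subprocess.run(
        ["openssl", "s_client", "-connect", "%s:%d" % (ip, port), "-servername", name],
        input=b"", capture_output=True, timeout=15)
    x509 = subprocess.run(
        ["openssl", "x509", "-noout", "-ext", "subjectAltName"],
        input=s_client.stdout, capture_output=True, timeout=15)
    return check_tls_sni_01(key_authz, x509.stdout.decode("utf-8", "replace"))


if __name__ == "__main__":
    ok, msg = check_tls_sni_01(SAMPLE_KEY_AUTHZ, PROXY_X509_TEXT)
    print("match" if ok else "mismatch", "-", msg)
```

If `live_probe` returns the proxy's or CDN's certificate rather than the acme.invalid one, the host running Certbot is not the one terminating TLS for that name, and TLS-SNI-01 cannot succeed no matter how the local Apache is configured.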
/opt/eff.org/certbot/venv/lib/python2.6/site-packages/cryptography/__init__.py:26: DeprecationWarning: Python 2.6 is no longer supported by the Python core team, please upgrade your Python. A future version of cryptography will drop support for Python 2.6
DeprecationWarning
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Cert not yet due for renewal
You have an existing certificate that has exactly the same domains or certificate name you requested and isn’t close to expiry.
(ref: /etc/letsencrypt/renewal/primteksolusindo.com.conf)
What would you like to do?
1: Keep the existing certificate for now
2: Renew & replace the cert (limit ~5 per 7 days)
Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 2
Renewing an existing certificate
/opt/eff.org/certbot/venv/lib/python2.6/site-packages/acme/jose/jwa.py:110: DeprecationWarning: signer and verifier have been deprecated. Please use sign and verify instead.
signer = key.signer(self.padding, self.hash)
Performing the following challenges:
http-01 challenge for primteksolusindo.com
Using the webroot path /var/www/html/primteksolusindo.com for all unmatched domains.
Waiting for verification…
Cleaning up challenges
IMPORTANT NOTES:
Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/primteksolusindo.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/primteksolusindo.com/privkey.pem
Your cert will expire on 2017-12-26. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew all of your certificates, run
"certbot-auto renew"
If you like Certbot, please consider supporting our work by:
/opt/eff.org/certbot/venv/lib/python2.6/site-packages/cryptography/__init__.py:26: DeprecationWarning: Python 2.6 is no longer supported by the Python core team, please upgrade your Python. A future version of cryptography will drop support for Python 2.6
DeprecationWarning
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Cert is due for renewal, auto-renewing…
Renewing an existing certificate
/opt/eff.org/certbot/venv/lib/python2.6/site-packages/acme/jose/jwa.py:110: DeprecationWarning: signer and verifier have been deprecated. Please use sign and verify instead.
signer = key.signer(self.padding, self.hash)
Performing the following challenges:
http-01 challenge for www.primteksolusindo.com
Using the webroot path /var/www/html/primteksolusindo.com for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. www.primteksolusindo.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching https://www.primteksolusindo.com/.well-known/acme-challenge/FS23A2917eHHiy-acF8UBX7RkWF0Qd2H0REW2_dIpA0: Timeout
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you’re using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
[root@primteksolusindo home]#
This is apparently because of the redirect that you have from the HTTP version of the site to the HTTPS version. If you either remove that redirect or exempt the /.well-known/acme-challenge path from it, the same process that worked for your other domain should work for this one too.
Although now your machine seems to be listening in HTTPS, so maybe there was another problem that you’ve already fixed—or maybe Sucuri doesn’t want to allow these connections for some reason.
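The redirect problem in the reply above can be checked before the next renewal attempt. The following Python 3 script is an added example, not code from this thread, from Certbot or from Let's Encrypt. It stands up a throwaway local web server in two configurations, a blanket HTTP-to-HTTPS redirect and one that exempts /.well-known/acme-challenge/, then fetches the challenge URL the way the CA does, following redirects but stopping at the first https: hop, which is the hop that timed out for this site. The token, key authorization and the `www.example.invalid` redirect target are constructed values that are never contacted; against a real site you would run `probe("http://www.yourdomain", "/.well-known/acme-challenge/<token>")` and expect `("ok", ...)` or at least no hop onto a host the CA cannot reach.

```python
import http.server
import threading
import urllib.error
import urllib.request

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
# Constructed sample values (not from the thread): the token and key authorization
# that the webroot plugin would write to <webroot>/.well-known/acme-challenge/<token>.
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
SAMPLE_KEY_AUTHZ = SAMPLE_TOKEN + ".9jg46WB3rR_AHD-EBXdN7cBkH1WOu0tA3M9fm21mqTI"
# Hypothetical HTTPS origin the site redirects to; never contacted in this demo.
HTTPS_ORIGIN = "https://www.example.invalid"


class _Site(http.server.BaseHTTPRequestHandler):
    """Stand-in for the poster's web server. mode 'redirect-all' is the blanket
    HTTP->HTTPS redirect; 'exempt-acme' serves the challenge path on plain HTTP."""
    mode = "redirect-all"

    def log_message(self, *args):  # keep the demo quiet
        pass

    def do_GET(self):
        if self.mode == "exempt-acme" and self.path.startswith(CHALLENGE_PREFIX):
            if self.path[len(CHALLENGE_PREFIX):] != SAMPLE_TOKEN:
                self.send_error(404)
                return
            body = SAMPLE_KEY_AUTHZ.encode("ascii")
            self.send_response(200)
            self.send_header("Content-Type", "text/plain")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
            return
        # everything else (and, in redirect-all mode, the challenge too) goes to HTTPS
        self.send_response(301)
        self.send_header("Location", HTTPS_ORIGIN + self.path)
        self.send_header("Content-Length", "0")
        self.end_headers()


class _HttpsHop(Exception):
    def __init__(self, url):
        super().__init__(url)
        self.url = url


class _StopAtHttps(urllib.request.HTTPRedirectHandler):
    """Follow redirects like the CA, but stop at the first https: hop and report it."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        if newurl.lower().startswith("https://"):
            raise _HttpsHop(newurl)
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def probe(base_url, path, expected_body=None):
    """Fetch base_url+path; returns (status, detail) where status is one of
    'ok', 'wrong-body', 'redirected-to-https' or 'http-error'."""
    opener = urllib.request.build_opener(_StopAtHttps())
    try:
        with opener.open(base_url + path, timeout=5) as resp:
            body = resp.read().decode("ascii", "replace").strip()
    except _HttpsHop as hop:
        return "redirected-to-https", hop.url
    except urllib.error.HTTPError as err:
        return "http-error", str(err.code)
    if expected_body is not None and body != expected_body:
        return "wrong-body", body
    return "ok", body


def start_site(mode):
    handler = type("Site_" + mode.replace("-", "_"), (_Site,), {"mode": mode})
    srv = http.server.HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_address[1]


def run_demo():
    """Probe the challenge URL and the home page under both server configurations."""
    results = {}
    for mode in ("redirect-all", "exempt-acme"):
        srv, base = start_site(mode)
        try:
            results[mode] = {
                "challenge": probe(base, CHALLENGE_PREFIX + SAMPLE_TOKEN, SAMPLE_KEY_AUTHZ),
                "homepage": probe(base, "/"),
            }
        finally:
            srv.shutdown()
            srv.server_close()
    return results


if __name__ == "__main__":
    for mode, outcome in run_demo().items():
        print(mode, outcome)
```

The exempt-acme configuration still redirects the home page, so nothing about the site's HTTPS enforcement changes; only the challenge path stays answerable over plain HTTP, which is what lets the CA finish http-01 even when the HTTPS side is fronted by something that will not pass the request through.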