Due to changes in requirements after issuing the initial certificates, my apache configuration has changed somewhat. Same hostnames, but all HTTP traffic is now redirected to HTTPS. Additionally, the CN for the cert was discovered to be wrong, as there was originally no clear documentation that the order in which domains were specified on the command line was significant. I re-ordered the renewal file to hopefully correct this on renewal (as suggested in another thread here; it's been weeks since I saw it, so I don't have a link to it).
Apparently one or both of these has sent letsencrypt and/or certbot into a tailspin. What it says in the subject line: doing a dry-run renewal to test my new configuration results in "timedout" for all hostnames. I'm coming up on renewal as well.
My renewal config:
```
# renew_before_expiry = 30 days
version = 0.16.0
archive_dir = /etc/letsencrypt/archive/annapuma.onsite-crt.com
cert = /etc/letsencrypt/live/annapuma.onsite-crt.com/cert.pem
privkey = /etc/letsencrypt/live/annapuma.onsite-crt.com/privkey.pem
chain = /etc/letsencrypt/live/annapuma.onsite-crt.com/chain.pem
fullchain = /etc/letsencrypt/live/annapuma.onsite-crt.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = webroot
installer = None
account = d846e0b4dbf439b0363dbbd14c8da189
webroot_path = /var/www/certbot,
rsa_key_size = 4096
[[webroot_map]]
annapuma.onsite-crt.com = /var/www/certbot
phpmyadmin.annapuma.onsite-crt.com = /var/www/certbot
receptiveskepticism.org = /var/www/certbot
www.receptiveskepticism.org = /var/www/certbot
recepskep.onsite-crt.com = /var/www/certbot
```
My apache vhosts:
```
# For certbot -JCA
Alias /.well-known /var/www/certbot/.well-known
<Directory "/var/www/certbot/">
    allow from all
</Directory>

# yes I'm aware that's not the "correct" way to use NameVirtualHost directives...
# the correct way doesn't work... -JCA
NameVirtualHost annapuma.onsite-crt.com:80
<VirtualHost 220.127.116.11:80>
    ServerName annapuma.onsite-crt.com
    RedirectPermanent / https://annapuma.onsite-crt.com/
</VirtualHost>

NameVirtualHost annapuma.onsite-crt.com:443
<VirtualHost 18.104.22.168:443>
    ServerName annapuma.onsite-crt.com
    SSLEngine on
    DocumentRoot /var/www/html
    <Directory "/var/www/html">
        allow from all
        Options SymLinksIfOwnerMatch
        AllowOverride FileInfo
    </Directory>
</VirtualHost>

NameVirtualHost phpmyadmin.annapuma.onsite-crt.com:80
<VirtualHost 22.214.171.124:80>
    ServerName phpmyadmin.annapuma.onsite-crt.com
    AssignUserId phpmyadmin phpmyadmin
    RedirectPermanent / https://phpmyadmin.annapuma.onsite-crt.com:8080/
</VirtualHost>

NameVirtualHost phpmyadmin.annapuma.onsite-crt.com:443
<VirtualHost 126.96.36.199:443>
    ServerName phpmyadmin.annapuma.onsite-crt.com
    AssignUserId phpmyadmin phpmyadmin
    RedirectPermanent / https://phpmyadmin.annapuma.onsite-crt.com:8080/
    SSLEngine on
</VirtualHost>

NameVirtualHost phpmyadmin.annapuma.onsite-crt.com:8080
<VirtualHost 188.8.131.52:8080>
    ServerName phpmyadmin.annapuma.onsite-crt.com
    AssignUserId phpmyadmin phpmyadmin
    SSLEngine on
    Include /etc/httpd/conf.d/phpMyAdmin.conf
    DocumentRoot /usr/local/share/phpMyAdmin/
    <Directory "/usr/local/share/phpMyAdmin/setup">
        deny from all
    </Directory>
</VirtualHost>

NameVirtualHost www.receptiveskepticism.org:80
<VirtualHost 184.108.40.206:80>
    AssignUserId recepskep recepskep
    ServerName www.receptiveskepticism.org
    ServerAlias receptiveskepticism.org recepskep.onsite-crt.com
    RedirectPermanent / https://www.receptiveskepticism.org/
</VirtualHost>

NameVirtualHost www.receptiveskepticism.org:443
<VirtualHost 220.127.116.11:443>
    AssignUserId recepskep recepskep
    ServerName www.receptiveskepticism.org
    ServerAlias receptiveskepticism.org recepskep.onsite-crt.com
    SSLEngine on
    DocumentRoot /home/recepskep/www
    <Directory "/home/recepskep/www">
        allow from all
        Options SymLinksIfOwnerMatch
        AllowOverride FileInfo Limit
    </Directory>
</VirtualHost>
```
```
-------------------------------------------------------------------------------
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/annapuma.onsite-crt.com/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
-------------------------------------------------------------------------------
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: annapuma.onsite-crt.com
   Type:   connection
   Detail: Fetching
   http://annapuma.onsite-crt.com/.well-known/acme-challenge/WaRvkGFKf94uypk7FuuTSmEs3OnCKLk7AmBx-bUq9uc:
   Timeout

   Domain: www.receptiveskepticism.org
   Type:   connection
   Detail: Fetching
   http://www.receptiveskepticism.org/.well-known/acme-challenge/CI2NX-Ic1_-Idx6S9DZ925F6ViGGNP4Qu6-0Vfyr_Lk:
   Timeout

   Domain: recepskep.onsite-crt.com
   Type:   connection
   Detail: Fetching
   http://recepskep.onsite-crt.com/.well-known/acme-challenge/kD--UHGEO-B309AdOz2U1QOEnHSgCt8CcYdwGR9Wq6Q:
   Timeout

   Domain: receptiveskepticism.org
   Type:   connection
   Detail: Fetching
   http://www.receptiveskepticism.org/.well-known/acme-challenge/nsVdvKVWT8gz66077vF_jLUzgyNIC7uIByZaKoKbUI4:
   Timeout

   Domain: phpmyadmin.annapuma.onsite-crt.com
   Type:   connection
   Detail: Fetching
   http://phpmyadmin.annapuma.onsite-crt.com/.well-known/acme-challenge/lpiW5gVdioFAIByVjMOWc-CXqZ7shpSU7OLe8cJ2uYY:
   Timeout

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.
```
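The last line of that output is the check worth automating before the real renewal window: is a file dropped under `<webroot>/.well-known/acme-challenge/` actually fetchable over plain HTTP the way the validator fetches it, and if not, is the failure a timeout, a refused connection, or a 404 from the wrong document root? The script below is an added example, not part of the post or of certbot; it writes a constructed token into a temporary webroot, serves that webroot with Python's built-in HTTP server on 127.0.0.1 as a stand-in for the `Alias /.well-known` block above, and probes the token URL with the same redirect-following, timeout-bounded fetch an HTTP-01 validator performs. Point `probe()` at a real `http://<hostname>/.well-known/acme-challenge/<token>` after placing the token under `/var/www/certbot` to reproduce the server-side condition from outside the firewall.

```python
"""Check that an HTTP-01 challenge file under a webroot is served over HTTP.

Added example (not from the original post or from certbot). All hosts, ports and
tokens here are constructed; the built-in HTTP server stands in for Apache.
"""
import functools
import http.server
import os
import secrets
import socket
import tempfile
import threading
import urllib.error
import urllib.request

# URL path the validator requests; the filesystem path is derived from it below.
CHALLENGE_PATH = ".well-known/acme-challenge"


def write_token(webroot, token):
    """Place the challenge file exactly where the webroot plugin would put it."""
    path = os.path.join(webroot, *CHALLENGE_PATH.split("/"), token)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(token)
    return path


def probe(url, expected_body, timeout=3.0):
    """Fetch url like a validator would (redirects followed, bounded timeout).

    Returns a dict: ok (body matched), status, final_url after redirects, and a
    coarse error class: None, "http" (4xx/5xx), "timeout", "refused", or text.
    """
    result = {"ok": False, "status": None, "final_url": url, "error": None}
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace").strip()
            result.update(status=resp.status, final_url=resp.geturl(),
                          ok=(body == expected_body))
    except urllib.error.HTTPError as exc:        # served, but not this file
        result.update(status=exc.code, final_url=exc.geturl(), error="http")
    except urllib.error.URLError as exc:         # failed before any response
        reason = exc.reason
        if isinstance(reason, socket.timeout):
            result["error"] = "timeout"
        elif isinstance(reason, ConnectionRefusedError):
            result["error"] = "refused"
        else:
            result["error"] = str(reason)
    except socket.timeout:                       # connected, then stalled
        result["error"] = "timeout"
    return result


class QuietHandler(http.server.SimpleHTTPRequestHandler):
    """Static file handler that does not write access-log lines to stderr."""
    def log_message(self, *args):
        pass


def serve_webroot(webroot):
    """Serve webroot on an ephemeral loopback port; return (server, base_url)."""
    handler = functools.partial(QuietHandler, directory=webroot)
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    host, port = server.server_address[:2]
    return server, f"http://{host}:{port}"


def self_check():
    """Exercise the three outcomes a webroot renewal usually comes down to."""
    token = secrets.token_urlsafe(32)          # constructed stand-in for an ACME token
    with tempfile.TemporaryDirectory() as webroot, \
            tempfile.TemporaryDirectory() as other_root:
        write_token(webroot, token)
        server, base = serve_webroot(webroot)
        try:
            served = probe(f"{base}/{CHALLENGE_PATH}/{token}", token)
        finally:
            server.shutdown()
            server.server_close()
        # Same request against a server whose document root lacks the token:
        # this is the 404 you get when webroot_path and Apache disagree.
        server2, base2 = serve_webroot(other_root)
        try:
            wrong_root = probe(f"{base2}/{CHALLENGE_PATH}/{token}", token)
        finally:
            server2.shutdown()
            server2.server_close()
    # Nothing listens on the first port any more: a connect-level failure.
    closed = probe(f"{base}/{CHALLENGE_PATH}/{token}", token, timeout=1.0)
    return {"served": served, "wrong_webroot": wrong_root, "closed_port": closed}


if __name__ == "__main__":
    for name, res in self_check().items():
        print(f"{name:13s} ok={res['ok']} status={res['status']} "
              f"error={res['error']} final={res['final_url']}")
```

A "timeout" from `probe()` against a real hostname means the TCP connection or the response never completed, which points at DNS, routing or a firewall in front of port 80 rather than at the webroot contents; a 404 means port 80 is reachable but the directory being served is not the one the token was written to; a `final_url` that differs from the requested URL shows the redirect chain the validator was sent through.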