Certbot autorenew and renew fails


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
server-demo.wematch.live

I ran this command:
sudo certbot renew --nginx --dry-run

and also this one

cd /etc/letsencrypt/ && ./certbot-auto renew --dry-run --nginx

My certbot-auto script is in the letsencrypt dir.

It produced this output:

Requesting to rerun ./certbot-auto with root privileges…
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/server-demo.wematch.live.conf


Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for server-demo.wematch.live
nginx: [warn] conflicting server name "" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name "server-demo.wematch.live" on 0.0.0.0:443, ignored
Waiting for verification…
Cleaning up challenges
nginx: [warn] conflicting server name "" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name "server-demo.wematch.live" on 0.0.0.0:443, ignored
Attempting to renew cert (server-demo.wematch.live) from /etc/letsencrypt/renewal/server-demo.wematch.live.conf produced an unexpected error: Failed authorization procedure. server-demo.wematch.live (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://server-demo.wematch.live/.well-known/acme-challenge/BN9xKygmKkZv-qVxEGajtEv9XqsjJYwrTJVye8F3LB0: Timeout during connect (likely firewall problem). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/server-demo.wematch.live/fullchain.pem (failure)


** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/server-demo.wematch.live/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: server-demo.wematch.live
    Type: connection
    Detail: Fetching
    http://server-demo.wematch.live/.well-known/acme-challenge/BN9xKygmKkZv-qVxEGajtEv9XqsjJYwrTJVye8F3LB0:
    Timeout during connect (likely firewall problem)

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

My web server is (include version):
running on NGINX 1.10.3

The operating system my web server runs on is (include version):
Ubuntu 16.04.1 x64

My hosting provider, if applicable, is:
I configured my DNS records on Cloudflare.

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
Installed: 0.28.0-1+ubuntu16.04.1+certbot+4


#2

Hi @Eitan

If you want to use the http-01 challenge, an open port 80 is required. But your port 80 doesn't answer ( https://check-your-website.server-daten.de/?q=server-demo.wematch.live ):

Domainname / IP          Http-Status   redirect   Sec.     G
http://server-demo.wematch.live/
  67.207.68.227          -14                      10.026   T   Timeout - The operation has timed out
https://server-demo.wematch.live/
  67.207.68.227          401                      2.050    M   Unauthorized
http://server-demo.wematch.live/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
  67.207.68.227          -14                      10.027   T   Timeout - The operation has timed out

Is there a firewall or something else?

And your configuration is buggy:

You have the same server name in different blocks. Then Certbot doesn’t know which of these is used.


#3

There is a security mechanism that we implement on our level; that is why it is unauthorized.

Do I need to open port 80 in the firewall settings for it to work?


#4

The 401 on your / isn't relevant to creating a new certificate. Letsencrypt doesn't check the main page.

If you want to use http-01 validation: yes.

But you can add a redirect http -> https, Letsencrypt follows this redirect.

It's a good configuration to have (1) an open port 80 and (2) correct redirects http -> https, then one redirect from the non-preferred version to the preferred version.

So in the end, there is no content visible under http (only redirects) and every user has (after some redirects) the same https - url.
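The two nginx problems named in #2 and #4, as an added example that is not code from the thread or from Certbot: a script that finds the duplicate server_name/listen pairs behind nginx's "conflicting server name ... ignored" warnings, and fetches the challenge path the way Let's Encrypt does (plain HTTP on port 80, following redirects). Both configs are constructed for illustration; the backend ports 3000/4000 and the webroot /var/www/acme are assumptions, not something the thread states.

```shell
#!/bin/sh
# Added example, not from the thread or from Certbot: find duplicate
# server_name/listen pairs behind nginx's "conflicting server name" warning,
# and fetch the challenge path the way Let's Encrypt does. The two configs are
# constructed; backend ports and /var/www/acme are assumptions.

# Layout that reproduces the warnings in the thread: two nameless blocks on
# port 80 and two blocks with the same server_name on port 443.
BUGGY_CONF='
server {
    listen 80;
    return 301 https://server-demo.wematch.live$request_uri;
}
server {
    listen 80;
    location / { proxy_pass http://127.0.0.1:3000; }
}
server {
    listen 443 ssl;
    server_name server-demo.wematch.live;
    location / { proxy_pass http://127.0.0.1:3000; }
}
server {
    listen 443 ssl;
    server_name server-demo.wematch.live;
    location /api/ { proxy_pass http://127.0.0.1:4000; }
}
'

# Corrected layout: one named port-80 block that serves only the ACME
# challenge and redirects everything else, one port-443 block with the site.
FIXED_CONF='
server {
    listen 80;
    server_name server-demo.wematch.live;
    location /.well-known/acme-challenge/ { root /var/www/acme; }
    location / { return 301 https://$host$request_uri; }
}
server {
    listen 443 ssl;
    server_name server-demo.wematch.live;
    ssl_certificate     /etc/letsencrypt/live/server-demo.wematch.live/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/server-demo.wematch.live/privkey.pem;
    location /api/ { proxy_pass http://127.0.0.1:4000; }
    location /     { proxy_pass http://127.0.0.1:3000; }
}
'

# Print "port name" for each server_name that appears in more than one server
# block on the same listen port. Reads nginx config text on stdin, one
# directive per line as `nginx -T` prints it; nesting is tracked by brace
# depth and comments are ignored.
find_duplicate_server_names() {
  awk '
    function flush(    i, j, np, nn, ps, ns) {
      if (ports == "") ports = "80"      # nginx default when listen is absent
      if (names == "") names = "\"\""    # a block without server_name has the empty name
      np = split(ports, ps, " "); nn = split(names, ns, " ")
      for (i = 1; i <= np; i++) for (j = 1; j <= nn; j++) seen[ps[i] " " ns[j]]++
      ports = ""; names = ""
    }
    {
      line = $0
      sub(/#.*/, "", line); sub(/^[ \t]+/, "", line)
      nf = split(line, f, /[ \t;]+/)
      if (line ~ /^server[ \t]*[{]/) inserver = depth + 1
      if (inserver && f[1] == "listen") { p = f[2]; sub(/^.*:/, "", p); ports = ports " " p }
      if (inserver && f[1] == "server_name")
        for (k = 2; k <= nf; k++) if (f[k] != "") names = names " " f[k]
      depth += gsub(/[{]/, "{", line) - gsub(/[}]/, "}", line)
      if (inserver && depth < inserver) { flush(); inserver = 0 }
    }
    END { for (key in seen) if (seen[key] > 1) print key }
  ' | sort
}

# Convenience wrapper: check a config held in a string.
duplicates_in() { printf '%s\n' "$1" | find_duplicate_server_names; }

# Put a test file where the webroot authenticator would and fetch it over
# plain HTTP, following redirects. "000" means a connect timeout (the
# "likely firewall problem" in the thread); 401 means the app's auth layer
# is answering for /.well-known/acme-challenge/. Returns 0 only on HTTP 200.
preflight_http01() {
  domain=$1; webroot=${2:-/var/www/acme}   # assumed webroot
  token=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
  mkdir -p "$webroot/.well-known/acme-challenge"
  printf 'preflight\n' > "$webroot/.well-known/acme-challenge/$token"
  code=$(curl -s -o /dev/null -w '%{http_code}' -L --max-time 10 \
        "http://$domain/.well-known/acme-challenge/$token")
  rm -f "$webroot/.well-known/acme-challenge/$token"
  echo "$domain -> HTTP $code"
  [ "$code" = "200" ]
}

if [ "${1:-}" = "--demo" ]; then duplicates_in "$BUGGY_CONF"; fi
```

Run `sh check.sh --demo` to see the two conflicting pairs in the constructed buggy config (`443 server-demo.wematch.live` and `80 ""`); `nginx -T | find_duplicate_server_names` runs the same check against a live server, and `preflight_http01 server-demo.wematch.live` exercises port 80 from the outside before a `certbot renew --dry-run`.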


#5

PS: I saw, you have rechecked your domain.

The 401 fetching a file in /.well-known/acme-challenge is critical.

So Letsencrypt can’t validate the file Certbot has created.


#6

Yes, I have made some changes.
I think there is another issue I encounter now: when I add the following line to the crontab to automatically renew the certificate every interval, it is not getting renewed.
But when I run it manually it works.

25 * * * * cd /etc/letsencrypt/ && ./certbot-auto renew --nginx --force-renew && /bin/systemctl restart nginx

I saw in syslog that it ran the command, but there was no renewal.


#7

You should NEVER add --force-renew to a cronjob! Let certbot decide if it’s time to update or not.

Also, with just “it is not getting renewed” and without any other information, we can’t give you any advice. At least you should post the certbot logs for the attempt.


#8

You have a new certificate

CN=server-demo.wematch.live
	02.02.2019
	03.05.2019
	server-demo.wematch.live - 1 entry

So use this certificate for 2 months, then check if the renewal works.
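The renewal decision that #7 says to leave to certbot and that #8 says to wait two months for, as an added example that is not code from the thread or from Certbot: certbot's default is to renew once fewer than 30 days of validity remain, and `openssl x509 -checkend` reproduces that test so a cron job can be verified by hand instead of with --force-renew. The self-signed certificates are constructed test input; the cron schedule and the use of `--deploy-hook` (available since Certbot 0.17, so present in the 0.28 package in the thread) are this example's choices, not the thread's.

```shell
#!/bin/sh
# Added example, not from the thread or from Certbot: reproduce the renewal
# decision certbot makes on its own, and a cron line without --force-renew.
# The certificates below are constructed self-signed test input.

# Return 0 when fewer than $2 days (default 30, certbot's default
# renew_before_expiry) of validity remain, 1 otherwise. `-checkend` exits
# non-zero when the certificate expires within the given number of seconds.
should_renew() {
  cert=$1; window=${2:-30}
  if openssl x509 -checkend $((window * 86400)) -noout -in "$cert" >/dev/null 2>&1; then
    return 1   # still valid beyond the window: certbot would say "not yet due"
  fi
  return 0
}

# Constructed test certificate valid for $1 days, written to $2 (key to $2.key).
make_test_cert() {
  days=$1; out=$2
  openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
    -subj "/CN=server-demo.wematch.live" -keyout "$out.key" -out "$out" >/dev/null 2>&1
}

# Crontab entry: certbot decides whether anything is due, --quiet keeps the
# mailbox empty on the "not yet due" runs, and the deploy hook reloads nginx
# only after a certificate was actually issued. Add --dry-run to test the
# whole pipeline against the staging environment without touching rate limits.
CRON_LINE='25 3 * * * certbot renew --nginx --quiet --deploy-hook "systemctl reload nginx"'

if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp -d)
  make_test_cert 10 "$tmp/short.pem"
  make_test_cert 60 "$tmp/long.pem"
  should_renew "$tmp/short.pem" && echo "short.pem: due for renewal"
  should_renew "$tmp/long.pem"  || echo "long.pem: not yet due"
  rm -rf "$tmp"
  echo "$CRON_LINE"
fi
```

`should_renew /etc/letsencrypt/live/server-demo.wematch.live/fullchain.pem` answers the question in #6 directly: if it returns 1, a cron run that logged "not yet due for renewal" behaved correctly. Forcing renewal from cron instead burns through the duplicate-certificate rate limit (5 per week for the same set of names) with nothing to show for it.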


#9

I know, but I wanted to test whether the crontab works or not.


#10

This was only for the purpose of testing the renewal.


#11

There is an entire staging environment for testing.


closed #12

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.