Certbot dry run error


#1

Whenever I run this command certbot renew --dry-run from this link, I get these errors:

Attempting to renew cert (davessa.net) from /etc/letsencrypt/renewal/davessa.net.conf produced an unexpected error: Failed authorization procedure. www.davessa.net (tls-sni-01): urn:ietf:params:acme:error:tls :: The server experienced a TLS error during domain verification :: remote error: tls: handshake failure, davessa.net (tls-sni-01): urn:ietf:params:acme:error:tls :: The server experienced a TLS error during domain verification :: remote error: tls: handshake failure. Skipping.
The following certs could not be renewed:
  /etc/letsencrypt/live/davessa.net/fullchain.pem (failure)

-------------------------------------------------------------------------------
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

The following certs were successfully renewed:
  /etc/letsencrypt/live/thedavessablog.cf/fullchain.pem (success)

The following certs could not be renewed:
  /etc/letsencrypt/live/davessa.net/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
-------------------------------------------------------------------------------
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: www.davessa.net
   Type:   tls
   Detail: remote error: tls: handshake failure

   Domain: davessa.net
   Type:   tls
   Detail: remote error: tls: handshake failure

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   you have an up-to-date TLS configuration that allows the server to
   communicate with the Certbot client.

I’m really lost here, and am a newbie in these things, can you guys help me? Can you give commands, references & more?


#2

There are issues with using CloudFlare:

https://letsdebug.net/davessa.net/701

You should change the title to include that.
Like:
Certbot dry run error (using CloudFlare)


#3

To expand on that answer, you can’t use the TLS-SNI challenge with Cloudflare.

So you can try e.g.

certbot renew --dry-run --preferred-challenges http

#4

Now it’s giving me this error:

Attempting to renew cert (davessa.net) from /etc/letsencrypt/renewal/davessa.net.conf produced an unexpected error: Failed authorization procedure. davessa.net (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://davessa.net/.well-known/acme-challenge/Y8-jDlM_7x4huql_CUw4hUVA1QsqKc9T0k8R9uqDlwY: "<!DOCTYPE html>
<html lang="en-US" xmlns:fb="http://ogp.me/ns/fb#" prefix="og: http://ogp.me/ns#">
<head>


<meta name="p:domain". Skipping.
The following certs could not be renewed:
  /etc/letsencrypt/live/davessa.net/fullchain.pem (failure)

#5

Could you show /etc/letsencrypt/renewal/davessa.net?

And also

certbot --version

#6

You have an HTTP to HTTPS redirect in CloudFlare.
So even if you force certbot to use HTTP, certbot will be forced to follow the HTTPS redirection and CloudFlare will intercept the HTTPS challenge request and break the authentication process.
Try turning off the redirection.
Or try to set it to ignore redirection when requests are to the acme-challenge folder.
(NOTE: I don’t use CloudFlare, so I can’t say for sure if folder exclusion is even possible in their system)


#7

I think the redirect is probably fine, it properly forwards the path component and Let’s Encrypt will follow it to the destination.

At the moment WordPress is intercepting the requests to /.well-known/acme-challenge/, so a helpful next step would be to know how Certbot is set up.

For example, the solution might be to renew using

-a apache -i apache

(or nginx), depending on how your website is set up.
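As an added example (not from this thread or from Certbot), a small Python self-check that mimics what the http-01 validator does: it writes a random token under the webroot's /.well-known/acme-challenge/ directory, fetches it over plain HTTP following any redirect, and reports whether the token came back, whether an HTML page (for instance WordPress's front controller) answered instead, or whether the connection failed. The webroot path and hostname are placeholders you must replace, and the comparison is a local approximation of the real ACME key authorization, not the ACME protocol itself.

```python
"""Pre-renewal self-check for the http-01 challenge path (added example)."""
import secrets
import urllib.error
import urllib.request
from pathlib import Path

WEBROOT = Path("/var/www/html")   # placeholder: your site's document root
HOSTNAME = "example.invalid"      # placeholder: the name on the certificate


def classify_response(body: str, expected: str) -> str:
    """Classify what a /.well-known/acme-challenge/<token> URL returned."""
    if body.strip() == expected:
        return "ok"                     # static file served: http-01 should pass
    head = body[:200].lower()
    if "<!doctype html" in head or "<html" in head:
        # A web application answered instead of the static file, which is
        # exactly what the "Invalid response ... <!DOCTYPE html>" error shows.
        return "intercepted-by-app"
    return "unexpected"


def check_challenge_path(webroot: Path, hostname: str, timeout: float = 10.0) -> str:
    """Drop a random token into the webroot and fetch it the way a validator would."""
    token = secrets.token_urlsafe(32)
    target = webroot / ".well-known" / "acme-challenge" / token
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(token)
    url = f"http://{hostname}/.well-known/acme-challenge/{token}"
    try:
        # urlopen follows HTTP->HTTPS redirects, as the Let's Encrypt validator does.
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        return f"http-{exc.code}"           # e.g. http-404: path not served at all
    except urllib.error.URLError as exc:
        return f"connection-error: {exc.reason}"
    finally:
        target.unlink(missing_ok=True)      # never leave test tokens behind
    return classify_response(body, token)


if __name__ == "__main__":
    print(check_challenge_path(WEBROOT, HOSTNAME))
```

Run it on the web host itself before `certbot renew`; anything other than `ok` means the webroot or the application's routing needs fixing first.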


#8

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.