Certbot - issue SSL on new server


#1

I’m trying to generate a certificate for a domain that already has a certificate on another server. The DNS record is now pointing at the new server, and I don’t have access to the old server’s Let’s Encrypt directory to complete a full migration. I managed to grab the certificate itself from the old server and install it on the new one, but it expires in a couple of weeks, and therefore I wish to generate a new one on the new server. The old certificate was generated by another person using the Let’s Encrypt API on the old server, and I’m trying to use Certbot on the new server.

Would it be a case of waiting till the certificate expiry is near enough, and then the authorization for generating a new one will stop failing? If so, what is the threshold? Otherwise, what would be the procedure of generating this certificate?

Thanks,
Amir

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
mydata.energy

I ran this command:
sudo certbot certonly --webroot -v -d mydata.energy -w

It produced this output:
{
  "identifier": {
    "type": "dns",
    "value": "mydata.energy"
  },
  "status": "pending",
  "expires": "2018-07-03T06:25:26Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "pending",
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/TQfh29b_WYYloQvYLM2TkB8Msq_lFHXtyJZRpcPneco/5308375083",
      "token": "Jg_f1-yRNIFfsdrX2xdKU3lUC5sQVx7ySisVAnwgyUc"
    },
    {
      "type": "http-01",
      "status": "pending",
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/TQfh29b_WYYloQvYLM2TkB8Msq_lFHXtyJZRpcPneco/5308375084",
      "token": "xCm4ga8tSQ2KQfLeYpxyYlQai1qBQrrasZu4ahUfxQg",
      "keyAuthorization": "xCm4ga8tSQ2KQfLeYpxyYlQai1qBQrrasZu4ahUfxQg.KbgCzgzGMda699BS7m2qx7PsD0eZZfuVh_62XQEpCdw"
    }
  ],
  "combinations": [
    [
      1
    ],
    [
      0
    ]
  ]
}
Cleaning up challenges
Removing /home/ubuntu/webapps/dashboard-app/dist/.well-known/acme-challenge/xCm4ga8tSQ2KQfLeYpxyYlQai1qBQrrasZu4ahUfxQg
All challenges cleaned up
Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.22.2', 'console_scripts', 'certbot')()
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1266, in main
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1157, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 118, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 350, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 294, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 330, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 82, in handle_authorizations
    self.verify_authzr_complete(aauthzrs)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 325, in verify_authzr_complete
    raise errors.AuthorizationError("Incomplete authorizations")
certbot.errors.AuthorizationError: Incomplete authorizations
Incomplete authorizations

My web server is (include version):
nginx/1.10.3 (Ubuntu)

The operating system my web server runs on is (include version):
Ubuntu 16.04

My hosting provider, if applicable, is:
AWS

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No


#2

There’s no need to wait for the certificate to expire. You can issue a new certificate at any time.

For Ubuntu 16.04 (Xenial), make sure that you have your Certbot upgraded to 0.25+:

certbot --version

You can make sure this is the case by installing Certbot from the Ubuntu PPA: https://certbot.eff.org/lets-encrypt/ubuntuxenial-nginx

The simplest way to go is to use the Certbot nginx plugin, which would be:

certbot --nginx -d mydata.energy

#3

Hi there, _az

My latest on this, after upgrading Certbot:

I’m running the same command (not using the nginx plugin, which is installed though). I’m getting a timeout error:

Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 82, in handle_authorizations
    self._respond(aauthzrs, resp, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 155, in _respond
    self._poll_challenges(aauthzrs, chall_update, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 226, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. mydata.energy (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://mydata.energy/.well-known/acme-challenge/1slKdw4I0SITp-jshkzw-HE-RcViBvGfvoPrwdtYhIE: Timeout after connect (your server may be slow or overloaded)

Calling registered functions
Cleaning up challenges
Removing /home/ubuntu/webapps/dashboard-app/dist/.well-known/acme-challenge/1slKdw4I0SITp-jshkzw-HE-RcViBvGfvoPrwdtYhIE
All challenges cleaned up
Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.25.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1323, in main
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1213, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 120, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 383, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 326, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 362, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 82, in handle_authorizations
    self._respond(aauthzrs, resp, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 155, in _respond
    self._poll_challenges(aauthzrs, chall_update, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 226, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. mydata.energy (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://mydata.energy/.well-known/acme-challenge/1slKdw4I0SITp-jshkzw-HE-RcViBvGfvoPrwdtYhIE: Timeout after connect (your server may be slow or overloaded)
Failed authorization procedure. mydata.energy (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://mydata.energy/.well-known/acme-challenge/1slKdw4I0SITp-jshkzw-HE-RcViBvGfvoPrwdtYhIE: Timeout after connect (your server may be slow or overloaded)

At the same time the command is running, I am also performing a curl from another machine to the same URL, and am successfully getting the challenge:

ubuntu@ip-172-31-15-48:~/webapps/dashboard-app/dist/.well-know$ curl http://mydata.energy/.well-known/acme-challenge/1slKdw4I0SITp-jshkzw-HE-RcViBvGfvoPrwdtYhIE
1slKdw4I0SITp-jshkzw-HE-RcViBvGfvoPrwdtYhIE.KbgCzgzGMda699BS7m2qx7PsD0eZZfuVh_62XQEpCdw

(tried that from both another EC2 instance and my dev laptop, both worked).

I’m at a loss why it is timed out when Certbot initiates.


#4

Your domain is currently timing out on its IPv6 address: https://letsdebug.net/mydata.energy/2084

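The failure in this thread is easy to miss from the server itself: curl from a laptop or another EC2 instance uses whichever address family that client has, while the CA will try the AAAA record as soon as one is published, so an unreachable IPv6 address fails http-01 even though IPv4 works. The following preflight script is an added example (not part of the thread, not from certbot, and not what letsdebug.net runs); it resolves both A and AAAA records for a name and fetches the challenge URL over each published address, connecting to the literal IP while sending the real Host header, the way a validator does. The token and key-authorization strings in the usage and test are the ones visible in post #3, reused only as sample data; the `resolver` and `fetcher` hooks exist so the logic can be exercised offline with constructed responses.

```python
"""Preflight an ACME http-01 validation over every published address of a name.

Added example, not from the thread or from certbot.  A name whose IPv4 address
serves the challenge but whose IPv6 address times out is reported separately,
because the CA will use the AAAA record when one is published.
"""
import http.client
import socket
from typing import Callable, Dict, List, Tuple

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def resolve_all(host: str) -> Dict[str, List[str]]:
    """Return {"A": [...], "AAAA": [...]} for host via the system resolver."""
    found: Dict[str, List[str]] = {"A": [], "AAAA": []}
    try:
        infos = socket.getaddrinfo(host, 80, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return found
    for family, _type, _proto, _canon, sockaddr in infos:
        rtype = "AAAA" if family == socket.AF_INET6 else "A"
        if sockaddr[0] not in found[rtype]:
            found[rtype].append(sockaddr[0])
    return found


def fetch_over_ip(ip: str, host: str, path: str, timeout: float = 10.0) -> Tuple[int, str]:
    """GET http://host/path but open the TCP connection to the literal `ip`.

    Returns (status, body).  Connect failures and timeouts propagate as OSError
    (socket.timeout is a subclass) so the caller can classify them.
    """
    conn = http.client.HTTPConnection(ip, 80, timeout=timeout)
    try:
        # skip_host=True so the Host header carries the domain, not the IP literal.
        conn.putrequest("GET", path, skip_host=True)
        conn.putheader("Host", host)
        conn.endheaders()
        resp = conn.getresponse()
        return resp.status, resp.read(4096).decode("ascii", "replace")
    finally:
        conn.close()


def preflight(host: str, token: str,
              resolver: Callable[[str], Dict[str, List[str]]] = resolve_all,
              fetcher: Callable[..., Tuple[int, str]] = fetch_over_ip) -> Dict[str, object]:
    """Check every published address of `host` for the challenge `token`.

    Returns {"results": [(rtype, ip, ok, detail), ...], "verdict": str} where
    verdict is one of "ok", "no-records", "ipv6-only-failure", "failure".
    """
    path = CHALLENGE_PREFIX + token
    records = resolver(host)
    results: List[Tuple[str, str, bool, str]] = []
    for rtype in ("A", "AAAA"):
        for ip in records[rtype]:
            try:
                status, body = fetcher(ip, host, path)
            except OSError as exc:  # socket.timeout, ECONNREFUSED, EHOSTUNREACH, ...
                results.append((rtype, ip, False, type(exc).__name__))
                continue
            # A valid answer is HTTP 200 with the key authorization "<token>.<thumbprint>".
            ok = status == 200 and body.strip().startswith(token + ".")
            results.append((rtype, ip, ok, "HTTP %d" % status))

    if not results:
        verdict = "no-records"
    elif all(ok for _, _, ok, _ in results):
        verdict = "ok"
    elif records["A"] and all(ok for r, _, ok, _ in results if r == "A"):
        # IPv4 serves the token but at least one AAAA address does not: this thread's case.
        verdict = "ipv6-only-failure"
    else:
        verdict = "failure"
    return {"results": results, "verdict": verdict}


if __name__ == "__main__":
    import sys
    # Usage: python preflight.py mydata.energy 1slKdw4I0SITp-jshkzw-HE-RcViBvGfvoPrwdtYhIE
    # (run while certbot is waiting, or after placing the token file yourself).
    report = preflight(sys.argv[1], sys.argv[2])
    for rtype, ip, ok, detail in report["results"]:
        print("%-4s %-40s %s %s" % (rtype, ip, "OK " if ok else "BAD", detail))
    print("verdict:", report["verdict"])
```

A verdict of `ipv6-only-failure` means the fix is on the IPv6 side: either make the web server listen on the AAAA address (and open the security group for it) or, as in post #5, remove the AAAA record until it does. Note that the script only reaches the address from wherever you run it, so run it from outside the VPC to see what the CA sees.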

#5

@_az, thanks so much - removing the IPv6 record solved the issue. Much appreciated

