Certbot renew bug


#1

My domain is:
domain.com

I ran this command:
certbot --apache -d domain.com -d www.domain.com

It produced this output:

Renewing an existing certificate
Performing the following challenges:
http-01 challenge for domain.com
http-01 challenge for www.domain.com
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (domain.com) from /etc/letsencrypt/renewal/domain.com.conf produced an unexpected error: Failed authorization procedure. www.domain.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.domain.com/.well-known/acme-challenge/TCCzkaTNdDqfg6OEpnrwjCqzleQkqbwyL5IDAJBVe8E: "<iframe src=“http://mcc.godaddy.com”, domain.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://domain.com/.well-known/acme-challenge/RgDOCm_tz_dThTkKLHnw-B75vX0pbDEb_FfJ-IgEDfk: "<iframe src=“http://mcc.godaddy.com”. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/domain.com/fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/domain.com/fullchain.pem (failure)

1 renew failure(s), 0 parse failure(s)

My web server is (include version):

Apache 2.4.18

The operating system my web server runs on is (include version):

Ubuntu 16.04

My hosting provider, if applicable, is:

digitalocean

I can login to a root shell on my machine (yes or no, or I don’t know):

yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

no

I registered a certificate a few months ago.
Today, my domain certificate expired. I tried to renew it and I couldn’t. The problem was that the website is behind Cloudflare and for whatever reason, no method of renew worked.

The commands I entered:

certbot --apache -d domain.com -d www.domain.com
certbot --apache -d domain.com -d www.domain.com --preferred-challenges http
certbot --apache -d domain.com -d www.domain.com --preferred-challenges dns
certbot --apache renew
certbot renew --preferred-challenges http
certbot renew --preferred-challenges http-01

After a few tries, I got banned and not a single command completed successfully. This is a serious bug as my website is down.


#2

Hi,

This is a domain-specific issue; you must share your domain name with us in order for us to help you…

P.S. Check your DNS settings and see if you point www to a wrong A record (they must point directly to your server).

Thank you


#3

Yes, the DNS settings are the same and pointing in the right direction. Until today everything worked fine and I didn’t change anything. If you read again, you will see that it is a problem between Cloudflare and Let’s Encrypt. I read for a few hours about a solution for this, but failed to find one.
I will not disclose my domain as I will buy a certificate. I really need fast support when my website is down. Otherwise you get penalised by Google and I don’t know if you do, it’s really hard to get ranked.
I posted thinking that maybe some developer will read this and change the strategy to stop counting for renewals when in fact no renewal has succeeded.


#4

This has nothing to do with the behavior you’re seeing. What’s happening is that, first (in the output you showed us), your server is serving HTML for the challenge file when it should be serving plain text, and second, you hit a rate limit after too many failed validations in an hour (which will reset after an hour).

Cloudflare shouldn’t have anything to do with your problems either.

If your website is down, there’s something very badly broken with your renewal process - renewal attempts should start 30 days before the cert expires, so you should have plenty of time to take care of any issues before the site goes down.
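The first point in this reply (HTML coming back on the challenge path instead of plain text) is something you can confirm yourself before spending another validation attempt against the rate limit. The script below is an added example, not code from this thread or from certbot: it fetches a URL under `/.well-known/acme-challenge/` exactly as a plain HTTP client would (following redirects, as the ACME server does), and classifies what came back. A genuine key authorization is `token.thumbprint`, two base64url strings, so it never begins with `<`. The sample responses are constructed; the token in the first one is taken from the certbot output above, while the thumbprint half and the GoDaddy iframe body are placeholders shaped like the thread's output. To use it, place a small text file of your own under the challenge directory on the server, then run the script against that URL with the file's contents as the expected body; a verdict of `html` or `not_found` means the request never reached the file, and there is no point re-running certbot until that is fixed (`certbot renew --dry-run`, which validates against the staging environment, is the safer way to retry afterwards).

```python
"""Pre-flight check for an ACME http-01 challenge path (added example)."""
import re
import sys
import urllib.error
import urllib.request

# A key authorization is "<token>.<thumbprint>", both base64url without
# padding, so a real challenge body matches this and never starts with "<".
KEYAUTHZ_RE = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\s*$")


def classify_challenge_response(status, content_type, body, expected=None):
    """Classify what a client saw at an /.well-known/acme-challenge/ URL.

    Returns one of:
      'not_found'  - HTTP 404: a server answered, but the file is not there
                     (wrong vhost or webroot, or the file was never placed)
      'html'       - an HTML document came back (the thread's iframe case)
      'ok'         - body equals `expected`, or looks like a key authorization
      'unexpected' - anything else, worth inspecting by hand
    """
    if status == 404:
        return "not_found"
    text = body.lstrip()
    ctype = (content_type or "").lower()
    if text.startswith("<") or "text/html" in ctype:
        return "html"
    if expected is not None:
        return "ok" if text.strip() == expected else "unexpected"
    return "ok" if KEYAUTHZ_RE.match(text) else "unexpected"


def fetch(url, timeout=10):
    """GET url over HTTP, following redirects; returns (status, ctype, body).

    HTTP error responses are returned as well so a 404 page can be inspected.
    """
    req = urllib.request.Request(url, headers={"User-Agent": "acme-precheck/0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Content-Type"), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Content-Type"), err.read().decode("utf-8", "replace")


# Constructed samples (not captured from any real server). The token in
# "good" is from the certbot output in this thread; the thumbprint half is a
# placeholder. "iframe" mirrors the HTML body certbot reported.
SAMPLE_RESPONSES = {
    "good": (200, "text/plain", "RgDOCm_tz_dThTkKLHnw-B75vX0pbDEb_FfJ-IgEDfk.thumbprint_placeholder"),
    "iframe": (200, "text/html", '<iframe src="http://mcc.godaddy.com" ...>'),
    "missing": (404, "text/html", "<!DOCTYPE html><title>404 Not Found</title>"),
}


def classify_samples():
    """Run the classifier over the constructed samples; used for a self-check."""
    return {name: classify_challenge_response(*resp) for name, resp in SAMPLE_RESPONSES.items()}


def main(argv):
    if len(argv) not in (2, 3):
        print("usage: acme_precheck.py URL [EXPECTED_BODY]", file=sys.stderr)
        return 2
    expected = argv[2] if len(argv) == 3 else None
    status, ctype, body = fetch(argv[1])
    verdict = classify_challenge_response(status, ctype, body, expected)
    print(f"{verdict}: HTTP {status}, Content-Type {ctype!r}, body starts {body[:60]!r}")
    return 0 if verdict == "ok" else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Because certbot's Apache plugin serves the challenge from a temporary configuration rather than from your webroot, a static test file proves only that an HTTP request for the name reaches your server and is answered by it, which is exactly what the iframe response says is not happening here; once that passes, the plugin can be retried.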


#5

If your website is down because of an expired certificate and it’s behind Cloudflare - assuming you haven’t uploaded the expired certificate to Cloudflare itself, which isn’t even an option with their free service - you could just temporarily switch back to “Full SSL” mode (rather than “Full SSL (Strict)”) to get your site back up while you fix the certificate.

I don’t think an expired certificate would cause Cloudflare to render an <iframe> pointing to GoDaddy, though. Are you sure it’s the certificate that expired, and not the domain itself?

