Certbot renew doesn't work

Hello, I have a server that is now more than a year old. The certificate was automatically renewed without any problem, even if I remember that it bothered me at first. This time the certificate was not renewed; I did everything, but I can't do it. NEED HELP PLEASE

My domain is: apisnix-crm.com

I ran this command: certbot renew

It produced this output:
===============================
certbot renew

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/apisnix-crm.com.conf


Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for apisnix-crm.com
Using the webroot path /srv/www/htdocs for all unmatched domains.
Waiting for verification...
Challenge failed for domain apisnix-crm.com
http-01 challenge for apisnix-crm.com
Cleaning up challenges
Attempting to renew cert (apisnix-crm.com) from /etc/letsencrypt/renewal/apisnix-crm.com.conf produced an unexpected error: Some challenges have failed.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/apisnix-crm.com/fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/apisnix-crm.com/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: apisnix-crm.com
    Type: connection
    Detail: 151.236.39.57: Fetching
    https://151.236.39.57/.well-known/acme-challenge/B0-WxwFEl3IALuLQXm5swnCmStvHrZWl1mPZwq0AfyM:
    Invalid host in redirect target "151.236.39.57". Only domain names
    are supported, not IP addresses

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you're using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

===============================

My web server is (include version): vicidial (opensuse 15.2)

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

My certbot version is: 1.4.0

I tried:
certbot renew
Certbot certonly --webroot
certbot renew --force-renewal --cert-name apisnix-crm.com --dry-run
certbot renew -a webroot -w /var/www/html --dry-run
certbot -d apisnix-crm.com --force-renewal
certbot renew --preferred-challenges -d
certbot run -a webroot -i apache -w /srv/www/htdocs -d apisnix-crm.com --debug-challenges
certbot certonly --cert-name apisnix-crm.com
certbot rollback
certbot renew --break-my-certs
certbot renew --quiet
certbot renew --force-renewal --cert-name apisnix-crm.com --dry-run

Thank you in advance

Hello @Franck98, welcome to the Let's Encrypt community. :slightly_smiling_face:

Check out Let's Debug

apisnix-crm.com has an A (IPv4) record (151.236.39.57) but a request to this address over port 80 did not succeed. Your web server must have at least one working IPv4 or IPv6 address.
Get "https://151.236.39.57/.well-known/acme-challenge/letsdebug-test": No AAAA or A records were found for 151.236.39.57

Best Practice - Keep Port 80 Open

Also previously you have gotten certificates https://crt.sh/?q=apisnix-crm.com

2 Likes

Also this error:

151.236.39.57: Fetching https://151.236.39.57/.well-known/acme-challenge/otnZFysQnuHxDV6Pyp3KJHXkzD5FTHlBKPCwda_mZZU: Invalid host in redirect target "151.236.39.57". Only domain names are supported, not IP addresses

Your server redirected the original HTTP challenge request to an IP address. This is not allowed. See here about redirects:

3 Likes

As Let's Encrypt offers Domain Validation (DV) certificates, IP addresses are not a domain.

1 Like

Hello and thank you for your very quick answers; excuse the language, I'm French speaking.
I have opened port 80, but anyway, I disable firewalld before renewing (advice from another technician last year).
I have read the articles and links you sent me and I am starting to see the problem, but what should I do concretely, please?

2 Likes

Please do NOT use this option if you don't understand what it actually does. It does NOT magically renew your certificate if there is a validation problem. Using this option carelessly potentially adds unnecessary strain/load on the Let's Encrypt infrastructure and can lead to you running into rate limits, denying you any further certificate for a certain amount of time.

Your webserver should not redirect to the IP address of your site. Why would it do that in the first place?

3 Likes

okay boss, I won't do it again

I just checked and honestly, I don't know, but in July I did a lot of manipulations on the server (there were some issues). I am sending you the results for the virtual hosts because I think there is a problem there.

apachectl -t -D DUMP_VHOSTS
which: no w3m in (/sbin:/usr/sbin:/usr/local/sbin:/root/bin:/usr/local/bin:/usr/bin:/bin)
which: no lynx in (/sbin:/usr/sbin:/usr/local/sbin:/root/bin:/usr/local/bin:/usr/bin:/bin)
AH00558: httpd-prefork: Could not reliably determine the server's fully qualified domain name, using 151.236.39.57. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:443                  apisnix-crm.com (/etc/apache2/vhosts.d/1111-default-ssl.conf:1)
*:80                   vicibox.company.com (/etc/apache2/vhosts.d/1111-default.conf:1)
*:446                  dynportalcompany.com (/etc/apache2/vhosts.d/dynportal-ssl.conf:1)
*:81                   dynportal.company.com (/etc/apache2/vhosts.d/dynportal.conf:1)
 nano /etc/apache2/vhosts.d/1111-default-ssl.conf
  GNU nano 4.9.2                                                            /etc/apache2/vhosts.d/1111-default-ssl.conf
<VirtualHost _default_:443>
        ServerAdmin admin@apisnix-crm.com
        ServerName apisnix-crm.com
        #ServerAlias
        DocumentRoot /srv/www/htdocs
        ErrorLog /var/log/apache2/error_log
        #CustomLog /var/log/apache2/access_log combined
        CustomLog /dev/null combined
        HostnameLookups Off
        UseCanonicalName Off
        ServerSignature Off
        TraceEnable Off
        Include /etc/apache2/conf.d/*.conf
        DirectoryIndex index.html index.php index.htm

        SSLEngine on
        SSLCertificateFile /etc/certbot/live/apisnix-crm.com/cert.pem
        SSLCACertificateFile /etc/certbot/live/apisnix-crm.com/fullchain.pem
        SSLCertificateKeyFile /etc/certbot/live/apisnix-crm.com/privkey.pem

        <FilesMatch "\.(cgi|shtml|phtml|php)$">
                SSLOptions +StdEnvVars
        </FilesMatch>
        BrowserMatch "MSIE [2-5]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0

        <Files ~ "^\.ht">
                Require all denied
        </Files>
        <Files ~ "opcache.php">
                Require ip 10.0.0.0/8 192.168.0.0/16 172.16.0.0/12 127.0.0.1
        </Files>

        <Directory "/srv/www/htdocs">

nano /etc/apache2/vhosts.d/1111-default.conf
  GNU nano 4.9.2                                                              /etc/apache2/vhosts.d/1111-default.conf
<VirtualHost _default_:80>
        ServerAdmin admin@company.com
        ServerName vicibox.company.com
        #ServerAlias
        DocumentRoot /srv/www/htdocs
        Redirect permanent / https://151.236.39.57/
        ErrorLog /var/log/apache2/error_log
        #CustomLog /var/log/apache2/access_log combined
        CustomLog /dev/null combined
        HostnameLookups Off
        UseCanonicalName Off
        ServerSignature Off
        TraceEnable Off
        Include /etc/apache2/conf.d/*.conf
        DirectoryIndex index.html index.php index.htm

        <Files ~ "^\.ht">
                Require all denied
        </Files>
        <Files ~ "opcache.php">
                Require ip 10.0.0.0/8 192.168.0.0/16 172.16.0.0/12 127.0.0.1
        </Files>

        <Directory "/srv/www/htdocs">
                Options Indexes FollowSymLinks
                AllowOverride None
                Require all granted
        </Directory>

        ### Uncomment this if you want PCI-DSS WebScan results to pass, but it'll likely mess up scripting in vicidial
        #<IfModule mod_headers.c>
        #       Header always set X-Frame-Options: DENY
        #       Header always set X-XSS-Protection "1; mode=block"
        #       Header always set X-Content-Type-Options: nosniff
        #       Header always set Content-Security-Policy "script-src 'self'; object-src 'self'"
        #       Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"
        #</IfModule>

        ### To force everything to SSL uncomment the following
        #RewriteEngine On
        #RewriteCond %{HTTPS} off
        #RewriteRule (.*) https://%{SERVER_NAME}/$1 [R,L]

/etc/apache2/vhosts.d/1111-default.conf is the configuration file for an entirely different hostname, not for apisnix-crm.com. Where did the HTTP (port 80) virtualhost for apisnix-crm.com go?

3 Likes

I don't know what to tell you. I can only tell you that the present name is the system default name and not the name of a third party.

If you want a certificate for the hostname apisnix-crm.com, your Apache needs to be configured for that hostname with an HTTP (port 80) virtualhost, which currently is not the case.

3 Likes

Should I copy the contents of 1111-default-ssl.conf to 1111-default.conf or just change the servername?

I will try both but I would like to know if it can work or if apache doesn't have a command to do it in its system?

I can't advise you on how you need to configure your Apache. This is not the correct Community for that. And also I have absolutely no idea what kind of directives certain sites of your system need.

In any case I would not advise to just change the servername. That would disable the virtualhost for the original hostname if you'd do that, which I would not recommend. Copying contents of "random" configuration files is also not something I would advise. If I were you, I would write a new configuration file entirely. If you have a working HTTPS (port 443) virtualhost, the HTTP port 80 virtualhost doesn't need to be complex. In fact, it could consist purely of an HTTP to HTTPS redirect.

3 Likes
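The two configuration problems discussed in this thread, a port-80 redirect whose target is a bare IP address (the "Invalid host in redirect target" error quoted above) and the lack of a port-80 VirtualHost for the hostname being validated, can both be caught before running certbot. The script below is an added example written for this thread; it is not code from the original posts, from Certbot or from Apache. It is a deliberately simplified parser (flat vhost files, no Include expansion, no <If> logic). THREAD_VHOST_80 is abridged from the 1111-default.conf posted above; FIXED_VHOST_80 is a constructed replacement along the lines Osiris suggests: a minimal vhost for apisnix-crm.com that only redirects to HTTPS by name.

```python
"""Lint an Apache vhost file for the HTTP-01 blockers raised in this thread.

Added example (not from the original posts, Certbot or Apache). The rule it
checks is the one in the Certbot error: the CA follows a redirect from
http://<domain>/.well-known/acme-challenge/<token>, but only to a host that
is a domain name, never to an IP literal.
"""
import ipaddress
import re
from urllib.parse import urlsplit

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.IGNORECASE | re.DOTALL)
# Redirect [status] <source> <target>  (RedirectPermanent/RedirectTemp not handled)
REDIRECT_RE = re.compile(
    r"^(Redirect(?:Match)?)\s+(?:(?:permanent|temp|seeother|\d{3})\s+)?(\S+)\s+(\S+)$",
    re.IGNORECASE,
)
REWRITE_RE = re.compile(r"^(RewriteRule)\s+(\S+)\s+(\S+)", re.IGNORECASE)


def host_is_ip_literal(url):
    """True when the URL's host is an IPv4/IPv6 address rather than a name."""
    host = urlsplit(url).hostname  # None for relative targets such as "/path"
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname, or a variable like %{SERVER_NAME}
    return True


def redirect_targets(config):
    """Yield (lineno, directive, source, target) for every active redirect."""
    for lineno, raw in enumerate(config.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # commented-out directives are not in effect
        m = REDIRECT_RE.match(line) or REWRITE_RE.match(line)
        if m:
            yield lineno, m.group(1), m.group(2), m.group(3)


def vhosts_on_port(config, port):
    """Return ServerName/ServerAlias hostnames of every VirtualHost on port."""
    names = []
    for addr_spec, body in VHOST_RE.findall(config):
        # "*:80", "_default_:443", "[::1]:80" -> the text after the last colon
        if addr_spec.strip().rsplit(":", 1)[-1] != str(port):
            continue
        for line in body.splitlines():
            m = re.match(r"^\s*Server(?:Name|Alias)\s+(.+?)\s*$", line, re.IGNORECASE)
            if m:
                names.extend(n.split(":")[0] for n in m.group(1).split())
    return names


def lint_http01(config, hostname):
    """Return findings that would break HTTP-01 validation of hostname."""
    findings = []
    for lineno, directive, source, target in redirect_targets(config):
        if host_is_ip_literal(target):
            findings.append(
                f"line {lineno}: {directive} {source} -> {target}: redirect target is an "
                f"IP literal; the CA only follows redirects to domain names"
            )
    if hostname.lower() not in (n.lower() for n in vhosts_on_port(config, 80)):
        findings.append(
            f"no port-80 VirtualHost declares ServerName/ServerAlias {hostname}; "
            f"requests for http://{hostname}/ land in whatever vhost Apache picks as default"
        )
    return findings


# Constructed sample: abridged from the port-80 vhost posted in this thread.
THREAD_VHOST_80 = """\
<VirtualHost _default_:80>
        ServerName vicibox.company.com
        DocumentRoot /srv/www/htdocs
        Redirect permanent / https://151.236.39.57/
        #RewriteEngine On
        #RewriteRule (.*) https://%{SERVER_NAME}/$1 [R,L]
</VirtualHost>
"""

# Constructed replacement: a minimal port-80 vhost for the validated hostname that
# only redirects to HTTPS, by name. The CA follows that redirect, so the 443 vhost
# must serve the same DocumentRoot that certbot's webroot plugin writes into.
FIXED_VHOST_80 = """\
<VirtualHost *:80>
        ServerName apisnix-crm.com
        DocumentRoot /srv/www/htdocs
        Redirect permanent / https://apisnix-crm.com/
</VirtualHost>
"""

if __name__ == "__main__":
    for label, cfg in (("thread", THREAD_VHOST_80), ("fixed", FIXED_VHOST_80)):
        result = lint_http01(cfg, "apisnix-crm.com")
        print(label, "->", result or ["no HTTP-01 blockers found"])
```

Run it against the real file with `lint_http01(open("/etc/apache2/vhosts.d/1111-default.conf").read(), "apisnix-crm.com")`; an empty list means neither of the two problems from this thread is present, though it says nothing about firewalls or DNS, which Let's Debug covers.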

Thanks a lot for your help,
you just had to fill in the ServerName in httpd.conf

The ServerName track was the right one, I used this site

2 Likes

How does that "bypass" the redirection to an IP address problem?:

2 Likes

Furthermore, there is only one vhost that covers port 80.
And it has the same document root as the one in question.

So, "that" wasn't part of the problem.

Is it fixed now?

2 Likes

Let's Debug https://letsdebug.net/ Test result for apisnix-crm.com using http-01 is still failing.

1 Like

New certificates have been issued also https://crt.sh/?q=apisnix-crm.com

1 Like

Ghe, entirely missed that redirect, I only saw the commented out RewriteEngine redirect :roll_eyes:

3 Likes

Although SSL Server Test: apisnix-crm.com (Powered by Qualys SSL Labs) is passing. :thinking:

1 Like

sorry, I was correcting and adjusting the phone

yes it works

2 Likes