Please fill out the fields below so we can help you better.
My domain is:
I ran this command:
certbot renew --dry-run
It produced this output:
certbot renew --dry-run
Processing /etc/letsencrypt/renewal/*****.conf
2017-03-09 05:01:04,167:WARNING:certbot.renewal:Attempting to renew cert from /etc/letsencrypt/renewal/.conf produced an unexpected error: Failed authorization procedure. ****** (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for TLS-SNI-01 challenge. Requested xxx.xxx.acme.invalid from 45.32.5.224:443. Received 2 certificate(s), first certificate had names "*". Skipping.
** DRY RUN: simulating "certbot renew" close to cert expiry
** (The test certificates below have not been saved.)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/******/fullchain.pem (failure)
** DRY RUN: simulating "certbot renew" close to cert expiry
** (The test certificates above have not been saved.)
1 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:
The following errors were reported by the server:
Domain: *****
Type: unauthorized
Detail: Incorrect validation certificate for TLS-SNI-01 challenge.
Requested
xxx.acme.invalid
from 45.32.5.224:443. Received 2 certificate(s), first certificate
had names "******"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address.
My operating system is (include version):
Ubuntu 16.10
My web server is (include version):
n/a (running a custom express-based node.js server)
My hosting provider, if applicable, is:
n/a
I can login to a root shell on my machine (yes or no, or I don't know):
Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
Are you running the certbot renew --dry-run command on the same server as the one where your existing certificate is installed, or on a different server?
Is your express-based node.js server itself listening directly on port 443, or do you have a reverse proxy or similar?
Can you post the contents of the file /etc/letsencrypt/renewal/*****.conf please?
The command is running on the same server. The node server listens on port 443 directly. I do not have a reverse proxy.
# renew_before_expiry = 30 days
version = 0.8.1
cert = /etc/letsencrypt/live/schedule.greenwood.space/cert.pem
privkey = /etc/letsencrypt/live/schedule.greenwood.space/privkey.pem
chain = /etc/letsencrypt/live/schedule.greenwood.space/chain.pem
fullchain = /etc/letsencrypt/live/schedule.greenwood.space/fullchain.pem
# Options used in the renewal process
[renewalparams]
authenticator = standalone
installer = None
account = ****
webroot_path = /home/greenwood/greenwood-scheduler,
[[webroot_map]]
I did some more sleuthing, and it looks like the back and forth dies when the eff site is unable to directly connect to the IP address, port 443 to the standalone server. I would be fine with enabling dns verification, but there is quite literally no documentation on how to do that other than "it will tell you if you try." Well, I tried, and it just said it wouldn't do it, no further information.
I'm now 9 days from expiry on the site. Should I give up on renewal and just generate a new one? Will it even let me?
I may have found the issue. I have had 443 redirect to a user port to avoid having to run my express server as root (to get access to 443). I'm going to try disabling that redirect and then re-run.