Certbot renew error: Network is unreachable


#1

I am not currently able to renew my certbot certificate. I have of course searched the forum but have not found a solution. Being a total noob when it comes to certificates, the error here is most likely user-error.

Any help highly appreciated, and thanks for even reading this far.

I’ve filled out what I could below:

My domain is: fortuna.obsidiancode.io
I ran this command: sudo certbot renew
It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/fortuna.obsidiancode.io.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Attempting to renew cert (fortuna.obsidiancode.io) from /etc/letsencrypt/renewal/fortuna.obsidiancode.io.conf produced an unexpected error: Requesting acme-v02.api.letsencrypt.org/directory: Network is unreachable. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/fortuna.obsidiancode.io/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/fortuna.obsidiancode.io/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

My web server is (include version): Apache2

The operating system my web server runs on is (include version): Ubuntu 16.04.5 LTS (GNU/Linux 4.4.0-1066-aws x86_64)

My hosting provider, if applicable, is: AWS - EC2 instance

I can login to a root shell on my machine (yes or no, or I don’t know): I don’t know

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no


#2

What happens if you run “curl -v https://acme-v02.api.letsencrypt.org/directory”?

Can the EC2 instance connect to the Internet in general? If it supports IPv6, is it working?


#3

Hello, thank you for your reply.
When I ran:
curl -v https://acme-v02.api.letsencrypt.org/directory

I get this output:

*   Trying 104.110.219.22...
*   Trying 2600:1408:17:187::3a8e...
* Immediate connect fail for 2600:1408:17:187::3a8e: Network is unreachable
*   Trying 2600:1408:17:1a0::3a8e...
* Immediate connect fail for 2600:1408:17:1a0::3a8e: Network is unreachable

I don’t have IPv6 set up on my EC2 instance, but that didn’t stop me from creating the certificate, and until the certificate was down, the EC2 instance could connect to the internet, yes. I will re-check all the connections inside AWS though.


#4

Hi,

Could you please try to traceroute the domain?

traceroute acme-v02.api.letsencrypt.org

Thank you


#5

I have found that the error - like I expected - was mine: bad setup of my AWS made connection impossible.
I have now corrected my AWS setup and ping and traceroute both work.

I was able to run sudo certbot renew and it ran successfully, but I’m unclear as to the next step as my website still isn’t up.

I’m happy to close this question though as that’s a related but different issue.

Thank you all for reading and helping, much appreciated.


#6

Hi,

After you renewed the certificate, did you attempt to reload the web server?
(You need to do that if you are using certonly and did not specify an installer)

Thank you


#7

Also, could you please show the output of sudo certbot certificates?

Thank you


#8

I rebooted the EC2 instance, is that what you meant?

And this is the output I get when I run sudo certbot certificates:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: fortuna.obsidiancode.io
    Domains: fortuna.obsidiancode.io
    Expiry Date: 2019-02-13 06:49:41+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/fortuna.obsidiancode.io/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/fortuna.obsidiancode.io/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Thank you for your help!


#9

Hi,

Could you please dive into your apache ssl/tls virtual host (for this hostname) and see what’s defined in the SSLCertificateFile?

Thank you


#10

Hi @stevenzhu, again thanks for your help, so in:

/etc/apache2/sites-available/

my default-ssl.conf file has this value for SSLCertificateFile:

SSLCertificateFile /etc/ssl/certs/fullchain.pem


#11

Should I change that to match:

/etc/letsencrypt/live/fortuna.obsidiancode.io/fullchain.pem
?


#12

@stevenzhu, that did it! I don’t know if it’s the ‘right way’ to solve the problem but it seems to have worked. In any case I would not have been able to fix this so fast with your help, so thanks and kudos to you!

If this is not the ‘right way’, please do let me know.

What I did:
in:

/etc/apache2/sites-available/default-ssl.conf

I set the SSLCertificateFile value to /etc/letsencrypt/live/fortuna.obsidiancode.io/fullchain.pem
and the SSLCertificateKeyFile value to /etc/letsencrypt/live/fortuna.obsidiancode.io/privkey.pem

Then rebooted the EC2 instance, and it now works.

Thank you!
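The root cause in this thread was an Apache vhost whose SSLCertificateFile pointed at a stale copy under /etc/ssl/certs instead of the symlinks certbot refreshes under /etc/letsencrypt/live/<hostname>/. The script below is an added example, not code from the thread or from certbot: it parses the two directives out of a vhost file, flags any that are outside the live directory, and, when openssl and both files are readable, compares SHA-256 fingerprints so you can confirm the served cert is the renewed one. The sample vhost is constructed to mirror the poster's default-ssl.conf; the function names are my own.

```shell
#!/bin/sh
# Added example: audit an Apache vhost's certificate directives against certbot's live dir.

# Constructed sample vhost modelled on the thread's default-ssl.conf (assumption).
SAMPLE_VHOST="$(mktemp)"
trap 'rm -f "$SAMPLE_VHOST"' EXIT
cat > "$SAMPLE_VHOST" <<'EOF'
<IfModule mod_ssl.c>
  <VirtualHost _default_:443>
    ServerName fortuna.obsidiancode.io
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/fullchain.pem
    SSLCertificateKeyFile /etc/ssl/private/privkey.pem
  </VirtualHost>
</IfModule>
EOF

# Print the value of the first occurrence of a directive ($2) in config file $1.
vhost_directive() {
  sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p" "$1" | head -n 1
}

# Succeed only if path $1 lives under certbot's live directory for hostname $2.
is_certbot_live_path() {
  case "$1" in
    /etc/letsencrypt/live/"$2"/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Compare SHA-256 fingerprints of two PEM certs; returns 2 when the check cannot run.
same_cert() {
  command -v openssl >/dev/null 2>&1 || return 2
  { [ -r "$1" ] && [ -r "$2" ]; } || return 2
  a=$(openssl x509 -in "$1" -noout -fingerprint -sha256)
  b=$(openssl x509 -in "$2" -noout -fingerprint -sha256)
  [ "$a" = "$b" ]
}

# Audit vhost $1 for hostname $2; returns 0 only when both directives use live paths.
audit_vhost() {
  rc=0
  for d in SSLCertificateFile SSLCertificateKeyFile; do
    p=$(vhost_directive "$1" "$d")
    if is_certbot_live_path "$p" "$2"; then
      echo "OK   $d -> $p"
    else
      echo "WARN $d -> $p (not under /etc/letsencrypt/live/$2/; renewals will not be served)"
      rc=1
    fi
  done
  return $rc
}

audit_vhost "$SAMPLE_VHOST" fortuna.obsidiancode.io || echo "fix: point both directives at /etc/letsencrypt/live/<host>/ and reload apache2"
```

On a real host, run audit_vhost against /etc/apache2/sites-available/default-ssl.conf and, after a renewal, same_cert on the configured file versus the live fullchain.pem; a mismatch means Apache is still serving the old certificate.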


#13

Hi,

That’s correct!

Glad to see it working.