Certbot renew in Windows error

My domain is: ahead.kerala.gov.in

I ran this command: certbot renew

It produced this output: Failed to renew certificate ahead.kerala.gov.in with error: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new order :: too many failed authorizations recently: see Failed Validation Limit - Let's Encrypt

My web server is (include version): IIS 10

The operating system my web server runs on is (include version): Windows 2016 DC

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.24.0

Hi @pks, and welcome to the LE community forum 🙂

This error doesn't explain why it failed previously:

It only states that you've tried to renew it too many times [recently].

Let's have a look at the certbot log file.
[not sure where that is in Windows]

2 Likes
error is: Fetching http://ahead.kerala.gov.in/.well-known/acme-challenge/e0qtFf6IubViOb4oYqXhCyhGaQiiaQ2rVKG4di_byH4: Timeout during connect (likely firewall problem)

log file: Fetching http://www.ahead.kerala.gov.in/.well-known/acme-challenge/FKq2CYCmbyZH8wAv_A8wtlo2MSm_X5Clz3PySBw4zQc: Timeout during connect (likely firewall problem)

  Domain: ahead.kerala.gov.in
  Type:   connection
  Detail: Fetching http://ahead.kerala.gov.in/.well-known/acme-challenge/0L3KLZO9zS-4mQNC8SRC4CNZvR0GmFJ3P-9nikb54HA: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

2023-11-16 14:43:26,325:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "C:\Program Files (x86)\Certbot\pkgs\certbot\_internal\auth_handler.py", line 106, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "C:\Program Files (x86)\Certbot\pkgs\certbot\_internal\auth_handler.py", line 206, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2023-11-16 14:43:26,325:DEBUG:certbot._internal.error_handler:Calling registered functions
2023-11-16 14:43:26,325:INFO:certbot._internal.auth_handler:Cleaning up challenges
2023-11-16 14:43:26,325:DEBUG:certbot._internal.plugins.webroot:Removing C:\ahead_4.6\.well-known\acme-challenge\FKq2CYCmbyZH8wAv_A8wtlo2MSm_X5Clz3PySBw4zQc
2023-11-16 14:43:26,325:INFO:certbot._internal.plugins.webroot:Cleaning web.config file generated by Certbot in C:\ahead_4.6\.well-known\acme-challenge.
2023-11-16 14:43:26,325:DEBUG:certbot._internal.plugins.webroot:Removing C:\ahead_4.6\.well-known\acme-challenge\0L3KLZO9zS-4mQNC8SRC4CNZvR0GmFJ3P-9nikb54HA
2023-11-16 14:43:26,325:DEBUG:certbot._internal.plugins.webroot:All challenges cleaned up
2023-11-16 14:43:26,325:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "runpy.py", line 197, in _run_module_as_main
  File "runpy.py", line 87, in _run_code
  File "C:\Program Files (x86)\Certbot\bin\certbot.exe\__main__.py", line 29, in <module>
    sys.exit(main())
  File "C:\Program Files (x86)\Certbot\pkgs\certbot\main.py", line 19, in main
    return internal_main.main(cli_args)
  File "C:\Program Files (x86)\Certbot\pkgs\certbot\_internal\main.py", line 1679, in main
    return config.func(config, plugins)
  File "C:\Program Files (x86)\Certbot\pkgs\certbot\_internal\main.py", line 1538, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "C:\Program Files (x86)\Certbot\pkgs\certbot\_internal\main.py", line 127, in _get_and_save_cert
    renewal.renew_cert(config, domains, le_client, lineage)
  File "C:\Program Files (x86)\Certbot\pkgs\certbot\_internal\renewal.py", line 345, in renew_cert
    new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
  File "C:\Program Files (x86)\Certbot\pkgs\certbot\_internal\client.py", line 441, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "C:\Program Files (x86)\Certbot\pkgs\certbot\_internal\client.py", line 493, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
  File "C:\Program Files (x86)\Certbot\pkgs\certbot\_internal\auth_handler.py", line 106, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "C:\Program Files (x86)\Certbot\pkgs\certbot\_internal\auth_handler.py", line 206, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
2023-11-16 14:43:26,341:ERROR:certbot._internal.log:Some challenges have failed.

This is the problem:

Is your site accessible from the Internet?

2 Likes

There also seems to be a DNS CAA issue:
Let's Debug (letsdebug.net)

2 Likes

yes it is

Not from my IP:

curl -Ii http://ahead.kerala.gov.in/
curl: (56) Recv failure: Connection reset by peer

Not from this random testing site on the Internet:
Ahead.kerala.gov.in - Is Ahead Down Right Now? (isitdownrightnow.com)

2 Likes

may be available only in India

Then something has changed since your last renewal on 2023-08-21:


It must have been accessible then.

If it will no longer be accessible via HTTP, you will have to change the authentication method to DNS.

3 Likes

not working in HTTP

Then, we are agreed on that.

How would you like to proceed?

  • speak with your IT folks and restore HTTP access.
  • speak with your DNS folks to see if that is a viable option
4 Likes

Are you working with Dilan? I tried to renew one our website certificate using the certify the web manager and it shows "too many failed authorizations recently: see https://letsencrypt.org/docs/failed-validation-limit/". i need your support for to know how to fix this issue - #2 by webprofusion - Question - Certify The Web - Support Community

3 Likes

now port 80 is enabled and telnet is there for 80, and now it shows this error:
Failed to renew certificate ahead.kerala.gov.in with error: Problem binding to port 80: [WinError 10013] An attempt was made to access a socket in a way forbidden by its access permissions

certbot may need exclusive rights to use HTTP on port 80.
If anything else [like IIS] is already bound to port 80, certbot will have that problem.
You can:

  • stop whatever is using port 80 [like IIS]
    so that certbot can use it and then restart after use

  • use another ACME client [more compatible with Windows (and IIS)]
    note: certbot for Windows will soon be "retired"

But I still can't reach your site:

curl -Ii http://ahead.kerala.gov.in/
curl: (56) Recv failure: Connection reset by peer
2 Likes
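
Added example (not part of the thread and not Certbot's own code): a small Python triage of the three error messages quoted above, which treats rateLimited as a consequence of repeated failures and surfaces the underlying cause instead. The sample log is constructed (example.com, made-up tokens), and the function and category names are assumptions.

```python
import re
from urllib.parse import urlsplit

# (category, pattern, next step). Message formats are the ones quoted in this thread.
RULES = [
    ("rate_limited",
     re.compile(r"acme:error:rateLimited .*too many failed authorizations"),
     "stop retrying; find the earlier validation error in the certbot log"),
    ("http01_unreachable",
     re.compile(r"Fetching (http://\S+/\.well-known/acme-challenge/\S+): Timeout during connect"),
     "restore inbound HTTP (TCP 80) from the Internet, or switch to DNS validation"),
    ("port80_in_use",
     re.compile(r"Problem binding to port (\d+): \[WinError 10013\]"),
     "something else (like IIS) holds the port; stop it or use another ACME client"),
]

def triage(log_text):
    """Return a de-duplicated list of (category, detail, next_step)."""
    findings = []
    for line in log_text.splitlines():
        for category, pattern, step in RULES:
            m = pattern.search(line)
            if not m:
                continue
            detail = m.group(1) if m.groups() else ""
            if category == "http01_unreachable":
                detail = urlsplit(detail).hostname  # keep the host, drop the token
            item = (category, detail, step)
            if item not in findings:
                findings.append(item)
    return findings

def root_causes(findings):
    # The rate limit is only reported when no underlying failure is in the log.
    causes = [f for f in findings if f[0] != "rate_limited"]
    return causes or findings

# Constructed sample in the format shown above (example.com, made-up tokens).
SAMPLE = """\
Failed to renew certificate example.com with error: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new order :: too many failed authorizations recently
  Detail: Fetching http://example.com/.well-known/acme-challenge/AAAA: Timeout during connect (likely firewall problem)
  Detail: Fetching http://www.example.com/.well-known/acme-challenge/BBBB: Timeout during connect (likely firewall problem)
  Detail: Fetching http://example.com/.well-known/acme-challenge/CCCC: Timeout during connect (likely firewall problem)
Failed to renew certificate example.com with error: Problem binding to port 80: [WinError 10013] An attempt was made to access a socket in a way forbidden by its access permissions
"""

if __name__ == "__main__":
    for category, detail, step in root_causes(triage(SAMPLE)):
        print(f"{category:20} {detail:18} -> {step}")
```
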

I'd suggest that you consider using https://certifytheweb.com (which I develop) or win-acme as these can both work alongside IIS and will install a PFX in the certificate store and update IIS bindings. Certbot is optimised for use with things like Apache and nginx.

1 Like