Certbot Stuck in the Same Renew Error

Hi, time to renew again, same error as last time. I used to make attempts to renew in the past and never ran into the time limits or got blocked by "too many renew attempts":

An unexpected error occurred:
There were too many requests of a given type :: Error creating new authz :: 
Too many failed authorizations 
recently.

Yes, I have turned AT&T IPv6 off!
Yes, I know, I have a pesky AT&T router with certain limitations!

In all instances I can see the process running through and the /.well-known/acme-challenge directory being created, only to disappear right under my eyes, and Certbot falsely claiming that it could not connect to the server.

Failed authorization procedure. bonsi.org (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://bonsi.org/.well-known/acme-challenge/hLEwrby_2NGcc67On3E78MCG-9sOdvzn4pc7Qf1Lt2I: Timeout

IMPORTANT NOTES:

Logs are available upon request!
Ideas? Questions? Welcome!

Ha, the procedure to renew is the same:

root# cd /Users/User2/letsencrypt
[server:~/letsencrypt] root# ./certbot-auto certonly --webroot --webroot-path /Users/User2/Sites/ --email webmaster@bonsi.org -d bonsi.org -d www.bonsi.org
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
An unexpected error occurred:

PS: I almost forgot to mention: the computer has been upgraded from Mavericks to OS X High Sierra v10.13.2

Your web server is accessible over IPv4 but not IPv6.

curl -I -4 bonsi.org
HTTP/1.1 302 Found
Date: Mon, 11 Dec 2017 07:33:30 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
Location: https://bonsi.org/
Content-Type: text/html; charset=iso-8859-1
nc -vvv -6 bonsi.org 80
Ncat: Version 6.40 ( http://nmap.org/ncat )
libnsock nsi_new2(): nsi_new (IOD #1)
libnsock nsock_connect_tcp(): TCP connection requested to 2602:306:ce87:4da0::2:80 (IOD #1) EID 8
libnsock nsock_trace_handler_callback(): Callback: CONNECT TIMEOUT for EID 8 [2602:306:ce87:4da0::2:80]
Ncat: Connection to 2602:306:ce87:4da0::2 failed: Connection timed out.
Ncat: Trying next address...
libnsock nsock_connect_tcp(): TCP connection requested to 2602:306:ce87:4da0::3:80 (IOD #1) EID 16
libnsock nsock_trace_handler_callback(): Callback: CONNECT TIMEOUT for EID 16 [2602:306:ce87:4da0::3:80]
Ncat: Connection to 2602:306:ce87:4da0::3 failed: Connection timed out.
Ncat: Trying next address...
libnsock nsock_connect_tcp(): TCP connection requested to 2602:306:ce87:4da0::4:80 (IOD #1) EID 24
libnsock nsock_trace_handler_callback(): Callback: CONNECT TIMEOUT for EID 24 [2602:306:ce87:4da0::4:80]
Ncat: Connection timed out.

If you turned IPv6 off then you also need to withdraw the AAAA records for your domain(s):

dig bonsi.org aaaa +short
2602:306:ce87:4da0::2
2602:306:ce87:4da0::3
2602:306:ce87:4da0::1 

In this case it is not Certbot that cannot connect, but rather the Let's Encrypt validation server(s), which connect from an external network. They could not connect because they tried to follow the AAAA records present on the domain.

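The point above (the validators connect from outside and follow whatever A/AAAA records are published, so a dead AAAA record makes HTTP-01 time out even though the IPv4 side works) can be checked before running Certbot. The script below is an added example, not part of this thread and not Certbot or Let's Encrypt code: it resolves the domain's A and AAAA records and tries TCP/80 on every published address, AAAA first, and reports any record that would make an external validation time out. The sample records (192.0.2.10, 2001:db8:1::2 and so on) are constructed from documentation prefixes; the `preflight` function can also be run against a real domain with the live resolver and probe. Run it from a machine outside your own network: as the thread shows, `nc` on the server itself succeeded over `lo0` while the same addresses were unreachable from the Internet.

```python
# Added example, not from the thread: a pre-flight check for HTTP-01 that
# mirrors what the Let's Encrypt validators do from outside - resolve the
# domain's A and AAAA records and try TCP/80 on every published address.
import socket
from typing import Callable, Dict, List, Tuple

Records = Dict[str, List[str]]
Probe = Callable[[str], bool]


def resolve_live(domain: str) -> Records:
    """Resolve A and AAAA records with the system stub resolver."""
    records: Records = {"A": [], "AAAA": []}
    for family, _, _, _, sockaddr in socket.getaddrinfo(
        domain, 80, proto=socket.IPPROTO_TCP
    ):
        rtype = "AAAA" if family == socket.AF_INET6 else "A"
        if sockaddr[0] not in records[rtype]:
            records[rtype].append(sockaddr[0])
    return records


def tcp80_live(addr: str, timeout: float = 5.0) -> bool:
    """Open a TCP connection to port 80 on one literal IPv4 or IPv6 address."""
    family = socket.AF_INET6 if ":" in addr else socket.AF_INET
    try:
        with socket.socket(family, socket.SOCK_STREAM) as sock:
            sock.settimeout(timeout)
            sock.connect((addr, 80))
        return True
    except OSError:
        return False


def preflight(domain: str, resolver=resolve_live, probe: Probe = tcp80_live) -> dict:
    """Classify every published address as reachable or not and list the
    records that would make an external HTTP-01 validation time out."""
    records = resolver(domain)
    reachable: List[Tuple[str, str]] = []
    unreachable: List[Tuple[str, str]] = []
    # AAAA first: a validator that prefers IPv6 tries these addresses first.
    for rtype in ("AAAA", "A"):
        for addr in records.get(rtype, []):
            (reachable if probe(addr) else unreachable).append((rtype, addr))
    problems: List[str] = []
    if not reachable and not unreachable:
        problems.append(f"no A or AAAA records published for {domain}")
    for rtype, addr in unreachable:
        problems.append(
            f"{rtype} record {addr} does not accept TCP/80: withdraw the record "
            f"or make the host reachable on that address"
        )
    return {
        "domain": domain,
        "reachable": reachable,
        "unreachable": unreachable,
        "problems": problems,
        "ok": not problems,
    }


# Constructed sample reproducing the thread's situation: AAAA records are
# still published but the IPv6 addresses are dead from outside, IPv4 works.
# Documentation prefixes (RFC 5737 / RFC 3849) stand in for the real hosts.
SAMPLE_RECORDS: Records = {
    "A": ["192.0.2.10"],
    "AAAA": ["2001:db8:1::2", "2001:db8:1::3", "2001:db8:1::4"],
}


def sample_resolver(domain: str) -> Records:
    return SAMPLE_RECORDS


def sample_probe(addr: str) -> bool:
    # Only the IPv4 address answers in the constructed sample.
    return ":" not in addr


def demo() -> Tuple[dict, dict]:
    """Report before and after the AAAA records are withdrawn."""
    before = preflight("example.org", sample_resolver, sample_probe)
    fixed = dict(SAMPLE_RECORDS, AAAA=[])  # what withdrawing the AAAA records yields
    after = preflight("example.org", lambda d: fixed, sample_probe)
    return before, after


if __name__ == "__main__":
    for report in demo():
        print(report)
```

The "before" report flags each of the three IPv6 addresses as a record to withdraw or fix; the "after" report, with the AAAA records gone, is clean. With the defaults (`resolve_live`, `tcp80_live`) the same function checks a real domain; a host that has no IPv6 connectivity itself will report every AAAA address as unreachable, which is one more reason to run it from outside.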

Thanks for the heads up @_az!
This is nuts! OK, let's try with IPv6 on:
root# nc -vvv -6 bonsi.org 80
found 0 associations
found 1 connections:
1: flags=82<CONNECTED,PREFERRED>
outif lo0
src 2602:306:ce87:4da0::3 port 59696
dst 2602:306:ce87:4da0::3 port 80
rank info not available
TCP aux info available

Connection to bonsi.org port 80 [tcp/http] succeeded!

root# dig AAAA bonsi.org

; <<>> DiG 9.10.3 <<>> AAAA bonsi.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27358
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 7, ADDITIONAL: 5

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;bonsi.org.			IN	AAAA

;; ANSWER SECTION:
bonsi.org.		21519	IN	AAAA	2602:306:ce87:4da0::3
bonsi.org.		21519	IN	AAAA	2602:306:ce87:4da0::4
bonsi.org.		21519	IN	AAAA	2602:306:ce87:4da0::2

;; AUTHORITY SECTION:
bonsi.org.		45457	IN	NS	ns-cloud-b3.googledomains.com.
bonsi.org.		45457	IN	NS	ns-cloud-b1.googledomains.com.
bonsi.org.		45457	IN	NS	ns2.bonsi.org.
bonsi.org.		45457	IN	NS	ns-cloud-b2.googledomains.com.
bonsi.org.		45457	IN	NS	ns3.bonsi.org.
bonsi.org.		45457	IN	NS	ns-cloud-b4.googledomains.com.
bonsi.org.		45457	IN	NS	ns1.bonsi.org.

;; ADDITIONAL SECTION:
ns-cloud-b1.googledomains.com. 71342 IN	A	216.239.32.107
ns-cloud-b2.googledomains.com. 105184 IN A	216.239.34.107
ns-cloud-b3.googledomains.com. 105184 IN A	216.239.36.107
ns-cloud-b4.googledomains.com. 105184 IN A	216.239.38.107

Tried again and failed, with IPv6 responding OK on the server.
IMPORTANT NOTES:

Sure, it works for me now as well.

As soon as the failed authorizations rate limit drops off (I believe the window is hourly), you should be able to get a successful renewal.

Edit: I see your edit. Looks like the challenge file is not being served as expected, so you would need to check your webroot setup etc. But this is a new issue.

I will have to go to the registrar and delete all the IPv6 entries. It is really nuts!
I am going to get some sleep! Maybe tomorrow we can get a reasonable answer from the developers!
Thanks @_az!

OK, I tried going the long way by issuing the manual command:

[server:~/letsencrypt] root# ./letsencrypt-auto certonly -a manual --rsa-key-size 4096 -d bonsi.org -d www.bonsi.org
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for bonsi.org
http-01 challenge for www.bonsi.org


NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?


(Y)es/(N)o: Y


Create a file containing just this data:

DQg3iCiG8Fbp8nPqDDgJzoTmQ4EKUHwaW3QlRgtvJgg.leJ_vnpQW_xnlf_bfhHOTIcIOw4nJHvTHLKOHHJmHQI

And make it available on your web server at this URL:

Link was removed! ... no longer valid!


Press Enter to Continue


Create a file containing just this data:

-Tnegwo0LoJSP7PwOEM0OPAjDHUDfzMUni7a3RG26PQ.leJ_vnpQW_xnlf_bfhHOTIcIOw4nJHvTHLKOHHJmHQI

And make it available on your web server at this URL:

Link was removed! ... no longer valid!


Press Enter to Continue
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. bonsi.org (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching

Link was removed! ... no longer valid!

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: bonsi.org
    Type: connection
    Detail: Fetching

Link was removed! ... no longer valid!

Timeout

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.

Obs: When I click on these challenge links, I do not see any timeouts connecting to the server.

Link was removed! ... no longer valid!

Even trying without the "https" does not present any problems:

Link was removed! ... no longer valid!

These links have been tested both using a normal browser and Tor, and neither presented any problems connecting from my end...

  • Could you please test these links and let me know if you have any issues or "timeouts"? Thanks!

Later note: Since the validation already happened, I will have to remove the links from here so they won't become dead links forever!

Looks fine to me. No DNS problems, no IPv6, I get a fast reply from multiple locations.

Maybe @cpu can take a look from the Let’s Encrypt perspective.


Thanks for getting back to the thread @_az! Much appreciated!

Daniel, @cpu it is fine, I got them all renewed. I am not sure what the final issue was... Maybe it was removing the entries for IPv6 at the parent registrar, something that I find very excessive.

Imagine someone with lots of domains. Ugh! At the end of the process it was something that I think is related to permissions. I still think Certbot should have something like "Trying IPv6 ... not ready ... skipping ... trying IPv4, IPv4 OK! Validating through challenge, domain OK!, done!"

Here is the resulting Terminal input/output:

[server:~/letsencrypt] root# ./certbot-auto certonly --webroot --webroot-path /Users/User2/Sites/ --email webmaster@bonsi.org -d bonsi.org -d www.bonsi.org
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for bonsi.org
http-01 challenge for www.bonsi.org
Using the webroot path /Users/User2/Sites for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Unable to clean up challenge directory /Users/User2/Sites/.well-known/acme-challenge

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/bonsi.org/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/bonsi.org/privkey.pem
    Your cert will expire on 2018-03-12. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot-auto
    again. To non-interactively renew all of your certificates, run
    "certbot-auto renew"

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let's Encrypt: Donate - Let's Encrypt
    Donating to EFF: Support EFF's Work on Let's Encrypt | Electronic Frontier Foundation

Thanks again @_az!

