Certbot with Apache - New Certificates Obtained but Apache Not Restarted So They Are Not in Use

Hi guys,

I am pretty happy with my lets-encrypt and just checked on my cert and tried to install a cron for the renew process. However, I got an error during my dry run and need some help from you guys.

The error is “Attempting to renew cert from /etc/letsencrypt/renewal/e-familynet.com.conf produced an unexpected error: Failed authorization procedure. e-familynet.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to 216.144.253.186:443 for tls-sni-01 challenge. Skipping.”

I already checked my domain with nslookup and all looks good to me. Also, a couple of thousand users are online every day, so it should be all good there. I also checked port 443, which is also open and fine. I guess otherwise my site would not be open with https anyway.

Any tip for me in this case? thx in advance…

Hi @floripaoliver,

Could you fill in the form that comes up when you create a Help topic? For example, it asks what command you ran, which is an important question in order to help you here.

Hi, thx for your reply. I actually did not see this form before… sorry, I filled it out now.

My domain is: e-familynet.com

I ran this command: certbot-auto renew --dry-run

It produced this output:

/root/.local/share/letsencrypt/lib/python2.6/site-packages/cryptography/__init__.py:26: DeprecationWarning: Python 2.6 is no longer supported by the Python core team, please upgrade your Python. A future
version of cryptography will drop support for Python 2.6
  DeprecationWarning
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/e-familynet.com.conf
-------------------------------------------------------------------------------
Cert not due for renewal, but simulating renewal for dry run
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for e-familynet.com
tls-sni-01 challenge for www.e-familynet.com
Waiting for verification...
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/e-familynet.com.conf produced an unexpected error: Failed authorization procedure. e-familynet.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to 216.144.253.186:443 for tls-sni-01 challenge. Skipping.

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/www.e-familynet.com.conf
-------------------------------------------------------------------------------
Cert not due for renewal, but simulating renewal for dry run
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for www.e-familynet.com
Waiting for verification...
Cleaning up challenges

-------------------------------------------------------------------------------
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/www.e-familynet.com/fullchain.pem
-------------------------------------------------------------------------------
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

The following certs were successfully renewed:
  /etc/letsencrypt/live/www.e-familynet.com/fullchain.pem (success)

The following certs could not be renewed:
  /etc/letsencrypt/live/e-familynet.com/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: e-familynet.com
   Type:   connection
   Detail: Failed to connect to 216.144.253.186:443 for tls-sni-01
   challenge

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

My web server is (include version): Apache

The operating system my web server runs on is (include version): CentOS release 6.5 (Final)

My hosting provider, if applicable, is: None, my own dedicated server

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

Thank you for your help in advance…

Hi @floripaoliver, thanks for the additional information.

I’ve never seen this particular error in a situation where there’s a working HTTPS site (and I succeed in connecting to https://www.e-familynet.com/ on port 443 in a browser using the same IP address that appeared in the error message).

@jsha @cpu, do you think you could check if something strange is going on with routing here? This is a TLS-SNI-01 “failed to connect” error, yet the existing site appears to load at the very same IP address (216.144.253.186) with HTTPS in a browser. (Using the staging server, not production.)

@floripaoliver, if that’s your only certificate, you could also try certbot renew --force-renew to force a renewal attempt using the production (not test) server. If you have only this one certificate, doing this one shouldn’t cause any troubles with rate limiting. This would show if there’s any difference in behavior between the test (staging) and production servers.

Using certbot renew --force-renew isn’t advisable in cron jobs or if you have many different certificates, because then it’s likely to trigger Let’s Encrypt rate limits.

Hi, thx for your feedback. I am a little bit confused now. I have to say I am anything but a pro with all this, but I try to follow all tips. My confusion is about the production or testing server. I do not have any testing or staging server. This machine is my only server and therefore the production environment.

If I use the --force-renew command I need to be sure I don't mess this working cert up, because this site has about 100,000 visits/day and in the meanwhile is 100% on https, so if something goes wrong now with the cert I am pretty much in trouble.

Can I use the --force-renew without the danger that after this nothing works anymore, neither the old or renewed one?

Also interesting is that certbot tries to process 2 configs (www.e-familynet.com and e-familynet.com), but I actually have only one .conf configured in my apache. Only the e-familynet.com.conf exists. And even stranger to me is that the second process for www.e-familynet.com seems to work fine. My site is actually only running on www and I even rewrite everything else to www, so maybe I am fine anyway since the renew for www.e-familynet.com seems to go through and I might not even care for the version without www.

If you want to have a close look at my server, get in touch with me by private message and I can give you access to my server as well.

thanks again

[quote="floripaoliver, post:6, topic:35196"]
Hi, thx for your feedback. I am a little bit confused now. I have to say I am anything but a pro with all this, but I try to follow all tips. My confusion is about the production or testing server. I do not have any testing or staging server. This machine is my only server and therefore the production environment. [/quote]

Sorry, I was referring to the Let's Encrypt staging server. Whenever you use --dry-run, a different (testing) certificate authority is contacted instead of the normal public certificate authority. We call these the staging and production CAs. It doesn't refer to staging or production infrastructure of users.

Well, maybe we should hear more about your setup just to understand whether there's any specific risk.

For example, did you intend to have two separate certificates for www.e-familynet.com and e-familynet.com? It seems that you have at least one certificate that already covers both names, so it's possible that the certificate that's failing to renew is redundant and unnecessary! (You could get more information about the two certificates with certbot-auto certificates.)

However, I should point out that even the --dry-run with the Apache plugin that you are apparently using is already modifying your web server configuration and restarting the server and so the level of risk you've been taking with this experiment is already non-zero. Obviously we try to make Certbot as safe and correct as possible, so we don't expect that it will cause your web server to go down, but the tests you're doing are already involving server restarts and configuration changes, because that's how the Apache plugin works!

Hi again,

Okay, I got it to work now with your tips and some fiddling :slight_smile:

First, to answer your question: Nope, I did not intend to have two separate certs for my domain. In fact I only use www anyway and even use mod-rewrite to always rewrite anything else like xxx.domain or http://domain to my www. This means nobody ever uses http://domain, which seems to be the cert that does not want to renew.

So here is what I did.

I checked the /etc/letsencrypt directory and deleted the cert for e-familynet.com (without the www) from all folders which had something to do with this cert. Then I also made sure that the httpd/conf/sites config file for the domain reads the correct letsencrypt certs (which it did not). My conf did point to the e-familynet.com version without the www, but the cert for www was present in the letsencrypt folder. I think I messed something up when I first tried to install it all.

Again, I am not half a pro in this area and I am happy I survive with the help of guys like you :slight_smile:
Once I deleted the e-familynet.com cert and edited my conf to use the www cert, I tried the --dry-run version again and it went through without a problem.

Now it shows:

/root/.local/share/letsencrypt/lib/python2.6/site-packages/cryptography/__init__.py:26: DeprecationWarning: Python 2.6 is no longer supported by the Python core team, please upgrade your Python. A future version of cryptography will drop support for Python 2.6
  DeprecationWarning
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/www.e-familynet.com.conf
-------------------------------------------------------------------------------
Cert not due for renewal, but simulating renewal for dry run
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for www.e-familynet.com
Waiting for verification...
Cleaning up challenges

-------------------------------------------------------------------------------
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/www.e-familynet.com/fullchain.pem
-------------------------------------------------------------------------------
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/www.e-familynet.com/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)

I guess I am fine now and can add this as a cronjob as described in your docs to make sure my cert is always active.

Thank you so much for your great support here, I really appreciate it. thx

One more thing… do I need to restart apache every time I renew the cert, or is this not needed?

Apache doesn’t know to check for new certificates, so you do have to do something so that it picks them up.

Many people would use something like

--renew-hook "service apache2 graceful"

in the certbot renew command. This command is run at the end only if a renewal occurs.
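
Added example, not from the thread and not Certbot's or Apache's own code: a hook script for --renew-hook (called --deploy-hook in later Certbot releases) that does a little more than a bare "service ... graceful". It assumes the CentOS service name httpd (the reply above uses Debian's apache2 name; the original poster is on CentOS 6.5), a vhost config file whose path you pass in the hypothetical APACHE_SSL_CONF variable (the default in the script is a guess, not the httpd/conf/sites file mentioned earlier), and the RENEWED_LINEAGE and RENEWED_DOMAINS variables that Certbot exports to its hooks. Before reloading, it checks that the Apache config actually references the lineage that just renewed (the mismatch the original poster fixed by hand earlier in this thread), runs apachectl configtest so a broken config never takes the site down, and after the graceful reload compares the SHA-256 fingerprint of the leaf in fullchain.pem with the one the server presents on port 443, which is the direct test for the problem in this thread's title.

```sh
#!/bin/sh
# Added example; not code from the thread, from Certbot or from Apache.
# Intended use:  certbot renew --renew-hook /usr/local/sbin/le-apache-hook.sh
# (--deploy-hook on newer Certbot). Assumptions, not stated in the thread:
#   - CentOS-style service name "httpd" (the forum reply used Debian's "apache2")
#   - the vhost file path comes from the hypothetical APACHE_SSL_CONF variable;
#     the default below is a guess, adjust it to your own vhost file
#   - Certbot exports RENEWED_LINEAGE and RENEWED_DOMAINS to hooks (it does)

# Print "Directive /path" for every certificate/key directive in an Apache config.
# Pure awk, so it can be exercised without Apache or OpenSSL installed.
apache_ssl_paths() {
    awk '/^[[:space:]]*SSLCertificate(File|KeyFile|ChainFile)[[:space:]]/ { print $1, $2 }' "$1"
}

# Return 0 only if every cert/key path in config $1 exists AND lives under the
# lineage directory $2 (e.g. /etc/letsencrypt/live/www.example.com). This is the
# mistake fixed in the thread: Apache pointing at a lineage other than the one
# Certbot renews, so the renewed certificate is never the one being served.
check_apache_ssl_paths() {
    conf=$1; lineage=$2; bad=0
    for path in $(apache_ssl_paths "$conf" | awk '{ print $2 }'); do
        case $path in
            "$lineage"/*) ;;
            *) echo "wrong lineage: $path (expected under $lineage)" >&2; bad=1 ;;
        esac
        [ -e "$path" ] || { echo "missing file: $path" >&2; bad=1; }
    done
    return $bad
}

# SHA-256 fingerprint of the leaf in a fullchain.pem (Certbot writes the leaf first,
# and "openssl x509" reads only the first certificate in the file).
disk_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# SHA-256 fingerprint of the leaf the live server actually presents for this SNI name.
served_fingerprint() {
    printf '' | openssl s_client -connect "$1:${2:-443}" -servername "$1" 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# The hook proper: refuse to reload on a misconfigured or broken config, reload
# gracefully, then prove that :443 now serves the renewed certificate.
deploy_hook() {
    lineage=${RENEWED_LINEAGE:?certbot sets RENEWED_LINEAGE for renew/deploy hooks}
    host=${RENEWED_DOMAINS%% *}                           # first renewed name, used as SNI
    conf=${APACHE_SSL_CONF:-/etc/httpd/conf.d/ssl.conf}   # assumption: your vhost file

    check_apache_ssl_paths "$conf" "$lineage" \
        || { echo "refusing reload: $conf does not use $lineage" >&2; return 1; }
    apachectl configtest \
        || { echo "refusing reload: apachectl configtest failed" >&2; return 1; }
    service httpd graceful || return 1
    sleep 2                                               # let the new children take over

    want=$(disk_fingerprint "$lineage/fullchain.pem")
    got=$(served_fingerprint "$host" 443)
    if [ "$want" = "$got" ]; then
        echo "ok: $host now serves $want"
    else
        echo "MISMATCH for $host: disk=$want served=$got" >&2
        return 1
    fi
}

# Only run the hook when invoked as "le-apache-hook.sh run", so the functions above
# can be sourced and checked on their own.
if [ "${1:-}" = run ]; then
    deploy_hook
fi
```

A non-zero exit from the hook makes Certbot report the hook failure in its renew output and log, which is exactly the signal that was missing in this thread: the renewal itself succeeds, but you find out immediately that the server is not serving the new certificate. The same disk-versus-served fingerprint comparison is also a useful one-off check to run by hand after any renewal.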

great… thx a lot once again… all solved for me now! great support here…
