Certificate expired and renew not working


#1

Hi all,
since I am a complete beginner when it comes to server hosting, I sadly was not able to fix this issue even though there are a lot of quite similar posts here on the board… My certificate has expired and now I tried the following:

My domain is:

https://www.entwicklercouch.de

I ran this command:

certbot renew / sudo certbot renew

It produced this output:

# certbot renew

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/www.entwicklercouch.de.conf

Cert is due for renewal, auto-renewing…
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.entwicklercouch.de
http-01 challenge for entwicklercouch.de
Waiting for verification…
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/www.entwicklercouch.de.conf produced an unexpected error: Failed authorization procedure. www.entwicklercouch.de (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://www.entwicklercouch.de/.well-known/acme-challenge/LIKpwcfRsWfAlyOgtX33JtnWL6-4h-DIvhLxaekP06k: Connection refused, entwicklercouch.de (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://entwicklercouch.de/.well-known/acme-challenge/nKCb7Jd3La5gClevMSGkQum9U0dhb2VcPFaq2zttiQw: Connection refused. Skipping.

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/www.entwicklercouch.de/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

My web server is (include version):

Debian 8.5 64Bit

My hosting provider, if applicable, is:

ZAP Hosting

I can login to a root shell on my machine (yes or no, or I don’t know):

yes

And here is my nginx config:

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name entwicklercouch.de www.entwicklercouch.de;
    return 301 https://$server_name$request_uri;
}

server {
    # SSL configuration
    #
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    include snippets/ssl-entwicklercouch.de.conf;
    include snippets/ssl-params.conf;
    access_log /root/log/nginx/entwicklercouch.de.log;

    # Self signed certs generated by the ssl-cert package
    # Don't use them in a production server!
    #
    # include snippets/snakeoil.conf;

    # Add index.php to the list if you are using PHP

    location ~ /.well-known {
        allow all;
    }
    location /sockettest/ {
        root /root/webserver/sockettest;
        index index.html index.htm;
    }
    location /alexa-api/ {
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_pass http://localhost:3000;
    }

    location /alexa-skill/ {
        proxy_pass http://localhost:3009;
    }

    location /bamboo/ {
        proxy_pass http://localhost:8085;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_redirect off;
    }

    location / {
        proxy_pass http://localhost:8080;
        root /root/webserver/app/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}   # end of the HTTPS server block

Please help me with this :frowning: I really have no idea what I am doing wrong


#2

Hi @messerbill

is there a firewall or something else? Port 80 doesn’t work.

This site can’t be reached
www.entwicklercouch.de refused to connect.

Port 80 must be open.

Actually, there is a self-signed certificate, not an older Let's Encrypt certificate.


#3

Is nginx running at all? Because most of the time, when some port (in this case 80) is filtered by a firewall, the client would get a timeout (because all packets are silently dropped).

However, in your case, your server replies to the client with an “active” “go away” kind of signal, causing the “connection refused” error.

And with the tip of @JuergenAuer above: what is actually running on port 443? Because it doesn’t seem to be the nginx configuration you’ve posted here.


#4

Hi, thanks for the fast reply. Maybe nginx really is not working:

systemctl restart nginx

leads to

Job for nginx.service failed. See ‘systemctl status nginx.service’ and ‘journalctl -xn’ for details.

while

systemctl status nginx.service

shows

~# systemctl status nginx.service
● nginx.service - A high performance web server and a reverse proxy server
Loaded: loaded (/lib/systemd/system/nginx.service; enabled)
Active: failed (Result: exit-code) since So 2018-06-24 17:01:53 CEST; 1min 59s ago
Process: 18324 ExecStop=/sbin/start-stop-daemon --quiet --stop --retry QUIT/5 --pidfile /run/nginx.pid (code=exited, status=0/SUCCESS)
Process: 9555 ExecReload=/usr/sbin/nginx -g daemon on; master_process on; -s reload (code=exited, status=0/SUCCESS)
Process: 18521 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=exited, status=1/FAILURE)
Process: 18519 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
Main PID: 6293 (code=exited, status=0/SUCCESS)

Jun 24 17:01:52 rs-zap336199-1.zap-srv.com nginx[18521]: nginx: [emerg] bind() to 0.0.0.0:443 failed (98: Address already in use)
Jun 24 17:01:52 rs-zap336199-1.zap-srv.com nginx[18521]: nginx: [emerg] bind() to [::]:443 failed (98: Address already in use)
Jun 24 17:01:52 rs-zap336199-1.zap-srv.com nginx[18521]: nginx: [emerg] bind() to 0.0.0.0:443 failed (98: Address already in use)
Jun 24 17:01:52 rs-zap336199-1.zap-srv.com nginx[18521]: nginx: [emerg] bind() to [::]:443 failed (98: Address already in use)
Jun 24 17:01:53 rs-zap336199-1.zap-srv.com nginx[18521]: nginx: [emerg] bind() to 0.0.0.0:443 failed (98: Address already in use)
Jun 24 17:01:53 rs-zap336199-1.zap-srv.com nginx[18521]: nginx: [emerg] bind() to [::]:443 failed (98: Address already in use)
Jun 24 17:01:53 rs-zap336199-1.zap-srv.com nginx[18521]: nginx: [emerg] still could not bind()
Jun 24 17:01:53 rs-zap336199-1.zap-srv.com systemd[1]: nginx.service: control process exited, code=exited status=1
Jun 24 17:01:53 rs-zap336199-1.zap-srv.com systemd[1]: Failed to start A high performance web server and a reverse proxy server.
Jun 24 17:01:53 rs-zap336199-1.zap-srv.com systemd[1]: Unit nginx.service entered failed state.

Why is it already in use and why can't it be restarted?

greetings


#6

Hi,

Can you try netstat -l | grep "443" to see what is binding to your https port currently?

Thank you


#7

Hi stevenzhu,
netstat -l | grep "443" returns an empty list. So it seems that nginx is not running… but how can I start it again?

Edit:

maybe this helps you?

~# netstat -l | grep "80"
unix 2 [ ACC ] STREAM LISTENING 8042 /run/rpcbind.sock


#8

Hi @messerbill,

You should use the switch -n so the command shows the port number instead of the service name.

netstat -ln | grep 443

Cheers,
sahsanu


#9

Hi, I was busy during the last days so I've had no time.

netstat -ln | grep 443 shows:

tcp6 0 0 :::443 :::* LISTEN

is this correct?


#10

On port 443, there is a website:

Moneygame Control Panel
Moneygame Admin Tool (MAT) Documentation Game-Client

I’ve accepted the self signed certificate. There is no AAAA-record, so tcp6 can’t see the server.


#11

OK, and how do I set the AAAA record? And how could you access the web pages?


#12

You don't need an AAAA record. If you had one, you would need to have a listener. No AAAA record -> no listener needed.

Open https://www.entwicklercouch.de/ and accept the certificate.


#13

Chrome does not give me the possibility to accept the certificate (Firefox doesn't either). And I'd still love to renew the certificate again. 5 min ago I tried certbot renew again and I now receive:

Attempting to renew cert from /etc/letsencrypt/renewal/www.entwicklercouch.de.conf produced an unexpected error: Failed authorization procedure. www.entwicklercouch.de (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://www.entwicklercouch.de/.well-known/acme-challenge/kjMZc60QzvXnf8L8XqOdIh6OhTCPWSZORnOyzYLoobY: Connection refused, entwicklercouch.de (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://entwicklercouch.de/.well-known/acme-challenge/S3-Y2Ua0lhvec88WcbZHEJlCPgloHv_JXAMg5rD-lNI: Connection refused. Skipping.

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/www.entwicklercouch.de/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

but the webserver seems to be running:

root@rs-zap336199-1:~# netstat -ln | grep 443
tcp6 0 0 :::443 :::* LISTEN
root@rs-zap336199-1:~# netstat -ln | grep 80
tcp6 0 0 :::8080 :::* LISTEN
unix 2 [ ACC ] STREAM HÖRT 8042 /run/rpcbind.sock
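The `netstat -ln | grep 80` output above matches 8080 and the "8042" of the rpcbind unix socket, but nothing on port 80 itself. The following is an added example (my own code, not from any poster in this thread) that parses `netstat -ln` output and compares the port as a number instead of as a substring; the sample output is constructed from the lines posted here plus one IPv4 sshd line that is not on the page.

```python
"""Added example: parse `netstat -ln` output with exact port matching.

A substring grep for "80" also hits 8080 and 8042; this helper extracts the
port number from the local-address column and compares it exactly.
"""
import re
from typing import List, NamedTuple


class Listener(NamedTuple):
    proto: str     # "tcp" or "tcp6"
    address: str   # local address: "0.0.0.0", "::", "127.0.0.1", ...
    port: int


# Constructed sample modelled on the netstat lines posted in this thread,
# plus one IPv4 line (sshd on port 22) that is not on the page.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp6       0      0 :::443                  :::*                    LISTEN
tcp6       0      0 :::8080                 :::*                    LISTEN
unix  2      [ ACC ]     STREAM     LISTENING     8042     /run/rpcbind.sock
"""

# proto, recv-q, send-q, local address; the rest of the line is ignored,
# so a localized State column ("LISTEN" vs "HÖRT") does not matter
_TCP_LINE = re.compile(r"^(tcp6?)\s+\d+\s+\d+\s+(\S+)")


def parse_listeners(output: str) -> List[Listener]:
    """One Listener per tcp/tcp6 line; headers and unix sockets are skipped."""
    found = []
    for line in output.splitlines():
        m = _TCP_LINE.match(line)
        if not m:
            continue
        proto, local = m.groups()
        address, _, port = local.rpartition(":")  # works for "0.0.0.0:22" and ":::443"
        found.append(Listener(proto, address, int(port)))
    return found


def listeners_on_port(output: str, port: int) -> List[Listener]:
    """Exact match on the port number, unlike a substring grep."""
    return [l for l in parse_listeners(output) if l.port == port]


def describe_port(output: str, port: int) -> str:
    """Human-readable verdict for one port, e.g. for the http-01 port 80."""
    hits = listeners_on_port(output, port)
    if not hits:
        return f"port {port}: nothing is listening"
    where = ", ".join(f"{l.proto} {l.address}" for l in hits)
    return f"port {port}: listening ({where})"


if __name__ == "__main__":
    for p in (80, 443, 8080):
        print(describe_port(SAMPLE_NETSTAT, p))
```

Run it against real output with `netstat -ln | python3 check_ports.py` after replacing the sample with `sys.stdin.read()`. One caveat on the `tcp6` lines: on Linux a socket bound to `::` also accepts IPv4 connections unless `net.ipv6.bindv6only` is set to 1, so a `tcp6`-only listing does not by itself prove that IPv4 clients are turned away; confirm with an actual connection attempt.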


#14

If you want to use http-01 validation, you have to open port 80 and you have to create a web service on port 80.

So

http://www.entwicklercouch.de/

must work. Not Port 8080 + tcp6.
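To check this before running certbot again, here is an added example (my own code, not from any poster in this thread and not part of certbot) that does what the CA's validator does: a plain-HTTP GET of `/.well-known/acme-challenge/<token>` on port 80, and then classifies the result so that "connection refused" (nothing listening, as in this thread) can be told apart from a silent firewall drop (timeout), a 404 or redirect, and a wrong site answering. The domain `www.example.invalid`, the token and the local throwaway web server in `demo()` are constructed for the demonstration; against a real host you would call `probe_http01("www.example.com", token)` with a token file you placed in the web root yourself.

```python
"""Added example: a pre-flight check for an ACME http-01 challenge.

It issues the same request the CA's validator does (plain HTTP, port 80,
GET /.well-known/acme-challenge/<token>) and names the failure mode.
"""
import http.client
import os
import socket
import tempfile
import threading
from enum import Enum
from functools import partial
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer
from typing import Optional


class Http01Result(Enum):
    OK = "ok"                      # token served: the validator can succeed
    REFUSED = "refused"            # TCP RST: no listener on the port (the error in this thread)
    TIMEOUT = "timeout"            # packets dropped silently: typical of a filtering firewall
    UNREACHABLE = "unreachable"    # other socket error (no route, DNS failure, ...)
    WRONG_STATUS = "wrong_status"  # a service answered, but not with 200 (404, 301, ...)
    WRONG_BODY = "wrong_body"      # 200 but different content: another site answered


def probe_http01(domain: str, token: str, port: int = 80,
                 connect_to: Optional[str] = None, timeout: float = 5.0) -> Http01Result:
    """Fetch the challenge URL the way the validator would and classify the outcome.

    `connect_to` lets you hit a specific address while still sending the real
    Host header, e.g. to test the server from itself before DNS is right.
    """
    path = f"/.well-known/acme-challenge/{token}"
    conn = http.client.HTTPConnection(connect_to or domain, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": domain})
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", "replace").strip()
    except ConnectionRefusedError:
        return Http01Result.REFUSED
    except socket.timeout:
        return Http01Result.TIMEOUT
    except OSError:
        return Http01Result.UNREACHABLE
    finally:
        conn.close()
    if resp.status != 200:
        # Let's Encrypt follows redirects, so a 301 here is not fatal by itself,
        # but it is worth checking where it leads; a 404 means the file is not served.
        return Http01Result.WRONG_STATUS
    if body != token:
        return Http01Result.WRONG_BODY
    return Http01Result.OK


# --- local demo: a throwaway web root served on 127.0.0.1 (constructed, not a real CA) ---

class _QuietHandler(SimpleHTTPRequestHandler):
    def log_message(self, *args):  # silence per-request logging
        pass


def serve_token_locally(token: str):
    """Write the token file into a temp web root and serve it on a random port."""
    root = tempfile.mkdtemp()
    challenge_dir = os.path.join(root, ".well-known", "acme-challenge")
    os.makedirs(challenge_dir)
    with open(os.path.join(challenge_dir, token), "w") as fh:
        fh.write(token)
    server = ThreadingHTTPServer(("127.0.0.1", 0), partial(_QuietHandler, directory=root))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def unused_port() -> int:
    """A port nothing listens on, to reproduce 'connection refused'."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo():
    token = "constructed-example-token"  # constructed; real tokens come from the ACME server
    server, port = serve_token_locally(token)
    try:
        served = probe_http01("www.example.invalid", token, port, connect_to="127.0.0.1")
        missing = probe_http01("www.example.invalid", "no-such-token", port, connect_to="127.0.0.1")
    finally:
        server.shutdown()
        server.server_close()
    refused = probe_http01("www.example.invalid", token, unused_port(), connect_to="127.0.0.1")
    return served, missing, refused


if __name__ == "__main__":
    print(demo())  # (OK, WRONG_STATUS, REFUSED)
```

The point of separating REFUSED from TIMEOUT is the one made earlier in the thread: a refusal comes back immediately as a TCP reset and means the host is reachable but nothing accepts on that port (or a firewall actively rejects), whereas a timeout means packets are being dropped on the way. Either way the fix is on the server side before retrying `certbot renew`: a listener on port 80 that serves the challenge directory.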


#15

PS: Post the picture of your chrome + https://www.entwicklercouch.de/

Normally, there is an option to expand


#16

Here is a screenshot with the opened extras (usually I can accept here and say something like "visit website anyway", but not in this case)


#17

Hi,

That's weird (since you don't have HSTS configured but you are forced to use HSTS…)

You could remove that HSTS flag by going to chrome://net-internal, finding domain security policies, then going to clear domain policy

Thank you


#18

HSTS is a wonderful feature. But it should only be used when the certificate management process works.

Anyway: if it is not possible to use the http-01 challenge (port 80 doesn't work), check if you can switch to the dns-01 challenge (creating two DNS TXT entries).


#19

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.