Certificate renew fails

Hello,

I have trouble renewing my certificate.
I am using a VM (the certificate is for this VM) on my Synology NAS.
The certificate exists on the VM (Bitwarden) and the renewal failed. I tried to add this domain to a global Let's Encrypt certificate on the NAS as a sub-domain (https://crt.sh/?id=2807392590).
It was a bad idea because Bitwarden refuses to start without a valid certificate.
How can I revoke the global certificate (https://crt.sh/?id=2807392590)?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: vault.vequeau.eu

I ran this command: ./bitwarden start

It produced this output:

Processing /etc/letsencrypt/renewal/vault.vequeau.eu.conf

Cert is due for renewal, auto-renewing…
Non-interactive renewal: random delay of 180.58898340937054 seconds
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for vault.vequeau.eu
Waiting for verification…
Challenge failed for domain vault.vequeau.eu
http-01 challenge for vault.vequeau.eu
Cleaning up challenges
Attempting to renew cert (vault.vequeau.eu) from /etc/letsencrypt/renewal/vault.vequeau.eu.conf produced an unexpected error: Some challenges have failed… Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/vault.vequeau.eu/fullchain.pem (failure)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/vault.vequeau.eu/fullchain.pem (failure)

1 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:

===============
2020-05-24 06:56:18,033:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sun, 24 May 2020 06:56:24 GMT
Content-Type: application/json
Content-Length: 1004
Connection: keep-alive
Boulder-Requester: 73605716
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
Replay-Nonce: 0101Voxs0GwGN3nh4r2yC0DyweqH76HGt1ZSYOR4qYvBav4
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "vault.vequeau.eu"
  },
  "status": "invalid",
  "expires": "2020-05-31T06:56:10Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:connection",
        "detail": "Fetching http://vault.vequeau.eu/.well-known/acme-challenge/JMWDwwcElLs9qJDpB0FcpFmHiUHssZ86fytSsZY5U9k: Timeout during connect (likely firewall problem)",
        "status": 400
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/4778464255/XGzuTg",
      "token": "JMWDwwcElLs9qJDpB0FcpFmHiUHssZ86fytSsZY5U9k",
      "validationRecord": [
        {
          "url": "http://vault.vequeau.eu/.well-known/acme-challenge/JMWDwwcElLs9qJDpB0FcpFmHiUHssZ86fytSsZY5U9k",
          "hostname": "vault.vequeau.eu",
          "port": "80",
          "addressesResolved": [
            "92.139.219.252"
          ],
          "addressUsed": "92.139.219.252"
        }
      ]
    }
  ]
}

My web server is (include version): bitwarden (nginx)

The operating system my web server runs on is (include version): debian 10

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):


Hi @avk

That starts its own webserver.

That says: your domain is invisible.

Firewall? Wrong router? Is it possible to start a webserver and use that? --standalone is hard to debug.


So let's see if I got things straight:

You’re running a Synology NAS with Let’s Encrypt support, which you used to use for a certificate with multiple subdomains under the subdomain .maison.vequeau.eu but not with the vault subdomain for Bitwarden. Bitwarden used its own certbot to get a separate certificate for vault.vequeau.eu, but it’s expiring on May 31st.

On May 13th, you added the vault subdomain to the certificate used for the maison subdomain using the certbot client outside Bitwarden.

However, the certbot client inside the Bitwarden VM doesn’t know about nor use that certificate, and wants to renew its own certificate, but can’t.

Does that sound about right?

Firstly: revoking any certificate does not help you with your current problem. Revoking is only helpful for its intended purpose: when a private key has been leaked, you’re required to revoke the certificate. Any other “use” for revoking does not exist.

Secondly: there’s nothing answering on port 80 at your IP address. To validate the hostname(s), Let’s Encrypt (temporarily) needs access to port 80 from the world wide web. This needs to be port-mapped to your Synology NAS if you’re using the certbot client outside of Bitwarden, but if you want to renew the certificate inside Bitwarden, you’ll need to make sure port 80 is somehow mapped to the Bitwarden virtual machine.

Thirdly: it might be possible for Bitwarden to use the certificate on your Synology NAS, but I don’t know what kind of VM software you’re using. It’s probably easier to just let Bitwarden take care of its own certificate with just the vault subdomain.


@JuergenAuer: unfortunately, the web server requires the certificate update before starting, and to renew the certificate, Let's Encrypt needs a web server running :frowning:

@Osiris

  • your summary is good.
  • firstly: understood, thank you
  • secondly: will Let's Encrypt ask using the public IP or the domain name? Can I use a reverse proxy to forward the request?
    I only have one public IP and several hosts using Let's Encrypt
  • thirdly: that is what I am trying to do, but I don’t know if I can have several hosts using Let's Encrypt with only one public IP

Thank you in advance!


Let's Encrypt checks port 80, not port 443, so no certificate is required.

If you want a running port 443, you can install a self-signed certificate. When checking a redirect http -> https, Let's Encrypt ignores such a certificate error.


Let's Encrypt will resolve the hostname to an IP address, just like every other HTTP client on the web. It needs the IP address to be a public IP address for it to be able to connect to it. You can indeed use a reverse proxy. Requests for the vault subdomain could be rerouted to your VM internally, with all other hostnames being processed by your NAS itself.

Sure you can. Let's Encrypt uses HTTP 1.1 to retrieve the http-01 challenge file, including the HTTP Host header.

Also, what kind of VM is your Bitwarden running on?

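The two answers above (port 80 is what the validator talks to, and one public IP can serve several hostnames because the http-01 request carries the HTTP/1.1 Host header) can be put together in one nginx reverse proxy on the edge of the LAN. The configuration below is an added example written for this thread; it is not the poster's configuration and not part of Bitwarden's or Synology's own setup. The domain vault.vequeau.eu and the certbot paths under /etc/letsencrypt/live come from the thread; the VM's LAN address 10.0.0.20, the exported self-signed certificate /etc/nginx/vm-selfsigned.crt and the NAS webroot /var/www/acme are placeholders to be replaced.

```nginx
# Added example (placeholders: 10.0.0.20 = Bitwarden VM on the LAN,
# /etc/nginx/vm-selfsigned.crt = the VM's own self-signed certificate,
# /var/www/acme = webroot used for the NAS's other hostnames).

# Standard nginx WebSocket upgrade map (Bitwarden's notifications hub).
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# --- Port 80: the only port Let's Encrypt's http-01 validator contacts ---
# The validator resolves vault.vequeau.eu to the single public IP and sends
# the hostname in the Host header, so one listener can route per hostname.
server {
    listen 80;
    server_name vault.vequeau.eu;

    # Pass only the challenge path through to the VM, so the certbot that
    # Bitwarden runs with --standalone on port 80 inside the VM can renew.
    location /.well-known/acme-challenge/ {
        proxy_pass http://10.0.0.20:80;
        proxy_set_header Host $host;
    }

    # Everything else is redirected. The challenge path is matched above,
    # so the validator never goes through this redirect.
    location / {
        return 301 https://$host$request_uri;
    }
}

# Catch-all for the NAS's other hostnames on the same public IP.
server {
    listen 80 default_server;
    server_name _;

    location /.well-known/acme-challenge/ {
        root /var/www/acme;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

# --- Port 443: TLS terminated at the proxy with a Let's Encrypt cert ---
server {
    listen 443 ssl;
    server_name vault.vequeau.eu;

    ssl_certificate     /etc/letsencrypt/live/vault.vequeau.eu/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/vault.vequeau.eu/privkey.pem;

    location / {
        # The VM keeps a self-signed certificate on its own port 443.
        # nginx does not verify upstream certificates by default; pinning
        # the VM's certificate stops another LAN host from receiving the
        # vault traffic. proxy_ssl_name must match the name in that cert.
        proxy_pass https://10.0.0.20;
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/nginx/vm-selfsigned.crt;
        proxy_ssl_name vault.vequeau.eu;
        proxy_ssl_server_name on;

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}
```

The "Timeout during connect (likely firewall problem)" in the log means the validator's TCP connection to port 80 was never answered at all, so this configuration only helps once the router forwards port 80 (and 443) to the host running nginx. After that, `certbot renew --dry-run` inside the VM exercises the challenge passthrough without touching the real certificate, and `nginx -t` on the proxy checks the syntax before reloading.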

The VM is running Debian Buster.

The problem was that I needed the web server running to renew the certificate, and the web server needed to renew the certificate to start (Bitwarden requirement)…

I solved the problem by adding a reverse proxy, which has the LE certificate, in front of the VM.

Thank you for your clarifications.

