Certificate renewal after expiry


#1

Please fill out the fields below so we can help you better.

My domain is:
kronos.mondodiverso.com
I ran this command:
letsencrypt renew
letsencrypt run
letsencrypt revoke
It produced this output:

Domain: kronos.mondodiverso.com
Type: connection
Detail: Failed to connect to 178.112.9.150:443 for TLS-SNI-01 challenge

My operating system is (include version):
XUbuntu 16.04
My web server is (include version):
Apache 2.4.18
I can login to a root shell on my machine (yes or no, or I don’t know):
yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The error seems logical to me, since after the cert expired no valid SSL connection can be established.
I disabled SSL on the Apache, but letsencrypt obviously insists on renewal over SSL.

Neither run nor revoke work either.

Any ideas out there?


#2

The TLS-SNI-01 challenge does not use your site’s certificate, but rather a self-signed certificate that’s generated by the client, with a random component in it. Think of it this way: When you got your first certificate, you (probably) didn’t have a valid certificate either, and things worked anyway.

That being said, your error seems to be a general connection error, meaning no connection to port 443 was possible at all. This could be due to a firewall on your end or some ISP filtering. I noticed the IP belongs to an ISP I happen to know, and from what I recall they have a setting in their control panel that blocks all incoming connections which defaults to “off” (at least in my case). I would recommend testing basic external connectivity (telnet ftw!) to port 443 from some external VPS or through some VPN/proxy.

Note that revocation is a process to mark compromised certificates as insecure in browsers (which would be the case anyway due to the expiration date), and not a way to roll back your configuration or uninstall a certificate on your server.
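A reachability probe in the spirit of the connectivity test suggested above, added here as an example (it is not code from this thread or from the Let's Encrypt client). It uses only the Python standard library and separates the TCP-level failure reported in the original post from TLS-handshake and certificate-validation failures, the latter being the ones that do not block the challenge; `free_local_port` is a constructed helper so the script can be exercised offline against a closed loopback port.

```python
import socket
import ssl
import sys

# Stages a port-443 check can fail at. The original poster's error ("Failed to
# connect ... for TLS-SNI-01") is the first one: no TCP connection arrives at
# all, regardless of which certificate the server currently holds.
STAGE_TCP, STAGE_TLS, STAGE_VERIFY, STAGE_OK = "tcp", "tls", "verify", "ok"


def probe_tls_endpoint(host, port=443, timeout=5.0):
    """Return (stage, detail) describing how far a TLS connection gets."""
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:  # refused, timed out, unreachable: firewall/NAT territory
        return STAGE_TCP, f"no TCP connection to {host}:{port}: {exc}"
    # First handshake without validation: does the server speak TLS at all?
    lax = ssl.create_default_context()
    lax.check_hostname = False
    lax.verify_mode = ssl.CERT_NONE
    try:
        with lax.wrap_socket(raw, server_hostname=host) as tls:
            version = tls.version()
    except OSError as exc:  # ssl.SSLError is an OSError subclass
        return STAGE_TLS, f"TLS handshake failed: {exc}"
    # Second handshake with validation: is the certificate trusted and unexpired?
    strict = ssl.create_default_context()
    try:
        conn = socket.create_connection((host, port), timeout=timeout)
        with strict.wrap_socket(conn, server_hostname=host):
            pass
    except ssl.SSLCertVerificationError as exc:
        # e.g. "certificate has expired" or "self signed certificate": the server
        # is reachable, so an ACME challenge is not blocked at this stage.
        return STAGE_VERIFY, f"{version} ok, cert not trusted: {exc.verify_message}"
    except OSError as exc:
        return STAGE_TLS, f"TLS handshake failed: {exc}"
    return STAGE_OK, f"{version} handshake ok, certificate validates"


def free_local_port():
    """Pick a currently unused loopback port (constructed for the offline demo)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else free_local_port()
    stage, detail = probe_tls_endpoint(target, port)
    print(f"[{stage}] {detail}")
```

Run it once from inside the LAN and once from an external host (or via a VPN) against the same name and port; a `tcp` result only on the outside path points at port forwarding or an upstream filter rather than at the certificate.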


#3

Thanks a lot,
you're right, my fault.
It was a misconfiguration of port forwarding and network interfaces. Internally it worked, so I didn't see it.
Going out via VPN and back in showed it!

Cert could be renewed in the meantime!
