Certificate renewal failed error 400

Created docker container in September and certificate installed fine but renewal has failed. We are running on an EC2 instance of 18.04 LTS (host) and Debian (container). Ports 443 and 80 are open to the world (to the best of my knowledge).

Certificate renewal fails. I have dumped output of letsencrypt.log below showing JSON from the failed request.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: irefer.rasa.org.au

I ran this command: ./certbot-auto renew --nginx --cert-name irefer.rasa.org.au

It produced this output:

root@3d4c7a2a2707:/usr/share/docassemble/letsencrypt# ./certbot-auto renew --nginx --cert-name irefer.rasa.org.au
Your system is not supported by certbot-auto anymore.
Certbot will no longer receive updates.
Please visit https://certbot.eff.org/ to check for other alternatives.
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/irefer.rasa.org.au.conf


Attempting to parse the version 1.7.0 renewal configuration file found at /etc/letsencrypt/renewal/irefer.rasa.org.au.conf with version 1.4.0 of Certbot. This might not work.
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for irefer.rasa.org.au
nginx: [error] invalid PID number "" in "/run/nginx.pid"
Waiting for verification...
Challenge failed for domain irefer.rasa.org.au
http-01 challenge for irefer.rasa.org.au
Cleaning up challenges
Attempting to renew cert (irefer.rasa.org.au) from /etc/letsencrypt/renewal/irefer.rasa.org.au.conf produced an unexpected error: Some challenges have failed.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/irefer.rasa.org.au/fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/irefer.rasa.org.au/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: irefer.rasa.org.au
    Type: connection
    Detail: Fetching
    http://irefer.rasa.org.au/.well-known/acme-challenge/G7GwL85o-8qM7MHooXXlaudbBC_rWw68oM_IrH-bUIU:
    Timeout during connect (likely firewall problem)

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you're using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.
    root@3d4c7a2a2707:/usr/share/docassemble/letsencrypt#

My web server is (include version): nginx version: nginx/1.14.2

The operating system my web server runs on is (include version): Docker container version:

root@3d4c7a2a2707:/usr/share/docassemble/letsencrypt# cat /etc/issue
Debian GNU/Linux 10 \n \l

root@3d4c7a2a2707:/usr/share/docassemble/letsencrypt# cat /etc/*release
PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
root@3d4c7a2a2707:/usr/share/docassemble/letsencrypt#

Host version: Ubuntu 18.04 LTS

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

root@3d4c7a2a2707:/usr/share/docassemble/letsencrypt# ./certbot-auto --version
Your system is not supported by certbot-auto anymore.
Certbot will no longer receive updates.
Please visit https://certbot.eff.org/ to check for other alternatives.
certbot 1.4.0
root@3d4c7a2a2707:/usr/share/docassemble/letsencrypt#


Output from letsencrypt.log

{
"identifier": {
"type": "dns",
"value": "irefer.rasa.org.au"
},
"status": "invalid",
"expires": "2020-12-09T10:25:50Z",
"challenges": [
{
"type": "http-01",
"status": "invalid",
"error": {
"type": "urn:ietf:params:acme:error:connection",
"detail": "Fetching http://irefer.rasa.org.au/.well-known/acme-challenge/G7GwL85o-8qM7MHooXXlaudbBC_rWw68oM_IrH-bUIU: Timeout during connect (likely firewall problem)",
"status": 400
},
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/9018946311/JqX4iQ",
"token": "G7GwL85o-8qM7MHooXXlaudbBC_rWw68oM_IrH-bUIU",
"validationRecord": [
{
"url": "http://irefer.rasa.org.au/.well-known/acme-challenge/G7GwL85o-8qM7MHooXXlaudbBC_rWw68oM_IrH-bUIU",
"hostname": "irefer.rasa.org.au",
"port": "80",
"addressesResolved": [
"54.79.224.205"
],
"addressUsed": "54.79.224.205"
}
]
}
]
}

Hi @markatflinders

there

is your job. A working port 80 / http is required. Your port 80 doesn't answer, change that.

Port 80 is open

mail~:$ telnet irefer.rasa.org.au 80
Trying 54.79.224.205...
Connected to irefer.rasa.org.au.
Escape character is '^]'.

It's not - https://check-your-website.server-daten.de/?q=irefer.rasa.org.au

Domainname Http-Status redirect Sec. G
http://irefer.rasa.org.au/ 54.79.224.205 -14 10.013 T
Timeout - The operation has timed out
https://irefer.rasa.org.au/ 54.79.224.205 -14 10.027 T
Timeout - The operation has timed out
http://irefer.rasa.org.au/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 54.79.224.205 -14 10.013 T
Timeout - The operation has timed out
Visible Content:

Dead, completely dead.

Your local check isn't enough.

1 Like
PORT    STATE    SERVICE
80/tcp  filtered http
443/tcp filtered https
2 Likes

Do you have certbot and certbot-auto installed?

@rg305 I'm running certbot-auto, at least from what I can tell. I see a certbot-auto script in my application install.

Certbot is included as a part of Docassemble. It doesn't seem to be a standard install, not least because its homedir is /usr/share/docassemble/letsencrypt

My post showed evidence that your ports 80 and 443 were filtered at the time I scanned them. This was following your comment to @JuergenAuer that the ports were open and accessible. Probably moot point now.

Thanks everyone. Ports were geoblocked. I could reach them because I was in Australia but nobody outside Australia could. Network people have removed the block and we're good.

Thanks for everyone's input!

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.