Certificate renewal fails: Error getting validation data


#1

Hello Everyone,

I have been trying to renew my certificate for zespri.dedyn.io for the last two days, without success. I tried, like the many times before, to run sudo certbot --apache renew, which would fail with the same error as sudo certbot -a webroot -i apache -w /var/www/html:

Failed authorization procedure. zespri.dedyn.io (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://zespri.dedyn.io/.well-known/acme-challenge/OGqPh904NK_KUJFQ3-QRRlGsv9J9WLqy523JwIa2qsk: Error getting validation data. Skipping.

I do realize that it has to do with the deprecation of TLS-SNI-01, but I am lost looking for a workaround. I am on Ubuntu with Apache 2.4.18 and OpenSSL 1.0.2g.

Thank you for consideration!
Valerie


#2

Hi @valerie

I see, you have already checked your domain via https://check-your-website.server-daten.de/?q=zespri.dedyn.io

Your port 80 doesn’t answer.

Domainname Http-Status redirect Sec. G
• http://zespri.dedyn.io/
87.123.145.72 -14 10.027 T
Timeout - The operation has timed out
• https://zespri.dedyn.io/
87.123.145.72 200 5.446 B
• http://zespri.dedyn.io/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
87.123.145.72 -14 10.040 T
Timeout - The operation has timed out

There is a timeout. If you want to use http-01 validation, Certbot creates a file in /.well-known/acme-challenge with a random file name, and Letsencrypt checks whether this file exists and whether it has the correct content.

But if there is a timeout, the check doesn’t work.

Is this a home server? Is port 80 open? Correct router settings?


#3

Hi @JuergenAuer,

thank you very much for your swift reply! I didn’t see the obvious thing that you mentioned: opening port 80 in my router. Now I remember that I closed it a few months ago because I thought I didn’t need it :smiley:
--dry-run is successful, and now I am waiting until my rate limit is reset in 1h.

Thank you again!
Valerie


#4

Yep, now your port 80 is open.

You have a redirect http -> https, Letsencrypt follows these redirects. The redirect adds the complete path and file name, this is good.

So the certificate creation should work.
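The two posts above describe the http-01 exchange from the validator's side: a plain-HTTP fetch of /.well-known/acme-challenge/TOKEN on port 80, following any redirect to HTTPS, which must arrive at a file with the expected key authorization. The following script is an added example (not Let's Encrypt, Certbot or Apache code, and not part of the thread) that reproduces that exchange locally so each failure mode can be seen: both web servers run on loopback ports, the HTTPS vhost is stood in for by a second plain-HTTP server, the token is the one from the error message in post #1, and the ".constructed-account-thumbprint" suffix is a made-up placeholder for the real key authorization.

```python
"""Local simulation of an ACME http-01 check (added example, not project code):
a "client" web server that serves the challenge file, optionally behind an
http -> https style redirect, and a "validator" that fetches it, follows
redirects and classifies the outcome the way the thread's error messages do."""
import http.server
import socket
import threading
import urllib.error
import urllib.request

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
# Token copied from the error message in the thread; the suffix is a constructed
# placeholder, not a real ACME account thumbprint.
TOKEN = "OGqPh904NK_KUJFQ3-QRRlGsv9J9WLqy523JwIa2qsk"
KEY_AUTH = TOKEN + ".constructed-account-thumbprint"

# No proxies: the test servers live on 127.0.0.1 only.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


class ChallengeHandler(http.server.BaseHTTPRequestHandler):
    """Plays the client's web server (the role Apache fills in the thread)."""
    redirect_to = None   # e.g. "http://127.0.0.1:PORT", standing in for the https vhost
    keep_path = True     # whether the redirect carries the full request path along

    def do_GET(self):
        if self.redirect_to is not None:
            target = self.redirect_to + (self.path if self.keep_path else "/")
            self.send_response(301)
            self.send_header("Location", target)
            self.end_headers()
            return
        if self.path == CHALLENGE_PREFIX + TOKEN:
            body = KEY_AUTH.encode()
            self.send_response(200)
            self.send_header("Content-Type", "text/plain")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        else:
            self.send_error(404)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_server(redirect_to=None, keep_path=True):
    """Start a challenge server on an ephemeral loopback port; returns (server, base_url)."""
    handler = type("Handler", (ChallengeHandler,),
                   {"redirect_to": redirect_to, "keep_path": keep_path})
    srv = http.server.HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_address[1]


def closed_port_url():
    """Pick a loopback port nothing listens on, to reproduce the closed-port-80 case."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return "http://127.0.0.1:%d" % s.getsockname()[1]


def check_challenge(base_url, token, expected, timeout=3.0):
    """Validator side: fetch the challenge URL, follow redirects, return (verdict, detail)."""
    url = base_url + CHALLENGE_PREFIX + token
    try:
        with _OPENER.open(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace").strip()
            final_url = resp.geturl()
    except urllib.error.HTTPError as err:        # reached a server, got 4xx/5xx
        return ("http-error", err.code)
    except urllib.error.URLError as err:         # refused, unreachable, connect timeout
        return ("connection", str(err.reason))
    except OSError as err:                       # read timeout after connecting
        return ("timeout", str(err))
    if body != expected:
        return ("wrong-content", body)
    return ("ok", final_url)


def demo():
    """Run the situations discussed in the thread; returns a dict of verdicts."""
    backend, backend_url = start_server()                          # the "https" vhost
    good_front, good_url = start_server(redirect_to=backend_url)   # redirect keeps the path
    bad_front, bad_url = start_server(redirect_to=backend_url, keep_path=False)
    results = {
        "port-closed": check_challenge(closed_port_url(), TOKEN, KEY_AUTH)[0],
        "redirect-keeps-path": check_challenge(good_url, TOKEN, KEY_AUTH)[0],
        "redirect-drops-path": check_challenge(bad_url, TOKEN, KEY_AUTH)[0],
        "wrong-token": check_challenge(backend_url, "no-such-token", KEY_AUTH)[0],
    }
    for srv in (backend, good_front, bad_front):
        srv.shutdown()
        srv.server_close()
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print("%-22s %s" % (name, verdict))
```

The "port-closed" case is the thread's original problem (the validator never reaches a server), "redirect-keeps-path" is the working setup post #4 describes, and "redirect-drops-path" shows why a redirect that rewrites everything to the site root would have broken the check even with port 80 open: the request arrives, but at the wrong URL.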


#5

Without HSTS preloading, a browser doesn’t know to use port 443 with HTTPS when a user simply types in the hostname of your site in the browser’s address bar. I reckon most people (if any) actually manually type https:// in their address bar before the hostname of the site.

Without port 80 open and without an HTTP redirect to HTTPS, your site wouldn’t be accessible. Users would get a “connection refused” or “timeout”, just like certbot got when you tried to renew.

So: just leave port 80 open for the redirect. That way, your site actually works :wink:


#6

@JuergenAuer: Just reporting back that the certificate renewal was successful. Thanks for the quick help!

@Osiris: Thank you for pointing this out. Indeed, in the last days I have been learning a lot about Apache. It is a bit unfortunate that there is so little high-level, conceptual documentation for the beginner-to-average user. Most documentation is either really complex or merely specific how-tos, which don’t allow you to understand why something works (or doesn’t). So thank you very much for some basic background on this issue! :slight_smile:

