Certificate renewal is not happening


#1

My domain is: test.playtoome.com

I ran this command: sudo certbot renew

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log


No renewals were attempted.


My web server is (include version): Tomcat 7.0.68

The operating system my web server runs on is (include version): Ubuntu 16.04.5 LTS

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.26.1


#2

Hi @panurag

there is a certificate:

https://transparencyreport.google.com/https/certificates?cert_search_auth=&cert_search_cert=&cert_search=include_expired:false;include_subdomains:false;domain:test.playtoome.com&lu=cert_search

valid 13.11.2018 - 11.02.2019

What does certbot certificates say? Did you delete config files?

Your domain is completely invisible ( https://check-your-website.server-daten.de/?q=test.playtoome.com )

| Domainname | Http-Status | redirect | Sec. | G |
|---|---|---|---|---|
| http://test.playtoome.com/ 35.154.202.22 | -2 | | 1.380 | V |
| ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it 35.154.202.22:80 | | | | |
| https://test.playtoome.com/ 35.154.202.22 | -2 | | 1.370 | V |
| ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it 35.154.202.22:443 | | | | |
| http://test.playtoome.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 35.154.202.22 | -2 | | 1.393 | V |
| ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it 35.154.202.22:80 | | | | |

so you can’t use http-01 validation.

If you have used tls-sni-01 validation, this is deprecated.

What happens if you use

sudo certbot -d test.playtoome.com --preferred-challenges http

But you need an open port 80.


#3

How did you create the certificate?

Did you use Certbot?

What command did you use?


#4

Hi,

Thank you.

The response to certbot certificates is:

Saving debug log to /var/log/letsencrypt/letsencrypt.log


No certs found.


No config files were deleted.

Please check at the address https://test.playtoome.com:8443.

The output for the command “sudo certbot -d test.playtoome.com --preferred-challenges http” is:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Certbot doesn’t know how to automatically configure the web server on this system. However, it can still get a certificate for you. Please run “certbot certonly” to do so. You’ll need to manually configure your web server to use the resulting certificate.

Port 80 is open.

Regards,
Anurag


#5

Hi,

Thank you.

I used certbot to create the certificate. The command used was: “sudo certbot certonly”.

Regards,
Anurag


#6

Sorry, I forgot the certonly - parameter.

sudo certbot certonly -d test.playtoome.com --preferred-challenges http

I see, you have checked your 8443 - port ( https://check-your-website.server-daten.de/?q=test.playtoome.com%3A8443 ): But your port 80 doesn’t work.

| Domainname | Http-Status | redirect | Sec. | G |
|---|---|---|---|---|
| http://test.playtoome.com/ 35.154.202.22 | -2 | | 1.397 | V |
| ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it 35.154.202.22:80 | | | | |
| https://test.playtoome.com/ 35.154.202.22 | -2 | | 1.387 | V |
| ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it 35.154.202.22:443 | | | | |
| http://test.playtoome.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 35.154.202.22 | -2 | | 1.377 | V |
| ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it 35.154.202.22:80 | | | | |

The last row is critical. It looks like there is a firewall or something else that actively blocks.

Is there a firewall or another server? I don’t see headers, because all standard ports are blocked.

Letsencrypt needs the standard port 80 to check your domain, perhaps a redirect to port 443.


#7

Hi,

I had used the command “sudo certbot certonly --csr request.csr”, not “sudo certbot certonly”.

Regards,
Anurag


#8

Hi,

At the time of issuing certificates, I had chosen the option to spin up a temporary server.

Thank you, Regards,
Anurag


#9

Then add the -vvv option, so more information is logged.

And share

/var/log/letsencrypt/letsencrypt.log

#10

When you use the --csr option, certbot renew does not support renewing the certificate.

Can you create a new certificate without using --csr?
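
Added example, not part of the original thread: `certbot renew` only processes lineages that have a file under `renewal/` in Certbot's config directory, and a certificate issued with `--csr` is written to the working directory without creating one, which is why both "No certs found" and "No renewals were attempted" appear above. The script below checks for that file and reports the recorded authenticator; the function names, the sample domains and the assumption that the lineage is named after the domain are illustrative.

```shell
#!/bin/sh
# Added example. Assumption: the lineage is named after the domain, which is
# Certbot's default when --cert-name is not given.

# lineage_status CONFIG_DIR DOMAIN
# Prints "untracked" when CONFIG_DIR/renewal/DOMAIN.conf is missing (nothing
# for `certbot renew` to act on), else "tracked authenticator=<name>".
lineage_status() {
    conf="$1/renewal/$2.conf"
    if [ ! -f "$conf" ]; then
        echo "untracked"
        return 0
    fi
    # Read the authenticator recorded in the [renewalparams] section.
    auth=$(awk -F' *= *' '
        /^\[renewalparams\]/ { in_params = 1; next }
        /^\[/                { in_params = 0 }
        in_params && $1 == "authenticator" { print $2; exit }
    ' "$conf")
    echo "tracked authenticator=${auth:-unknown}"
}

# Build a constructed config directory holding one lineage (sample data).
make_sample_config() {
    dir=$(mktemp -d)
    mkdir -p "$dir/renewal"
    cat > "$dir/renewal/tracked.example.com.conf" <<'EOF'
# constructed sample renewal config
version = 0.26.1
cert = /etc/letsencrypt/live/tracked.example.com/cert.pem
[renewalparams]
authenticator = standalone
EOF
    echo "$dir"
}

sample=$(make_sample_config)
lineage_status "$sample" tracked.example.com     # tracked authenticator=standalone
lineage_status "$sample" csr-issued.example.com  # untracked
rm -rf "$sample"
```

On a real host, pass `/etc/letsencrypt` as the config directory; a `standalone` authenticator means the renewal run itself has to bind port 80, so that port must be free and reachable at renewal time.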


#11

Hi,

The certificate was created successfully.

Thank you, Regards,
Anurag


#12

Yep

https://test.playtoome.com:8443/

now has a new certificate, created today.

