Certificate renewal on Debian 10 machine using Cloudflare DNS results in error

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: eclassactions.com

I ran this command: sudo certbot --nginx renew

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/eclassactions.com.conf


Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Attempting to renew cert (eclassactions.com) from /etc/letsencrypt/renewal/eclassactions.com.conf produced an unexpected error: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x752ae810>: Failed to establish a new connection: [Errno -2] Name or service not known')). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/eclassactions.com/fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/eclassactions.com/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

My web server is (include version): Raspberry Pi version 3+ configured as a reverse proxy

The operating system my web server runs on is (include version): Debian 10 (lite)

My hosting provider, if applicable, is: Hosted on local network

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no, using SSH on internal network

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 0.30.0

Please debug and fix your DNS on that Pi.


I agree that the DNS is an issue.
I am running a number of websites behind an nginx reverse proxy. The websites themselves use Cloudflare name servers (domain A records point to Cloudflare's DNS). This was done to improve website performance and was subsequent to obtaining the original certificates.
The SSL certificates terminate at the reverse proxy and I use port 80 between reverse proxy and the local network websites.

From the log above it seems that I am unable to make a connection to host='acme-v02.api.letsencrypt.org', on port=443. It seems the name or service is not known from the looks of it.
If I ping acme-v02.api.letsencrypt.org from the reverse proxy I receive "Name or service not known"
Yet if I ping acme-v02.api.letsencrypt.org from a windows machine it resolves to pacloudflare.com

Pinging ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com [172.65.32.248] with 32 bytes of data:
Reply from 172.65.32.248: bytes=32 time=34ms TTL=57
Reply from 172.65.32.248: bytes=32 time=33ms TTL=57
Reply from 172.65.32.248: bytes=32 time=34ms TTL=57
Reply from 172.65.32.248: bytes=32 time=33ms TTL=57

How does one go about renewing stale letsencrypt certificates?

In /etc/dhcpcd.conf I have:
static domain_name_servers=108.162.192.160 108.162.195.240 172.65.32.248

The first two are the DNS servers I use with Cloudflare. I just added the third address to see if it makes a difference, and it doesn't.

Does one need letsencrypt certificates if Cloudflare itself is handling them? I'm confused.

You shouldn't use authoritative name servers as a resolving name server. Usually, these types of name servers are different from each other. An authoritative name server is only used for the DNS zones that specific server is authoritative for. Other DNS zones should result in errors.

Resolving name servers are responsible for recursively resolving hostnames from other (authoritative) name servers by "walking" the DNS tree, and usually cache the results for a specific time, usually the TTL from the requested record.

You should set your Pi's DNS server to a resolver. See for more info e.g. https://www.cloudflare.com/learning/dns/dns-server-types/#recursive-resolver


This is what Cloudflare says when using their service

Cloudflare Nameservers

To use Cloudflare, ensure your authoritative DNS servers, or nameservers have been changed. These are your assigned Cloudflare nameservers.

Note that they assign me authoritative Domain Name Servers. When I remove the authoritative DNS servers in dhcpcd.conf and replace them with the resolving name servers 1.1.1.1 and 1.0.0.1, I still receive the same error as shown above, only now I can't ping google.com as it shows "Temporary failure in name resolution".

Please define "their service".


This is Cloudflare's DNS service I am referring to.

When I run the command sudo letsencrypt --nginx renew, I receive the same error:
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/eclassactions.com.conf


Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Attempting to renew cert (eclassactions.com) from /etc/letsencrypt/renewal/eclassactions.com.conf produced an unexpected error: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x752a2210>: Failed to establish a new connection: [Errno -2] Name or service not known')). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/eclassactions.com/fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/eclassactions.com/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

I will ignore the issues about setting up DNS. But, you are also using Cloudflare CDN.

With that there is an HTTPS connection between the Cloudflare Edge and the client (browser). That cert is usually setup in CF and it updates it as needed.

There is another connection between the CF Edge and your Origin server. Usually this is also HTTPS so uses another cert on your Origin Server for that. Cloudflare even offers something called an Origin CA cert for this purpose and often this is easier than creating your own cert on your server.

You said the CDN was setup subsequent to your original Let's Encrypt certs so when you added CDN service you need to review how your end-to-end connections work. See these topics for Cloudflare background:

https://developers.cloudflare.com/ssl/origin-configuration/origin-ca


You need to differentiate between Cloudflare's DNS service for a domain zone and their DNS service for recursive DNS such as 1.1.1.1.

Please understand the difference. I've linked more info about what a recursive DNS resolver is above, and on that page near the bottom it's explained what an authoritative DNS server is.

A client such as a Raspberry Pi or other operating system should use recursive DNS resolvers as their DNS server and not hardcode authorative DNS servers.

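The distinction drawn in the two posts above (L67 onwards and here) can be checked directly from the Pi. The following is an added example written for this thread, not code from Certbot, Cloudflare or Let's Encrypt. It sends a raw DNS query with the RD (recursion desired) bit set for a name the queried server is not authoritative for, then reads the RA (recursion available) bit and the RCODE from the reply: a recursive resolver answers with RA=1 and an answer section, while an authoritative-only server answers with RA=0 and, typically, REFUSED. The server addresses in the `__main__` block are the ones quoted in this thread (1.1.1.1 and the 108.162.x.x nameserver from dhcpcd.conf); the probe name is an assumption and any name outside the server's zones would do.

```python
"""Probe a DNS server: recursive resolver or authoritative-only?

Added example for this thread (not Certbot/Cloudflare code).  Sends a
standard query with RD=1 and inspects RA and RCODE in the 12-byte header.
"""
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}
QUERY_ID = 0x1234  # fixed for the example; use os.urandom in real tooling


def build_query(name: str, qid: int = QUERY_ID) -> bytes:
    """Standard query: flags 0x0100 (RD=1), one question, type A, class IN."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(struct.pack("B", len(label)) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)


def parse_reply(data: bytes) -> dict:
    """Extract the header bits that distinguish resolver from authoritative."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    qid, flags, _qd, ancount, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    return {
        "id": qid,
        "qr": bool(flags & 0x8000),      # 1 = this is a response
        "aa": bool(flags & 0x0400),      # authoritative answer
        "ra": bool(flags & 0x0080),      # recursion available
        "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
        "answers": ancount,
    }


def classify(reply: dict) -> str:
    """RA=1 plus answers for an out-of-zone name means a usable resolver.
    RA=0 means the server will not recurse for you (authoritative-only)."""
    if reply["ra"] and reply["rcode"] == "NOERROR" and reply["answers"] > 0:
        return "recursive resolver"
    if not reply["ra"]:
        return "authoritative-only (not usable as the Pi's resolver)"
    return "unclear: rcode=%s answers=%d" % (reply["rcode"], reply["answers"])


def probe(server: str, name: str = "acme-v02.api.letsencrypt.org",
          timeout: float = 3.0) -> dict:
    """Send the query over UDP/53 and parse the first matching reply."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data, _peer = sock.recvfrom(512)
    reply = parse_reply(data)
    if reply["id"] != QUERY_ID or not reply["qr"]:
        raise ValueError("reply does not match our query")
    return reply


if __name__ == "__main__":
    # 1.1.1.1 is Cloudflare's public resolver; 108.162.192.160 is the
    # authoritative nameserver quoted from dhcpcd.conf in this thread.
    for server in ("1.1.1.1", "108.162.192.160"):
        try:
            print(server, classify(probe(server)))
        except (OSError, ValueError) as exc:  # socket.timeout is an OSError
            print(server, "no usable reply:", exc)
```

Run it as root or not; port 53 outbound needs no privilege. If the server configured in `static domain_name_servers=` comes back as authoritative-only, certbot's `Name or service not known` is expected, because nothing in the resolution path will look up acme-v02.api.letsencrypt.org on the Pi's behalf.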

Thanks a lot Mike!


Well this is odd. I have two websites each running on a separate Raspberry Pi behind an Nginx Reverse Proxy Server (also on a separate raspberry pi). The letsencrypt certificates for each website expired at the same time last year and reside on the reverse proxy. Both domains use Cloudflare authoritative name servers and the Cloudflare DNS management resolves to the correct WAN IP address of my router.

In my dhcpcd.conf file I have set my DNS to point to 1.1.1.1 and 1.0.0.1 according to Cloudflare. These are recursive DNS servers and not the authoritative DNS servers I had originally.

As seen below I can update the letsencrypt certificate for one domain, but not the other as it fails authorization procedure http-01. A review of the debug log shows that the domain I was successful in obtaining a letsencrypt certificate resolved correctly to my single WAN IP address during the http-01 challenge whereas the http-01 challenge for the domain that failed to obtain a certificate resolved to two separate Cloudflare IP addresses - 104.21.26.135 and 172.67.136.75.

I've triple checked the domain name and A records in Cloudflare and both are correct and resolve to my current WAN IP address. Would the authorization failure to obtain a certificate have to do with the resolved address being the Cloudflare IP(s) and not my WAN IP?

$ sudo certbot certonly -d eclassactionslawyer.com -d www.eclassactionslawyer.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?


1: Nginx Web Server plugin (nginx)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)


Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 1
Plugins selected: Authenticator nginx, Installer None
Obtaining a new certificate

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/eclassactionslawyer.com/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/eclassactionslawyer.com/privkey.pem
    Your cert will expire on 2022-05-11. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot
    again. To non-interactively renew all of your certificates, run
    "certbot renew"

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let's Encrypt: Donate - Let's Encrypt
    Donating to EFF: Support EFF's Work on Let's Encrypt | Electronic Frontier Foundation

$ sudo certbot certonly -d eclassactions.com -d www.eclassactions.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?


1: Nginx Web Server plugin (nginx)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)


Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 1
Plugins selected: Authenticator nginx, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for eclassactions.com
http-01 challenge for www.eclassactions.com
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. www.eclassactions.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://www.eclassactions.com/.well-known/acme-challenge/qrlaf8Lu1lAQs9oGQCSNorXvZ8L1oEyr-uB5F0MkxIE [2606:4700:3036::ac43:884b]: "\n404 Not Found\n<body bgcolor="white">\n404 Not Found\n\nngin", eclassactions.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://eclassactions.com/.well-known/acme-challenge/tBH9HMi0MCPMnOsNs1VBrt2R55nd7mJlnmaVgLuiZ0o [2606:4700:3035::6815:1a87]: "\n404 Not Found\n<body bgcolor="white">\n404 Not Found\n\nngin"

IMPORTANT NOTES:

I see one certbot command worked but you did not show which domain names.

The second command failed for both names it seems.

I think your DNS setup is wrong. I do not know which is correct but you probably want these to be the same - yeah? It is puzzling as the errors above do not match what now shows in your DNS. For one, it looks like above attempted IPv6 for your www domain but there is no IPv6 address in the DNS now. Have you changed it since that attempt?

Your 'apex' name is pointing to Cloudflare CDN, the other is not.

Name:   eclassactionslawyer.com
Address: 172.67.154.48
Address: 104.21.4.196
Address: 2606:4700:3032::ac43:9a30
Address: 2606:4700:3035::6815:4c4

Name:   www.eclassactionslawyer.com
Address: 24.89.215.217

Actually the one that worked is eclassactionslawyer.com the one that didn't work is eclassactions.com (see blue shaded text above).

The above looks like both names failed.

Which of your DNS entries is correct? (i.e., do you want to use Cloudflare CDN?)


I see what you are saying. Yes you are correct. Both www.eclassactions.com and eclassactions.com failed to authorize. What I don't understand is why www.eclassactionslawyer.com and eclassactionslawyer.com did? Both are set up identically. I'm stumped as to why it failed the acme challenge despite the other passing with flying colors.

Oh, my bad. Missed 'lawyer' on the one pair. But, they are not setup the same. eclassactions.com and its www have DNS both setup to Cloudflare CDN (below). Note difference to my post #14 for the 'lawyer' names.

Name:   eclassactions.com
Address: 172.67.136.75
Address: 104.21.26.135
Address: 2606:4700:3035::6815:1a87
Address: 2606:4700:3036::ac43:884b

Name:   www.eclassactions.com
Address: 104.21.26.135
Address: 172.67.136.75
Address: 2606:4700:3036::ac43:884b
Address: 2606:4700:3035::6815:1a87
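The difference Mike points out in the two nslookup listings (post #14 and the one just above) can be made mechanical: every address returned for eclassactions.com and www.eclassactions.com falls inside Cloudflare's published anycast ranges, while www.eclassactionslawyer.com returns the origin address. That matters for http-01 with the nginx authenticator, because the token is served by nginx on the Pi and the validator's connection only ever reaches Cloudflare's edge when the name is proxied. The following is an added example for this thread, not Certbot or Cloudflare code. Assumptions: the range list is a snapshot of https://www.cloudflare.com/ips and should be re-fetched before relying on it; 24.89.215.217 is taken as the origin address because it is the one shown for www.eclassactionslawyer.com; and the IPv6-first preference in `preferred_validation_address` reflects Let's Encrypt's documented validation behaviour (try an AAAA address first, fall back to A only if the connection fails), which matches the bracketed IPv6 addresses in the error above.

```python
"""Classify resolved addresses as origin, Cloudflare-proxied or mixed.

Added example for this thread (not Certbot/Cloudflare code).  The records
below are the addresses posted in the thread, embedded as constructed input.
"""
import ipaddress

# Snapshot of https://www.cloudflare.com/ips (assumption: re-fetch to refresh).
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
    "2400:cb00::/32", "2606:4700::/32", "2803:f800::/32", "2405:b500::/32",
    "2405:8100::/32", "2a06:98c0::/29", "2c0f:f248::/32",
)]

# Resolved addresses as posted in this thread (constructed input for the example).
RECORDS = {
    "eclassactions.com": ["172.67.136.75", "104.21.26.135",
                          "2606:4700:3035::6815:1a87", "2606:4700:3036::ac43:884b"],
    "www.eclassactions.com": ["104.21.26.135", "172.67.136.75",
                              "2606:4700:3036::ac43:884b", "2606:4700:3035::6815:1a87"],
    "eclassactionslawyer.com": ["172.67.154.48", "104.21.4.196",
                                "2606:4700:3032::ac43:9a30", "2606:4700:3035::6815:4c4"],
    "www.eclassactionslawyer.com": ["24.89.215.217"],
}
ORIGIN = "24.89.215.217"  # assumption: the WAN address behind the reverse proxy


def is_cloudflare(addr: str) -> bool:
    """True if the address lies in Cloudflare's anycast space."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in CLOUDFLARE_RANGES)


def classify(addrs, origin: str) -> str:
    """'origin' if every address is the origin, 'proxied' if every address
    is Cloudflare's, otherwise 'mixed' (stale record, split A/AAAA, etc.)."""
    origin_ip = ipaddress.ip_address(origin)
    kinds = set()
    for addr in addrs:
        if ipaddress.ip_address(addr) == origin_ip:
            kinds.add("origin")
        elif is_cloudflare(addr):
            kinds.add("proxied")
        else:
            kinds.add("other")
    if kinds == {"origin"}:
        return "origin"
    if kinds == {"proxied"}:
        return "proxied"
    return "mixed"


def preferred_validation_address(addrs) -> str:
    """Let's Encrypt tries an IPv6 address first when an AAAA record exists,
    falling back to IPv4 only if the connection fails (documented behaviour)."""
    for addr in addrs:
        if ipaddress.ip_address(addr).version == 6:
            return addr
    return addrs[0]


def report(records, origin: str) -> dict:
    """Per-name verdict: where an http-01 validation request will land."""
    return {name: classify(addrs, origin) for name, addrs in records.items()}


if __name__ == "__main__":
    for name, verdict in report(RECORDS, ORIGIN).items():
        target = preferred_validation_address(RECORDS[name])
        print("%-28s %-8s validator connects to %s" % (name, verdict, target))
```

For a name that reports `proxied`, the nginx authenticator on the Pi never sees the validation request; the options are to stop proxying the name (grey cloud) while certbot runs, to make sure the edge forwards `/.well-known/acme-challenge/` to the origin over plain HTTP, or to switch to a challenge that does not depend on the HTTP path (dns-01), which is what the CF documentation linked earlier in the thread is about.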

That's just it, they ARE set up the same. Cloudflare hosts both domains' DNS. If I look at the Cloudflare DNS settings, both domains correctly resolve to my WAN IP. For some reason certbot authorizes if I use my WAN IP, but fails to when using Cloudflare's IP.

Have you read through the CF documentation?
Do you really need an LE cert?
