Copied a server setup which broke certbot

I cloned a server to a second server setup.

I then changed the httpd domain configurations on the second server, not realizing there were certbot configurations I had migrated over. When I ran “certbot renew” on the new server, it renewed some certificates that were no longer pointing to that server, which now seems to have invalidated my original server’s certbot configuration.

Unfortunately this seems to have broken the original server’s authorization?

After realizing this, I went to the directory: /etc/letsencrypt/renewal and removed all the domain.conf files for domains that were no longer pointing to the new server. (I assume perhaps I should have used the certbot delete command but this does the same thing?)

How can I make sure both servers can successfully renew their certificates?

What I tried to do was run the command:

certbot update_account

On one of the servers. This may have made both of them unique to the cert authority? But when I tried to renew the certs on the original server, I got this message:

Processing /etc/letsencrypt/renewal/www.xx.com.conf


Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Renewing an existing certificate
Attempting to renew cert (www.xx.com) from /etc/letsencrypt/renewal/www.xx.com.conf produced an unexpected error: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/xx.com/fullchain.pem (failure)
/etc/letsencrypt/live/xx.com/fullchain.pem (failure)

Do I just need to wait a little while before trying again? Or have I broken one or both certbot installations?

When I type “certbot certificates” I get a list of different certs on each of the two servers now, so that is ok. I just want to make sure that since I accidentally renewed a few certs on the new/wrong box, it won’t cause the old/original renewal for those domains to fail.

Any help would be appreciated!

Hi @Icorp,

Welcome to the community forum!

Yes, you’ll need to wait a little while before you can attempt issuance and renewal again. I suggest using the staging API to work through your migration before switching over to the production API. The rate limits in staging are far more lenient.


Thanks @Phil!

Just one hour to be precise :clock1: :white_check_mark:


So the fact that when I tried to renew the cert and was initially denied, because it had renewed on a different server won’t cause a problem?

I want to make sure because I’m using those certs on a production server, and in about 50 days the rest of them will come up for renewal and I want to make sure they won’t give me problems.

Is there any handshaking with letsencrypt I may have to do to invalidate the earlier request I made that was renewed so I can properly renew the cert in the original server? What I did in response was remove the .conf file for the domain so the new server no longer recognizes the domain.

Actually, on my production server (the original one) there are now some weird configurations… instead of one domain cert I see two and three files in /etc/letsencrypt/renewal:

-rw-r--r--. 1 root 589 Jun 3 03:42 xx.com-0001.conf
-rw-r--r--. 1 root 570 Jun 6 10:13 xx.com-0002.conf
-rw-r--r--. 1 root 564 Apr 3 03:42 xx.com.conf

where xx.com is the domain I accidentally renewed on the cloned server…

There should only be one certificate…

certbot certificates shows:

Certificate Name: xx.com-0001
Domains: xx.com www.xx.com
Expiry Date: 2019-09-01 07:42:37+00:00 (VALID: 86 days)
Certificate Path: /etc/letsencrypt/live/deepsouthblenders.com-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/deepsouthblenders.com-0001/privkey.pem
Certificate Name: xx.com-0002
Domains: xx.com
Expiry Date: 2019-09-04 14:13:07+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/xx.com-0002/fullchain.pem
Private Key Path: /etc/letsencrypt/live/xx.com-0002/privkey.pem
Certificate Name: xx.com
Domains: x.com (and several other unrelated domain names here)
Expiry Date: 2019-07-02 07:42:52+00:00 (VALID: 25 days)
Certificate Path: /etc/letsencrypt/live/xx.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/xx.com/privkey.pem

Things look very confusing for certbot :frowning:

Should I delete all three and try to create a new one? Or just delete the 2 invalid ones? What commands would I use? The first one is the right one.

This morning the cert renewal was unsuccessful:

Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for xx.com
http-01 challenge for www.xx.com
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (xx.com) from /etc/letsencrypt/renewal/xx.com.conf produced an unexpected error: Failed authorization procedure. xx.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://xx.com/.well-known/acme-challenge/GnuaqXBMWQ1_qKiOHLIlngGAyhcP3ObYsQnaLef79W4 [91.195.240.126]: “<html lang=“en” data-adblockkey=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWX”, www.xx.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.xx.com/.well-known/acme-challenge/LG1yxMO1XMUE-d5gLMly4JVCNVtY_FCeD1tdottK4P0 [91.195.240.126]: “<html lang=“en” data-adblockkey=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWX”. Skipping.

Hi @Icorp,

Please share your domain name.

Which server has a problem? The original or the cloned server?

Is this - 91.195.240.126 - the original or the ip with the cloned server?

PS: The ip has a parking certificate:

CN=cc.sedoparking.com, OU=Domain Control Validated
17.10.2017 - 11.12.2020
expires in 553 days, cc.sedoparking.com - 1 entry

So that can't work.

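A pre-flight check that covers both problems in the thread (added example, not code from the thread or from certbot): it parses `certbot certificates` output like the listing above, flags lineages whose domains do not resolve to this host (their http-01 challenge would fail at a foreign IP such as the parked one and count toward the failed-authorization rate limit), and flags domains covered by more than one lineage (the xx.com / xx.com-0001 / xx.com-0002 situation). `SAMPLE`, `FAKE_DNS`, the host IP 203.0.113.10 and the domain parked.example are constructed; pass `resolve_dns` and the real host IPs to use it on a live box.

```python
import socket
from collections import defaultdict

# Constructed sample in the shape of `certbot certificates` output (paths trimmed)
SAMPLE = """\
Certificate Name: xx.com-0001
Domains: xx.com www.xx.com
Expiry Date: 2019-09-01 07:42:37+00:00 (VALID: 86 days)
Certificate Name: xx.com-0002
Domains: xx.com
Expiry Date: 2019-09-04 14:13:07+00:00 (VALID: 89 days)
Certificate Name: xx.com
Domains: xx.com parked.example
Expiry Date: 2019-07-02 07:42:52+00:00 (VALID: 25 days)
"""
# Constructed DNS answers: this host is 203.0.113.10; parked.example points elsewhere
FAKE_DNS = {"xx.com": {"203.0.113.10"}, "www.xx.com": {"203.0.113.10"},
            "parked.example": {"91.195.240.126"}}

def resolve_dns(host):
    # Real resolver for production use: the set of addresses the name points to
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(host, None)}
    except socket.gaierror:
        return set()

def parse_certificates(text):
    """Map lineage name -> domain list from `certbot certificates` output."""
    lineages, name = {}, None
    for line in text.splitlines():
        key, _, value = line.strip().partition(":")
        if key == "Certificate Name":
            name = value.strip()
            lineages[name] = []
        elif key == "Domains" and name:
            lineages[name] = value.split()
    return lineages

def preflight(lineages, my_ips, resolve=resolve_dns):
    """Return (foreign, duplicates): lineages with domains not resolving to this
    host, and domains that more than one lineage covers."""
    foreign, owners = {}, defaultdict(list)
    for name, domains in lineages.items():
        bad = [d for d in domains if not (resolve(d) & my_ips)]
        if bad:
            foreign[name] = bad  # renewing this here would fail http-01
        for d in domains:
            owners[d].append(name)
    duplicates = {d: n for d, n in owners.items() if len(n) > 1}
    return foreign, duplicates
```

Lineages reported in `foreign` are the ones to remove with `certbot delete --cert-name NAME` (or to leave alone until the renewal limit window has passed) rather than letting `certbot renew` retry them.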

It looks like the certbot configuration on my original server is completely hosed… I do not know why… the certificate files in the vhosts.conf for ssl are all mixed up under different host names… WTF?

I ended up having to manually edit my vhosts file and delete areas where certbot apparently mixed up the domain names and certificate names… not sure why that happened… I was able to re-request a cert and it went through… I still am not sure what went wrong, but I will need to wait several weeks to see if the renewals will go through.

BTW, here’s a weird behavior… if you set a domain to automatically redirect to SSL and there’s code already in there, certbot answers with an ambiguous error message that indicates there was a problem:

Failed redirect for xx.com
Unable to set enhancement redirect for xx.com

I would expect it to be a little more specific about the error.
