Debian 9.4 + kernel backports - Cannot renew certificate


#1

Hi,

My home server (OMV NAS) is running on debian stretch.
Certbot is v0.23

I try to renew my cert but get an error while running the command.

My domain is:
home-server.famille-bocquet.fr

I ran this command:

root@home-server:/etc/cron.d# /usr/bin/certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/FAMILLE-BOCQUET.FR.conf

Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for home-server.famille-bocquet.fr
Waiting for verification...
Challenge failed for domain home-server.famille-bocquet.fr
Cleaning up challenges
Attempting to renew cert (FAMILLE-BOCQUET.FR) from /etc/letsencrypt/renewal/FAMILLE-BOCQUET.FR.conf produced an unexpected error: Challenges failed for all domains. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/FAMILLE-BOCQUET.FR/fullchain.pem (failure)

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/FAMILLE-BOCQUET.FR/fullchain.pem (failure)

1 renew failure(s), 0 parse failure(s)

Here are some logs:

2018-05-31 10:07:34,620:ERROR:certbot.renewal:All renewal attempts failed. The following certs could not be renewed:
2018-05-31 10:07:34,620:ERROR:certbot.renewal:  /etc/letsencrypt/live/FAMILLE-BOCQUET.FR/fullchain.pem (failure)
2018-05-31 10:07:34,620:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.23.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1266, in main
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1179, in renew
    renewal.handle_renewal_request(config)
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 443, in handle_renewal_request
    len(renew_failures), len(parse_failures)))
certbot.errors.Error: 1 renew failure(s), 0 parse failure(s)

Python packages installed :slight_smile:

root@home-server:~# dpkg -l | grep python
ii dh-python 2.20170125 all Debian helper tools for packaging Python libraries and applications
ii libpython-stdlib:amd64 2.7.13-2 amd64 interactive high-level object-oriented language (default python version)
ii libpython2.7:amd64 2.7.13-2+deb9u2 amd64 Shared Python runtime library (version 2.7)
ii libpython2.7-minimal:amd64 2.7.13-2+deb9u2 amd64 Minimal subset of the Python language (version 2.7)
ii libpython2.7-stdlib:amd64 2.7.13-2+deb9u2 amd64 Interactive high-level object-oriented language (standard library, version 2.7)
ii libpython3-stdlib:amd64 3.5.3-1 amd64 interactive high-level object-oriented language (default python3 version)
ii libpython3.5-minimal:amd64 3.5.3-1 amd64 Minimal subset of the Python language (version 3.5)
ii libpython3.5-stdlib:amd64 3.5.3-1 amd64 Interactive high-level object-oriented language (standard library, version 3.5)
ii python 2.7.13-2 amd64 interactive high-level object-oriented language (default version)
ii python-apt-common 1.4.0~beta3 all Python interface to libapt-pkg (locales)
ii python-crypto 2.6.1-7 amd64 cryptographic algorithms and protocols for Python
ii python-dnspython 1.15.0-1 all DNS toolkit for Python
ii python-ldb 2:1.1.27-1+b1 amd64 Python bindings for LDB
ii python-minimal 2.7.13-2 amd64 minimal subset of the Python language (default version)
rc python-pbr 1.10.0-1 all inject useful and sensible default behaviors into setuptools - Python 2.x
ii python-samba 2:4.5.12+dfsg-2+deb9u2 amd64 Python bindings for Samba
ii python-talloc 2.1.8-1 amd64 hierarchical pool based memory allocator - Python bindings
ii python-tdb 1.3.11-2 amd64 Python bindings for TDB
ii python2.7 2.7.13-2+deb9u2 amd64 Interactive high-level object-oriented language (version 2.7)
ii python2.7-minimal 2.7.13-2+deb9u2 amd64 Minimal subset of the Python language (version 2.7)
ii python3 3.5.3-1 amd64 interactive high-level object-oriented language (default python3 version)
ii python3-acme 0.22.2-1~bpo9+1 all ACME protocol library for Python 3
ii python3-apt 1.4.0~beta3 amd64 Python 3 interface to libapt-pkg
ii python3-certbot 0.23.0-1~bpo9+1 all main library for certbot
ii python3-cffi-backend 1.9.1-2 amd64 Foreign Function Interface for Python 3 calling C code - runtime
ii python3-chardet 2.3.0-2 all universal character encoding detector for Python3
ii python3-configargparse 0.11.0-1 all replacement for argparse with config files and environment variables (Python 3)
ii python3-configobj 5.0.6-2 all simple but powerful config file reader and writer for Python 3
ii python3-cryptography 1.7.1-3 amd64 Python library exposing cryptographic recipes and primitives (Python 3)
ii python3-dbus 1.2.4-1+b1 amd64 simple interprocess messaging system (Python 3 interface)
ii python3-debian 0.1.30 all Python 3 modules to work with Debian-related data formats
ii python3-debianbts 2.6.1 all Python interface to Debian's Bug Tracking System
ii python3-dialog 3.4.0-1 all Python module for making simple terminal-based user interfaces
ii python3-future 0.15.2-4 all Clean single-source support for Python 3 and 2 - Python 3.x
ii python3-httplib2 0.9.2+dfsg-1 all comprehensive HTTP client library written for Python3
ii python3-idna 2.2-1 all Python IDNA2008 (RFC 5891) handling (Python 3)
ii python3-josepy 1.0.1-1~bpo9+1 all JOSE implementation for Python 3.x
ii python3-lxml 3.7.1-1 amd64 pythonic binding for the libxml2 and libxslt libraries
ii python3-minimal 3.5.3-1 amd64 minimal subset of the Python language (default python3 version)
ii python3-mock 2.0.0-3 all Mocking and Testing Library (Python3 version)
ii python3-natsort 4.0.3-2 all Natural sorting for Python (python3)
ii python3-netifaces 0.10.4-0.1+b2 amd64 portable network interface information - Python 3.x
ii python3-openssl 16.2.0-1 all Python 3 wrapper around the OpenSSL library
ii python3-parsedatetime 2.4-2~bpo9+1 all Python 3 module to parse human-readable date/time expressions
ii python3-pbr 1.10.0-1 all inject useful and sensible default behaviors into setuptools - Python 3.x
ii python3-pkg-resources 33.1.1-1 all Package Discovery and Resource Access using pkg_resources
ii python3-pyasn1 0.1.9-2 all ASN.1 library for Python (Python 3 module)
ii python3-pycurl 7.43.0-2 amd64 Python bindings to libcurl (Python 3)
ii python3-pysimplesoap 1.16-2 all simple and lightweight SOAP Library (Python 3)
ii python3-pyudev 0.21.0-1 all Python3 bindings for libudev
ii python3-reportbug 7.1.7+deb9u1 all Python modules for interacting with bug tracking systems
ii python3-requests 2.12.4-1 all elegant and simple HTTP library for Python3, built for human beings
ii python3-rfc3339 1.0-4 all parser and generator of RFC 3339-compliant timestamps (Python 3)
ii python3-setuptools 33.1.1-1 all Python3 Distutils Enhancements
ii python3-six 1.10.0-3 all Python 2 and 3 compatibility library (Python 3 interface)
ii python3-tz 2016.7-0.3 all Python3 version of the Olson timezone database
ii python3-urllib3 1.19.1-1 all HTTP library with thread-safe connection pooling for Python3
ii python3-zope.component 4.3.0-1 all Zope Component Architecture
ii python3-zope.event 4.2.0-1 all Very basic event publishing system
ii python3-zope.hookable 4.0.4-4+b2 amd64 Hookable object support
ii python3-zope.interface 4.3.2-1 amd64 Interfaces for Python3
ii python3.5 3.5.3-1 amd64 Interactive high-level object-oriented language (version 3.5)
ii python3.5-minimal 3.5.3-1 amd64 Minimal subset of the Python language (version 3.5)

My web server is (include version):
nginx

The operating system my web server runs on is (include version):
Debian 9.4 + 4.14 backport kernel

My hosting provider, if applicable, is:
Me :wink:

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

Thanks a lot for any help with this.


#2

I can’t open home-server.famille-bocquet.fr with my browser.

So http-01 validation cannot work. A file under http://home-server.famille-bocquet.fr/.well-known/acme-challenge/xxxxxxxxxxxxxxxxxxxxxx must be globally visible.

Is it possible to use dns-01 validation?

Edit: There is a certbot-option:

./certbot-auto renew --preferred-challenges http

Use something like “dns” (I don’t use certbot, so I don’t know the exact option).


#3

Did you block port 80 at the firewall?
Did your ISP block port 80 access to your IP?


#4

Hi,

Thank you for your advice.
I've just found the reason for the error, and you were right :wink:
My port 80 was only opened to internal network, and I only left open the HTTPS port to the world.

Sorry, I should have thought of that before asking...

For my knowledge, is there a way to do the renewal through HTTPS (443)?

Have a nice day


#5

Short answer, no.

HTTP-01 validation will follow a redirect to HTTPS, but it always makes the initial request over HTTP.

Long answer, maybe, but don’t. Let’s Encrypt is phasing out TLS-SNI-01 validation, which validates using a TLS handshake on port 443, for security reasons. It may or may not be possible to use in the short term, but it will go away eventually.


#6

Thank you for the info.

I will open my HTTP port every 90 days, not a big deal :wink:


#7

You might be interested in the “hook” options provided by certbot, so you could add commands to two scripts (and tell certbot to use the scripts as a hook) to open and to close your firewall automatically when renewing.

See Renewing certificates for more info about this.
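One way to wire that up, as an added example that is not from the thread or from certbot itself: a single script serving as both hooks, invoked as `certbot renew --pre-hook "/usr/local/sbin/certbot-fw.sh pre" --post-hook "/usr/local/sbin/certbot-fw.sh post"`. The script name, path and the `IPTABLES` override are assumptions, and it assumes an iptables-based firewall; since certbot only runs the pre-hook when a certificate is actually due, port 80 stays closed the rest of the time.

```shell
#!/bin/sh
# certbot-fw.sh (hypothetical name): open TCP/80 only for an HTTP-01 renewal.
# Added example, not from the thread. Assumes an iptables-based firewall;
# IPTABLES can be pointed at a stub command for a dry run.
set -eu
IPTABLES="${IPTABLES:-iptables}"
# The comment tags the rule so it cannot be confused with a permanent one.
RULE="INPUT -p tcp --dport 80 -j ACCEPT -m comment --comment certbot-http01"

open_port80() {
    # -C reports whether the rule already exists; insert only if it does not,
    # so a retried renewal never stacks duplicate rules.
    if ! $IPTABLES -C $RULE 2>/dev/null; then
        $IPTABLES -I $RULE
    fi
}

close_port80() {
    # Delete every copy, in case an earlier run was interrupted before cleanup.
    while $IPTABLES -C $RULE 2>/dev/null; do
        $IPTABLES -D $RULE
    done
}

# Dispatch only when invoked with an argument (pre or post hook).
if [ $# -gt 0 ]; then
    case "$1" in
        pre)  open_port80 ;;
        post) close_port80 ;;
        *)    echo "usage: $0 pre|post" >&2; exit 2 ;;
    esac
fi
```

If the renewal fails, certbot still runs the post-hook, so the port is closed again either way.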


#8

I would add a redirect http -> https and open port 80 permanently.

If all users are only internal: Someone might install a new browser, doesn't want to type "https" - and doesn't find your domain. All that - no problem with a public redirect.


#9

That's what I would usually do, but the only internal and external user is me :wink: This is a home NAS.

Thx for your advice.


#10

@Osiris : I will have a look at it. Seems interesting…

