Debian 9.4 + kernel backports - Cannot renew certificate

Hi,

My home server (OMV NAS) is running on debian stretch.
Certbot is v0.23

I try to renew my cert but get an error while running the command.

My domain is:
home-server.famille-bocquet.fr

I ran this command:

root@home-server:/etc/cron.d# /usr/bin/certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/FAMILLE-BOCQUET.FR.conf

Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for home-server.famille-bocquet.fr
Waiting for verification...
Challenge failed for domain home-server.famille-bocquet.fr
Cleaning up challenges
Attempting to renew cert (FAMILLE-BOCQUET.FR) from /etc/letsencrypt/renewal/FAMILLE-BOCQUET.FR.conf produced an unexpected error: Challenges failed for all domains. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/FAMILLE-BOCQUET.FR/fullchain.pem (failure)

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/FAMILLE-BOCQUET.FR/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

Here are some logs:

2018-05-31 10:07:34,620:ERROR:certbot.renewal:All renewal attempts failed. The following certs could not be renewed:
2018-05-31 10:07:34,620:ERROR:certbot.renewal:  /etc/letsencrypt/live/FAMILLE-BOCQUET.FR/fullchain.pem (failure)
2018-05-31 10:07:34,620:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.23.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1266, in main
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1179, in renew
    renewal.handle_renewal_request(config)
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 443, in handle_renewal_request
    len(renew_failures), len(parse_failures)))
certbot.errors.Error: 1 renew failure(s), 0 parse failure(s)

Python packages installed :slight_smile:

root@home-server:~# dpkg -l | grep python


My web server is (include version):
nginx

The operating system my web server runs on is (include version):
Debian 9.4 + 4.14 backport kernel

My hosting provider, if applicable, is:
Me :wink:

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

Thanks a lot for any help with this.

I can't open home-server.famille-bocquet.fr with my browser.

So http-01 validation cannot work. A file under http://home-server.famille-bocquet.fr/.well-known/acme-challenge/xxxxxxxxxxxxxxxxxxxxxx must be globally visible.

Is it possible to use dns-01 - validation?

Edit: There is a certbot-option:

./certbot-auto renew --preferred-challenges http

Use something like "dns" (I don't use certbot, so I don't know the exact option).

Did you block port 80 at the firewall?
Did your ISP block port 80 access to your IP?

Hi,

Thank you for your advice.
I've just found the reason for the error, and you were right :wink:
My port 80 was only opened to internal network, and I only left open the HTTPS port to the world.

Sorry, I should have thought of that before asking…

For my knowledge, is there a way to do the renewal through HTTPS (443)?

Have a nice day

Short answer, no.

HTTP-01 validation will follow a redirect to HTTPS, but it always makes the initial request over HTTP.

Long answer, maybe, but don't. Let's Encrypt is phasing out TLS-SNI-01 validation, which validates using a TLS handshake on port 443, for security reasons. It may or may not be possible to use in the short term, but it will go away eventually.

Thank you for the info.

I will open my HTTP port every 90 days, not a big deal :wink:

You might be interested in the "hook" options provided by certbot, so you could add commands to two scripts (and tell certbot to use the scripts as a hook) to open and to close your firewall automatically when renewing.

See Renewing certificates for more info about this.
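An added example of the hook approach described above (not code from this thread or from certbot itself): one POSIX sh script that a certbot pre-hook calls to open TCP/80 and the post-hook calls to close it again, so port 80 is exposed only for the minutes a renewal takes. It assumes an iptables host firewall whose INPUT chain drops by default; the install path and the ACME_IPTABLES variable are this example's own names.

```shell
#!/bin/sh
# Constructed example: open TCP/80 only while certbot runs the http-01 check.
# Install as /usr/local/sbin/acme-port80-hook (hypothetical path) and renew with:
#   certbot renew --pre-hook  "/usr/local/sbin/acme-port80-hook pre" \
#                 --post-hook "/usr/local/sbin/acme-port80-hook post"
# This only handles the host firewall; a NAT router in front of the NAS
# still needs its own forward rule for port 80.
set -eu

# ACME_IPTABLES lets a test substitute a stub for the real binary.
ACME_IPTABLES="${ACME_IPTABLES:-iptables}"
# The comment match tags the rule so it can be found and removed reliably.
ACME_RULE="INPUT -p tcp --dport 80 -m comment --comment acme-http01 -j ACCEPT"

open_http() {
    # -C checks whether the rule exists, so repeated pre-hook runs
    # (e.g. several certificates in one renew) do not stack duplicates.
    # -I inserts at the top so it wins over an existing REJECT rule.
    if ! "$ACME_IPTABLES" -C $ACME_RULE 2>/dev/null; then
        "$ACME_IPTABLES" -I $ACME_RULE
    fi
}

close_http() {
    # Delete every copy: a crashed earlier run may have left one behind,
    # and leaving port 80 open is the failure mode we care about.
    while "$ACME_IPTABLES" -C $ACME_RULE 2>/dev/null; do
        "$ACME_IPTABLES" -D $ACME_RULE
    done
}

case "${1:-}" in
    pre)  open_http ;;
    post) close_http ;;
esac
```

Because the post-hook runs whether or not the renewal succeeded, the port is closed again even when the challenge fails.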

I would add a redirect http -> https and open port 80 permanently.

If all users are internal only: someone might install a new browser, doesn't want to type "https" - and doesn't find your domain. All that - no problem with a public redirect.

That's what I will usually do, but the only internal and external user is me :wink: This is a home NAS.

Thx for your advice.

@Osiris : I will have a look at it. Seems interesting…

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.