Error 400 renewing expired certificate

ddesna · December 3, 2019, 7:44pm

I ran this command:
lego --tls --email="my@email.com" --domains="monoviajero.com" --domains="www.monoviajero.com" --path="/opt/bitnami/letsencrypt" renew

It produced this output:

2019/12/02 20:37:36 [INFO] [monoviajero.com] acme: Trying renewal with -48 hours remaining
        2019/12/02 20:37:36 [INFO] [monoviajero.com, www.monoviajero.com] acme: Obtaining bundled SAN certificate
        2019/12/02 20:37:37 [INFO] [monoviajero.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/1517197274
        2019/12/02 20:37:37 [INFO] [www.monoviajero.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/1517197275
        2019/12/02 20:37:37 [INFO] [monoviajero.com] acme: use tls-alpn-01 solver
        2019/12/02 20:37:37 [INFO] [www.monoviajero.com] acme: use tls-alpn-01 solver
        2019/12/02 20:37:37 [INFO] [monoviajero.com] acme: Trying to solve TLS-ALPN-01
        2019/12/02 20:37:43 [INFO] [www.monoviajero.com] acme: Trying to solve TLS-ALPN-01
        2019/12/02 20:37:50 [INFO] Unable to deactivate the authorization: https://acme-v02.api.letsencrypt.org/acme/authz-v3/1517197274
        2019/12/02 20:37:50 [INFO] Unable to deactivate the authorization: https://acme-v02.api.letsencrypt.org/acme/authz-v3/1517197275
        2019/12/02 20:37:50 acme: Error -> One or more domains had a problem:
        [monoviajero.com] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Error getting validation data, url:
        [www.monoviajero.com] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Error getting validation data, url:

My web server is (include version):
Apache

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

From provided links I can see the following errors:

{
          "type": "tls-alpn-01",
          "status": "invalid",
          "error": {
            "type": "urn:ietf:params:acme:error:connection",
            "detail": "Error getting validation data",
            "status": 400
},

      "type": "tls-alpn-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:tls",
        "detail": "remote error: tls: internal error",
        "status": 400,

_az · December 3, 2019, 8:15pm

If you wish to renew using TLS-ALPN, you would need to first stop your Apache webserver.

This is because both Apache and Lego’s TLS-ALPN server require exclusive use of port 443 during the renewal process.

Have you been doing that?

ddesna · December 3, 2019, 8:18pm

Yes, I stop Apache server before.

_az · December 3, 2019, 8:31pm

The error from Let’s Encrypt is a bit vague and unhelpful, but I think I’ve identified the cause.

When accessing your domain over its IPv6 address and port 443, it doesn’t seem to go to your Apache server (or when Apache isn’t running, Lego).

Take for instance:

$ curl -X GET -I -6 https://monoviajero.com
curl: (35) error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error

Doesn’t seem to talk SSL. Maybe it’s misconfigured and talking normal HTTP?

$ curl -X GET -I -6 http://monoviajero.com:443
HTTP/1.1 400 Bad Request
Server: nginx
Date: Tue, 03 Dec 2019 20:26:45 GMT
Content-Type: text/html
Content-Length: 248
Connection: close

It seems to be an nginx server!

Could you check that 2001:8d8:100f:f000::238 is the correct IPv6 address for your domain?

Even weirder, port 80 on that same IPv6 address is Apache:

$ curl -X GET -I -6 http://monoviajero.com
HTTP/1.1 403 Forbidden
Content-Type: text/html
Content-Length: 1364
Connection: keep-alive
Keep-Alive: timeout=15
Date: Tue, 03 Dec 2019 20:27:59 GMT
Server: Apache
X-Frame-Options: deny

ddesna · December 3, 2019, 9:24pm

I’m using AWS EC2 and I’m not sure if IPv6 is assigned. Anyway 2001:8d8:100f:f000::238 seems to be correct address.
Regarding Nginx response maybe your request was made just when lego is running because in my case the same requests obtain the following results (when Apache & Wordpress is running):

$ curl -X GET -I -6 http://monoviajero.com:443
HTTP/1.1 400 Bad Request
Date: Tue, 03 Dec 2019 21:10:18 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
Content-Length: 362
Connection: close
Content-Type: text/html; charset=iso-8859-1

$ curl -X GET -I -6 http://monoviajero.com
HTTP/1.1 301 Moved Permanently
Date: Tue, 03 Dec 2019 21:10:48 GMT
Server: Apache
X-Powered-By: PHP/7.0.26
X-Redirect-By: WordPress
X-Frame-Options: SAMEORIGIN
Location: https://www.monoviajero.com/
Content-Length: 0
Content-Type: text/html; charset=UTF-8

Any idea or some workaround ? I’m ok to revoke current certificate and generate new one but revoking also throws error:

$ sudo /opt/bitnami/letsencrypt/lego --tls --email="example@mail.com" --domains="monoviajero.com" --domains="www.monoviajero.com" --path="/opt/bitnami/letsencrypt" revoke
2019/12/03 21:20:23 Trying to revoke certificate for domain monoviajero.com
2019/12/03 21:20:23 Error while revoking the certificate for domain monoviajero.com
	acme: error: 403 :: POST :: https://acme-v02.api.letsencrypt.org/acme/revoke-cert :: urn:ietf:params:acme:error:unauthorized :: Certificate is expired, url:

Creating new certificate with new email also throws same error:

$ sudo /opt/bitnami/letsencrypt/lego --tls --email="new@email.com" --domains="monoviajero.com" --domains="www.monoviajero.com" --path="/opt/bitnami/letsencrypt" run
2019/12/03 21:22:28 [INFO] [monoviajero.com, www.monoviajero.com] acme: Obtaining bundled SAN certificate
2019/12/03 21:22:28 [INFO] [monoviajero.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/1533701636
2019/12/03 21:22:28 [INFO] [www.monoviajero.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/1533701637
2019/12/03 21:22:28 [INFO] [monoviajero.com] acme: use tls-alpn-01 solver
2019/12/03 21:22:28 [INFO] [www.monoviajero.com] acme: use tls-alpn-01 solver
2019/12/03 21:22:28 [INFO] [monoviajero.com] acme: Trying to solve TLS-ALPN-01
2019/12/03 21:22:34 [INFO] [www.monoviajero.com] acme: Trying to solve TLS-ALPN-01
2019/12/03 21:22:41 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/1533701636
2019/12/03 21:22:41 [INFO] Unable to deactivate the authorization: https://acme-v02.api.letsencrypt.org/acme/authz-v3/1533701636
2019/12/03 21:22:41 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/1533701637
2019/12/03 21:22:41 [INFO] Unable to deactivate the authorization: https://acme-v02.api.letsencrypt.org/acme/authz-v3/1533701637
2019/12/03 21:22:41 Could not obtain certificates:
	acme: Error -> One or more domains had a problem:
[monoviajero.com] acme: error: 400 :: urn:ietf:params:acme:error:tls :: remote error: tls: internal error, url:
[www.monoviajero.com] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Error getting validation data, url:

Thanks

_az · December 3, 2019, 10:05pm

I still see nginx on IPv6 port 443. I’ve tested from multiple locations.

That IPv6 address is owned by 1&1, not EC2. Are you really sure it’s correct?

Even the port 80 response is not correct:

$ curl -X GET -I -6 http://monoviajero.com
HTTP/1.1 403 Forbidden
Content-Type: text/html
Content-Length: 1364
Connection: keep-alive
Keep-Alive: timeout=15
Date: Tue, 03 Dec 2019 21:40:08 GMT
Server: Apache
X-Frame-Options: deny


$ curl -X GET -I -4 http://monoviajero.com
HTTP/1.1 301 Moved Permanently
Date: Tue, 03 Dec 2019 21:40:12 GMT
Server: Apache
X-Powered-By: PHP/7.0.26
X-Redirect-By: WordPress
X-Frame-Options: SAMEORIGIN
Location: https://www.monoviajero.com/
Content-Length: 0
Content-Type: text/html; charset=UTF-8

ddesna · December 3, 2019, 9:42pm

You have a right ! I just see here the following warning:

Fatal: Check of /.well-known/acme-challenge/random-filename has different answers checking ipv6 / ipv4. 
Ipv6 doesn't have the expected result http status 404 - Not Found. Creating a Letsencrypt certificate via http-01 validation may not work. 
Checking the validation file in /.well-known/acme-challenge Letsencrypt prefers ipv6. Two options: Remove your ipv6 / AAAA DNS entry or (better) fix your ipv6, so your webserver handles ipv6 correct. 
Perhaps add "Listen [::]:80". Don't use <VirtualHost ip-address:80>, switch to <VirtualHost *:80>. If you use IIS, check your bindings. 
Don't select a single ip address. Use this tool to check your raw ipv6 address. Add your domain name in the "Hostname" - field. Trouble creating a certificate? Use https://community.letsencrypt.org/ to ask.

Now I have removed AAAA record from DNS (managed by 1&1) and will try to renew certificate again.

ddesna · December 3, 2019, 10:05pm

You made my day !!! Finally the problem was with bad IPv6 AAAA record. Just after removing AAAA records from DNS, certificate renews without any problem.
As shown in warning that I posted before, LetsEncrypt prefers IPv6 instead IPv4.

Thanks a lot for your help !!!

system · January 2, 2020, 9:58pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.