Error message - renewing Lets Encrypt via Terminal

Thanks rg305.

Permission denied trying to access /var/log/letsencrypt/letsencrypt.log

Any other ideas please?

Waiting for verification…
Cleaning up challenges
Unable to clean up challenge directory /var/www/html/.well-known/acme-challenge
Attempting to renew cert (www.twintec.com) from /etc/letsencrypt/renewal/www.twintec.com.conf produced an unexpected error: Failed authorization procedure. sample.twintec.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching https://sample.twintec.com/.well-known/acme-challenge/K2GYYHamDNAF9ZDnXQX2cjEmEqGycLAVu6Wf62N3QK4: Error getting validation data. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/www.twintec.com/fullchain.pem (failure)

IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: sample.twintec.com
Type: connection
Detail: Fetching
https://sample.twintec.com/.well-known/acme-challenge/K2GYYHamDNAF9ZDnXQX2cjEmEqGycLAVu6Wf62N3QK4:
Error getting validation data

Where did you get that message?

To identify this problem, please show the output of the command sudo certbot certificates.

Ah, here we go:

2018-05-08 08:50:13,152:DEBUG:certbot.storage:Should renew, less than 30 days before certificate expiry 2018-05-22 09:23:53 UTC.
2018-05-08 08:50:13,152:INFO:certbot.renewal:Cert is due for renewal, auto-renewing…
2018-05-08 08:50:13,152:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2018-05-08 08:50:13,153:DEBUG:certbot.plugins.selection:Single candidate plugin: * webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot.plugins.webroot:Authenticator
Initialized: <certbot.plugins.webroot.Authenticator object at 0x7f732058e050>
Prep: True
2018-05-08 08:50:13,153:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.webroot.Authenticator object at 0x7f732058e050> and installer None
2018-05-08 08:50:13,153:INFO:certbot.plugins.selection:Plugins selected: Authenticator webroot, Installer None
2018-05-08 08:50:13,156:DEBUG:certbot.main:Picked account: <Account(RegistrationResource(body=Registration(status=None, contact=(u'mailto:aaron+twintec@impression.co.uk',), agreement=u'https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf', key=JWKRSA(key=<ComparableRSAKey(<cryptography.hazmat.backends.openssl.rsa.RSAPublicKey object at 0x7f732537c990>)>)), uri=u'https://acme-v01.api.letsencrypt.org/acme/reg/15503936', new_authzr_uri=u'https://acme-v01.api.letsencrypt.org/acme/new-authz', terms_of_service=u'https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf'), d8c51f04178196414fad759ff6ef2140, Meta(creation_host=u'ip-172-31-19-55.eu-west-1.compute.internal', creation_dt=datetime.datetime(2017, 5, 24, 23, 19, 43, tzinfo=)))>
2018-05-08 08:50:13,156:DEBUG:acme.client:Sending GET request to https://acme-v01.api.letsencrypt.org/directory.
2018-05-08 08:50:13,173:DEBUG:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2018-05-08 08:50:13,479:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 658
2018-05-08 08:50:13,480:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 658
Replay-Nonce: Q2T4bkEG8EpIxNhkyQJD0p6mEXwv0awH4cUa4jDs3_Q
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Tue, 08 May 2018 08:50:13 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 08 May 2018 08:50:13 GMT
Connection: keep-alive

{
  "aP-qAGWzlas": "Adding random entries to the directory",
  "key-change": "https://acme-v01.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "terms-of-service": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
  },
  "new-authz": "https://acme-v01.api.letsencrypt.org/acme/new-authz",
  "new-cert": "https://acme-v01.api.letsencrypt.org/acme/new-cert",
  "new-reg": "https://acme-v01.api.letsencrypt.org/acme/new-reg",
  "revoke-cert": "https://acme-v01.api.letsencrypt.org/acme/revoke-cert"
}
2018-05-08 08:50:13,481:INFO:certbot.main:Renewing an existing certificate
2018-05-08 08:50:13,482:DEBUG:acme.client:Requesting fresh nonce
2018-05-08 08:50:13,482:DEBUG:acme.client:Sending HEAD request to https://acme-v01.api.letsencrypt.org/acme/new-authz.
2018-05-08 08:50:13,674:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 "HEAD /acme/new-authz HTTP/1.1" 405 0
2018-05-08 08:50:13,674:DEBUG:acme.client:Received response:
HTTP 405
Server: nginx
Content-Type: application/problem+json
Content-Length: 91
Allow: POST
Replay-Nonce: 4UYyNbKrlj4LeQxG2sN-MeCP0SqWwYU2Afu6EqnUCzI
Expires: Tue, 08 May 2018 08:50:13 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 08 May 2018 08:50:13 GMT
Connection: keep-alive

Found the following certs:
  Certificate Name: www.twintec.com
    Domains: www.twintec.com acolinesofteners.co.uk aquasoft.twintec.com banburywatersofteners.co.uk basingstokewatersofteners.co.uk bathandwestwatersofteners.co.uk humberwatersofteners.co.uk humberwatersofteners.com londonwater.net meridian.twintec.com meridianwatersofteners.co.uk misterwatersoftener.co.uk morrisforwatersofteners-twintec.co.uk morrissofteners.co.uk northeastwatersofteners.co.uk northern.twintec.com patmoresofteners.co.uk patmoresofteners.com patmorewatersofteners.co.uk patmorewatersofteners.com ramsden.twintec.com sample.twintec.com sapphirewatersofteners.com sites.twintec.com southernsoftflow.co.uk thamesvalleysofteners.co.uk twintec.com twintecsouthcoast.co.uk twintecsoutheast.co.uk watersoftenersuk.com wealdwatersofteners.co.uk westcountrywatersofteners.co.uk www.acolinesofteners.co.uk www.aquasafe.twintec.com www.banburywatersofteners.co.uk www.basingstokewatersofteners.co.uk www.bathandwestwatersofteners.co.uk www.humberwatersofteners.co.uk www.humberwatersofteners.com www.londonwater.net www.meridianwatersofteners.co.uk www.misterwatersoftener.co.uk www.morrisforwatersofteners-twintec.co.uk www.morrissofteners.co.uk www.northeastwatersofteners.co.uk www.patmoresofteners.co.uk www.patmoresofteners.com www.patmorewatersofteners.co.uk www.patmorewatersofteners.com www.sapphirewatersofteners.com www.softflowsofteners.co.uk www.southernsoftflow.co.uk www.thamesvalleysofteners.co.uk www.twintecsouthcoast.co.uk www.twintecsoutheast.co.uk www.watersoftenersuk.com www.wealdwatersofteners.co.uk www.westcountrywatersofteners.co.uk
    Expiry Date: 2018-05-22 09:23:53+00:00 (VALID: 14 days)
    Certificate Path: /etc/letsencrypt/live/www.twintec.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.twintec.com/privkey.pem

Name: sample.twintec.com
Addresses: 2400:cb00:2048:1::681b:a65f
2400:cb00:2048:1::681b:a75f
104.27.166.95
104.27.167.95

Name: twintec.com
Address: 34.251.208.22

So, you created one certificate for many domain names (including sample.twintec.com). On renewal, the whole set of domain names must be authorized. If only one domain cannot be authorized, the certificate cannot be renewed.

I would recommend splitting this up; there is almost no reason to combine so many domains in one certificate.

In all honesty I have no idea why it has been set up in the way that it has (I’ve inherited the problem).

Given my lack of experience with both CLI and Let’s Encrypt, what do you suggest the easiest way would be to get these certifications renewed? I’m conscious they expire very soon.

Edit - Business-wise, they are all sub-domains of one parent entity, and they all share the same server.

Thanks

Does this make any difference?

Name: sample.twintec.com
Addresses: 2400:cb00:2048:1::681b:a65f
2400:cb00:2048:1::681b:a75f
104.27.166.95
104.27.167.95

Name: twintec.com
Address: 34.251.208.22

Name: sites.twintec.com
Address: 34.251.208.22
Aliases: ramsden.twintec.com

I have a theory - the IP above (34.251.208.22) works, whilst hitting sites.twintec.com does not.

Could this boil down to a DNS issue, i.e. the IP > site mapping? I am aware somebody was changing DNS not too long ago, which caused other issues.

Thanks

Sorry - make a difference where?

In that you can't validate the sample.twintec.com site
May be due to the alternate IP (path).

OK I understand - where is it getting the “sample.twintec.com” from?

I can see it’s an old test site (sits on WP) and can just get rid of it, assuming that would fix the issue.

Thanks

From here ..........:

And is that held in some form of configuration file somewhere, which I can amend?

  • To exclude the sample.twintec

There is a not well-known parameter to renew and exclude any failing names thus reducing the list…
Trying to find that info now…

thanks so much - I appreciate your help here.

from: https://certbot.eff.org/docs/using.html

--allow-subset-of-names tells Certbot to continue with certificate generation if only some of the specified domain authorizations can be obtained. This may be useful if some domains specified in a certificate no longer point at this system.

But you have to be very careful with that parameter, as it will permanently remove any names that fail from the list.
So make a copy of the current list of names before you use it.
Then compare the list after it renews. Run
certbot certificates
before and after each use.
DO NOT INCLUDE THAT PARAMETER IN ANY SCRIPT - that's just asking for trouble!
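The "back up the name list, renew, then compare" procedure above, together with the earlier point that one unauthorizable name blocks renewal of the whole multi-name certificate, can be automated. The following is an added example written for this thread; it is not the poster's script and not part of certbot. It parses the human-readable output of `certbot certificates` (the format shown earlier in the thread), reports which names a certificate lost between two snapshots, and runs a pre-flight check that flags names whose DNS records do not point at the renewing server, which is exactly the situation that makes http-01 fail. The snapshot texts, the `fake_resolver` and the server address are constructed sample data; the function names are my own.

```python
"""Added example: snapshot, diff and pre-flight check for multi-name certbot
certificates. Not from the thread or the certbot project."""
import socket
import subprocess
from dataclasses import dataclass, field


@dataclass
class CertInfo:
    name: str
    domains: set = field(default_factory=set)
    expiry: str = ""
    path: str = ""


def parse_certbot_certificates(text: str) -> dict:
    """Parse `certbot certificates` output into {certificate name: CertInfo}.
    Only the labelled lines are read, so banner lines are ignored."""
    certs = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Certificate Name:"):
            current = CertInfo(name=line.split(":", 1)[1].strip())
            certs[current.name] = current
        elif current is None:
            continue
        elif line.startswith("Domains:"):
            current.domains = set(line.split(":", 1)[1].split())
        elif line.startswith("Expiry Date:"):
            current.expiry = line.split(":", 1)[1].strip()
        elif line.startswith("Certificate Path:"):
            current.path = line.split(":", 1)[1].strip()
    return certs


def dropped_names(before: dict, after: dict) -> dict:
    """{cert name: sorted names present before but missing after}.
    This is what --allow-subset-of-names silently removes; a certificate
    that vanished entirely is reported with all of its names."""
    result = {}
    for name, info in before.items():
        kept = after[name].domains if name in after else set()
        missing = sorted(info.domains - kept)
        if missing:
            result[name] = missing
    return result


def resolve_all(host: str) -> set:
    """Default resolver: every A/AAAA address the system resolver returns."""
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(host, 443)}
    except socket.gaierror:
        return set()


def names_not_pointing_here(domains, server_ips, resolve=resolve_all) -> dict:
    """Names whose addresses share nothing with this server's addresses.
    Such names cannot pass http-01 from this host, and one of them is
    enough to block renewal of the whole certificate."""
    bad = {}
    for d in sorted(domains):
        addrs = resolve(d)
        if not addrs & set(server_ips):
            bad[d] = sorted(addrs)
    return bad


def snapshot_live() -> dict:
    """Run `certbot certificates` on this host (needs root) and parse it."""
    proc = subprocess.run(["certbot", "certificates"], capture_output=True,
                          text=True, check=True)
    return parse_certbot_certificates(proc.stdout)


# Constructed snapshots, modelled on the format seen in the thread.
SAMPLE_BEFORE = """Found the following certs:
  Certificate Name: www.twintec.com
    Domains: www.twintec.com twintec.com sites.twintec.com sample.twintec.com
    Expiry Date: 2018-05-22 09:23:53+00:00 (VALID: 14 days)
    Certificate Path: /etc/letsencrypt/live/www.twintec.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.twintec.com/privkey.pem
"""
SAMPLE_AFTER = """Found the following certs:
  Certificate Name: www.twintec.com
    Domains: www.twintec.com twintec.com sites.twintec.com
    Expiry Date: 2018-08-06 09:00:00+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/www.twintec.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.twintec.com/privkey.pem
"""
SERVER_IPS = {"34.251.208.22"}  # constructed: the renewing host's address


def fake_resolver(host: str) -> set:
    """Constructed offline resolver standing in for DNS."""
    if host == "sample.twintec.com":
        return {"104.27.166.95", "104.27.167.95"}
    return {"34.251.208.22"}


if __name__ == "__main__":
    before = parse_certbot_certificates(SAMPLE_BEFORE)
    after = parse_certbot_certificates(SAMPLE_AFTER)
    for cert, names in dropped_names(before, after).items():
        print(f"{cert}: names dropped by renewal: {', '.join(names)}")
    stray = names_not_pointing_here(before["www.twintec.com"].domains,
                                    SERVER_IPS, resolve=fake_resolver)
    print("names not pointing at this server:", stray)
```

On a real host, save `certbot certificates` output to a file before renewing, run the renewal by hand, then feed the old file and a fresh `snapshot_live()` into `dropped_names`; anything it lists has left the certificate. Running `names_not_pointing_here` with the default resolver before renewing tells you in advance which names would need to be fixed in DNS or removed from the certificate.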

OK, the list is in the thread above. So should be fine on that front.

Will give this a go now.

I am questioning this now, after just running another certbot renew command.

Following output:

Processing /etc/letsencrypt/renewal/www.twintec.com.conf

Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Attempting to renew cert (www.twintec.com) from /etc/letsencrypt/renewal/www.twintec.com.conf produced an unexpected error: (4, 'Interrupted system call'). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/www.twintec.com/fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/www.twintec.com/fullchain.pem (failure)

Doesn't this suggest a bigger problem than the sample.twintec.com standalone?