Error on sudo certbot renew --dry-run

Hi,

I got mail today that my LetsEncrypt SSL will expire in 19 days.

When I installed Let's Encrypt using https://certbot.eff.org/lets-encrypt/ubuntubionic-nginx I ran “sudo certbot renew --dry-run” and it was okay. After today's mail I ran it again and I get an error.

I checked all the ports and found out that my firewall already allows both inbound and outbound for ports 80, 443 and 53.

Any idea why I am getting this error?

sudo certbot renew --dry-run
[sudo] password for ************: 
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/cep.*********************.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for cep.*********************.com
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (cep.*********************.com) from /etc/letsencrypt/renewal/cep.*********************.com.conf produced an unexpected error: Failed authorization procedure. cep.*********************.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://cep.*********************.com/.well-known/acme-challenge/vlRDmDbo5x9tnVkw-Xb3kwwNO9GbHuJjDrDS2vrbzn0: Connection reset by peer. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/cep.*********************.com/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/cep.*********************.com/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: cep.*********************.com
   Type:   connection
   Detail: Fetching
   http://cep.*********************.com/.well-known/acme-challenge/vlRDmDbo5x9tnVkw-Xb3kwwNO9GbHuJjDrDS2vrbzn0:
   Connection reset by peer

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

Hi,

First of all, please run sudo certbot certificates and share the output with us.
Please also share your domain name with us. There’s a low possibility for us to help you without knowing anything about your server. (Since you also didn’t complete the form)

Thank you

Thanks @stevenzhu, below is the result of ‘sudo certbot certificates’ and the domain is https://cep.***************.com

sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: cep.***************.com
Domains: cep.***************.com
Expiry Date: 2020-03-22 12:48:21+00:00 (VALID: 19 days)
Certificate Path: /etc/letsencrypt/live/cep.***************.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/cep.***************.com/privkey.pem


Hi,

It seems like there’s some issue with your http virtualhost.
Can you check if that virtualhost was configured correctly?

P.S. Your https host works fine.

Thank you

I am using nginx and didn't use any virtual host. So where do I have to check the configuration?

My conf.d/default.conf

add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";

server {
    charset UTF-8;
    listen      80;
    listen [::]:80;
    server_name  cep.***************.com;

    # HTTP REDIRECT
    location / {
	return 301 https://cep.***************.com$request_uri;
    }

}


server {
    charset UTF-8;
    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl http2; # managed by Certbot

    server_name  cep.***************.com;
    root /var/www/html/;

    # SSL
    ssl_certificate /etc/letsencrypt/live/cep.***************.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/cep.***************.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    # LOGGING
    access_log  /var/log/nginx/host.access.log  main;
    error_log  /var/log/nginx/host.error.log  warn;

    # index.html fallback
    location / {
	try_files $uri $uri/ /index.html;
    }

    # reverse proxy 
    location /admin1 {
        proxy_http_version	1.1;
	proxy_cache_bypass	$http_upgrade;
	proxy_set_header Upgrade	$http_upgrade;
	proxy_set_header Connection 	"upgrade";
	proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host $http_host;
        proxy_pass "http://***************:1234";
        proxy_next_upstream error timeout http_500 http_502 http_503 http_504 http_404;
        proxy_intercept_errors on;
    }

    # redirect error pages to the static page
    error_page 401 402 403 404 405 index.html;
    location = /index.htm {
        root /usr/share/nginx/html;
        internal;
    }


    # redirect server error pages to the static page
    error_page 500 502 503 504 index.html;
    location = /50x.html {
        root /usr/share/nginx/html;
        internal;
    }

    # Deny access to hidden files (beginning with a period)
    location ~ /\. {
         deny all;
    }

    if ($request_method !~ ^(GET|HEAD|POST)$ )
    {
         return 404;
    }

}

MY Nginx.conf

#user nginx;
worker_processes 5;

error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;


events {
	worker_connections 1024;
}


http {
	include /etc/nginx/mime.types;
	default_type application/octet-stream;

        log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                        '$status $body_bytes_sent "$http_referer" '
                        '"$http_user_agent" "$http_x_forwarded_for"';

	access_log /var/log/nginx/access.log main;
      
        sendfile on;
#       tcp_nopush on;

        keepalive_timeout 65;

#	gzip on;
        server_tokens off;
        add_header X-Frame-Options "SAMEORIGIN";
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";

	include /etc/nginx/conf.d/*.conf;
}

This is the problem.

so what should I do?

Remove those lines, then service nginx configtest and if it says OK, service nginx reload

ok will try that and reload nginx

I did but I got same error

Attempting to renew cert (cep.***************.com) from /etc/letsencrypt/renewal/cep.***************.com.conf produced an unexpected error: Failed authorization procedure. cep.***************i.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: During secondary validation: Fetching http://cep.***************.com/.well-known/acme-challenge/W8mZnUe-RGvVQBpllM-9q_QLn4w0g0zQpxChnXS9u0U: Connection reset by peer. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/cep.***************.com/fullchain.pem (failure)

Hi @NTMS2017

Looks like you block too many IP addresses.

Let's Encrypt has a new multi-perspective validation.

The error says: the Let's Encrypt data center is able to connect to your domain. The other servers can't connect to your domain.

Check your firewall configuration and don't block IP addresses.

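As an added example (not from this thread or from certbot itself), a small Python classifier for the failure line certbot prints, which separates the plain connection error from the “During secondary validation” variant that the reply above describes; the sample lines, the domain and the tokens are constructed placeholders.

```python
import re

# Matches the 'Failed authorization procedure' line certbot prints on a renewal
# failure, as quoted in this thread; 'kind' is the last part of the ACME error URN.
ACME_ERROR_RE = re.compile(
    r"Failed authorization procedure\. (?P<domain>\S+) \((?P<challenge>[\w-]+)\): "
    r"urn:ietf:params:acme:error:(?P<kind>\w+) :: (?P<detail>.*?) Skipping\.$"
)

# Constructed samples modelled on the two failures quoted above (placeholder domain
# and tokens); the second carries the 'During secondary validation' marker.
SAMPLES = [
    "Attempting to renew cert (cep.example.invalid) from /etc/letsencrypt/renewal/"
    "cep.example.invalid.conf produced an unexpected error: Failed authorization "
    "procedure. cep.example.invalid (http-01): urn:ietf:params:acme:error:connection"
    " :: The server could not connect to the client to verify the domain :: Fetching"
    " http://cep.example.invalid/.well-known/acme-challenge/TOKEN1: Connection reset"
    " by peer. Skipping.",
    "Attempting to renew cert (cep.example.invalid) from /etc/letsencrypt/renewal/"
    "cep.example.invalid.conf produced an unexpected error: Failed authorization "
    "procedure. cep.example.invalid (http-01): urn:ietf:params:acme:error:connection"
    " :: The server could not connect to the client to verify the domain :: During"
    " secondary validation: Fetching http://cep.example.invalid/.well-known/"
    "acme-challenge/TOKEN2: Connection reset by peer. Skipping.",
    "Cert is due for renewal, auto-renewing...",  # not a failure line, skipped
]


def classify(line):
    """Describe one failure line, or return None for lines that are not failures."""
    m = ACME_ERROR_RE.search(line)
    if not m:
        return None
    # 'During secondary validation' means the primary vantage point succeeded and
    # only the remote perspectives failed, so the usual DNS/port checks pass.
    secondary = "During secondary validation:" in m["detail"]
    if m["kind"] == "connection" and secondary:
        hint = "remote vantage points blocked: look for source-IP-based blocking"
    elif m["kind"] == "connection":
        hint = "nothing could connect: check DNS A/AAAA records and port 80 reachability"
    else:
        hint = "see the ACME error detail"
    return {"domain": m["domain"], "challenge": m["challenge"], "error": m["kind"],
            "secondary_validation": secondary, "hint": hint}


def classify_all(lines):
    """Classify every failure line in a certbot transcript, skipping the rest."""
    return [r for r in map(classify, lines) if r is not None]
```

Feed it the lines of /var/log/letsencrypt/letsencrypt.log or the pasted renew output; only the failure lines come back, each with a flag telling you whether the primary validation already succeeded.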

These are my firewall settings:

 sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
80,443/tcp (Nginx Full)    ALLOW IN    Anywhere                  
80/tcp (Nginx HTTP)        ALLOW IN    Anywhere                  
443/tcp (Nginx HTTPS)      ALLOW IN    Anywhere                  
53/tcp                     ALLOW IN    Anywhere                  
53/udp                     ALLOW IN    Anywhere                  
80,443/tcp (Nginx Full (v6)) ALLOW IN    Anywhere (v6)             
80/tcp (Nginx HTTP (v6))   ALLOW IN    Anywhere (v6)             
443/tcp (Nginx HTTPS (v6)) ALLOW IN    Anywhere (v6)             
53/tcp (v6)                ALLOW IN    Anywhere (v6)             
53/udp (v6)                ALLOW IN    Anywhere (v6)

You have to find that blocking instance.

When I open “http://cep.************.com/.well-known/acme-challenge/W8mZnUe-RGvVQBpllM-9q_QLn4w0g0zQpxChnXS9u0U” on my laptop, Safari says:

Safari can’t open page because the server unexpectedly dropped the connection.

In my nginx config I redirect everything to https. Can this be a problem? If so how to test “http://cep.************.com/.well-known/acme-challenge/W8mZnUe-RGvVQBpllM-9q_QLn4w0g0zQpxChnXS9u0U” ?

Can anyone tell me where this file is in Ubuntu?

.well-known/acme-challenge/

I might not have this file and I am not sure

Also in my nginx config I have only this cep.***************.com. But on Stack Overflow it says I have to put www. as well. Is that the problem that I am having?

server {
    charset UTF-8;
    listen      80;
    listen [::]:80;
    server_name  cep.***************.com;

I found the answer! My first server in my nginx.conf only went to the site without "www." in front of it; adding "www." as a server name as well solved the issue.

I found my certbot version is 0.31.0 but no auto version. I also ran sudo find /etc/letsencrypt/live/ -type l, which shows the certificate. But when I run sudo tail -f /var/log/letsencrypt/letsencrypt.log I have an error on line 477.

Any idea, or should I open a new question?

niyazi@niyazi-virtual-machine:~$ certbot --version
**certbot 0.31.0**
niyazi@niyazi-virtual-machine:~$ certbot-auto --version
**certbot-auto: command not found**
niyazi@niyazi-virtual-machine:~$ 


niyazi@niyazi-virtual-machine:~$ **sudo tail -f  /var/log/letsencrypt/letsencrypt.log**
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.31.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1365, in main
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1272, in renew
    renewal.handle_renewal_request(config)
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 477, in handle_renewal_request
    len(renew_failures), len(parse_failures)))
certbot.errors.Error: 1 renew failure(s), 0 parse failure(s)


niyazi@niyazi-virtual-machine:~$ **sudo find /etc/letsencrypt/live/ -type l**
/etc/letsencrypt/live/cep.niyazibankasi.com/fullchain.pem
/etc/letsencrypt/live/cep.niyazibankasi.com/chain.pem
/etc/letsencrypt/live/cep.niyazibankasi.com/privkey.pem
/etc/letsencrypt/live/cep.niyazibankasi.com/cert.pem
niyazi@niyazi-virtual-machine:~$

On this site https://www.tmn.io/posts/lets-encrypt-with-nginx-auto-renewal it's talking about adding

# letsencrypt acme challenge for domain verification
location '/.well-known/acme-challenge/' {
     root /usr/local/etc/nginx/letsencrypt;
}

to the nginx config. I am using Ubuntu 18.04. Where is the /.well-known/acme-challenge/?