Expired certification


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: portal.dhc.nz

I ran this command: ./letsencrypt-auto renew

It produced this output: Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for portal.dhc.nz
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (portal.dhc.nz) from /etc/letsencrypt/renewal/portal.dhc.nz.conf produced an unexpected error: Incomplete authorizations. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/portal.dhc.nz/fullchain.pem (failure)

My web server is (include version): nginx

The operating system my web server runs on is (include version): ubuntu 16.04

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no


#2

Huh. Never seen that one before.

Some information says this can happen if “Certbot times out polling authorizations”.

Can you post the /var/log/letsencrypt/letsencrypt.log file from when this happened?

What happens if you run ./letsencrypt-auto renew again?

How long did it take before?


#3

Maybe it's because of TLS-SNI-01?


#4

Thanks mnordhoff for the quick reply.

Attached is the log file:

2018-04-19 00:18:33,127:WARNING:certbot.renewal:Attempting to renew cert (portal.dhc.nz) from /etc/letsencrypt/renewal/portal.dhc.nz.conf produced an unexpected error:
Failed authorization procedure. portal.dhc.nz (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 644cb13e85ef1e8dcb39da7d5d10c56f.fb7adb7031e504260558e572f8035a54.acme.invalid from 103.68.58.20:443. Received 3 certificate(s), first certificate had names "project.dhc.org.nz". Skipping.
2018-04-19 00:18:33,128:DEBUG:certbot.renewal:Traceback was:
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/renewal.py", line 422, in handle_renewal_request
    main.renew_cert(lineage_config, plugins, renewal_candidate)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 1102, in renew_cert
    _get_and_save_cert(le_client, config, lineage=lineage)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 113, in _get_and_save_cert
    renewal.renew_cert(config, domains, le_client, lineage)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/renewal.py", line 297, in renew_cert
    new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/client.py", line 294, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/client.py", line 330, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 80, in handle_authorizations
    self._respond(aauthzrs, resp, best_effort)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 153, in _respond
    self._poll_challenges(aauthzrs, chall_update, best_effort)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 224, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
FailedChallenges: Failed authorization procedure. portal.dhc.nz (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 644cb13e85ef1e8dcb39da7d5d10c56f.fb7adb7031e504260558e572f8035a54.acme.invalid from 103.68.58.20:443. Received 3 certificate(s), first certificate had names "project.dhc.org.nz"

2018-04-19 00:18:33,128:ERROR:certbot.renewal:All renewal attempts failed. The following certs could not be renewed:
2018-04-19 00:18:33,128:ERROR:certbot.renewal: /etc/letsencrypt/live/portal.dhc.nz/fullchain.pem (failure)
2018-04-19 00:18:33,130:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 11, in
    sys.exit(main())
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 1266, in main
    return config.func(config, plugins)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 1179, in renew
    renewal.handle_renewal_request(config)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/renewal.py", line 443, in handle_renewal_request
    len(renew_failures), len(parse_failures)))
Error: 1 renew failure(s), 0 parse failure(s)


#5

Did the renewal again and:
root@westfield-nas:/letsencrypt# ./letsencrypt-auto renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/portal.dhc.nz.conf

Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for portal.dhc.nz
Cleaning up challenges
Attempting to renew cert (portal.dhc.nz) from /etc/letsencrypt/renewal/portal.dhc.nz.conf produced an unexpected error: Problem binding to port 443: Could not bind to IPv4 or IPv6… Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/portal.dhc.nz/fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/portal.dhc.nz/fullchain.pem (failure)

1 renew failure(s), 0 parse failure(s)


#6

Apologies, noob in the house, but if I install certbot and renew the certificate, will that help?


#7

LetsEncrypt is Certbot (maybe an older version).
Show:
letsencrypt --version

Means it tried to run as standalone and could not start a web service, as one is already running.
So find and show:
cli.ini <or> letsencrypt.ini
all files in /etc/letsencrypt/renewal/


#8

letsencrypt 0.4.1

This is the only file I see at this path: /etc/letsencrypt/renewal# ls
portal.dhc.nz.conf


#9

Did you originally get your certificate with --standalone and then configure your web server to speak HTTPS on port 443?


#10

Show the contents of the file:

Did you find any “cli.ini” file?
try:
find / -name cli.ini

Did you find any “letsencrypt.ini” file?
try:
find / -name letsencrypt.ini

If you do find any, please show their name, location, and content.


#11

Hello schoen, I've just taken over from the previous IT support working on this certificate. No info was handed over about the certificate. It just so happened that it expired a week ago; now I'm trying to make the certificate valid again.

Any info you need, I will reply at my best capacity.


#12

The answer to what @schoen asked is in one of the files I’ve requested…

–Just say NO to HTTP–


#13

This is what I found:

root@westfield-nas:/home/letsencrypt/examples# more dev-cli.ini
# Always use the staging/testing server - avoids rate limiting
server = https://acme-staging-v02.api.letsencrypt.org/directory

# This is an example configuration file for developers
config-dir = /tmp/le/conf
work-dir = /tmp/le/conf
logs-dir = /tmp/le/logs

# make sure to use a valid email and domains!
email = foo@example.com
domains = example.com

text = True
agree-tos = True
debug = True

# Unfortunately, it's not possible to specify "verbose" multiple times
# (correspondingly to -vvvvvv)
verbose = True

authenticator = standalone


#14

/home/letsencrypt/examples/dev-cli.ini
should be unused.
Please show the contents of the file:
/etc/letsencrypt/renewal/portal.dhc.nz.conf


#15

root@westfield-nas:/etc/letsencrypt/renewal# less portal.dhc.nz.conf
csr = None
agree_dev_preview = None
redirect = None
verbose_count = -3
config_file = None
renew_by_default = False
hsts = False
authenticator = standalone
domains = portal.dhc.nz,
rsa_key_size = 2048
verb = certonly
checkpoints = 1
manual_test_mode = False
apache = False
cert_path = /root/cert.pem
webroot_path = ,
reinstall = False
expand = False
strict_permissions = False
account = 7f918b69102628ecaa2633f7821d1a2f
prepare = False
manual_public_ip_logging_ok = False
chain_path = /root/chain.pem
break_my_certs = False
standalone = False
manual = False
server = https://acme-v01.api.letsencrypt.org/directory
standalone_supported_challenges = "tls-sni-01,http-01"
webroot = False
os_packages_only = False
func = <function obtain_cert at 0x7f7118e51c80>
user_agent = None
debug = False
tls_sni_01_port = 443
logs_dir = /var/log/letsencrypt
configurator = None
[[webroot_map]]
(END)


#16

That answers @schoen's question.


#17

Try (whichever you use):
./letsencrypt-auto --apache renew
or
./letsencrypt-auto --nginx renew

If either works, then edit the config to:
authenticator = apache
or
authenticator = nginx

And while you’re in there, you can also update the v01 to v02:
server = https://acme-v02.api.letsencrypt.org/directory
(which has expanded support)


#18

I get this error:

./letsencrypt-auto --nginx renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/portal.dhc.nz.conf

Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator nginx, Installer nginx
Attempting to renew cert (portal.dhc.nz) from /etc/letsencrypt/renewal/portal.dhc.nz.conf produced an unexpected error: Account at /etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory/7f918b69102628ecaa2633f7821d1a2f does not exist. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/portal.dhc.nz/fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/portal.dhc.nz/fullchain.pem (failure)

1 renew failure(s), 0 parse failure(s)


#19

That sometimes happens when changing from v01 to v02.
v02 can't "renew" what it doesn't know about.
Just force the renewal, which v02 will then treat as new.
add:
--force-renewal

or go back to using v01 and just test the renewing first/separately.
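As an added example (not from this thread and not certbot's own code), a small Python script that parses a renewal config like the one in post #15, derives where certbot expects the account for the configured `server`, and flags the two failure modes seen above: standalone needing port 443 while nginx already holds it (post #5), and the v01 account missing once `server` points at v02 (post #18). The accounts tree and the port state are constructed so it runs offline.

```python
import os
import tempfile
from urllib.parse import urlparse

def parse_renewal_conf(text):
    """Parse the flat 'key = value' part of a certbot renewal config; lines below a [[section]] header are skipped."""
    opts, in_section = {}, False
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_section = True
            continue
        if not in_section and "=" in line:
            key, _, value = line.partition("=")
            opts[key.strip()] = value.strip().strip('"')
    return opts

def account_dir(accounts_root, server_url, account_id):
    """Certbot keys accounts by ACME server: accounts/<host>/<path>/<account id>."""
    u = urlparse(server_url)
    return os.path.join(accounts_root, u.netloc, u.path.strip("/"), account_id)

def check_renewal(opts, accounts_root, port_443_busy):
    """List the problems a 'renew' run would hit with these options."""
    problems = []
    if opts.get("authenticator") == "standalone" and port_443_busy:
        problems.append("standalone needs port 443, but a web server holds it")
    if not os.path.isdir(account_dir(accounts_root, opts["server"], opts["account"])):
        problems.append("no registered account for " + opts["server"])
    return problems

# Constructed sample: the thread's options, with an account registered only for v01.
SAMPLE_CONF = """authenticator = standalone
domains = portal.dhc.nz,
account = 7f918b69102628ecaa2633f7821d1a2f
server = https://acme-v01.api.letsencrypt.org/directory
[[webroot_map]]
"""
V02 = "https://acme-v02.api.letsencrypt.org/directory"

def demo():
    """Build a fake accounts tree (constructed) and run the checks before and after switching to v02."""
    opts = parse_renewal_conf(SAMPLE_CONF)
    root = tempfile.mkdtemp()
    os.makedirs(account_dir(root, opts["server"], opts["account"]))
    before = check_renewal(opts, root, port_443_busy=True)
    after = check_renewal(dict(opts, server=V02), root, port_443_busy=True)
    return before, after
```

Running `demo()` reports only the port-443 clash for the original config, and the additional missing-account problem once `server` is changed to v02, matching the two errors in the thread.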


#20

Sorry, but I'm still getting an error:

root@westfield-nas:/letsencrypt# ./letsencrypt-auto --nginx renew --force-renewal
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/portal.dhc.nz.conf

Plugins selected: Authenticator nginx, Installer nginx
Attempting to renew cert (portal.dhc.nz) from /etc/letsencrypt/renewal/portal.dhc.nz.conf produced an unexpected error: Account at /etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory/7f918b69102628ecaa2633f7821d1a2f does not exist. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/portal.dhc.nz/fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/portal.dhc.nz/fullchain.pem (failure)

1 renew failure(s), 0 parse failure(s)