Failed some CERT renew

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: drive.mbreich.de

I ran this command: /usr/syno/sbin/syno-letsencrypt renew-all -v

It produced this output: {"error":110,"file":"client_v2-base.cpp","msg":"91.45.153.165: Invalid response from https://drive.mbreich.de/.well-known/acme-challenge/dKoXO3kwEmKPQDyuJIH0nGDnagzmHPGwAgrxTC3QMwY: 404"}

My web server is (include version): Apache Server 2.4

The operating system my web server runs on is (include version): Synology NAS DSM 7.2.1

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):-

Three of my certificates were renewed, the others were not. When checking the domains with letsdebug, everything looks fine. It has always worked for the last 3 years and no changes have been made. What could help here?

@bereich , welcome to the community!

The IP address of drive.mbreich.de is changed to 91.45.154.141 on the meantime. May be transient problem while DNS data is changing? Is it still failing to renew the certificate?

EDIT: Let'sdebug is failing: Let's Debug
Is the inbound HTTP access blocked by chance?

6 Likes

Hi @bereich,

All of the common ports are CLOSED, including Port 80 (HTTP) & 443 (HTTPS)

Since you are using the HTTP-01 challenge, it states "The HTTP-01 challenge can only be done on port 80." and "It only accepts redirects to “http:” or “https:”, and only to ports 80 or 443." as well as "Our implementation of the HTTP-01 challenge follows redirects, up to 10 redirects deep."

Thus since there is the redirect to HTTPS both Ports 80 & 443 must be accessible.

Best Practice - Keep Port 80 Open

Edit

And from around the world:

Please see about GEO Blocking with Multi-Perspective Validation Improves Domain Validation Security - Let's Encrypt

And from Oregon, USA this is what I see

$ curl -Ii http://drive.mbreich.de/.well-known/acme-challenge/sometestfile
curl: (28) Failed to connect to drive.mbreich.de port 80 after 133583 ms: Connection timed out
$ nmap -Pn -p80,443 drive.mbreich.de
Starting Nmap 7.80 ( https://nmap.org ) at 2024-09-29 20:08 UTC
Nmap scan report for drive.mbreich.de (91.45.154.141)
Host is up.
rDNS record for 91.45.154.141: p5b2d9a8d.dip0.t-ipconnect.de

PORT    STATE    SERVICE
80/tcp  filtered http
443/tcp filtered https

Nmap done: 1 IP address (1 host up) scanned in 3.98 seconds
4 Likes

Hey Bruce5051,

thanks for the quick answer.
Port 80 is always opened beforehand via script, but is now permanently open. Geoblocking was activated for https on the FW, I have also removed it.
The script is currently running daily in the hope of finally receiving new certificates. Unfortunately, since yesterday I get the message: {"error":104, "file": "client_v2-base.cpp", "msg": "too many failed authorizations (5) for "mbreich.de" in the last 1h0m0s, retry after 2024-09-29 22:20:00 UTC: see Failed Validation Limit - Let's Encrypt"}
I always adapt the script so that it only runs again after the specified time. But the error comes back even then. What can I do?

2 Likes

Check is there any different scheduler that may run the script that you are not aware of? Is there another system you upgraded from and still on?

3 Likes

No, there are no other tasks.

Someone else is having simmilar issue, unexpectidly:
too many failed authorizations (5) for "..." in the last 1h0m0s, retry after ...

Here it is:

@lestaff ,there may be an incident going on.

4 Likes

In case you haven't seen yet there was a bug in a recent update that has been resolved (rolled back).

5 Likes

Today I received this error message:
DEBUG: start to renew [/usr/syno/etc/certificate/_archive/71FOGa].
DEBUG: setup acme url https://acme-v02.api.letsencrypt.org/directory
DEBUG: GET Request: https://acme-v02.api.letsencrypt.org/directory
DEBUG: GET Request: https://acme-v02.api.letsencrypt.org/acme/new-nonce
DEBUG: Post JWS Request: https://acme-v02.api.letsencrypt.org/acme/new-order
DEBUG: Post Request: https://acme-v02.api.letsencrypt.org/acme/new-order
DEBUG: Post JWS Request: https://acme-v02.api.letsencrypt.org/acme/authz-v3/410665085717
DEBUG: Post Request: https://acme-v02.api.letsencrypt.org/acme/authz-v3/410665085717
DEBUG: dns-01 is not support for drive.mbreich.de
DEBUG: Setup challenge for drive.mbreich.de with type http-01
DEBUG: Failed to port map router detect. [1]
DEBUG: Post JWS Request: https://acme-v02.api.letsencrypt.org/acme/chall-v3/410665085717/rhRr8Q
DEBUG: Post Request: https://acme-v02.api.letsencrypt.org/acme/chall-v3/410665085717/rhRr8Q
DEBUG: Post JWS Request: https://acme-v02.api.letsencrypt.org/acme/authz-v3/410665085717
DEBUG: Post Request: https://acme-v02.api.letsencrypt.org/acme/authz-v3/410665085717
DEBUG: Post JWS Request: https://acme-v02.api.letsencrypt.org/acme/authz-v3/410665085717
DEBUG: Post Request: https://acme-v02.api.letsencrypt.org/acme/authz-v3/410665085717
DEBUG: Failed to do challenge for drive.mbreich.de with type http-01.
DEBUG: close port 80.
{"error":110,"file":"client_v2-base.cpp","msg":"91.45.154.141: Invalid response from https://drive.mbreich.de/.well-known/acme-challenge/rwX9Nj-rexDiWX_PY1GKT0TXW4EQLOBCYztfj7f96Ac: 404"}

You have a redirect from HTTP to HTTPS. Is the challenge established by the ACME client accessible via HTTPS too?
That may not be the root cause of you problem, but it might be worth to check.

4 Likes

Yes, you're right.
Now that the rate limit had finally expired, I followed the certificate renewal individually and live in the logs.Now that the rate limit had finally expired, I tracked the certificate renewal individually and live in the logs. I noticed that the http requests were being redirected to the https pages. To work around this, I created a reverse proxy entry for each subdomain that redirects port 80 to localhost:80.

Thanks for your help.

2 Likes

From my perspective on the central Oregon Coast, I am timing out on access and according to my lightweight scans the system seems to be down.
Go Figure.

2 Likes