Failed to renew cert for mail.solnikgarden.com

Hi!

Prior to the renew problem I moved my mail server to a new server and moved the certificates from the old one to the new one. I guess I managed to run on the new server as long as the certificate was valid on the old one. Yesterday was the last date of validity. I then tried to renew but got this error.

I’m running web server (solnikgarden.com) on a different server on the same public ip.

I managed to install both web and mail server with minor knowledge. Will appreciate help.

My domain is: mail.solnikgarden.com

I ran this command: sudo certbot renew

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/mail.solnikgarden.com.conf


Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for mail.solnikgarden.com
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (mail.solnikgarden.com) from /etc/letsencrypt/renewal/mail.solnikgarden.com.conf produced an unexpected error: Failed authorization procedure. mail.solnikgarden.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://mail.solnikgarden.com/.well-known/acme-challenge/VJXSEyoHjGUslZ_kzRbqIfBOzuCeYPBndEOSiOevN-Y [51.175.238.26]: "\r\n<html lang=\"nb-NO\">\r\n\r\n<meta charset=\"UTF-8\">\r\n<meta name=\"viewport\" content=\"width=device-width, initial". Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/mail.solnikgarden.com/fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/mail.solnikgarden.com/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

My web server is (include version):
Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-76-generic x86_64)
The operating system my web server runs on is (include version):
Linux 4.15.0-76-generic x86_64
My hosting provider, if applicable, is:
Running on own server : IP- 51.175.238.26
I can login to a root shell on my machine (yes or no, or I don’t know):
Yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0

Hi,

What do you mean by ‘running different server from same IP’?

How’s your setup?
Did you use a port forward in your router that forwards the mail ports to one server and all http/https to the other server?

Thank you

Hi and thanks for answering. And sorry for bad explanation.
I have two internal servers (mail and web) with two different internal IPs, but on the same public IP. I port forward the typical mail ports to the mail server and http/s to the web server. I use a specific port to reach the web client on the mail server, so all this is working fine. Also, the certificates on both servers worked fine until yesterday. I was aware that this would become a problem, since my attempts to renew the cert on the mail server did not work prior to the cert end.
I have tried to search forum but I get confused with all information and terms.
I can set up remote ssh if this will help, or try to send more information if needed.
Thanks

regards
Roar

It may be difficult to do this in exactly the way you want, since the validation method you’re using typically requires an inbound connection from the Internet on port 80 to reach the machine running the Let’s Encrypt client.

There are a lot of options to make this work, depending on what kind of relationship you want to set up between the two machines. One example is the “remote webroot” concept if you can place files from the mail server onto the web server. Another idea is to make the webserver itself get the certificate for the mailserver (which it will be able to do because it’s receiving the incoming connections), and then use a script to copy the resulting certificate and key over onto the mailserver.
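The two ideas above can both be driven from certbot's hook scripts. The following is an added example written for this thread, not code from the original post, from certbot, or from Let's Encrypt. It runs on the mail server as a `--manual-auth-hook` / `--manual-cleanup-hook` (the "remote webroot" idea: the key authorization is pushed over SSH into the web server's document root, which is where port 80 actually lands) and as a `--deploy-hook` (the second idea: a renewed certificate and key are copied to whichever host needs them). The SSH targets `acme@web.internal` and `root@mail.internal`, the document root `/var/www/html` and the destination directory `/etc/ssl/mail` are assumptions; the environment variables `CERTBOT_DOMAIN`, `CERTBOT_TOKEN`, `CERTBOT_VALIDATION` and `RENEWED_LINEAGE` are the ones certbot documents for these hooks. Setting `LOCAL_TEST=1` makes the script act on local directories instead of over SSH, which is how it can be dry-run without touching the web server.

```shell
#!/bin/sh
# Added example (not from the thread, certbot, or Let's Encrypt): certbot
# hook script for a split web/mail setup behind one public IP.
#   auth    - write the http-01 key authorization into the web server's
#             document root over SSH (remote webroot)
#   cleanup - remove it again
#   deploy  - copy a renewed fullchain.pem/privkey.pem to another host
# Hostnames and paths below are hypothetical; override via environment.
# LOCAL_TEST=1 operates on local directories instead of using SSH.

WEB_HOST="${WEB_HOST:-acme@web.internal}"        # assumed SSH target
WEB_ROOT="${WEB_ROOT:-/var/www/html}"            # assumed document root
MAIL_HOST="${MAIL_HOST:-root@mail.internal}"     # assumed SSH target
MAIL_CERT_DIR="${MAIL_CERT_DIR:-/etc/ssl/mail}"  # assumed destination

# Run a shell command on a remote host, or locally under LOCAL_TEST.
# stdin is passed through in both cases so file contents can be piped in.
remote() {
    host="$1"; shift
    if [ -n "$LOCAL_TEST" ]; then sh -c "$*"; else ssh "$host" "$*"; fi
}

# ACME tokens are base64url. Refuse anything else so a hostile or buggy
# value can never turn into a path such as ../../etc/passwd.
valid_token() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Path the CA will request: <webroot>/.well-known/acme-challenge/<token>
challenge_path() {
    printf '%s/.well-known/acme-challenge/%s' "$1" "$2"
}

# auth hook: $1 = token, $2 = key authorization, $3 = webroot.
# The file must contain exactly the validation string, no trailing newline.
put_challenge() {
    valid_token "$1" || { echo "refusing bad token: $1" >&2; return 1; }
    path=$(challenge_path "$3" "$1")
    printf '%s' "$2" | remote "$WEB_HOST" \
        "mkdir -p '$(dirname "$path")' && cat > '$path' && chmod 0644 '$path'"
}

# cleanup hook: $1 = token, $2 = webroot.
remove_challenge() {
    valid_token "$1" || return 1
    remote "$MAIL_HOST" true >/dev/null 2>&1 || :   # keep ssh agent warm (optional)
    remote "$WEB_HOST" "rm -f '$(challenge_path "$2" "$1")'"
}

# deploy hook: $1 = RENEWED_LINEAGE dir, $2 = destination dir on MAIL_HOST.
# The private key file is created with mode 0600 before any key bytes land.
deploy_cert() {
    [ -r "$1/fullchain.pem" ] && [ -r "$1/privkey.pem" ] || return 1
    remote "$MAIL_HOST" "mkdir -p '$2'"
    remote "$MAIL_HOST" "cat > '$2/fullchain.pem'" < "$1/fullchain.pem"
    remote "$MAIL_HOST" "umask 077 && touch '$2/privkey.pem'"
    remote "$MAIL_HOST" "cat > '$2/privkey.pem'" < "$1/privkey.pem"
    # Reload the services that use the key here, e.g.
    # remote "$MAIL_HOST" "systemctl reload postfix dovecot"
}

case "${1:-}" in
    auth)    put_challenge "$CERTBOT_TOKEN" "$CERTBOT_VALIDATION" "$WEB_ROOT" ;;
    cleanup) remove_challenge "$CERTBOT_TOKEN" "$WEB_ROOT" ;;
    deploy)  deploy_cert "$RENEWED_LINEAGE" "$MAIL_CERT_DIR" ;;
    *)       ;;   # no mode given: only define the functions
esac
```

Installed as, say, `/usr/local/sbin/acme-hooks.sh` on the mail server, the first issuance would be `certbot certonly --manual --preferred-challenges http --manual-auth-hook '/usr/local/sbin/acme-hooks.sh auth' --manual-cleanup-hook '/usr/local/sbin/acme-hooks.sh cleanup' -d mail.solnikgarden.com` (certbot releases of the 0.x era also wanted `--manual-public-ip-logging-ok` for a non-interactive run). Certbot records the hooks in the renewal configuration, so a plain `certbot renew` keeps working afterwards without anyone touching the router. The token check matters because the hook runs as root and builds a filesystem path from a value it did not generate.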

Ok, that’s the problem.
Is it possible to forward http/s (on my router/firewall) temporarily to the mail server, then update the cert and, after the update, put the firewall setting back again? If so, will auto renew be working normally, or is this also depending on port 80? Hope you understand, and sorry for stupid questions:-)

It’s possible to do this, but it’s not very compatible with automated renewal, because both automated and manual renewals will require the use of port 80. So if the automated renewal is happening without human intervention, the port forwarding won’t be updated properly unless it’s also done by the automated renewal software.

Thanks for the help. I just changed NAT for port 80 to the mail server and updated the cert successfully. I will do the same every time of renewal. I have struggled with squid proxy on pfsense for a while to be able to route port 80 to both servers, but this has not been successful so far.

Can I ask a last question? When struggling with this problem I created the .well-known folder like this: /var/www/html/.well-known/acme-challenge.
Are these folders necessary, or can I remove them? (except "/var/www/html" of course)

Let’s Encrypt client software generally creates .well-known/acme-challenge for you automatically if it doesn’t exist at the time of a Let’s Encrypt validation. It doesn’t specifically need to exist at other times.

Thanks, then I'm back online again. I hope it will be possible some time in the future to renew certs using other ports than port 80, especially in my case, splitting web and mail servers, and the big drawback of routers not dealing with DNS layers.

Anyway, thanks a lot:-)

As another option, if you forward port 80 to your web server, you can configure the web server to reverse proxy requests for the mail server’s hostname to the mail server itself.

The mail server would be able to automatically renew its certificates. It would require that the web server be running but you wouldn’t have to continually change its configuration.
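As an added illustration of the reverse-proxy option (example configuration written for this thread, not from the original post or from any project): on the web server, which is where the router sends port 80, only the ACME challenge path for the mail hostname is proxied to the mail server, and everything else for that hostname is refused. The mail server's LAN address 192.168.1.20 is an assumption, as is the use of nginx; the mail server must itself answer on its internal port 80 with the same webroot certbot is configured for (or certbot can be switched to `--standalone` there).

```nginx
# Added example (hypothetical addresses): web server, port 80.
# Proxy only /.well-known/acme-challenge/ for mail.solnikgarden.com to the
# mail server so that "certbot renew" on the mail server keeps working.
server {
    listen 80;
    server_name mail.solnikgarden.com;

    location /.well-known/acme-challenge/ {
        proxy_pass http://192.168.1.20:80;   # assumed LAN address of the mail server
        proxy_set_header Host $host;         # certbot's webroot/standalone check the Host
    }

    # Nothing else for the mail hostname should be served from the web server.
    location / {
        return 404;
    }
}
```

Because `server_name` is matched before `location`, this block must be the one nginx selects for `mail.solnikgarden.com`; if the existing site is the default server, requests for the mail hostname would otherwise land there and return the site's HTML, which is exactly the "Invalid response ... <html lang=" error shown at the top of the thread. After the change, `curl -H 'Host: mail.solnikgarden.com' http://51.175.238.26/.well-known/acme-challenge/test` from outside should reach the mail server (a 404 from it is fine; HTML from the web site is not).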

For security reasons, CAs are unlikely to ever support validating with completely arbitrary ports. :slightly_frowning_face:

It would be lovely if it were possible, but there are too many networks that are poorly configured and/or have mutually untrusted services running on the same IP.

Say you have, I don’t know, an IoT refrigerator with a built-in camera, and you forward port 8080 to it. If Let’s Encrypt could validate using port 8080, then your fridge could get a certificate for mail.solnikgarden.com because it would effectively control http://mail.solnikgarden.com:8080/.

Or if your network has UPnP enabled, your printer could forward port 54321 to itself, and then get a certificate because it would control http://mail.solnikgarden.com:54321/.

(Those examples are a little ridiculous, but it’s more of an issue on corporate or university networks with NAT, and shared web hosting is another kettle of fish.)

The inconvenience you’re dealing with assures that the network administrator (you) and the web administrator (also you) approve of what the mail administrator (you again) is doing. You wouldn’t want to get into an inter-departmental fight and have to fire yourself.


Thanks for this explanation,
I was not thinking of arbitrary ports, but ports like 993 or 587 that are used for mail servers. Anyway, I fully understand the challenge and problem of this the way you explain it. I really appreciate you taking time to explain in practical terms the complexity and problem of this. :slight_smile:
Do you know where I can find good information about how to use the web server as reverse proxy for mail server?
