Having trouble renewing

Hello All,

My cert is expired. I had thought I set it up to auto renew but I must have messed it up somehow. I am a middling novice at best with Linux.

I tried to renew today and ran into the error listed below.

Thanks in advance for any replies.

My domain is: stinkinhippie.com

I ran this command: sudo certbot renew

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/stinkinhippie.com.conf

Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for stinkinhippie.com
tls-sni-01 challenge for www.stinkinhippie.com
Cleaning up challenges
Attempting to renew cert (stinkinhippie.com) from /etc/letsencrypt/renewal/stinkinhippie.com.conf produced an unexpected error: Problem binding to port 443: Could not bind to IPv4 or IPv6… Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/stinkinhippie.com/fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/stinkinhippie.com/fullchain.pem (failure)

1 renew failure(s), 0 parse failure(s)

My web server is (include version): nginx 1.10.3-0ubuntu0.16.04.2

The operating system my web server runs on is (include version): Ubuntu 16.04.4 LTS (GNU/Linux 4.4.0-116-generic x86_64)

My hosting provider, if applicable, is: Self Hosted

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

First, it appears that you issued this certificate using the “standalone” plugin. This attempts to start a temporary webserver to respond to the challenges. However, since then, it appears you have started running your own webserver on this system. That’s normal, but it means that Certbot can’t start its own anymore as the port is already in use.

A second issue is that your configuration still appears to be using the tls-sni-01 challenge type, which has been deprecated. It will still work for most renewals, but since you’re already needing to fix something, I think now would probably be a good time to go ahead and freshen up this configuration.

I think the best/easiest thing would be to upgrade your Certbot version, and start again so that the renewal config file is set up properly for future renewals. It’s possible to edit it yourself now, but might as well get things started how they’ll be running “in production”.

Thanks for the quick response, jared.m.

First off sorry for the noob question but :smile: what do you mean by “start again”? I assume you mean obtaining a new cert, not renewing the current expired one, and if so, is there anything I need to do with the old to prepare for the new?

I just ran an update after your response so I should be running the latest certbot now.

No problem! I mean instead of running certbot renew, start off with a new issuance command as though you hadn’t issued a certificate before. Something like certbot --nginx, but possibly with more command-line options if needed. Note, this may take a bit of tweaking if you have a non-standard Nginx config or some other things going on, but we want to iron that out before you have to renew manually every couple months for forever. Done correctly, you shouldn’t have to tweak this again. =]

Understood (I think…haha) and setting it up correctly so I do not have to keep doing this would be great!

Not sure if my setup is standard or considered non-standard. I am hosting just this domain on this box, using a ddns service to point to it and have set up reverse proxy for the web apps I am running.

Does any of that affect the command-line options I need to utilize?

Would this be where to start:

sudo certbot --nginx -d stinkinhippie.com -d www.stinkinhippie.com

Well I tried that and got the following in return:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for stinkinhippie.com
tls-sni-01 challenge for www.stinkinhippie.com
Cleaning up challenges
Could not automatically find a matching server block. Set the server_name directive to use the Nginx installer.

It looks like Ubuntu hasn’t updated their package to the latest Certbot yet. Try sudo certbot -i nginx -a webroot -w /path/to/your/web/root -d stinkinhippie.com -d www.stinkinhippie.com (replacing that path with wherever your website files live).

The Certbot PPA currently has the latest version, though.

https://certbot.eff.org/lets-encrypt/ubuntuxenial-nginx

Hm, strange. I’m not sure why the nginx plugin is using tls-sni-01 then. @Pooka, could you post the output of certbot --version ?

certbot --version returned: certbot 0.22.2

I tried:

sudo certbot -i nginx -a webroot -w /var/www/html -d stinkinhippie.com -d www.stinkinhippie.com

It returned:

sudo certbot -i nginx -a webroot -w /var/www/html -d stinkinhippie.com -d www.stinkinhippie.com
[sudo] password for pirate:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer nginx
Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for stinkinhippie.com
http-01 challenge for www.stinkinhippie.com
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. www.stinkinhippie.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://www.stinkinhippie.com/.well-known/acme-challenge/[A LONG STRING OF ALPHANUMERIC CHARACTERES]: Timeout, stinkinhippie.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://stinkinhippie.com/.well-known/acme-challenge/[A LONG STRING OF ALPHANUMERIC CHARACTERES]: Timeout

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: www.stinkinhippie.com
    Type: connection
    Detail: Fetching
    http://www.stinkinhippie.com/.well-known/acme-challenge/[A LONG STRING OF ALPHANUMERIC CHARACTERES]:
    Timeout

    Domain: stinkinhippie.com
    Type: connection
    Detail: Fetching
    http://stinkinhippie.com/.well-known/acme-challenge/[A LONG STRING OF ALPHANUMERIC CHARACTERES]:
    Timeout

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

Your website doesn’t seem to be accessible from the outside internet. That is required in order to perform validation to issue your certificate.

Do you have a web server running on 73.223.172.135 ?

Yes, I have nginx running and configured for reverse proxy on 73.223.172.135.

It is my home media box; it is running plex, sonarr, radarr, transmission, nzbget, headphones, ombi, nzb hydra.

Prior to my cert expiring, the services were all available from outside my network, such as stinkinhippie.com/sonarr.

Currently the connection just times out for me (which is a totally unrelated issue to certificates), tested from multiple networks, so you’d need to sort that out first.

Most often it is because of a firewall issue or your ISP blocking port 80.

Okay, thanks… I was assuming the expired cert was what was blocking the connection.

Forgive the formatting issues; I do not know how to post the terminal text without the forum taking it as formatting…

Okay, so I have a router issue to solve. If I put the box in the DMZ I solve my connectivity issues. When I run:

sudo certbot -i nginx -a webroot -w /var/www/html -d stinkinhippie.com -d www.stinkinhippie.com

I get the following returned:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer nginx
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for stinkinhippie.com

http-01 challenge for www.stinkinhippie.com
Using the webroot path /var/www for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. www.stinkinhippie.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.stinkinhippie.com/.well-known/acme-challenge/{long string of alpanumeric charicters}: "

401 Authorization Required

401 Authorization Required</", stinkinhippie.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://stinkinhippie.com/.well-known/acme-challenge/{long string of alpanumeric charicters}: " 401 Authorization Required

401 Authorization Required</"

IMPORTANT NOTES:

Starting to think I would be better off completely tossing the old certs and starting over. Is there a guide for that?

You have basic authentication set up in nginx.

You need to exclude /.well-known/acme-challenge/ from it.

@_az, thanks for the quick reply. Any chance you could point me to a resource that could teach me how to exclude /.well-known/acme-challenge/ ?

That depends on how you set up the Basic Authentication to begin with; I don’t have a generalized answer for you.

You could try something like this to make

location /.well-known/acme-challenge {
    # must match the directory passed to certbot with -w
    root /var/www/html;
    # serve the challenge files without asking for credentials
    auth_basic off;
}

but it’s just a guess.
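As an added illustration (not part of the thread, and not _az’s configuration), here is how that exemption usually fits into a full nginx server block. Only the ACME challenge path is exempted from Basic Authentication, so the reverse-proxied applications stay protected while `certbot -a webroot -w /var/www/html` can still be validated. The htpasswd path, the backend address, and the listen directives are assumptions; the `root` must be the same directory you pass to certbot with `-w`.

```nginx
# Added example: keep Basic Authentication on the site but leave the
# http-01 challenge path open. Paths and the backend are assumptions.
server {
    listen 80;
    listen [::]:80;
    server_name stinkinhippie.com www.stinkinhippie.com;

    # ^~ makes this prefix match final, so a later regex location
    # cannot capture the challenge URL and re-apply authentication.
    location ^~ /.well-known/acme-challenge/ {
        # Same directory given to certbot with -w; certbot writes the
        # token files under <root>/.well-known/acme-challenge/
        root /var/www/html;
        default_type "text/plain";
        auth_basic off;
        allow all;
        try_files $uri =404;
    }

    # Everything else stays behind Basic Authentication.
    location / {
        auth_basic "Restricted";
        auth_basic_user_file /etc/nginx/.htpasswd;   # assumed path
        proxy_pass http://127.0.0.1:8080;             # assumed backend
    }
}
```

After editing, run `sudo nginx -t && sudo systemctl reload nginx`, then check the exemption before involving Let’s Encrypt: create a throwaway file with `echo ok | sudo tee /var/www/html/.well-known/acme-challenge/test` and request `http://stinkinhippie.com/.well-known/acme-challenge/test` with `curl -i` from outside your network. A 200 with body `ok` means the path is reachable without credentials; a 401 means another location block or a server-level `auth_basic` is still winning, and a timeout means the port-forwarding or firewall problem from earlier in the thread is back.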

I simply turned off auth_basic, restarted nginx, ran the certbot renew prompt and my certs renewed.

I’ll look into how to turn it off for just the authorization challenge so that my renewals can happen automatically with a cron job.

Thanks again for your replies and if anyone else has some advice please reply…

Cheers.