Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for stinkinhippie.com
tls-sni-01 challenge for www.stinkinhippie.com
Cleaning up challenges
Attempting to renew cert (stinkinhippie.com) from /etc/letsencrypt/renewal/stinkinhippie.com.conf produced an unexpected error: Problem binding to port 443: Could not bind to IPv4 or IPv6… Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/stinkinhippie.com/fullchain.pem (failure)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/stinkinhippie.com/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)
My web server is (include version): nginx 1.10.3-0ubuntu0.16.04.2
The operating system my web server runs on is (include version): Ubuntu 16.04.4 LTS (GNU/Linux 4.4.0-116-generic x86_64)
My hosting provider, if applicable, is: Self Hosted
I can login to a root shell on my machine (yes or no, or I don’t know): yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no
First, it appears that you first issued this certificate using the “standalone” plugin. This attempts to start a temporary webserver to respond to the challenges. However, since then, it appears you have started running your own webserver on this system. That’s normal, but it means that Certbot can’t start its own anymore as the port is already in use.
A second issue is that your configuration still appears to be using the tls-sni-01 challenge type, which has been deprecated. It will still work for most renewals, but since you’re already needing to fix something, I think now would probably be a good time to go ahead and freshen up this configuration.
I think the best/easiest thing would be to upgrade your Certbot version, and start again so that the renewal config file is set up properly for future renewals. It’s possible to edit it yourself now, but might as well get things started how they’ll be running “in production”.
First off sorry for the noob question but what do you mean by “start again”? I assume you mean obtaining a new cert, not renewing the current expired one, and if so, is there anything I need to do with the old to prepare for the new?
I just ran an update after your response so I should be running the latest certbot now.
No problem! I mean instead of running certbot renew, start off with a new issuance command as though you hadn’t issued a certificate before. Something like certbot --nginx, but possibly with more command-line options if needed. Note, this may take a bit of tweaking if you have a non-standard Nginx config or some other things going on, but we want to iron that out before you have to renew manually every couple months for forever. Done correctly, you shouldn’t have to tweak this again. =]
Understood (I think…haha) and setting it up correctly so I do not have to keep doing this would be great!
Not sure if my setup is standard or considered non-standard. I am hosting just this domain on this box, using a ddns service to point to it and have set up reverse proxy for the web apps I am running.
Does any of that affect the command-line options I need to utilize?
Well I tried that and got the following in return:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for stinkinhippie.com
tls-sni-01 challenge for www.stinkinhippie.com
Cleaning up challenges
Could not automatically find a matching server block. Set the server_name directive to use the Nginx installer.
It looks like Ubuntu hasn’t updated their package to the latest Certbot yet. Try sudo certbot -i nginx -a webroot -w /path/to/your/web/root -d stinkinhippie.com -d www.stinkinhippie.com (replacing that path with wherever your website files live).
sudo certbot -i nginx -a webroot -w /var/www/html -d stinkinhippie.com -d www.stinkinhippie.com
[sudo] password for pirate:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer nginx
Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for stinkinhippie.com
http-01 challenge for www.stinkinhippie.com
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. www.stinkinhippie.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://www.stinkinhippie.com/.well-known/acme-challenge/[A LONG STRING OF ALPHANUMERIC CHARACTERS]: Timeout, stinkinhippie.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://stinkinhippie.com/.well-known/acme-challenge/[A LONG STRING OF ALPHANUMERIC CHARACTERS]: Timeout
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you’re using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
Currently the connection just times out for me (which is a totally unrelated issue to certificates), tested from multiple networks, so you’d need to sort that out first.
Most often it is because of a firewall issue or your ISP blocking port 80.
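Before asking the CA again, it helps to run the same fetch the CA will run and classify the result (timeout versus 401 versus wrong webroot). The following is an added example, not code from the thread or from Certbot: it assumes a webroot directory and a base URL you supply, and the local `serve_dir` helper only stands in for the real web server so the check can be exercised offline.

```python
import functools
import http.server
import os
import secrets
import threading
import urllib.error
import urllib.request

CHALLENGE_DIR = ".well-known/acme-challenge"

def write_token(webroot):
    """Place a random token file exactly where certbot's webroot plugin would."""
    path = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(path, exist_ok=True)
    token = secrets.token_urlsafe(16)
    with open(os.path.join(path, token), "w") as fh:
        fh.write(token)
    return token

def preflight(webroot, base_url, timeout=5):
    """Fetch the token over plain HTTP the way the CA does; return (ok, reason)."""
    token = write_token(webroot)
    url = f"{base_url}/{CHALLENGE_DIR}/{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode(errors="replace").strip()
    except urllib.error.HTTPError as err:  # a server answered, but not with the file
        if err.code in (401, 403):
            # nginx's auth_basic page is titled "401 Authorization Required";
            # the challenge location needs to be exempted from that auth.
            return False, f"{err.code}: auth or ACL covers {CHALLENGE_DIR}; exempt that location"
        if err.code == 404:
            return False, "404: webroot path does not match the server block's root"
        return False, f"HTTP {err.code}"
    except (urllib.error.URLError, OSError) as err:  # timeout, refused, DNS failure
        return False, f"no connection ({err}): port 80 blocked or DNS/NAT points elsewhere"
    finally:
        os.remove(os.path.join(webroot, CHALLENGE_DIR, token))
    if body != token:
        return False, "served content differs: another host answers for this name"
    return True, "http-01 path is reachable and served from this webroot"

def serve_dir(directory, handler=None):
    """Local stand-in for the real web server (test aid; assumed, not part of the check)."""
    handler = handler or functools.partial(http.server.SimpleHTTPRequestHandler, directory=directory)
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"
```

Against a real host, call `preflight("/var/www/html", "http://stinkinhippie.com")` from a machine outside your network; a timeout there is the same condition the CA reported.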
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer nginx
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for stinkinhippie.com
http-01 challenge for www.stinkinhippie.com
Using the webroot path /var/www for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. www.stinkinhippie.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.stinkinhippie.com/.well-known/acme-challenge/{long string of alphanumeric characters}: "
401 Authorization Required
401 Authorization Required</", stinkinhippie.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://stinkinhippie.com/.well-known/acme-challenge/{long string of alphanumeric characters}: "
401 Authorization Required
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
Starting to think I would be better off completely tossing the old certs and starting over. Is there a guide for that?