- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/wolke.sout.de.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for wolke.sout.de
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (wolke.sout.de) from /etc/letsencrypt/renewal/wolke.sout.de.conf produced an unexpected error: Failed authorization procedure. wolke.sout.de (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://wolke.sout.de/.well-known/acme-challenge/5wqshct85ZGYASEZlG2Wa7URLQW8JxIOMCuUxoX-BGk: Error getting validation data. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/wolke.sout.de/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/wolke.sout.de/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: wolke.sout.de
Type: connection
Detail: Fetching
http://wolke.sout.de/.well-known/acme-challenge/5wqshct85ZGYASEZlG2Wa7URLQW8JxIOMCuUxoX-BGk:
Error getting validation data
My web server is (include version):
nginx-light 1.10.3-1+deb9u2
The operating system my web server runs on is (include version):
Debian 9.8 (Stretch)
I can login to a root shell on my machine (yes or no, or I donât know):
yes
Iâm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if youâre using Certbot):
certbot 0.28.0
The domain wolke.sout.de is a KVM virtual machine. It has only a public IPv6 address, no IPv4 address. It is running seafile behind an nginx webserver. It is used for no other purposes that providing seafile. Therefore HTTP is not used.
HTTP is required for (the simplest) authentication.
You have already obtained a cert (presumably by TLS-SNI-01 [HTTPS] authentication).
If you need to continue that method, the easiest workaround is to have an HTTP listener that redirects all HTTP to HTTPS.
Provided that your ISP allows port 80.
Then LE can follow that redirection and renew as you had in the past.
I do the same on other virtual hosts running apache and upgrading the LetsEncrypt certificates works there. So I assume the same is possible with nginx. And as you write
the easiest workaround is to have an HTTP listener that redirects all HTTP to HTTPS.
this seems to be the case.
Still, I have a problem upgrading the certificate...
I have played around with the config and stopped and restarted seafile and nginx.
curl still produces the above mentioned error, but this seems to be a problem with curl, since wget downloads a correct html file and accessing it via browser works, too.
A bold claim ... it's by far the most popular HTTP client in the world. If it doesn't work, it's no surprise that other headless clients (like Let's Encrypt) don't.
h2c is HTTP/2 cleartext. Browsers only support HTTP/2 over TLS.
A reasonable person might expect nginx to downgrade its response to HTTP/1.1 only upgrade its responses to HTTP/2 when the client supports h2c, but thatâs an open bug: https://trac.nginx.org/nginx/ticket/816