Help, please! I cannot get a certificate for Zimbra


#1

Hello, I am trying to renew the certificate for my Zimbra (version 7) mail server (mail.benta.spb.ru), but letsencrypt-auto says there is a problem with authorization. I tried several times and now it says too many failed authorizations, and I cannot renew my certificate! Oh! All mail in our company has stopped… =( Where can I get the block removed?

Three months ago I renewed my certificate normally, but now there is an error with authorization. Where can I fix it?

I want to ask:

  1. How long am I blocked?
  2. What is the problem with authorization?
    I have this message from the letsencrypt log:

[root@mail letsencrypt]# ./letsencrypt-auto renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/mail.benta.spb.ru.conf


Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for mail.benta.spb.ru
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (mail.benta.spb.ru) from /etc/letsencrypt/renewal/mail.benta.spb.ru.conf produced an unexpected error: Failed authorization procedure. mail.benta.spb.ru (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://mail.benta.spb.ru/.well-known/acme-challenge/9-sLvAJ3qR-Qg0XWzDdWylqGvdLv1BiBogge8J9ci7s: Timeout during connect (likely firewall problem). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/mail.benta.spb.ru/fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/mail.benta.spb.ru/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: mail.benta.spb.ru
    Type: connection
    Detail: Fetching
    http://mail.benta.spb.ru/.well-known/acme-challenge/9-sLvAJ3qR-Qg0XWzDdWylqGvdLv1BiBogge8J9ci7s:
    Timeout during connect (likely firewall problem)

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.


What can I do so that authorization will pass?

With best regards, Raulina.


#2

Hello @Raulinka,

There is a Failed Validation limit of 5 failures per account, per hostname, per hour, so 1 hour.

Let’s Encrypt can’t reach your site to validate the challenge… neither can I.

$ curl -v4IkL -m 10 http://mail.benta.spb.ru/.well-known/acme-challenge/9-sLvAJ3qR-Qg0XWzDdWylqGvdLv1BiBogge8J9ci7s
*   Trying 195.182.147.38...
* TCP_NODELAY set
* Connection timed out after 10000 milliseconds
* Curl_http_done: called premature == 1
* stopped the pause stream!
* Closing connection 0
curl: (28) Connection timed out after 10000 milliseconds

You should double-check that there are no firewall rules blocking the connection and that your web server is up and running…

Cheers,
sahsanu


#3

Hi @Raulinka

checking your connections:

http://mail.benta.spb.ru/ -14 10.030 T
Timeout - The operation has timed out
http://www.mail.benta.spb.ru/ -1 0.043 U
NameResolutionFailure - The remote name could not be resolved: ‘www.mail.benta.spb.ru
https://mail.benta.spb.ru/ -2 1.117 V
ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it 195.182.147.38:443
http://mail.benta.spb.ru/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de -14 10.026 T
Timeout - The operation has timed out

The timeout is normal because you use the standalone option: Certbot creates a new web server, starts it and stops it. So we can’t check your permanently running web server.

But: Your port 443 is blocked.

So it looks like your colleagues added a firewall or something else in the last three months.

PS: Your certificate expires on Sunday:

https://transparencyreport.google.com/https/certificates?cert_search_auth=&cert_search_cert=&cert_search=include_expired:false;include_subdomains:false;domain:mail.benta.spb.ru&lu=cert_search

So you want to renew it today. Do you have access to your DNS entries? If yes, you can use

sudo certbot certonly --manual --preferred-challenges dns -d mail.benta.spb.ru

and create a DNS TXT entry

_acme-challenge.mail.benta.spb.ru

with the value certbot creates.
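The value certbot asks you to publish in that TXT record is derived deterministically from the challenge token and your ACME account key, so it is worth seeing where it comes from before pasting it into the zone. The following is an added example and not certbot’s code or anything posted in this thread: it computes the key authorization and the dns-01 TXT value as specified in RFC 8555 (sections 8.1 and 8.4) using the RFC 7638 JWK thumbprint. The token is the one from the http-01 log above; the account key is a constructed placeholder, not a real key, and the function names are my own.

```python
import base64
import hashlib
import json

# Token taken from the http-01 log above; the account key below is a constructed
# placeholder (not a real key, not the poster's key), used only to show the arithmetic.
EXAMPLE_TOKEN = "9-sLvAJ3qR-Qg0XWzDdWylqGvdLv1BiBogge8J9ci7s"
EXAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
    "kid": "https://example.invalid/acme/acct/1",  # extra member: ignored by the thumbprint
}


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over only the required public members, keys sorted
    lexicographically, serialised as JSON with no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    if jwk.get("kty") not in required:
        raise ValueError("unsupported key type: %r" % jwk.get("kty"))
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return b64url(hashlib.sha256(canonical).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: token '.' thumbprint. For http-01 this exact string is the
    body certbot serves at /.well-known/acme-challenge/<token>."""
    return token + "." + jwk_thumbprint(jwk)


def dns01_txt_value(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.4: the TXT record holds base64url(SHA-256(key authorization)),
    so the public record never reveals the key authorization itself."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return b64url(digest)


def dns01_record_name(domain: str) -> str:
    """The owner name certbot tells you to create for the dns-01 challenge."""
    return "_acme-challenge." + domain


if __name__ == "__main__":
    name = dns01_record_name("mail.benta.spb.ru")
    print(name, "TXT", dns01_txt_value(EXAMPLE_TOKEN, EXAMPLE_JWK))
```

With a real account key (certbot keeps it under /etc/letsencrypt/accounts/) the value printed here is the one certbot’s `--manual` prompt shows. After publishing it, confirm from outside your network that the record is visible, for example with `dig TXT _acme-challenge.mail.benta.spb.ru`, before pressing Enter, because a failed dns-01 attempt counts against the same failed-validation limit as the http-01 attempts above.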


#4

Dear JuergenAuer! Thank you for your answer.

Can you check my server again? I had stopped Apache; maybe the server wasn’t working because of that? Now I have restarted everything and ask you, please try to check the connection again.

I want to renew the certificate today, but my sudo writes: “sudo: certbot: command not found”. I don’t have certbot or anything yet?

With best regards, Raulina


#5

@Raulinka,

All the connections time out; I tried port 80, port 443, port 25… Are you sure there isn’t a firewall blocking the connections or a misconfigured router?

As @JuergenAuer said, you are using the standalone method to validate the Let’s Encrypt challenge. That means that your client (letsencrypt-auto) will start a simple web server on port 80 to serve the challenge and validate that you control your domain. If there is another web server listening on port 80, the letsencrypt-auto client can’t bind to port 80, but you would receive a different error.

You should not use certbot; you should use letsencrypt-auto, which is the name of your client (at least that is what you said in your first post).

As I said previously, you should double-check that you can access your server from the internet.

Cheers,
sahsanu
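The two failure modes discussed in #2 and #5 (the CA cannot reach port 80 at all, versus certbot’s standalone server being unable to take port 80 because something else already listens there) look different on the wire, and with a limit of 5 failed validations per hour it pays to tell them apart before running the client again. The following is an added example, not certbot’s or Let’s Encrypt’s code: it reproduces the validator’s first steps (resolve the name, TCP connect to port 80 and 443, classified exactly as the messages in this thread classify them) and certbot’s own first step (bind the port). The function names are my own and `mail.benta.spb.ru` is only the default target taken from the thread.

```python
import errno
import json
import socket
import sys


def resolve(host):
    """The CA's first step: every A/AAAA address behind the name (socket.gaierror if none)."""
    infos = socket.getaddrinfo(host, None, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def tcp_probe(host, port, timeout=10.0):
    """Classify a TCP connect with the distinctions the error messages in this thread make:
    'timeout'     -> packets silently dropped: "Timeout during connect (likely firewall problem)"
    'refused'     -> host reachable but nothing listening: "actively refused"
    'unresolved'  -> no A/AAAA record for the name
    'open'        -> something accepted the connection
    'unreachable' -> no route or another socket error
    """
    try:
        addrs = resolve(host)
    except socket.gaierror:
        return "unresolved"
    verdict = "unreachable"
    for addr in addrs:
        try:
            with socket.create_connection((addr, port), timeout=timeout):
                return "open"
        except socket.timeout:
            verdict = "timeout"
        except ConnectionRefusedError:
            verdict = "refused"
        except OSError:
            verdict = "unreachable"
    return verdict


def bind_status(port, host="0.0.0.0"):
    """What certbot --standalone does before serving anything: take the port itself.
    'free'       -> standalone can serve on it
    'in_use'     -> another web server already listens there; certbot then fails with a
                    bind error, which is a different failure from the timeout above
    'permission' -> ports below 1024 need root
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.bind((host, port))
        return "free"
    except PermissionError:
        return "permission"
    except OSError as exc:
        return "in_use" if exc.errno == errno.EADDRINUSE else "error:" + str(exc.strerror)
    finally:
        sock.close()


def preflight(host):
    """Run the checks the CA and certbot would run, without spending a validation attempt."""
    try:
        addrs = resolve(host)
    except socket.gaierror:
        addrs = []
    return {
        "addresses": addrs,
        "port80": tcp_probe(host, 80),
        "port443": tcp_probe(host, 443),
        "bind80": bind_status(80),
    }


def demo():
    """Offline self-check on loopback: deliberately produce 'open', 'in_use' and 'refused'."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # ephemeral port standing in for a running Apache
    listener.listen(1)
    port = listener.getsockname()[1]
    try:
        results = {
            "open": tcp_probe("127.0.0.1", port, timeout=2),
            "in_use": bind_status(port, "127.0.0.1"),
        }
    finally:
        listener.close()
    results["refused"] = tcp_probe("127.0.0.1", port, timeout=2)  # listener is gone now
    return results


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.benta.spb.ru"
    print(json.dumps(preflight(target), indent=2))
```

Run `preflight` from a host outside your own network, not from the mail server itself: a NAT rule, split-horizon DNS or a resolver entry that only applies inside the LAN (the kind of change that turned out to be the cause later in this thread) makes the name look fine from inside while the CA still times out. The `bind80` result is only meaningful when run as root on the server, since an unprivileged user gets `permission` regardless.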


#6

Certbot = certbot-auto = letsencrypt-auto.

The program is the same, the output is the same. So if I write certbot, use your ./letsencrypt-auto.

http://mail.benta.spb.ru/ -14 10.034 T
Timeout - The operation has timed out
http://www.mail.benta.spb.ru/ -1 0.046 U
NameResolutionFailure - The remote name could not be resolved: ‘www.mail.benta.spb.ru
https://mail.benta.spb.ru/ 200 5.934 N
Certificate error: RemoteCertificateChainErrors
http://mail.benta.spb.ru/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de -14 10.027 T
Timeout - The operation has timed out

Now it’s better: your https is working. But your http has a timeout again. Can you create / start an http web server?


#7

Please have a look at: https://wiki.zimbra.com/wiki/Installing_a_LetsEncrypt_SSL_Certificate


#9

Hello, dear @JuergenAuer and @sahsanu!
Thank you very much for helping me!
I disabled suricata and added a new NAT rule on the firewall to pass port 80 and the http protocol, but there was no change in the answer from the script.

Then I remembered that we had added a new sftp server to the DNS resolver. This is the one rule that was added in the last 3 months. I removed this rule and my letsencrypt-auto worked!
I am happy!!! =) Thank you, dear friends!!! I love you!