Help with certificate renewal


#1

My domain is: malamut.es

I ran this command: ./certbot-auto renew

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/malamut.es.conf

Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Attempting to renew cert (malamut.es) from /etc/letsencrypt/renewal/malamut.es.conf produced an unexpected error: urn:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new authz :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/malamut.es/fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/malamut.es/fullchain.pem (failure)

1 renew failure(s), 0 parse failure(s)

My web server is (include version): Apache version 2.2.15

The operating system my web server runs on is (include version):
CentOS 6

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no


#2

This error just indicates that you’ve been experiencing a lot of errors recently.

Try

./certbot-auto renew --dry-run

to get a meaningful error, and then post back with that, along with the contents of /etc/letsencrypt/renewal/malamut.es.conf .


#3

After running --dry-run I got this:
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/malamut.es.conf

Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for malamut.es
Waiting for verification…
Cleaning up challenges


new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/malamut.es/fullchain.pem


** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/malamut.es/fullchain.pem (success)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)

the contents of /etc/letsencrypt/renewal/malamut.es.conf are:

# renew_before_expiry = 30 days
version = 0.22.2
cert = /etc/letsencrypt/live/malamut.es/cert.pem
privkey = /etc/letsencrypt/live/malamut.es/privkey.pem
chain = /etc/letsencrypt/live/malamut.es/chain.pem
fullchain = /etc/letsencrypt/live/malamut.es/fullchain.pem
archive_dir = /etc/letsencrypt/archive/malamut.es

# Options used in the renewal process

[renewalparams]
authenticator = apache
installer = apache
account = 96ea11448018ab34e15e22f81797da6d


#4

That’s strange. It should succeed.

Do you have any other domains on that server being managed by Certbot? If they were failing, they could have “eaten up” the failed authorization rate limit before malamut.es had a chance to run.

ls -l /etc/letsencrypt/renewal/

#5

thanks for the reply, there’s no other domain on the server, just malamut.es

total 4
-rw-r--r--. 1 elmaxx elmaxx 453 Mar 22 22:52 malamut.es.conf


#6

Wait out the rate limit window (60 minutes) and try again without --dry-run. If you still get an error (and it isn’t the rateLimited error), post back.

Alternatively if you can find the right log file in /var/log/letsencrypt/ before the rate limits occurred, that would also reveal the issue.

Do you have a cron job set up for certbot-auto? What does it look like?


#7

I don’t have a cron job (anymore), I do get an email reminder to renew, which I prefer to do manually

thanks, I’ll wait it out a bit before trying renew again, I’ll post the error along with the log file

thank you so much for taking the time to help me with this


#8

This is the error for renew

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/malamut.es.conf

Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for malamut.es
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (malamut.es) from /etc/letsencrypt/renewal/malamut.es.conf produced an unexpected error: Failed authorization procedure. malamut.es (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 1e0d08e268fdd842630c71397284485c.04c0ed968224109d7dd6f3131bcfbc7d.acme.invalid from 209.153.127.192:443. Received 2 certificate(s), first certificate had names “malamut.es”. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/malamut.es/fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/malamut.es/fullchain.pem (failure)

1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: malamut.es
    Type: unauthorized
    Detail: Incorrect validation certificate for tls-sni-01 challenge.
    Requested
    1e0d08e268fdd842630c71397284485c.04c0ed968224109d7dd6f3131bcfbc7d.acme.invalid
    from 209.153.127.192:443. Received 2 certificate(s), first
    certificate had names “malamut.es”

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

    This is the pastebin link for the log file : https://pastebin.com/PrufuPhW

Thanks so much for your time


#9

You are using sni-01-challenge.

Do you know this:

Isn’t it possible to switch to http-01 or dns-01 - challenge?


#10

Hi, thanks for your reply, the recommended step there is to use certbot-auto which I have.


#11

Hi @elmaxx,

Force renew to use http challenge:

./certbot-auto renew --preferred-challenges http

Cheers,
sahsanu


#12

you are a true gentleman and scholar

Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/malamut.es/fullchain.pem (success)

thanks a bunch!
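
The triage followed in this thread, as an added example that is not part of the original posts: it classifies certbot renew output into the cases seen above and maps each to the command the replies suggested, and it checks whether a renewal config pins a challenge type. The function names and sample lines are constructed for illustration; `pref_challs` is the key Certbot writes under `[renewalparams]` when `--preferred-challenges` is used.

```shell
# Constructed sample lines, modelled on the certbot output quoted in this thread.
SAMPLE_RATE='produced an unexpected error: urn:acme:error:rateLimited :: There were too many requests of a given type'
SAMPLE_SNI='Failed authorization procedure. example.org (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization'
SAMPLE_OK='Congratulations, all renewals succeeded.'

# classify_renew_output: read certbot output on stdin, print one verdict word.
classify_renew_output() {
    out=$(cat)
    case $out in
        *"urn:acme:error:rateLimited"*)                echo rate_limited ;;
        *"(tls-sni-01): urn:acme:error:unauthorized"*) echo tls_sni_failed ;;
        *"all renewals succeeded"*)                    echo ok ;;
        *)                                             echo unknown ;;
    esac
}

# next_step: map a verdict to the action taken in the thread.
next_step() {
    case $1 in
        rate_limited)   echo "./certbot-auto renew --dry-run" ;;
        tls_sni_failed) echo "./certbot-auto renew --preferred-challenges http" ;;
        ok)             echo "nothing to do" ;;
        *)              echo "read /var/log/letsencrypt/letsencrypt.log" ;;
    esac
}

# pinned_challenges: print the pref_challs value from a renewal config file,
# or "none" when no challenge type is pinned (as in the config posted in #3).
pinned_challenges() {
    val=$(sed -n 's/^[[:space:]]*pref_challs[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1)
    echo "${val:-none}"
}

# Demo on the constructed samples.
for s in "$SAMPLE_RATE" "$SAMPLE_SNI" "$SAMPLE_OK"; do
    verdict=$(printf '%s\n' "$s" | classify_renew_output)
    printf '%s -> %s\n' "$verdict" "$(next_step "$verdict")"
done
```

Running `pinned_challenges /etc/letsencrypt/renewal/<name>.conf` after a successful `--preferred-challenges http` renewal shows whether the choice was saved for later renewals.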

