How can I renew my cert? It throws an error; is it because I use a CDN?


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
ichimura.uk
www.ichimura.uk

I ran this command: sudo certbot certonly --force-renew -d ichimura.uk -d www.ichimura.uk
(also tried sudo ./certbot-auto certonly --force-renew -d ichimura.uk -d www.ichimura.uk)

It produced this output:

$ sudo certbot certonly --force-renew -d ichimura.uk -d www.ichimura.uk
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Nginx Web Server plugin - Alpha (nginx)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 1
Plugins selected: Authenticator nginx, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for ichimura.uk
tls-sni-01 challenge for www.ichimura.uk
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. www.ichimura.uk (tls-sni-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 62beb7b6df2dd90714393d7d43730e64.c6cde69247651550fec682ac07e2063d.acme.invalid from 151.101.70.217:443. Received 2 certificate(s), first certificate had names "e.sni.fastly.net", ichimura.uk (tls-sni-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested a5f8b06233c3aa8bf4760a05a20aee10.2aea1664f31dec266d3b50e5806ce677.acme.invalid from 151.101.194.217:443. Received 2 certificate(s), first certificate had names "e.sni.fastly.net"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: www.ichimura.uk
   Type:   unauthorized
   Detail: Incorrect validation certificate for tls-sni-01 challenge.
   Requested
   62beb7b6df2dd90714393d7d43730e64.c6cde69247651550fec682ac07e2063d.acme.invalid
   from 151.101.70.217:443. Received 2 certificate(s), first
   certificate had names "e.sni.fastly.net"

   Domain: ichimura.uk
   Type:   unauthorized
   Detail: Incorrect validation certificate for tls-sni-01 challenge.
   Requested
   a5f8b06233c3aa8bf4760a05a20aee10.2aea1664f31dec266d3b50e5806ce677.acme.invalid
   from 151.101.194.217:443. Received 2 certificate(s), first
   certificate had names "e.sni.fastly.net"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
$ sudo ./certbot-auto certonly --force-renew -d ichimura.uk -d www.ichimura.uk
Bootstrapping dependencies for Debian-based OSes... (you can skip this with --no-bootstrap)
Hit:1 http://security.ubuntu.com/ubuntu xenial-security InRelease
Hit:2 http://ppa.launchpad.net/certbot/certbot/ubuntu xenial InRelease
Hit:3 http://ppa.launchpad.net/ondrej/nginx-mainline/ubuntu xenial InRelease
Hit:4 http://eu-west-2.ec2.archive.ubuntu.com/ubuntu xenial InRelease
Hit:5 http://ppa.launchpad.net/ondrej/php/ubuntu xenial InRelease
Hit:6 http://eu-west-2.ec2.archive.ubuntu.com/ubuntu xenial-updates InRelease
Hit:7 http://eu-west-2.ec2.archive.ubuntu.com/ubuntu xenial-backports InRelease
Reading package lists... Done
Reading package lists... Done
Building dependency tree
Reading state information... Done
gcc is already the newest version (4:5.3.1-1ubuntu1).
libffi-dev is already the newest version (3.2.1-4).
augeas-lenses is already the newest version (1.4.0-0ubuntu1.1).
ca-certificates is already the newest version (20170717~16.04.1).
libaugeas0 is already the newest version (1.4.0-0ubuntu1.1).
python is already the newest version (2.7.12-1~16.04).
python-dev is already the newest version (2.7.12-1~16.04).
python-virtualenv is already the newest version (15.0.1+ds-3ubuntu1).
virtualenv is already the newest version (15.0.1+ds-3ubuntu1).
libssl-dev is already the newest version (1.1.0h-2.0+ubuntu16.04.1+deb.sury.org+1).
openssl is already the newest version (1.1.0h-2.0+ubuntu16.04.1+deb.sury.org+1).
The following packages were automatically installed and are no longer required:
  linux-aws-headers-4.4.0-1062 linux-aws-headers-4.4.0-1065 linux-aws-headers-4.4.0-1066
  linux-headers-4.4.0-1062-aws linux-headers-4.4.0-1065-aws linux-headers-4.4.0-1066-aws
  linux-image-4.4.0-1062-aws linux-image-4.4.0-1065-aws linux-image-4.4.0-1066-aws
Use 'sudo apt autoremove' to remove them.
0 upgraded, 0 newly installed, 0 to remove and 105 not upgraded.
Creating virtual environment...
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/virtualenv.py", line 2363, in <module>
    main()
  File "/usr/lib/python3/dist-packages/virtualenv.py", line 719, in main
    symlink=options.symlink)
  File "/usr/lib/python3/dist-packages/virtualenv.py", line 988, in create_environment
    download=download,
  File "/usr/lib/python3/dist-packages/virtualenv.py", line 918, in install_wheel
    call_subprocess(cmd, show_stdout=False, extra_env=env, stdin=SCRIPT)
  File "/usr/lib/python3/dist-packages/virtualenv.py", line 812, in call_subprocess
    % (cmd_desc, proc.returncode))
OSError: Command /opt/eff.org/certbot/venv/bin/python2.7 - setuptools pkg_resources pip wheel failed with error code 1

My web server is (include version):
nginx 1.15.0

The operating system my web server runs on is (include version):
Ubuntu 16.04.4

My hosting provider, if applicable, is:
GoDaddy

I can login to a root shell on my machine (yes or no, or I don’t know):
I don’t know - I don’t think so

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No


#2

Hi,

Yes. It’s because of the CDN (as well as a deprecated protocol in Let’s Encrypt).

Since you are using a TLS binding CDN as well as that protocol, the best way to change this is to add this flag after the command: (--preferred-challenges http). It would process the challenge over HTTP instead of TLS-SNI-01.

The command you run (at this time) should be:
sudo certbot certonly --force-renew -d ichimura.uk -d www.ichimura.uk --preferred-challenges http

For renewals after this time, run sudo certbot renew.

Thank you


#3

Thank you for your quick response.
It still returns

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

At the moment, the apex domain points at anycast IPs of the CDN, and www is CNAMEd to the map name of the CDN.
Do you have any other suggestions by any chance?

Full output is below.
Thank you in advance!

$ sudo certbot certonly --force-renew -d ichimura.uk -d www.ichimura.uk --preferred-challenges http
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Nginx Web Server plugin - Alpha (nginx)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 1
Plugins selected: Authenticator nginx, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for ichimura.uk
http-01 challenge for www.ichimura.uk
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. ichimura.uk (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://ichimura.uk/.well-known/acme-challenge/GSaXSnDv7u69tr7jUFdrpDnfqn75cMQ9Lz0EhjNsB2U: "<!DOCTYPE html>\n<html lang=\"en-GB\" class=\"no-js no-svg\">\n<head>\n<meta charset=\"UTF-8\">\n<meta name=\"viewport\" content=\"width=devi", www.ichimura.uk (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.ichimura.uk/.well-known/acme-challenge/o7jnTqb-dwBGTU5y4fZorsb9hi_3dxSTL_sVJxR4W5s: "<!DOCTYPE html>\n<html lang=\"en-GB\" class=\"no-js no-svg\">\n<head>\n<meta charset=\"UTF-8\">\n<meta name=\"viewport\" content=\"width=devi"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: ichimura.uk
   Type:   unauthorized
   Detail: Invalid response from
   http://ichimura.uk/.well-known/acme-challenge/GSaXSnDv7u69tr7jUFdrpDnfqn75cMQ9Lz0EhjNsB2U:
   "<!DOCTYPE html>\n<html lang=\"en-GB\" class=\"no-js
   no-svg\">\n<head>\n<meta charset=\"UTF-8\">\n<meta
   name=\"viewport\" content=\"width=devi"

   Domain: www.ichimura.uk
   Type:   unauthorized
   Detail: Invalid response from
   http://www.ichimura.uk/.well-known/acme-challenge/o7jnTqb-dwBGTU5y4fZorsb9hi_3dxSTL_sVJxR4W5s:
   "<!DOCTYPE html>\n<html lang=\"en-GB\" class=\"no-js
   no-svg\">\n<head>\n<meta charset=\"UTF-8\">\n<meta
   name=\"viewport\" content=\"width=devi"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

#4

Hi,

I’m sorry, but I have no experience with Fastly…

There might be a possible way to achieve validation by setting no-cache on the /.well-known/acme-challenge/ folder… But I’m not sure whether this will work or not…

Apologies…


#5

Neither the CDN nor the redirections should have any significant impact.
The content is new and must be retrieved from the original source, and LE should follow the redirections.

You need to ensure that things placed into the acme-challenge folder can be correctly reached from the Internet.
To that end, please place a test.txt file in the /.well-known/acme-challenge/ folder:
https://www.ichimura.uk/.well-known/acme-challenge/test.txt

Also…
Given:

You will only be securing the connection from the CDN to your server - which can probably be done in other ways (maybe even simpler).
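As an added example (not code from anyone in this thread), here is a small Python check that mirrors what the CA does for an http-01 challenge: it rebuilds the expected key authorization (token + "." + RFC 7638 thumbprint of the ACME account JWK) and classifies what a fetch of the challenge URL returned. Run against the test.txt or a real token path from post #5, it distinguishes the failure in post #3 (the CDN/origin answering with the site's HTML page) from a missing file or a stale token. The JWK values and the diagnose() inputs are constructed samples; the token is the one from the error in post #3.

```python
import base64
import hashlib
import json
import re

# Constructed sample: a minimal RSA account JWK (public members only, as RFC 7638 requires).
SAMPLE_JWK = {"kty": "RSA", "n": "sample-modulus-base64url", "e": "AQAB"}
# Token taken from the challenge URL quoted in post #3.
SAMPLE_TOKEN = "GSaXSnDv7u69tr7jUFdrpDnfqn75cMQ9Lz0EhjNsB2U"
# Constructed sample: the kind of body the CA reported in post #3 (site HTML, not the token).
HTML_BODY = ('<!DOCTYPE html>\n<html lang="en-GB" class="no-js no-svg">\n'
             '<head>\n<meta charset="UTF-8">\n')


def jwk_thumbprint(jwk):
    """RFC 7638: SHA-256 over the canonical JSON of the required public members only."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canon = json.dumps({k: jwk[k] for k in required}, sort_keys=True,
                       separators=(",", ":")).encode()
    digest = hashlib.sha256(canon).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def key_authorization(token, jwk):
    """What the challenge file must contain: <token>.<thumbprint> (RFC 8555 section 8.1)."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def diagnose(status, body, token, jwk):
    """Classify the response to GET /.well-known/acme-challenge/<token> the way the CA would."""
    if status != 200:
        return "http_error"              # 404/5xx: file not served from the origin at all
    if body.strip() == key_authorization(token, jwk):
        return "ok"                      # exactly what the CA expects
    if re.match(r"\s*<(!doctype|html)", body, re.IGNORECASE):
        return "html_page_served"        # CDN or origin answered with the website instead
    return "wrong_key_authorization"     # a file was served, but with stale/other content


if __name__ == "__main__":
    good = key_authorization(SAMPLE_TOKEN, SAMPLE_JWK) + "\n"
    for status, body in [(200, HTML_BODY), (200, good), (404, "")]:
        print(status, diagnose(status, body, SAMPLE_TOKEN, SAMPLE_JWK))
```

Fetch the URL over plain HTTP from outside the CDN's cache (for example with a fresh token path each time) and feed status and body to diagnose(); "html_page_served" is the signature of the thread's problem.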