How can I renew my issued certificate?


#1

I received a certificate using the following method.

I do not know what to do to renew that certificate.

./certbot-auto renew
./letsencrypt-auto renew

The renew failed.

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/www.xxxxxxxxxx.net.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for www.xxxxxxxxxx.net
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (www.xxxxxxxxxx.net) from /etc/letsencrypt/renewal/www.xxxxxxxxxx.net.conf produced an unexpected error: Failed authorization procedure. www.xxxxxxxxxx.net (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 33b0c7a80b2a1910f2656077ea70fdf9.5bb55265ba73ec2d9402b03aff58282f.acme.invalid from yyy.yyy.yyy.yyy:443. Received 2 certificate(s), first certificate had names "www.xxxxxxxxxx.net". Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/www.xxxxxxxxxx.net/fullchain.pem (failure)

-------------------------------------------------------------------------------

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/www.xxxxxxxxxx.net/fullchain.pem (failure)
-------------------------------------------------------------------------------
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: www.xxxxxxxxxx.net
   Type:   unauthorized
   Detail: Incorrect validation certificate for tls-sni-01 challenge.
   Requested
   33b0c7a80b2a1910f2656077ea70fdf9.5bb55265ba73ec2d9402b03aff58282f.acme.invalid
   from yyy.yyy.yyy.yyy:443. Received 2 certificate(s), first
   certificate had names "www.xxxxxxxxxx.net"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

The settings of the server are as follows.

Only ports 80 and 443 are open.
If you connect to port 80, you will be connected to port 443.

What should I do to renew my certificate?


#2

Hi @asdf,

The standalone authenticator (with --standalone) is meant for use on a machine that is not running a web server. Perhaps you were not yet running a web server when you first obtained the certificate, or perhaps you stopped the server temporarily? Right now, your web server is probably conflicting with the standalone plugin, which is trying unsuccessfully to create its own temporary web server to satisfy the certificate authority’s challenges.

You can stop the web server temporarily when renewing (which can be automated with --pre-hook and --post-hook options), or switch to use a different authenticator plugin instead of the standalone plugin.

Edit: Apparently I gave you almost the same advice about this issue in the previous thread. Did you follow that advice in this case?
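
The conflict described in reply #2 can be checked before renewing. The script below is an added example, not part of the original posts and not certbot's own code: it reads the `authenticator` and `pre_hook` entries from a renewal config's `[renewalparams]` section and compares them with `ss -ltnH` listener output. The function names and the sample config and listener lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-flight check before `certbot renew` with the standalone
# authenticator. Sample data below is constructed, not taken from a real host.

# Print the value of KEY from the [renewalparams] section of a renewal config.
conf_value() {  # usage: conf_value KEY FILE
  awk -v key="$1" '
    /^\[/ { in_params = ($0 == "[renewalparams]"); next }
    in_params && index($0, key " = ") == 1 {
      print substr($0, length(key) + 4); exit
    }' "$2"
}

# Succeed if `ss -ltnH` output on stdin shows a listener on PORT.
port_is_bound() {  # usage: ss -ltnH | port_is_bound PORT
  awk -v port="$1" '
    { n = split($4, a, ":"); if (a[n] == port) found = 1 }
    END { exit !found }'
}

# Return 1 when standalone renewal would collide with a running server.
preflight() {  # usage: ss -ltnH | preflight RENEWAL_CONF
  listing=$(cat)
  if [ "$(conf_value authenticator "$1")" != "standalone" ]; then
    echo "ok: authenticator is not standalone"; return 0
  fi
  if [ -n "$(conf_value pre_hook "$1")" ]; then
    echo "ok: pre_hook is set and should stop the server first"; return 0
  fi
  for port in 80 443; do
    if printf '%s\n' "$listing" | port_is_bound "$port"; then
      echo "conflict: port $port is already bound, standalone cannot listen"
      return 1
    fi
  done
  echo "ok: ports 80 and 443 are free"
}

# Constructed sample: a renewal config using standalone with no hooks, and
# listener output from a host whose web server holds ports 80 and 443.
SAMPLE_CONF='[renewalparams]
authenticator = standalone
installer = None'
SAMPLE_SS='LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 [::]:443 [::]:*'
```

On a real host, source the script and run `ss -ltnH | preflight` with the path of the renewal config named in the failing `Processing ...` line.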


#3

Only port 80 is open; port 443 is closed.
And after I shut down the web server, I ran “./letsencrypt-auto renew”.
However, the following error occurs.

IMPORTANT NOTES:
 - The following errors were reported by the server:
   Domain: www.xxxxxxx.net
   Type:   connection
   Detail: Timeout
   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

#4

Unless you reveal the affected domain name, helping you will be hard. Please show the domain name.

