How do I debug a certbot problem?

Howdy! I’m having a bunch of trouble renewing a certificate with certbot. The certificate was issued just fine, but I can’t get renewal to work. Operating system is Debian 10.0 “Buster”. Typical error in my logs is as follows:

Aug 25 01:21:17 green certbot[20840]: Attempting to renew cert (www.metzdowd.com) from /etc/letsencrypt/renewal/www.metzdowd.com.conf produced an unexpected error: Failed authorization procedure. www.metzdowd.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching https://www.metzdowd.com/.well-known/acme-challenge/EtFGGDI2ekXbUjTM2oO-4wkMcghNPrCHz4sMjk7kUHY: Connection refused. Skipping.
Aug 25 01:21:17 green certbot[20840]: All renewal attempts failed. The following certs could not be renewed:
Aug 25 01:21:17 green certbot[20840]:   /etc/letsencrypt/live/www.metzdowd.com/fullchain.pem (failure)
Aug 25 01:21:17 green certbot[20840]: 1 renew failure(s), 0 parse failure(s)
Aug 25 01:21:17 green systemd[1]: certbot.service: Main process exited, code=exited, status=1/FAILURE
Aug 25 01:21:17 green systemd[1]: certbot.service: Failed with result 'exit-code'.
Aug 25 01:21:17 green systemd[1]: Failed to start Certbot.
Aug 25 01:40:58 green sshd[20874]: Disconnected from user root 166.84.161.166 port 54370

My domain is: www.metzdowd.com

I ran this command: nightly automated job, plus tried certbot -v renew and can’t figure out what the output means.

It produced this output:
I can cut and paste portions of the output of certbot -v renew if someone wants them. I’m not sure how to interpret them; some parts make sense, some don’t.

My web server is (include version): lighttpd 1.4.53

The operating system my web server runs on is (include version): see above, Debian 10.0 “Buster”

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0

1 Like

Hi @pmetzger

you have ipv4- and ipv6-addresses and a redirect http -> https. But your ipv6 + https doesn’t work ( https://check-your-website.server-daten.de/?q=metzdowd.com ):

Domainname Http-Status redirect Sec. G
http://www.metzdowd.com/
166.84.7.15 301 https://www.metzdowd.com/ 0.203 A
http://www.metzdowd.com/
2001:470:30:84:e276:63ff:fe62:3500 301 https://www.metzdowd.com/ 0.210 A
https://www.metzdowd.com/
166.84.7.15 200 2.807 B
https://www.metzdowd.com/
2001:470:30:84:e276:63ff:fe62:3500 -2 1.313 V
ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it [2001:470:30:84:e276:63ff:fe62:3500]:443
http://www.metzdowd.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
166.84.7.15 301 https://www.metzdowd.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 0.203 A
Visible Content:
http://www.metzdowd.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
2001:470:30:84:e276:63ff:fe62:3500 301 https://www.metzdowd.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 0.206 A
Visible Content:
https://www.metzdowd.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 404 6.157 A
Not Found
Visible Content: 404 Not Found

Ipv6 + http works, ipv6 + https not. And you have a redirect http -> https, so Letsencrypt checks /.well-known/acme-challenge/validation-file via ipv6 + https.

Your error message:

Fetching https://www.metzdowd.com/.well-known/acme-challenge/EtFGGDI2ekXbUjTM2oO-4wkMcghNPrCHz4sMjk7kUHY: Connection refused.

Fix your ipv6 + https or (not so good) remove the ipv6 address in your DNS.

3 Likes

Excellent! This is something I can debug, then!

2 Likes

That was the problem! Easily fixed, and now everything seems to have worked with the renewal! Thank you so much, @JuergenAuer!

2 Likes

Happy to read that it had worked.

There

Issuer not before not after Domain names LE-Duplicate next LE
Let’s Encrypt Authority X3 2019-08-25 2019-11-23 www.metzdowd.com - 1 entries duplicate nr. 1

is your new certificate.

But:

Checked your domain, first with my browser, then online, you don’t use the new certificate:

CN=www.metzdowd.com
	06.06.2019
	04.09.2019
expires in 9 days	www.metzdowd.com - 1 entry

The old certificate is used. Installed? Restartet your server?

That’s peculiar. I’ve restarted the server now; I’m not really sure what was going wrong before, though, because I’m pretty sure I restarted the server earlier. Can you verify that it is now working from your point of view?

1 Like

Use the online tool to check your domain. Then you see if the new certificate is online.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.