How do I renew my certificate?


#26

Renewal fails because letsencrypt times out trying to reach my pi. It gets
as far as my ISP router. I’ve called them to come and give me access
because the user and pass written on their modem are incorrect so I can’t
get to its configuration panel. Once I get through that I’ll post back.


#27

Ok, I’ve got access to my ISP router. Here is the deal.

I’ve forwarded my ISP router’s port 443 to my Linksys 443
My public IP according to Google.com = 65.182.7.170
My ISP router’s WAN IP = 172.30.141.272

But I don’t know how to finish this because I don’t understand why my router’s assigned IP is 172… but my public IP address according to Google is 65… So what IP do I route my www.domain.com to in my DNS file?


#28

172.30 is a private subnet, so that’s most likely the WAN IP on the ISP’s network, not the actual public internet. I’d enter the public IP according to Google, but bear in mind that depending on your ISP, this can change frequently unless you specifically request (and usually pay for) a static IP address.

Also, depending on authorization method, you may need to forward 80 to your Pi as well.


#29

Ok, I tried using the public one I get from Google.com and it doesn’t work either, I get this:

Requesting root privileges to run certbot…
/home/pi/.local/share/letsencrypt/bin/letsencrypt renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/butler.santiapps.com.conf

Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Attempting to renew cert from /etc/letsencrypt/renewal/butler.santiapps.com.conf produced an unexpected error: urn:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new authz :: Too many invalid authorizations recently… Skipping.

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/butler.santiapps.com/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)


#30

You’re hitting Let’s Encrypt rate limits. You can only fail so many authorizations before it starts refusing attempts. This limit is 5 per account and hostname per hour. https://letsencrypt.org/docs/rate-limits/

Try again in a while. I believe you can run certbot with the --dry-run flag to avoid this until you get successful responses, but I’m not positive about that not counting towards the failed auth rate limit.

Cyclic quotation from @mnordhoff (Thanks for the confirmation!)


#32

--dry-run uses staging, which has separate – and higher – rate limits from production. Go wild.


#34

Ok, now I get the Timeout error I was getting before. Here is my setup. The Hitron router is from my ISP and the Linksys router is downstream.


#35

Depending on where the web server is located…
You may need to forward port 443 from the first router directly to the web server or to the second router and then from the second router to the server. (For the dual router method to continue to work, both routers external IPs can not change).


#37

Yes the first router has its 443 routed to 192.168.0.11 port 443. 192.168.0.11 is the ip assigned to the Linksys router by the Hitron router.

Then the Linksys router has its 443 routed to the pi which is 192.168.1.53


#38

Testing I would do:
All must pass, so all failures must be corrected before continuing

Test1 from an IP on 192.168.1.x connect to 192.168.1.53:443 (pass? / fail?)
If Test1 passes then:
Test2 from an IP on 192.168.0.x connect to 192.168.0.11:443 (pass? / fail?)
If Test2 passes then:
Test3 from an IP on Internet connect to 65.182.7.170:443 (pass? / fail?)
When Test3 passes then you should be ready.


#40

Ok, I’m ready to test. When you say connect, how should I make those tests? Because for example:

  1. A 192.168.1.x would be my MacBook Air. So do you mean open a browser window or ping?
  2. A 192.168.0.x I guess I would have to connect my MacBook Air to the other router directly.
  3. What about from an internet IP to 65.182…? I guess I could use my mobile on my cellular network instead of wifi. But again, what do you mean “connect” to those?

So for example:

I’m on my MacBook Air on wifi connected to my Linksys router which is 192.168.1.1.
My MacBook Air’s IP is 192.168.1.52 and from it I can ping 192.168.0.1 which should be the Hitron router.

I’m SSH’d into my pi from my MacBook Air and the pi is hard-wired to the Linksys router and its IP is 192.168.1.52 and from it I can ping my MacBook Air and the Hitron router.


#41

A1. From a browser window - https://192.168.1.53/
A2. From a browser window - https://192.168.0.11/
A3. From a browser window - https://65.182.7.170/
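One way to run the three tests above from a terminal instead of a browser, as an added example (Python standard library, not code from the thread): it separates a TCP timeout (no path through the port forward) from a served-but-mismatched certificate, which the thread treats as a pass when connecting by IP. It assumes the addresses and the certificate name posted in this thread, and that each hop is probed from a machine on that hop's network.

```python
import socket
import ssl

# Added example, not from the thread. The three hops and the certificate name
# are the values posted above; EXPECTED_NAME comes from the renewal config path.
EXPECTED_NAME = "butler.santiapps.com"
HOPS = [
    ("Test1 (run from the Linksys LAN)", "192.168.1.53"),
    ("Test2 (run from the Hitron LAN)", "192.168.0.11"),
    ("Test3 (run from the Internet)", "65.182.7.190"),
]

def probe_https(host, port=443, timeout=5.0):  # stages: TCP, any TLS, verified TLS
    res = {"tcp": None, "tls": None, "name_ok": None}
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:  # timeout: nothing answered; refused: host up, port closed
        res["tcp"] = "timeout" if isinstance(exc, socket.timeout) else "refused"
        return res
    res["tcp"] = "ok"
    lax = ssl.create_default_context()     # stage 2: accept any certificate at all
    lax.check_hostname = False
    lax.verify_mode = ssl.CERT_NONE
    try:                                   # SNI carries the real name so nginx picks the vhost
        with lax.wrap_socket(sock, server_hostname=EXPECTED_NAME):
            res["tls"] = "ok"
    except OSError:                        # ssl.SSLError is an OSError subclass
        res["tls"] = "failed"
        return res
    strict = ssl.create_default_context()  # stage 3: validate chain and name (new connection)
    try:
        with socket.create_connection((host, port), timeout=timeout) as s2, \
                strict.wrap_socket(s2, server_hostname=EXPECTED_NAME):
            res["name_ok"] = True
    except OSError:
        res["name_ok"] = False
    return res

def verdict(res):  # translate a probe result into the PASS/FAIL wording of the test plan
    if res["tcp"] != "ok":
        return f"FAIL: tcp {res['tcp']}, check the port forward on this hop"
    if res["tls"] != "ok":
        return "FAIL: port open but no TLS handshake, is nginx serving 443 here?"
    if not res["name_ok"]:
        return "PASS: a cert is served (name mismatch is expected when using an IP)"
    return "PASS: cert served and valid for " + EXPECTED_NAME

if __name__ == "__main__":
    for label, host in HOPS:
        print(label, host, "->", verdict(probe_https(host)))
```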


#43

A1 From
192.168.1.52 to 192.168.1.53 = nginx 502 bad gateway
192.168.1.52 to 192.168.1.53:443 = your connection is not private (NET::ERR_CERT_COMMON_NAME_INVALID) but that makes sense…so
PASS

A2 From
192.168.0.22 to 192.168.0.12 = no ping (this is the Linksys router)
192.168.0.22 to 192.168.0.1 = ping ok
192.168.0.22 to 192.168.1.1 = ping ok
192.168.0.22 to 192.168.1.53:443 = window won’t load… ERR_CONNECTION_TIMED_OUT
FAIL

Wait I just tried
192.168.0.22 to 192.168.0.12:443 = NET::ERR_CERT_COMMON_NAME_INVALID and it displays my invalid certificate as in A1, so it IS reading through…
PASS

A3…This still fails…ERR_CONNECTION_TIMED_OUT


#44

There seems to be a TYPO for the 443 access:
first line has 192.168.0.11
second line has 192.168.0.12

OR that may explain why you can’t reach it from the Internet.
As I stated in an earlier post: "For the dual router method to continue to work, both routers external IPs can not change."
DO not use DHCP for the external IP on the second router as that may change over time and break the port forwarding.


#46

The 192.168.0.12 or .11 is assigned to the Linksys router by the Hitron router. When I first posted it had .11 assigned but after some fiddling it now has .12. I know, I need to reserve that IP for the Mac. I’ll look into how to do that later.

So right now the issue seems to be the access from the Hitron to the Linksys.


#47

If this is still the case, then the port forwarding will no longer reach your web server.

Please confirm all current forwarding is correct.


#48

No, when I saw the Linksys had a new IP (.12), I modified the Hitron to route to .12 as well.


#49

Well, this link (https://65.182.7.170/) is still unreachable.
You may need to go through the router logs to determine where the failure is.


#51

Oh well I didn’t know you were gonna try it. :grin: I fibbed a bit for security’s sake…It’s actually

https://65.182.7.190


#52

That one (https://65.182.7.190/) also fails to connect.