I have been able to manually renew my Let’s Encrypt certificate with Certbot for the past month or so—a cron job runs every Sunday. Today the job failed even though I have not really changed anything about my server, NGINX, keys, DNS, etc. I am running FreeBSD 12.0-RELEASE-p8 on a DigitalOcean droplet with NGINX 1.16.1 compiled with OpenSSL 1.1.1c. My authoritative DNS servers and domain are through Cloudflare.
My domain is philomathiclife.com, and the weekly command I run is
/usr/local/bin/certbot-3.7 certonly -d philomathiclife.com -d www.philomathiclife.com --webroot -w /usr/local/www/philomathiclife.com/html/ -n --agree-tos --must-staple --redirect --hsts --uir --staple-ocsp --csr /usr/local/etc/letsencrypt/csr/csr.pem --disable-hook-validation --no-directory-hooks --disable-renew-updates --no-autorenew -m zacknewman22@gmail.com
Today the command produced the following output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Performing the following challenges:
http-01 challenge for philomathiclife.com
http-01 challenge for www.philomathiclife.com
Using the webroot path /usr/local/www/philomathiclife.com/html for all unmatched domains.
Waiting for verification...
Challenge failed for domain philomathiclife.com
Challenge failed for domain www.philomathiclife.com
http-01 challenge for philomathiclife.com
http-01 challenge for www.philomathiclife.com
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: philomathiclife.com
Type: tls
Detail: Fetching
https://philomathiclife.com/.well-known/acme-challenge/xyKKW7bZ66YIoXKvCZNiRBxqNeP9ED4Byhx_Yda4oPg:
remote error: tls: protocol version not supported
Domain: www.philomathiclife.com
Type: tls
Detail: Fetching
https://www.philomathiclife.com/.well-known/acme-challenge/lAjHNU0oNI76eNVignvAZzESFWwCIDzs3mimijpfzJE:
remote error: tls: protocol version not supported
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
you have an up-to-date TLS configuration that allows the server to
communicate with the Certbot client.
I know that DigitalOcean performed some maintenance on 8/22, but I am able to access my site through curl and normal web browsers just fine over IPv4 and IPv6.
This happened ≈ 1 month ago, and the “fix” was to temporarily enable TLS 1.2. Upon renewing my certificate, I disabled TLS 1.2, and the challenge has been able to work fine until today. My web server is configured to redirect all HTTP requests to HTTPS. In addition to my site’s being on HSTS Preload, the following is a snippet of my NGINX configuration:
user www;
.
.
.
http {
    root /usr/local/www/philomathiclife.com/html/;
    .
    .
    .
    # Only TLS 1.3 is offered; a client whose highest version is TLS 1.2 gets a protocol_version alert
    ssl_protocols TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ecdh_curve X25519;
    ssl_certificate /usr/local/etc/letsencrypt/live/philomathiclife.com/fullchain.pem;
    ssl_certificate_key /usr/local/etc/letsencrypt/live/philomathiclife.com/privkey.pem;
    ssl_trusted_certificate /usr/local/etc/letsencrypt/live/philomathiclife.com/chain.pem;
    ssl_early_data on;
    ssl_session_tickets on;
    ssl_session_cache shared:SSL:50m;
    ssl_session_timeout 1d;
    # OCSP stapling from a pre-fetched response on disk rather than live fetches
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_stapling_file /usr/local/www/philomathiclife.com/ocsp.der;
    add_header Expect-CT "enforce, max-age=31536000" always;
    add_header Expect-Staple "max-age=3153600; includeSubDomains; preload" always;
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
    add_header Public-Key-Pins 'pin-sha256="+hEWUMAjFcv3ugd61E4aC0D5Tnman/w4OJxAG1TiSU0="; pin-sha256="H4qzKcDCMla4HfrSDuKXGAaU049eMfdC76q0qT/1K90="; max-age=604800; includeSubDomains' always;
    .
    .
    .
}
I have not changed the above configuration at all, so I’m perplexed why the challenge is suddenly failing. When I look at the log from last week, I do see that the challenge was fetched over HTTP; but the log today appears to be over HTTPS. I’m not sure why that is though. I can post my logs or anything else that may be of help.
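The failure mode described in the post (an http-01 fetch that gets redirected to HTTPS and then dies with "remote error: tls: protocol version not supported") is what a TLS 1.3-only listener produces when the validating client's highest offered version is TLS 1.2: the "remote error" prefix means the alert came from the server, i.e. nginx rejected the client's ClientHello rather than the client rejecting nginx. The configuration below is an added example, not the poster's own config, showing one way to keep the site TLS 1.3-only for browsers while letting the challenge complete: the port-80 server answers /.well-known/acme-challenge/ directly from the --webroot path and redirects everything else, so the validator never has to negotiate TLS at all. The server-block layout, the IPv6 listeners and the http2 flag are assumptions; the hostnames, webroot and certificate paths are taken from the post.

```nginx
# Added example (not the poster's configuration). Assumes two server blocks
# per host, which the post's snippet elides; hostnames and paths are the
# poster's, listeners and http2 are assumed.

server {
    listen 80;
    listen [::]:80;
    server_name philomathiclife.com www.philomathiclife.com;

    # Serve the tokens certbot writes under the --webroot path straight from
    # disk over plain HTTP. "^~" makes this prefix location win over any
    # regex locations, and no redirect is issued inside it.
    location ^~ /.well-known/acme-challenge/ {
        root /usr/local/www/philomathiclife.com/html;
        default_type "text/plain";
        try_files $uri =404;
    }

    # Every other HTTP request keeps the existing redirect to HTTPS.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name philomathiclife.com www.philomathiclife.com;
    root /usr/local/www/philomathiclife.com/html;

    # Unchanged policy: browsers still only get TLS 1.3.
    ssl_protocols TLSv1.3;
    ssl_certificate     /usr/local/etc/letsencrypt/live/philomathiclife.com/fullchain.pem;
    ssl_certificate_key /usr/local/etc/letsencrypt/live/philomathiclife.com/privkey.pem;

    # ... remaining ssl_*, stapling and add_header directives from the post ...
}
```

To confirm the diagnosis before changing anything, `openssl s_client -connect philomathiclife.com:443 -tls1_2 </dev/null` should fail the handshake against the current config while `-tls1_3` succeeds; that reproduces what the validator saw after following the redirect. Two caveats: the ACME validator is not a browser and does not consult the HSTS preload list, so the plain-HTTP exception for the challenge path is invisible to preloaded clients, and it only helps if the port-80 redirect is what sends the validator to HTTPS in the first place (`nginx -T` shows the effective location order if a regex location is capturing the path ahead of the prefix block).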