I cannot renew: digital certificate error when renewing

Please fill in all the fields below so that we can help you. Note: you must provide your domain name to receive help. The domain names of issued certificates are published in the Certificate Transparency logs (for example, https://crt.sh/?q=example.com ). So withholding your domain name does not keep it secret, but it does make it harder for us to help you.

I can read answers in English: yes

My domain name is: https://monitoramentosatsafecmj.com.br

I ran this command: certbot renew --dry-run -v

Processing /etc/letsencrypt/renewal/monitoramentosatsafecmj.com.br.conf


Certificate is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Simulating renewal of an existing certificate for monitoramentosatsafecmj.com.br
Performing the following challenges:
http-01 challenge for monitoramentosatsafecmj.com.br
Waiting for verification...
Challenge failed for domain monitoramentosatsafecmj.com.br
http-01 challenge for monitoramentosatsafecmj.com.br

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: monitoramentosatsafecmj.com.br
Type: unauthorized
Detail: 104.21.74.33: Invalid response from http://monitoramentosatsafecmj.com.br/.well-known/acme-challenge/ZeBfajtA64PkfX5X0sw2s13P1QdriU0V5FKO-BVhg9Y: 522

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Cleaning up challenges
Failed to renew certificate monitoramentosatsafecmj.com.br with error: Some challenges have failed.


All simulated renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/monitoramentosatsafecmj.com.br/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (with version): Apache/2.4 (DEBIAN 11 bullseye)

The operating system on my web server is (with version): DEBIAN 11 bullseye

My site's hosting provider (if applicable) is: MY OWN

I can access a root shell on my machine (yes or no, or I don't know): yes

I use Cloudflare as a reverse proxy, but I disabled it to do the renewal; same error.

Welcome @fabioeducampos

It looks like you changed your DNS records since you posted. You are missing an A and/or AAAA record when using the Apache authenticator and HTTP Challenge.

Your error shows a 522 error, which means Let's Encrypt could find your server with an A record, but the response was a 522 Bad Gateway error.

This test site is helpful when setting up new sites


thanks for the answer
root@debian:/home/fabio# certbot renew --dry-run -v
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal


Certificate is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Simulating renewal of an existing certificate for monitoramentosatsafecmj.com.br
Performing the following challenges:
http-01 challenge for monitoramentosatsafecmj.com.br
Waiting for verification...
Challenge failed for domain monitoramentosatsafecmj.com.br
http-01 challenge for monitoramentosatsafecmj.com.br

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: monitoramentosatsafecmj.com.br
Type: connection
Detail:: Fetching http://monitoramentosatsafecmj.com.br/.well-known/acme-challenge/i36IW93RBmAkvef1c3lqJAkQKxcMKs2CWx28e5j5e30: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Cleaning up challenges
Failed to renew certificate monitoramentosatsafecmj.com.br with error: Some challenges have failed.


All simulated renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/monitoramentosatsafecmj.com.br/fullchain.pem (failure)


-Pn -p80,443 monitoramentosatsafecmj.com.br
Starting Nmap 7.93 ( https://nmap.org )
Nmap scan report for monitoramentosatsafecmj.com.br (104.21.74.33)
Host is up (0.0016s latency).
Other addresses for monitoramentosatsafecmj.com.br (not scanned): 172.67.196.69

PORT STATE SERVICE
80/tcp open http
443/tcp open https

Sorry but I am completely puzzled. I still do not see an A record in the public DNS. Not from my own test server or unboundtest.com or even dnsviz.net.

I don't understand how the Let's Encrypt server can report seeing IP 177.52.246.189

Which, if you notice, is not the same IP you see from your own nmap test so you likely have a local DNS resolver doing something different than public resolvers. But, that is a different issue.

I am sure some other volunteer will be able to see something.


In my case, for DNS resolution I use Cloudflare, pointed at the DNS record that I disabled, which is where this error was issued.
I redid the process again as it was; that's why, my dear collaborator, and I apologize for this mistake that confused you. I will wait for the DNS propagation, as soon as it is as it was with Cloudflare.

Now I am seeing

104.21.74.33 (IPv4) and
2606:4700:3036::ac43:c445 (IPv6)

which are Cloudflare addresses. However, a connection to either of them takes a long time before finally returning error 522 (connection timed out, at the CDN).

It looks like Cloudflare is trying to fetch content from your backend/origin site and cannot, but it takes quite a while to fail.

Does this mean "in your own house"? Are you sure Cloudflare can reach your server from the public Internet? Can you share the real address of the origin server?


I went back to the start of the error and disabled Cloudflare; see below. My real IP:
THE HOSTING SERVICE IS AT MY OWN COMPANY, WHERE I WORK.

ot@debian:/home/fabio# certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/monitoramentosatsafecmj.com.br.conf


Simulating renewal of an existing certificate for monitoramentosatsafecmj.com.br

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: monitoramentosatsafecmj.com.br
Type: connection
Detail: 177.52.246.189: Fetching http://monitoramentosatsafecmj.com.br/.well-known/acme-challenge/djOEhmHr1WA092wbag0cK46x4WeHj4VNnJ6qE9Wssbk: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Failed to renew certificate monitoramentosatsafecmj.com.br with error: Some challenges have failed.


All simulated renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/monitoramentosatsafecmj.com.br/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

Speak with whomever operates the firewall and have them open port 80 to your server.

Also [unrelated to this problem], your IP's rDNS entry is misconfigured:

Name:    189-246-52-177.vivasinternet.com.br.246.52.177.in-addr.arpa
Address: 177.52.246.189

It is consistent with both errors (with and without Cloudflare) that you do not have public access (from the Internet) allowed for connections to your server, because of a firewall, a router, or even your Internet provider's policy.
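As an added example (not code from this thread), a small Python helper that classifies the Certbot failure lines quoted above: a "Timeout during connect" points at a blocked port 80, a "522" from a Cloudflare address means the proxy was reached but the origin was not, and "unauthorized" with other content means the wrong vhost answered. The Cloudflare prefixes are an assumed subset of Cloudflare's published ranges, and the sample log excerpts are constructed from the messages in the thread.

```python
"""Classify Certbot HTTP-01 failures (added example; ranges are an assumption)."""
import ipaddress
import re

# Assumed subset of Cloudflare's published proxy ranges, enough for this thread.
CLOUDFLARE_NETS = [ipaddress.ip_network(n) for n in (
    "104.16.0.0/13", "104.24.0.0/14", "172.64.0.0/13", "2606:4700::/32")]

# "Detail: <ip>: <message>"; Certbot sometimes omits the IP or doubles the colon.
DETAIL_RE = re.compile(r"^Detail:?:?\s*(?:(?P<ip>[0-9a-fA-F.:]+):\s*)?(?P<msg>.*)$")

# Constructed excerpts mirroring the two failures seen in the thread.
SAMPLE_522 = """Domain: monitoramentosatsafecmj.com.br
Type: unauthorized
Detail: 104.21.74.33: Invalid response from http://monitoramentosatsafecmj.com.br/.well-known/acme-challenge/TOKEN: 522"""
SAMPLE_TIMEOUT = """Domain: monitoramentosatsafecmj.com.br
Type: connection
Detail: 177.52.246.189: Fetching http://monitoramentosatsafecmj.com.br/.well-known/acme-challenge/TOKEN: Timeout during connect (likely firewall problem)"""


def is_cloudflare(addr: str) -> bool:
    """True if the address the CA connected to sits in a Cloudflare range."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in CLOUDFLARE_NETS)


def classify(certbot_output: str) -> dict:
    """Return type, validated IP, whether it is proxied, and a diagnosis."""
    ctype = ip = msg = None
    for line in certbot_output.splitlines():
        line = line.strip()
        if line.startswith("Type:"):
            ctype = line.split(":", 1)[1].strip()
        elif line.startswith("Detail"):
            m = DETAIL_RE.match(line)
            ip, msg = m.group("ip"), m.group("msg")
    proxied = bool(ip) and is_cloudflare(ip)
    if msg and "Timeout during connect" in msg:
        diag = "port 80 unreachable from the Internet: firewall, router or ISP"
    elif msg and msg.rstrip().endswith("522"):
        diag = "CDN returned 522: proxy reached, origin unreachable (same root cause)"
    elif ctype == "unauthorized":
        diag = "wrong content served: vhost/webroot mismatch, not connectivity"
    else:
        diag = "unknown; read /var/log/letsencrypt/letsencrypt.log"
    return {"type": ctype, "ip": ip, "proxied": proxied, "diagnosis": diag}
```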

