I'm done, here it ends... nginx debian stretch and letsencrypt crashes

#1

My domain is: www.e-d-i-t.nl, www.roda71.nl, wms-zimbra.e-d-i-t.nl and a lot more…

I ran this command: certbot automatic renew process

It produced this output: all kind of different errors, eventually killing nginx, so rev proxy is offline and every site unreachable.

My web server is (include version): nginx in rev proxy

The operating system my web server runs on is (include version): Debian 9

I can login to a root shell on my machine (yes or no, or I don’t know): yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.10.2


Okay, that being said,…
I am getting all kinds of errors when trying to renew certs. Eventually I disabled the pre- and post-hook commands restarting nginx, because in the end nginx cannot bind anymore, putting the rev-proxy offline.

Some work, some don’t…

Works:
certbot renew --cert-name www.e-d-i-t.nl -a nginx --force-renewal
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/www.e-d-i-t.nl.conf

Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for www.e-d-i-t.nl
Waiting for verification…
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0058_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0058_csr-certbot.pem


new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/www.e-d-i-t.nl/fullchain.pem

Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/www.e-d-i-t.nl/fullchain.pem (success)

Fails:
certbot renew --cert-name wms-zimbra.e-d-i-t.nl -a nginx --force-renewal

Attempting to renew cert from /etc/letsencrypt/renewal/wms-zimbra.e-d-i-t.nl.conf produced an unexpected error: Failed authorization procedure. wms-zimbra.e-d-i-t.nl (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 247d3f23b4054c09a493b50052302d86.880550cec6e9d054c943d7a3e1ba4a72.acme.invalid from 212.78.210.99:443. Received 2 certificate(s), first certificate had names “dav.e-d-i-t.nl”. Skipping.

I had the authenticator in the config changed from standalone to nginx, but it makes no difference at the moment.

I’m out, have no clue what to do.

Kill the current rev-proxy server running nginx and Debian and just install Ubuntu 16.04 instead with apache2? Seems to be fewer errors when Googling…

#2

Hi @e-d-i-t

tls-sni-01 validation is deprecated; support ends in the next few days. So you have to switch to another validation method.

Your certbot is very old. Perhaps update.

http-01 validation requires an open port 80 to validate a domain. Or you use dns-01 validation or tls-alpn-01. acme.sh supports that (certbot doesn’t).

#3

Thanks, I will first dig into acme.sh and otherwise switch to Ubuntu or something supporting a higher version of certbot.

#4

Backports repo for Stretch contains a sufficiently up to date Certbot version to use http-01 with Nginx.

#5

Okay, I am not that good with Linux, so where to go?
It seems I downloaded the certbot installer from the website, because in my sources.list there is nothing for backports listed. So an apt-get update/upgrade will not fix it.

Do I need to get the latest version from the website and just install it on top of the old one?

#6

Oh, I forgot, we finished the process to push Certbot 0.28.0 on stable repos!

If you installed certbot from the OS packages, a simple apt-get update && apt-get upgrade certbot should do the trick. Try that first.

What is the result of this command: command -v certbot? It will help to understand from which installation source you installed certbot.

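Added example to go with posts #2 and #6, not code from the thread or from Certbot itself: a small POSIX shell audit that flags renewal configs still pinned to the withdrawn tls-sni-01 challenge and compares the installed Certbot version against the 0.28.0 that reached stable. It assumes the challenge preference is recorded via the pref_challs key in [renewalparams], as certbot writes when a preferred challenge was set; the sample conf, its path and the version numbers are constructed.

```shell
# Write a constructed certbot-style renewal conf (sample data, not the poster's) to $1.
make_sample_conf() {
  cat > "$1" <<'EOF'
# renew_before_expiry = 30 days
version = 0.10.2
cert = /etc/letsencrypt/live/sample.example/cert.pem
[renewalparams]
authenticator = nginx
installer = nginx
pref_challs = tls-sni-01,
EOF
}

# Print the pref_challs value of a renewal conf (empty when the key is absent).
renewal_pref_challs() {
  sed -n 's/^[[:space:]]*pref_challs[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Succeed when the conf still prefers the withdrawn tls-sni-01 challenge.
renewal_conf_uses_tls_sni() {
  case "$(renewal_pref_challs "$1")" in
    *tls-sni-01*) return 0 ;;
    *) return 1 ;;
  esac
}

# Succeed when dotted version $1 is at least $2, compared component by component.
version_at_least() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, A, "."); nb = split(b, B, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      x = (i <= na) ? A[i] + 0 : 0; y = (i <= nb) ? B[i] + 0 : 0
      if (x > y) exit 0
      if (x < y) exit 1
    }
    exit 0
  }'
}

# Print every renewal conf under directory $1 that still prefers tls-sni-01;
# succeed when at least one was found.
list_stale_renewals() {
  found=1
  for f in "$1"/*.conf; do
    [ -f "$f" ] || continue
    renewal_conf_uses_tls_sni "$f" && { echo "$f"; found=0; }
  done
  return "$found"
}
```

On a real host, run `list_stale_renewals /etc/letsencrypt/renewal` and `version_at_least "$(certbot --version 2>&1 | awk '{print $2}')" 0.28.0` after the apt upgrade from post #6.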
#7

It states: /usr/bin/certbot.
I can update with apt-get update && apt-get upgrade certbot
But I hope it does it in place, so configs remain working.
Ah well. Snapshot the VM and find out…

#8

Check, working again!
After updating, I ran the update commands again, and those which had stalled were updated.
Thanks for preventing the headache!
