Issue Installing New SSL Cert For New Domain


#1

Hey all!

I’m running into an issue when I try to automatically install a new SSL cert for a new domain on my webserver. This seems to be happening for all new domains I try to activate.

We’re running into the following error (snippet from log):

2018-11-21 15:39:06,623:DEBUG:requests.packages.urllib3.connectionpool:"POST /acme/new-authz HTTP/1.1" 201 989
2018-11-21 15:39:06,623:DEBUG:acme.client:Received response:
HTTP 201
Date: Wed, 21 Nov 2018 15:39:06 GMT
Link: <https://acme-v01.api.letsencrypt.org/acme/new-cert>;rel="next"
Content-Length: 989
Content-Type: application/json
Cache-Control: max-age=0, no-cache, no-store
X-Frame-Options: DENY
Replay-Nonce: 9ClDSwjtgW1VPVefpprhMHg7Zn2N5Z5We_Q5nbRgd7k
Pragma: no-cache
Boulder-Requester: 31009878
Location: https://acme-v01.api.letsencrypt.org/acme/authz/09NLYOH4PyDtX_DA47LpciUmLLx69IohtM4ZTdJ7YSs
Expires: Wed, 21 Nov 2018 15:39:06 GMT
Strict-Transport-Security: max-age=604800
Connection: keep-alive
Server: nginx

b'{\n  "identifier": {\n    "type": "dns",\n    "value": "surtex.com"\n  },\n  "status": "pending",\n  "expires": "2018-11-28T15:39:06Z",\n  "challenges": [\n    {\n      "type": "http-01",\n      "status": "pending",\n      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/09NLYOH4PyDtX_DA47LpciUmLLx69IohtM4ZTdJ7YSs/9510600557",\n      "token": "Qxk7R1N1rePnzuXV2Xj9Wk0yV-3XPhFFNa7NYsKyPdI"\n    },\n    {\n      "type": "tls-alpn-01",\n      "status": "pending",\n      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/09NLYOH4PyDtX_DA47LpciUmLLx69IohtM4ZTdJ7YSs/9510600558",\n      "token": "1fo7p1fgAIzZYwc-uenZ6wSOIqHMP1S6Fyj6tdZY2KA"\n    },\n    {\n      "type": "dns-01",\n      "status": "pending",\n      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/09NLYOH4PyDtX_DA47LpciUmLLx69IohtM4ZTdJ7YSs/9510600559",\n      "token": "RcHBwOpfIJK00EyIAs5KME_45LaKznO8UTSUl5Bj96g"\n    }\n  ],\n  "combinations": [\n    [\n      0\n    ],\n    [\n      1\n    ],\n    [\n      2\n    ]\n  ]\n}'
2018-11-21 15:39:06,624:DEBUG:acme.client:Storing nonce: 9ClDSwjtgW1VPVefpprhMHg7Zn2N5Z5We_Q5nbRgd7k
2018-11-21 15:39:06,624:DEBUG:acme.challenges:tls-alpn-01 was not recognized, full message: {'type': 'tls-alpn-01', 'status': 'pending', 'token': '1fo7p1fgAIzZYwc-uenZ6wSOIqHMP1S6Fyj6tdZY2KA', 'uri': 'https://acme-v01.api.letsencrypt.org/acme/challenge/09NLYOH4PyDtX_DA47LpciUmLLx69IohtM4ZTdJ7YSs/9510600558'}
2018-11-21 15:39:06,624:INFO:certbot.auth_handler:Performing the following challenges:
2018-11-21 15:39:06,625:INFO:certbot.auth_handler:http-01 challenge for www.surtex.com
2018-11-21 15:39:06,625:INFO:certbot.auth_handler:http-01 challenge for surtex.com
2018-11-21 15:39:06,626:DEBUG:acme.standalone:Failed to bind to :80 using IPv6
2018-11-21 15:39:06,626:DEBUG:acme.standalone:Failed to bind to :80 using IPv4
2018-11-21 15:39:06,627:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/plugins/standalone.py", line 65, in run
    address, self.http_01_resources)
  File "/usr/lib/python3/dist-packages/acme/standalone.py", line 175, in __init__
    BaseDualNetworkedServers.__init__(self, HTTP01Server, *args, **kwargs)
  File "/usr/lib/python3/dist-packages/acme/standalone.py", line 94, in __init__
    raise socket.error("Could not bind to IPv4 or IPv6.")
OSError: Could not bind to IPv4 or IPv6.

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 115, in _solve_challenges
    resp = self.auth.perform(self.achalls)
  File "/usr/lib/python3/dist-packages/certbot/plugins/standalone.py", line 221, in perform
    return [self._try_perform_single(achall) for achall in achalls]
  File "/usr/lib/python3/dist-packages/certbot/plugins/standalone.py", line 221, in <listcomp>
    return [self._try_perform_single(achall) for achall in achalls]
  File "/usr/lib/python3/dist-packages/certbot/plugins/standalone.py", line 228, in _try_perform_single
    _handle_perform_error(error)
  File "/usr/lib/python3/dist-packages/certbot/plugins/standalone.py", line 226, in _try_perform_single
    return self._perform_single(achall)
  File "/usr/lib/python3/dist-packages/certbot/plugins/standalone.py", line 232, in _perform_single
    servers, response = self._perform_http_01(achall)
  File "/usr/lib/python3/dist-packages/certbot/plugins/standalone.py", line 241, in _perform_http_01
    servers = self.servers.run(port, challenges.HTTP01, listenaddr=addr)
  File "/usr/lib/python3/dist-packages/certbot/plugins/standalone.py", line 67, in run
    raise errors.StandaloneBindError(error, port)
certbot.errors.StandaloneBindError: Problem binding to port 80: Could not bind to IPv4 or IPv6.

2018-11-21 15:39:06,627:DEBUG:certbot.error_handler:Calling registered functions
2018-11-21 15:39:06,627:INFO:certbot.auth_handler:Cleaning up challenges
2018-11-21 15:39:06,628:INFO:certbot.hooks:Running post-hook command: systemctl start apache2
2018-11-21 15:39:07,875:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/plugins/standalone.py", line 65, in run
    address, self.http_01_resources)
  File "/usr/lib/python3/dist-packages/acme/standalone.py", line 175, in __init__
    BaseDualNetworkedServers.__init__(self, HTTP01Server, *args, **kwargs)
  File "/usr/lib/python3/dist-packages/acme/standalone.py", line 94, in __init__
    raise socket.error("Could not bind to IPv4 or IPv6.")
OSError: Could not bind to IPv4 or IPv6.

This exception continues on until Apache stalls and fails to reboot.

Any ideas?


#2

Hi @blancast

What’s the problem? surtex.com has a new certificate, created today with two names (www + non-www).

CN=www.surtex.com
	21.11.2018
	19.02.2019
	surtex.com, www.surtex.com - 2 entries

So all looks good.


#3

@JuergenAuer

Oh hey - sorry I forgot to mention that we ended up creating the certificate manually after it failed.


#4

Hi,

It seems that you are using standalone in certbot when there is a client that is already binding the server… (possibly nginx or Apache)…

You could either stop the web server when certbot is running, or use the built-in plugin for the web server (if there is one…)

Thank you
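The diagnosis above can be checked before certbot is run. The script below is an added example, not certbot's own code and not part of this thread: it mimics the bind order that the log shows acme.standalone using (IPv6 first, then IPv4), reports which address family could not be bound, and pulls the failing port out of a certbot debug log. The port, the wildcard addresses, the `occupy_port` stand-in for a running web server and the log excerpt are assumptions or constructed from post #1; the real standalone plugin binds :80 for http-01.

```python
"""Pre-flight check for certbot's standalone plugin (added example, not certbot code).

Mimics the IPv6-then-IPv4 bind order that acme.standalone logs in post #1, so the
"Could not bind to IPv4 or IPv6" failure can be detected before certbot is invoked,
and extracts the failing port from a certbot debug log.
"""
import re
import socket

# Constructed from the log lines in post #1 (only the relevant lines).
SAMPLE_LOG = """\
2018-11-21 15:39:06,626:DEBUG:acme.standalone:Failed to bind to :80 using IPv6
2018-11-21 15:39:06,626:DEBUG:acme.standalone:Failed to bind to :80 using IPv4
certbot.errors.StandaloneBindError: Problem binding to port 80: Could not bind to IPv4 or IPv6.
"""

BIND_ERROR = re.compile(r"StandaloneBindError: Problem binding to port (\d+): (.*)$")


def parse_bind_error(log_text):
    """Return (port, reason) for the first StandaloneBindError in a certbot log, else None."""
    for line in log_text.splitlines():
        match = BIND_ERROR.search(line)
        if match:
            return int(match.group(1)), match.group(2).strip()
    return None


def try_bind(family, address, port):
    """Try to open a LISTENing TCP socket; return None on success or the OS error text.

    The probe socket is always closed, so a successful probe leaves the port
    free for certbot to take afterwards.
    """
    try:
        sock = socket.socket(family, socket.SOCK_STREAM)
    except OSError as exc:  # e.g. the host has no IPv6 support at all
        return str(exc)
    try:
        # Like an HTTPServer, allow address reuse; the kernel still refuses the
        # bind while another socket is LISTENing on the same address and port.
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        if family == socket.AF_INET6 and hasattr(socket, "IPV6_V6ONLY"):
            # Dual-stack wildcard socket: "::" also claims the IPv4 port, so an
            # Apache LISTENing on 0.0.0.0:80 makes this bind fail as well.
            sock.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 0)
        sock.bind((address, port))
        sock.listen(1)
        return None
    except OSError as exc:
        return str(exc)
    finally:
        sock.close()


def check_standalone_port(port=80):
    """Probe the port the way acme.standalone does: IPv6 first, then IPv4.

    Returns a dict with the error text per family (None = bound OK) and a
    'free' flag that is True when at least one family could be bound, which
    is the condition the standalone plugin needs to serve the challenge.
    """
    results = {
        "IPv6": try_bind(socket.AF_INET6, "::", port),
        "IPv4": try_bind(socket.AF_INET, "0.0.0.0", port),
    }
    results["free"] = any(err is None for err in (results["IPv6"], results["IPv4"]))
    return results


def occupy_port(port=0):
    """Stand in for a running web server: hold a LISTENing socket on the port.

    port=0 lets the OS pick a free port; the caller closes the returned socket.
    """
    holder = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    holder.bind(("0.0.0.0", port))
    holder.listen(1)
    return holder, holder.getsockname()[1]


if __name__ == "__main__":
    # Demonstrate on an OS-chosen port instead of :80 (which needs root).
    holder, port = occupy_port()
    print("while a server holds the port:", check_standalone_port(port))
    holder.close()
    print("after the server is stopped:  ", check_standalone_port(port))
    print("log says:", parse_bind_error(SAMPLE_LOG))
```

If the check reports `free: False`, the fixes are the ones post #4 names: stop the web server around the run (certbot's `--pre-hook` / `--post-hook` options, the log in post #1 already shows a `systemctl start apache2` post-hook, so the matching `systemctl stop apache2` pre-hook is what is missing there), or let the web server answer the challenge itself with the `--apache`, `--nginx` or `--webroot` authenticator instead of `--standalone`.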