Issue to renew?


#1

Hi,

I was wondering if someone else has had the same issue. I currently have a subdomain working with Let's Encrypt. The issue is that when I try to renew I'm getting this error:

Attempting to renew cert (platform.mydomain.cloud) from /etc/letsencrypt/renewal/platform.mydomain.cloud.conf produced an unexpected error: Failed authorization procedure. platform.mydomain.cloud (tls-sni-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Error getting validation data. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/platform.mydomain.cloud/fullchain.pem (failure)

Odd, because I have not made any new A records and I can access the site with no issue. I was looking through Google; most people who had this issue had it because they were using IPv6. I did a curl platform.mydomain.cloud and it works fine. At the end I was reading that I should update certbot, but I'm not sure what repository I should use?

This is the command I ran when I initially set up the cert:

sudo certbot --nginx --agree-tos --redirect --staple-ocsp --email myemail@mydomain.cloud -d platform.mydomain.cloud

Then this to run the update cron task:

30 2 * * 1 certbot renew --post-hook "systemctl reload nginx" >> /var/log/le-renew.log

#2

Hi @killmasta93

is this a new domain?

tls-sni-01 is deprecated and you can’t use it with new domains.

Support ends 2019-02.


#3

What else does “sudo certbot renew” output?

What’s the real domain?


#4

Thanks for the reply. It's not a new domain. The domain is platform.syncbox.cloud


#5

Thanks for the reply. This is what I get:

Processing /etc/letsencrypt/renewal/platform.syncbox.cloud.conf
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for platform.syncbox.cloud
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (platform.syncbox.cloud) from /etc/letsencrypt/renewal/platform.syncbox.cloud.conf produced an unexpected error: Failed authorization procedure. platform.syncbox.cloud (tls-sni-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Error getting validation data. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/platform.syncbox.cloud/fullchain.pem (failure)

#6

Then try it with

sudo certbot renew --preferred-challenges http

#7

Thanks for the reply. I'm getting this:

Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for platform.syncbox.cloud
Using default address 80 for authentication.
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (platform.syncbox.cloud) from /etc/letsencrypt/renewal/platform.syncbox.cloud.conf produced an unexpected error: Failed authorization procedure. platform.syncbox.cloud (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://platform.syncbox.cloud/.well-known/acme-challenge/q0Ih1Cbr4OtYk18wv-fMbtXjdd-S8Qw4kzIV2e_MPRQ [190.145.225.174]: 404. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/platform.syncbox.cloud/fullchain.pem (failure)

#8

Please share your complete log under

/var/log/letsencrypt/letsencrypt.log

You have a redirect http -> https (checked via https://check-your-website.server-daten.de/?q=platform.syncbox.cloud ).

So the Let's Encrypt validation is redirected to https. Is this the server where Certbot creates the /.well-known/acme-challenge directory and saves the validation file?

Add

--debug-challenges    After setting up challenges, wait for user input
                        before submitting to CA

and check where this file is created and whether this file is visible via port 80 or the redirect.


#9

Thanks for the reply. I currently have HAProxy, which does the redirect from http to https, but what's odd is that I have never had this issue before, probably because tls-sni-01 is deprecated.

https://pastebin.com/mjXa04yQ


#10

There you have your error:

Detail: Invalid response from http://platform.syncbox.cloud/.well-known/acme-challenge/_kOdRDfX_OZRIedqRGLZl08gniThfEslAYuejRE5P8Q [190.145.225.174]: 404

Letsencrypt doesn’t find the validation file.

Did you use --debug-challenges to check where certbot creates such a file?

Or does your http version have a different webroot than your https version?


#11

Thanks for the reply. I ran this:

certbot renew --preferred-challenges http --debug-challenges --dry-run

Then got this:

Cleaning up challenges
Attempting to renew cert (platform.syncbox.cloud) from /etc/letsencrypt/renewal/platform.syncbox.cloud.conf produced an unexpected error: Failed authorization procedure. platform.syncbox.cloud (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://platform.syncbox.cloud/.well-known/acme-challenge/hn9_Xr_p-fH9QKL8Jw-u0gkwDyYo6jQc93tvgL7kp3g [190.145.225.174]: 404. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/account.syncbox.cloud/fullchain.pem (failure)
  /etc/letsencrypt/live/platform.syncbox.cloud/fullchain.pem (failure)

I installed using these commands:

apt install software-properties-common
add-apt-repository ppa:certbot/certbot
apt update
apt install certbot python-certbot-nginx
sudo certbot --nginx --agree-tos --redirect --staple-ocsp --email myemail@syncbox.cloud -d platform.syncbox.cloud

What's odd is that I have another server which is running Ubuntu 14; there I used this instead:

sudo wget https://dl.eff.org/certbot-auto
sudo mv certbot-auto /usr/local/sbin/certbot-auto
sudo chmod a+x /usr/local/sbin/certbot-auto
certbot-auto certonly -a webroot --webroot-path=/var/www/html -d mydomain.com -d www.mydomain.com

and it works with no issue, so I guess it's not an HAProxy issue.


#12

Did you check where Certbot has saved the validation file? --debug-challenges waits so you can check this.

Don’t hit “Return” (or “Space”) before you have found the file in the directory.


#13

Thanks for the quick reply. This is the whole outcome:

root@users:~# certbot renew --debug-challenges
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Processing /etc/letsencrypt/renewal/account.syncbox.cloud.conf
Cert not yet due for renewal
Processing /etc/letsencrypt/renewal/platform.syncbox.cloud.conf
Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for platform.syncbox.cloud
Waiting for verification…
Challenges loaded. Press continue to submit to CA. Pass “-v” for more info about
challenges.
Cleaning up challenges
Attempting to renew cert (platform.syncbox.cloud) from /etc/letsencrypt/renewal/platform.syncbox.cloud.conf produced an unexpected error: Failed authorization procedure. platform.syncbox.cloud (tls-sni-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Error getting validation data. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/platform.syncbox.cloud/fullchain.pem (failure)
The following certs are not due for renewal yet:
/etc/letsencrypt/live/account.syncbox.cloud/fullchain.pem expires on 2018-12-17 (skipped)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/platform.syncbox.cloud/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:
The following errors were reported by the server:
Domain: platform.syncbox.cloud
Type: connection
Detail: Error getting validation data
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you’re using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.

I found a folder inside of /var/www/html, the .well-known folder, but it's empty
(see picture)

Thank you again


#14

If you use the tls-sni-01 - validation, then there is no file created.


#15

Thanks for the reply. So the question is, what is the correct command to run to renew the SSL? Or what do I need to do?


#16

As written:

sudo certbot renew --preferred-challenges http --debug-challenges --dry-run

The tls is deprecated, dead. No chance to debug / fix that. So http or dns.


#17

Thanks for the reply. What I needed was this in the NGINX config:

location ~ /.well-known {
    allow all;
}
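
The advice in #8 and #10 boils down to one question: is a file dropped into the webroot's .well-known/acme-challenge/ directory actually fetchable over plain HTTP at http://DOMAIN/.well-known/acme-challenge/<token>, even with an http -> https redirect in front? The script below is an added example (not from this thread and not Certbot's own code) that answers that before a renewal is attempted: it writes a random token file under the given webroot, fetches it through the given base URL, follows redirects the way the Let's Encrypt validator does, and reports a mismatch or a 404 like the ones in the output above. The webroot path and base URL are parameters you supply; demo() stands in a local http.server for nginx/HAProxy so the check can be exercised offline, once with the directory the server really serves and once with a different directory, which is the "wrong webroot" case #10 asks about.

```python
"""Pre-flight check for an ACME http-01 challenge path (added example)."""
import os
import secrets
import tempfile
import threading
import urllib.error
import urllib.request
from functools import partial
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer

CHALLENGE_DIR = ".well-known/acme-challenge"

# Direct connection, no proxy environment variables: the CA's validator
# talks to the host directly, so the check should too. Redirects (e.g. the
# http -> https redirect from HAProxy) are still followed by this opener.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def check_http01_path(webroot, base_url, timeout=5):
    """Write a random token below webroot/.well-known/acme-challenge, fetch it
    via base_url and compare. Returns (ok, detail); the token file is removed
    again whatever happens."""
    token = secrets.token_urlsafe(32)
    body = secrets.token_urlsafe(32)
    path = os.path.join(webroot, CHALLENGE_DIR, token)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(body)
    url = f"{base_url.rstrip('/')}/{CHALLENGE_DIR}/{token}"
    try:
        with _OPENER.open(url, timeout=timeout) as resp:
            served = resp.read().decode("utf-8", "replace").strip()
        if served == body:
            return True, f"{url} served the expected token"
        return False, f"{url} answered 200 but with a different body"
    except urllib.error.HTTPError as exc:
        # HTTP 404 here is exactly the "Invalid response ... 404" the CA reports.
        return False, f"{url} returned HTTP {exc.code}"
    except (urllib.error.URLError, OSError) as exc:
        return False, f"could not fetch {url}: {exc}"
    finally:
        os.remove(path)


def _serve(directory):
    """Start a throwaway HTTP server on 127.0.0.1 serving `directory`."""
    handler = partial(SimpleHTTPRequestHandler, directory=directory)
    server = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def demo():
    """Exercise the check offline. Returns (ok_with_right_webroot,
    ok_with_wrong_webroot), expected (True, False)."""
    with tempfile.TemporaryDirectory() as served, tempfile.TemporaryDirectory() as other:
        server, base = _serve(served)
        try:
            ok_good, _ = check_http01_path(served, base)   # server serves this dir
            ok_bad, _ = check_http01_path(other, base)     # token lands elsewhere
        finally:
            server.shutdown()
            server.server_close()
    return ok_good, ok_bad


if __name__ == "__main__":
    print(demo())  # (True, False)
    # Real use, with your own values (hypothetical paths/URL):
    # print(check_http01_path("/var/www/html", "http://platform.syncbox.cloud"))
```

Run it against the real host as root (or as the user that owns the webroot) before `certbot renew --preferred-challenges http`; a False result with "HTTP 404" means the http side of the proxy or nginx is not serving that directory, which is what the location block above fixes.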

#18

So this is to renew:

sudo certbot renew --preferred-challenges http --debug-challenges

What about when it's the first time? Would it be something like this?

certbot --preferred-challenges http

#19

Your first command must have all information.

So you can try

sudo certbot -d yournewdomain

and answer the questions certbot asks. Then this information is saved in your configuration file.

Or you use something like

sudo certbot -d yournewdomain --nginx --preferred-challenges http

--debug-challenges requires manual action, so you don’t want to use it in a cron job.


#20

Thanks for the reply, I will use this in the future on a new domain.
So for the cron job, would it be something like this?

30 2 * * 1      certbot renew --preferred-challenges http --post-hook "systemctl reload nginx" >> /var/log/le-renew.log