Issue to renew?

killmasta93 · November 8, 2018, 2:22pm

Hi,

i was wondering if someone else has had the same issue currently have a subdomain working with letsencrypt. The issue is that when i try to renew im getting this error

Attempting to renew cert (platform.mydomain.cloud) from /etc/letsencrypt/renewal/platform.mydomain.cloud.conf produced an unexpected error: Failed authorization procedure. platform.mydomain.cloud (tls-sni-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Error getting validation data. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/platform.mydomain.cloud/fullchain.pem (failure)

odd because i have not made any A records new and i can access the site with no issue. i was looking though google Most people has this issue was because they were using IPV6, i did a curl platform.mydomain.cloud and works fine. at the end i was reading that i should update cert bot but not sure what repository i should use?

This is the command when i initially run the cert

 sudo certbot --nginx --agree-tos --redirect --staple-ocsp --email myemail@mydomain.cloud -d platform.mydomain.cloud

then this to run the update cron task

30 2 * * 1 certbot renew --post-hook "systemctl reload nginx" >> /var/log/le-renew.log

JuergenAuer · November 8, 2018, 2:46pm

Hi @killmasta93

is this a new domain?

tls-sni-01 is deprecated and you can't use it with new domains.

Support ends 2019-02.

mnordhoff · November 8, 2018, 2:48pm

What else does “sudo certbot renew” output?

What’s the real domain?

killmasta93 · November 8, 2018, 3:36pm

Thanks for the reply its not a new domain. the domain is platform.syncbox.cloud

killmasta93 · November 8, 2018, 3:38pm

Thanks for the reply this is what i ge t

Processing /etc/letsencrypt/renewal/platform.syncbox.cloud.conf

   Cert is due for renewal, auto-renewing...
  Plugins selected: Authenticator nginx, Installer nginx 
  Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for platform.syncbox.cloud
Waiting for verification...
Cleaning up challenges
    Attempting to renew cert (platform.syncbox.cloud) from /etc/letsencrypt/renewal/platform.syncbox.cloud.conf produced an unexpected error: Failed authorization procedure.   platform.syncbox.cloud (tls-sni-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Error getting validation data. Skipping.
     All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/platform.syncbox.cloud/fullchain.pem (failure)

JuergenAuer · November 8, 2018, 3:41pm

Then try it with

sudo certbot renew --preferred-challenges http

killmasta93 · November 8, 2018, 4:52pm

Thanks for the reply im getting this

 Cert is due for renewal, auto-renewing...
 Plugins selected: Authenticator nginx, Installer nginx
  Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
  Renewing an existing certificate
  Performing the following challenges:
 http-01 challenge for platform.syncbox.cloud
  Using default address 80 for authentication.
   Waiting for verification...
 Cleaning up challenges
 Attempting to renew cert (platform.syncbox.cloud) from /etc/letsencrypt/renewal/                                                                                        platform.syncbox.cloud.conf produced an unexpected error: Failed authorization p                                                                                        rocedure. platform.syncbox.cloud (http-01): urn:ietf:params:acme:error:unauthori                                                                                        zed :: The client lacks sufficient authorization :: Invalid response from http:/                                                                                        /platform.syncbox.cloud/.well-known/acme-challenge/q0Ih1Cbr4OtYk18wv-fMbtXjdd-S8                                                                                        Qw4kzIV2e_MPRQ [190.145.225.174]: 404. Skipping.
    All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/platform.syncbox.cloud/fullchain.pem (failure)

JuergenAuer · November 8, 2018, 5:00pm

Please share your complete log under

/var/log/letsencrypt/letsencrypt.log

You have a redirect http -> https (checked via https://check-your-website.server-daten.de/?q=platform.syncbox.cloud ).

So the Letsencrypt - validation is redirected to https. Is this the server Certbot creates the /.well-known/acme-challenge directory and saves the validation file?

Add

--debug-challenges    After setting up challenges, wait for user input
                        before submitting to CA

and check, where this file is created and if this file is visible via port 80 or the redirect.

killmasta93 · November 8, 2018, 7:24pm

Thanks for the reply, i currently have HAproxy which does the redirect from http to https but whats odd is that i have never had this issue before prob because tls-sni-01 is deprecated

https://pastebin.com/mjXa04yQ

JuergenAuer · November 8, 2018, 9:33pm

There you have your error:

Detail: Invalid response from http://platform.syncbox.cloud/.well-known/acme-challenge/_kOdRDfX_OZRIedqRGLZl08gniThfEslAYuejRE5P8Q [190.145.225.174]: 404

Letsencrypt doesn't find the validation file.

Did you use --debug-challenges to check where certbot creates such a file?

Or has your http version another webroot as your https version?

killmasta93 · November 8, 2018, 11:29pm

Thanks for the reply i ran this

           certbot renew --preferred-challenges http --debug-challenges --dry-run

then got this

              Cleaning up challenges
    Attempting to renew cert (platform.syncbox.cloud) from /etc/letsencrypt/renewal/platform.syncbox.cloud.conf produced an unexpected error: Failed authorization procedure. platform.syncbox.cloud (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://platform.syncbox.cloud/.well-known/acme-challenge/hn9_Xr_p-fH9QKL8Jw-u0gkwDyYo6jQc93tvgL7kp3g [190.145.225.174]: 404. Skipping.
  All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/account.syncbox.cloud/fullchain.pem (failure)
   /etc/letsencrypt/live/platform.syncbox.cloud/fullchain.pem (failure)

i installed using this commands

apt install software-properties-common
add-apt-repository ppa:certbot/certbot
apt update
apt install certbot python-certbot-nginx
sudo certbot --nginx --agree-tos --redirect --staple-ocsp --email myemail@syncbox.cloud -d platform.syncbox.cloud

what odd is that i have another server which is running ubuntu 14 instead i used this

sudo wget https://dl.eff.org/certbot-auto
sudo chmod a+x /usr/local/sbin/certbot-auto
certbot-auto certonly -a webroot --webroot-path=/var/www/html -d mydomain.com -d www.mydomain.com

and it works with no issue so i guess its not an HAproxy issue

JuergenAuer · November 8, 2018, 11:33pm

Did you check where Certbot has saved the validation file? --debug-challenges waits so you can check this.

Don't hit "Return" (or "Space") before you didn't found the file in the directory.

killmasta93 · November 9, 2018, 12:00am

Thanks for the quick reply
this is the whole outcome

root@users:~# certbot renew --debug-challenges
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Processing /etc/letsencrypt/renewal/account.syncbox.cloud.conf
Cert not yet due for renewal
Processing /etc/letsencrypt/renewal/platform.syncbox.cloud.conf
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for platform.syncbox.cloud
Waiting for verification...
Challenges loaded. Press continue to submit to CA. Pass "-v" for more info about
challenges.
Cleaning up challenges
Attempting to renew cert (platform.syncbox.cloud) from /etc/letsencrypt/renewal/platform.syncbox.cloud.conf produced an unexpected error: Failed authorization procedure. platform.syncbox.cloud (tls-sni-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Error getting validation data. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/platform.syncbox.cloud/fullchain.pem (failure)
The following certs are not due for renewal yet:
/etc/letsencrypt/live/account.syncbox.cloud/fullchain.pem expires on 2018-12-17 (skipped)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/platform.syncbox.cloud/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:
The following errors were reported by the server:
Domain: platform.syncbox.cloud
Type: connection
Detail: Error getting validation data
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.

i found a folder inside of /var/www/html the folder which is the .well-known but its empty
(see picture)

08-002

Thank you again

JuergenAuer · November 9, 2018, 12:02am

If you use the tls-sni-01 - validation, then there is no file created.

killmasta93 · November 9, 2018, 12:06am

thanks for the reply, so the question is what is the correct command to run to renew the ssl? or what do i need to do?

JuergenAuer · November 9, 2018, 9:30am

As written:

sudo certbot renew --preferred-challenges http --debug-challenges --dry-run

The tls is deprecated, dead. No chance to debug / fix that. So http or dns.

killmasta93 · November 11, 2018, 8:51pm

Thanks for the reply, what i needed was this on the NGINX config

 location ~ /.well-known {
            allow all;
    }

killmasta93 · November 11, 2018, 9:11pm

so this is to renew,

      sudo certbot renew --preferred-challenges http --debug-challenges

what about when its the first time?
be something like this?

          certbot --preferred-challenges http

JuergenAuer · November 11, 2018, 9:26pm

Your first command must have all informations.

So you can try

sudo certbot -d yournewdomain

and answer the questions certbot asks. Then these informations are saved in your configuration file.

Or you use something like

sudo certbot -d yournewdomain --nginx --preferred-challenges http

--debug-challenges requires manual action, so you don't want to use it in a cron job.

killmasta93 · November 13, 2018, 3:26am

Thanks for the reply, will use this in the future on a new domain.
so for the cronjob would be something like this?

       30 2 * * 1      certbot renew --preferred-challenges http "systemctl reload nginx" >> /var/log/le-renew.log

Topic		Replies	Views
Issue in updating cert Help	3	595	March 14, 2019
HomeAssistant & Cert Renew Issues Help	13	4406	September 23, 2017
Unable to renew certificates - expiring 10/03/17! Help	7	2539	April 9, 2017
Failure To Renew Certificate Help	6	668	December 27, 2018
Cannot Renew Some Certificates Help	11	2645	February 10, 2017

Issue to renew?

Related topics