Let's encrypt after server migration


#1

Please fill out the fields below so we can help you better.

My domain is: bleudiamant.fr

I ran this command: certbot --apache

It produced this output:

Domain: www.bleudiamant.fr
Type: connection
Detail: Failed to connect to 163.172.173.31:443 for TLS-SNI-01 challenge
Domain: www.********.bleudiamant.fr
Type: unauthorized
Detail: Incorrect validation certificate for TLS-SNI-01 challenge. Requested bad9bafe04fec2d98d220ae85c34f550.565f99c2640877e368a8339d491f24c4.acme.invali

My operating system is (include version):
Debian Jessie (GNU/Linux 4.5.7-std-3 x86_64 )

My web server is (include version):
Server version: Apache/2.4.10 (Debian)

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

Yesterday I migrated my server: after reinstalling all services and changing the IP of my domain name to my new server, I revoked my certs and launched certbot, but I get this error.
Thanks in advance and sorry for my bad English.


#2

Just a question: what’s the reason you’ve revoked your certificate?


#3

I thought it was the best thing to do because I changed server and IP.


#4

Since you changed IP Address, the problem could be in DNS resolution, and could go away in a few hours.

In the future, you don’t need to revoke the certificates for this scenario. You can just trash them or migrate them to the new server.


#5

Oh ok, I see.
I tried this morning at 09h10, nothing changed :confused:
The DNS change was processed on 09/08.


#6

Still nothing, I have tried everything and nothing works :frowning:


#7

There’s an OpenSSH daemon running on port 443…?

osiris@desktop ~ $ telnet www.bleudiamant.fr 443
Trying 163.172.173.31...
Connected to www.bleudiamant.fr.
Escape character is '^]'.
GET / HTTP/1.1
SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u3
Protocol mismatch.
Connection closed by foreign host.
osiris@desktop ~ $ 

And:

osiris@desktop ~ $ ssh -p 443 root@www.bleudiamant.fr
root@www.bleudiamant.fr's password: 
Permission denied, please try again.
root@www.bleudiamant.fr's password: 

osiris@desktop ~ $ 

There’s something seriously wrong with your server configuration…


#8

I wonder if it would be worth writing a warning into certbot when a user uses the revoke command–we’ve seen so many threads here where people clearly had no understanding of what revocation does, or when (or why) to do it, and it’s so rare that there is actually a need to do it, that it seems like this might be a good idea.

@BleuDiamant, the only reason to revoke a certificate is if you believe your private key has been compromised. If you’re just not going to use the certificate any more, just let it expire–there’s no reason to revoke it in that case.


#9

@danb35 Oh ok, I see. Yeah, the documentation is not clear on this.

@Osiris I have a multiplexer on my server (sslh) to redirect OpenVPN, SSH and HTTPS on 443. I can try to disable it if you think it is a problem.
Edit: nothing changed with the multiplexer off.


#10

HTTPS uses port 443 by default. If anything else is listening on port 443, it will interfere with certbot.

Now that you’ve turned the multiplexer off, what happens if you try to SSH to your server? Apache should be the only thing responding on port 80 or 443 in order for certbot to work.

If you’re sure that your DNS is working, you can try one of the bash clients instead of certbot. Clients such as acme.sh can authorise via DNS. However, it does appear your server is misconfigured. You should probably concentrate on having SSH listen on a more appropriate port (such as 22 instead of 443).

Also, you list your domain as bleudiamant.fr but certbot is trying to reach www.bleudiamant.fr. Are you sure your DNS is configured for both domains? Maybe OpenSSH is only listening on one domain and not the other (I’m not sure how your multiplexer is configured).
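A small pre-flight check for the two failure modes discussed in this thread (the name still resolving to the old IP, and something other than a TLS server answering on 443). This is an added example, not code from the thread or from certbot; the host name and expected IP are assumptions the caller supplies, and the sample banner is constructed from the one Osiris saw.

```python
"""Pre-flight check before running certbot: does the name point at the new
server, and is the service answering on 443 actually TLS (not sshd)?"""
import socket
import ssl
from typing import List, Optional

# Constructed sample, mirroring the banner seen via telnet in the thread.
SAMPLE_SSH_BANNER = b"SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u3\r\n"

def classify_banner(first_bytes: bytes) -> str:
    """Classify what greeted us on port 443 from the first bytes received.
    A TLS server sends nothing until it sees a ClientHello, so any
    unsolicited banner means something other than HTTPS owns the port."""
    if first_bytes.startswith(b"SSH-"):
        return "ssh"
    if first_bytes.startswith(b"HTTP/"):
        return "http"      # plain HTTP server on the TLS port
    if first_bytes == b"":
        return "silent"    # consistent with a TLS listener awaiting ClientHello
    return "unknown"

def dns_points_at(host: str, expected_ip: str,
                  resolved: Optional[List[str]] = None) -> bool:
    """True if every A record for host is the expected (new) server IP.
    `resolved` lets callers inject addresses (e.g. in tests) instead of
    querying the system resolver."""
    if resolved is None:
        resolved = sorted({ai[4][0] for ai in
                           socket.getaddrinfo(host, 443, socket.AF_INET)})
    return bool(resolved) and all(ip == expected_ip for ip in resolved)

def probe_443(host: str, timeout: float = 3.0) -> str:
    """Connect to host:443, wait briefly for an unsolicited banner, and if the
    peer stays silent attempt a real TLS handshake with SNI (what the ACME
    validator does). Returns 'ssh', 'http', 'tls', 'tls-failed' or 'unknown'."""
    with socket.create_connection((host, 443), timeout=timeout) as sock:
        sock.settimeout(timeout)
        try:
            first = sock.recv(64)
        except socket.timeout:
            first = b""
        kind = classify_banner(first)
        if kind != "silent":
            return kind
        ctx = ssl.create_default_context()
        ctx.check_hostname = False          # only asking "does TLS speak here?"
        ctx.verify_mode = ssl.CERT_NONE
        try:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return "tls" if tls.version() else "tls-failed"
        except ssl.SSLError:
            return "tls-failed"
```

Run `dns_points_at("www.bleudiamant.fr", "<new server IP>")` and `probe_443("www.bleudiamant.fr")` from outside the server; anything other than `True` and `"tls"` explains a failed TLS-SNI-01 challenge before certbot is even involved.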


#11

Ok, I have news.
Finally I can get a certificate, but I have a new error:


Error while running apache2ctl configtest.
Action 'configtest' failed.
The Apache error log may have more information.
apache2: Syntax error on line 219 of /etc/apache2/apache2.conf:
Syntax error on line 12 of
/etc/apache2/sites-enabled/nicolas.bondoux.fr-le-ssl.conf: Expected
but saw

Error while running apache2ctl configtest.
Action 'configtest' failed.
The Apache error log may have more information.
apache2: Syntax error on line 219 of /etc/apache2/apache2.conf:
Syntax error on line 12 of
/etc/apache2/sites-enabled/nicolas.bondoux.fr-le-ssl.conf: Expected
but saw
Rolling back to previous server configuration...


And in my error.log (apache2) I have only this:


[Thu Aug 18 18:51:26.573998 2016] [mpm_prefork:notice] [pid 24383] AH00163: Apache/2.4.10 (Debian) configured -- resuming normal operations
[Thu Aug 18 18:51:26.574105 2016] [core:notice] [pid 24383] AH00094: Command line: '/usr/sbin/apache2'
[Thu Aug 18 18:51:54.033239 2016] [mpm_prefork:notice] [pid 24383] AH00171: Graceful restart requested, doing restart
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
[Thu Aug 18 18:51:54.140249 2016] [mpm_prefork:notice] [pid 24383] AH00163: Apache/2.4.10 (Debian) configured -- resuming normal operations
[Thu Aug 18 18:51:54.140280 2016] [core:notice] [pid 24383] AH00094: Command line: '/usr/sbin/apache2'


Thanks for your help.


#12

That’s a major misconfiguration. You’re either missing the ServerName directive or you have DNS issues. Your servername setting is the easiest to check, so start there.

Apache config files are named and organised differently depending on your platform, so forgive me if I use FreeBSD names.

Does your main conf file (httpd.conf) have a servername line? This should be the name of the server, not the domain (let vhosts handle that). For example, while your actual domain is www.bleudiamant.fr, your server might be called robin.sherwood or asterix.gaul. It might also be called www.bleudiamant.fr, but it’s unlikely.

(If I’ve said something wrong and anyone else can correct me, please do! I’ll edit out any misinformation!)


#13

Hello, sorry for the delay.
I have reinstalled my server to go back to a clean install and nothing works; Let's Encrypt continues to use my old IP address.
Thanks for your help.


#14

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.