Let's Encrypt certificate expiration notice for domain appztb.cn2401.com&&app.cn2401.com

Our domain will expire.

So I executed ./certbot-auto renew --force-renew:
```
/root/.local/share/letsencrypt/lib/python2.6/site-packages/cryptography/init.py:26: DeprecationWarning: Python 2.6 is no longer supported by the Python core team, please upgrade your Python. A future version of cryptography will drop support for Python 2.6
DeprecationWarning
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/appztb.cn2401.com.conf

Renewing an existing certificate
/root/.local/share/letsencrypt/lib/python2.6/site-packages/acme/jose/jwa.py:110: DeprecationWarning: signer and verifier have been deprecated. Please use sign and verify instead.
signer = key.signer(self.padding, self.hash)
Performing the following challenges:
http-01 challenge for appztb.cn2401.com
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (appztb.cn2401.com) from /etc/letsencrypt/renewal/appztb.cn2401.com.conf produced an unexpected error: Failed authorization procedure. appztb.cn2401.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://appztb.cn2401.com/.well-known/acme-challenge/IefUzLQBb6x-QlxYA8X6xELNUooDWId3LCl-oKZjLuA: "

400 The plain HTTP request was sent to HTTPS port

400 B". Skipping.

Processing /etc/letsencrypt/renewal/app.cn2401.com.conf

Renewing an existing certificate
Performing the following challenges:
http-01 challenge for app.cn2401.com
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (app.cn2401.com) from /etc/letsencrypt/renewal/app.cn2401.com.conf produced an unexpected error: Failed authorization procedure. app.cn2401.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://app.cn2401.com/.well-known/acme-challenge/S6zyzRkdSSQTvIMZURAsfeBFSmO2PzcI5Jw03xiA3XI: "

400 The plain HTTP request was sent to HTTPS port

400 B". Skipping.

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/appztb.cn2401.com/fullchain.pem (failure)
/etc/letsencrypt/live/app.cn2401.com/fullchain.pem (failure)
2 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: app.cn2401.com
    Type: unauthorized
    Detail: Invalid response from
    http://app.cn2401.com/.well-known/acme-challenge/S6zyzRkdSSQTvIMZURAsfeBFSmO2PzcI5Jw03xiA3XI:
    "

    400 The plain HTTP request was sent to HTTPS port

    400 B"

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

  • The following errors were reported by the server:

    Domain: appztb.cn2401.com
    Type: unauthorized
    Detail: Invalid response from
    http://appztb.cn2401.com/.well-known/acme-challenge/IefUzLQBb6x-QlxYA8X6xELNUooDWId3LCl-oKZjLuA:
    "

    400 The plain HTTP request was sent to HTTPS port

    400 B"

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.
[root@web2 letsencrypt]# mkdir -p /data/tomcat-cn2401app/tomcat/webapps/cn2401/.well-known/acme-challenge
[root@web2 letsencrypt]# mkdir -p /data/tomcat/webapps/cn2401/.well-known/acme-challenge
[root@web2 letsencrypt]# ./certbot-auto renew
/root/.local/share/letsencrypt/lib/python2.6/site-packages/cryptography/init.py:26: DeprecationWarning: Python 2.6 is no longer supported by the Python core team, please upgrade your Python. A future version of cryptography will drop support for Python 2.6
DeprecationWarning
Saving debug log to /var/log/letsencrypt/letsencrypt.log
```

What's the problem? Thanks.

The error suggests that you're forwarding the port 80 auth requests to an SSL listener.

But I can't confirm it:
```
wget http://app.cn2401.com
--2017-09-04 11:15:27-- http://app.cn2401.com/
Resolving app.cn2401.com (app.cn2401.com)... 124.232.152.8
Connecting to app.cn2401.com (app.cn2401.com)|124.232.152.8|:80... connected.
HTTP request sent, awaiting response... 404 Not Found
2017-09-04 11:15:29 ERROR 404: Not Found.

wget https://app.cn2401.com
--2017-09-04 11:15:41-- https://app.cn2401.com/
Resolving app.cn2401.com (app.cn2401.com)... 124.232.152.8
Connecting to app.cn2401.com (app.cn2401.com)|124.232.152.8|:443... connected.
OpenSSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
Unable to establish SSL connection.
```

@derekdyj, I agree with @rg305 about the meaning of the error, and I also can’t confirm it.

Could you post the log from /var/log/letsencrypt showing what Certbot tried to do in order to renew your certificate?

Another option would be to add --debug-challenges. With this option, Certbot will pause after setting up the challenges, before telling the certificate authority to come check them. At that point, you could try to check for yourself in a web browser whether the file that Certbot created under /.well-known/acme-challenge appears to be accessible.

There might be something strange about your web server configuration that generates an unusual and invalid redirection, but perhaps this error condition only occurs under very specific situations.

You could also try to create a file at /data/tomcat-cn2401app/tomcat/webapps/cn2401/.well-known/acme-challenge/test.txt and see if it’s accessible on your site via a web browser.
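The test-file check suggested above, scripted as an added example (not code from the thread or from Certbot): it drops a random probe file into the webroot's `.well-known/acme-challenge` directory, fetches it over plain HTTP without following redirects, and names the failure mode, including the nginx "plain HTTP request was sent to HTTPS port" 400 and the 404 seen in this thread. The webroot path and domain passed to `check()` are assumptions to replace with your own.

```python
# Added pre-flight check for an http-01 webroot, written for this thread;
# not part of Certbot. Domain and webroot are assumed inputs.
import os
import secrets
import urllib.error
import urllib.request

CHALLENGE_DIR = ".well-known/acme-challenge"


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects: we want to see what port 80 itself answers."""
    def redirect_request(self, *args, **kwargs):
        return None


def write_probe(webroot):
    """Create a random probe file under webroot/.well-known/acme-challenge."""
    token = secrets.token_urlsafe(16)
    content = "acme-probe-" + secrets.token_hex(8)
    os.makedirs(os.path.join(webroot, CHALLENGE_DIR), exist_ok=True)
    with open(os.path.join(webroot, CHALLENGE_DIR, token), "w") as f:
        f.write(content)
    return token, content


def fetch(url):
    """GET over plain HTTP; returns (status, body) even for 3xx/4xx/5xx."""
    try:
        with urllib.request.build_opener(NoRedirect).open(url, timeout=10) as r:
            return r.status, r.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")


def diagnose(status, body, expected):
    """Map the probe response to the likeliest misconfiguration."""
    if status == 200 and body.strip() == expected:
        return "ok"
    if "plain HTTP request was sent to HTTPS port" in body:
        return "port-80-forwarded-to-tls-listener"  # the nginx 400 in the thread
    if status in (301, 302, 307, 308):
        return "redirect"  # the validator follows these; check where it lands
    if status == 404:
        return "webroot-mismatch"  # port 80 serves a different directory
    return "wrong-content" if status == 200 else "unexpected-%d" % status


def check(domain, webroot):
    """Write a probe into webroot and report how http://domain serves it."""
    token, content = write_probe(webroot)
    url = "http://%s/%s/%s" % (domain, CHALLENGE_DIR, token)
    return diagnose(*fetch(url), expected=content)
```

Run `check("app.cn2401.com", "/data/tomcat/webapps/cn2401")` on the web host; anything other than `"ok"` means the Let's Encrypt validator will hit the same wall.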
