Let's encrypt reewal for Kerio Failing


#1

Hello Community, I need some help please.

  1. I configured letsencrypt for my kerio mail box using the guide here (I host this inhouse) https://herrbischoff.github.io/security/2016/02/02/Using-Lets-Encrypt-with-Kerio-Connect.html
  2. I had had three successful renewals however this morning when I try to run
    /etc/init.d/kerio-connect stop
    ./certbot-auto renew
    I get the following error:

Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for mail.health.go.ug
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (mail.health.go.ug) from /etc/letsencrypt/renewal/mail.health.go.ug.conf produced an unexpected error: Failed authorization procedure. mail.health.go.ug (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://mail.health.go.ug/.well-known/acme-challenge/-NyfCJevDIJXCPC1PdFL6pAz27TA0yvvvZ7JqW4DPzg: Connection refused. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/mail.health.go.ug/fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/mail.health.go.ug/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: mail.health.go.ug
    Type: connection
    Detail: Fetching
    http://mail.health.go.ug/.well-known/acme-challenge/-NyfCJevDIJXCPC1PdFL6pAz27TA0yvvvZ7JqW4DPzg:
    Connection refused

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

I will apprecaite some guidance to help sort it.


#2

Webroot means you keep your server running.

Since you’re stopping your server, perhaps this is what you are after:

./certbot-auto renew --cert-name mail.health.go.ug -a standalone

#3

Thank you for your comment on this @_az
I am aware that Kerio is using port 80 and 443 that’s why I turn it off because with it on I get a Unauthorised as below.

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/mail.health.go.ug.conf


Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for mail.health.go.ug
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (mail.health.go.ug) from /etc/letsencrypt/renewal/mail.health.go.ug.conf produced an unexpected error: Failed authorization procedure. mail.health.go.ug (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://mail.health.go.ug/.well-known/acme-challenge/HHIpxnwtCTHgpqA8E_Wlp2vLzsrJxy9K6hGvELejSQI: “Error 401 Unauthorized

401 Unauthorized

You are not authorized to access URI /.we”. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/mail.health.go.ug/fullchain.pem (failure)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/mail.health.go.ug/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

Please advise on what you think I can do differently
Thanks


#4

Indeed … my suggestion was to stop the Kerio server (as per usual), and use the modified renewal command from my first response.


#5

Alright _az let me try that shortly and let you know.

Many Thanks


#6

@ -az I did try the stand alone option and it worked perfectly.

I appreciate your support on this.


#7

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.