Letsencrypt-auto not working any more


#1

I’ve been using letsencrypt-auto forever and a day on my Ubuntu box at home. Ubuntu 16 LTS. For the past year, at least. Port 80 is blocked and has been blocked forever and a day too, but I “was” able to use Let’s Encrypt to get a certificate. It worked flawlessly. Now I can no longer get a certificate to install. 443 is and always has been open. What’s going wrong? What do I need to do? I’ve got 9 days. Please help. Why did it suddenly stop working? What did I miss?


#2

Hi @rogueangel2k

if you have an old configuration, then you have used tls-sni-01 validation via port 443.

But tls-sni-01 validation is deprecated; support ends 2019-02-13.

So you must switch to http-01 validation, which requires an open port 80.

Or you use dns-01 validation, which requires a DNS TXT entry.


#3

Also, some ACME clients support the new port 443 challenge type, TLS-ALPN-01, but Certbot doesn’t.


#4

@JuergenAuer’s and @mnordhoff’s comments are both completely correct.

The announcements of the changed behavior on this forum are at


and the underlying motivation is the TLS-SNI-01 end-of-life announcement that @JuergenAuer linked to (which would cause a more abrupt failure in mid-February if we didn’t take steps to switch people over before then).

As @erica mentioned in the former post,

Between November and February (when the TLS-SNI-01 challenge type is deprecated at the server end), users who have been relying on TLS-SNI-01 can use the flag --preferred-challenges tls-sni-01 as a temporary patch to get a certificate quickly, before correcting the configuration.

So you might want to do this now and then investigate DNS challenge options or a client that supports TLS-ALPN-01 before February 19.


#5

Are the below errors related? I’m trying the new/suggested option, and I have a simple redirect in the Apache httpd.conf file. This is on Fedora 29; certbot is version 0.29.1.

<VirtualHost *:80>
  ServerName kopernik.dsm.fordham.edu
  ServerAlias kopernik.dsm.fordham.edu
  Redirect permanent / https://kopernik.dsm.fordham.edu/
</VirtualHost>


certbot renew --debug --dry-run --preferred-challenges http-01,dns-01
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/kopernik.dsm.fordham.edu.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for kopernik.dsm.fordham.edu
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (kopernik.dsm.fordham.edu) from /etc/letsencrypt/renewal/kopernik.dsm.fordham.edu.conf produced an unexpected error: Failed authorization procedure. kopernik.dsm.fordham.edu (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://kopernik.dsm.fordham.edu/.well-known/acme-challenge/uXy6Fs_AT0LZHtXpEDnJQyBCuxNR_Ye5pr8e7MTXmjI: Timeout during connect (likely firewall problem). Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/kopernik.dsm.fordham.edu/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/kopernik.dsm.fordham.edu/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.29.1', 'console_scripts', 'certbot')()
  File "/usr/lib/python3.7/site-packages/certbot/main.py", line 1352, in main
    return config.func(config, plugins)
  File "/usr/lib/python3.7/site-packages/certbot/main.py", line 1259, in renew
    renewal.handle_renewal_request(config)
  File "/usr/lib/python3.7/site-packages/certbot/renewal.py", line 457, in handle_renewal_request
    len(renew_failures), len(parse_failures)))
certbot.errors.Error: 1 renew failure(s), 0 parse failure(s)
Please see the logfiles in /var/log/letsencrypt for more details.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: kopernik.dsm.fordham.edu
   Type:   connection
   Detail: Fetching
   http://kopernik.dsm.fordham.edu/.well-known/acme-challenge/uXy6Fs_AT0LZHtXpEDnJQyBCuxNR_Ye5pr8e7MTXmjI:
   Timeout during connect (likely firewall problem)

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

#6

Yes, it seems like a firewall or router is indeed blocking port 80 connections to this machine from outside of your network.


#7

Am I seeing double (or is there a reason to relist the same name)?

Also, does this redirect all requests to https://kopernik.dsm.fordham.edu/
or does it allow for the full path to remain?
So that:
http://kopernik.dsm.fordham.edu/.well-known/acme-challenge/uXy6F
goes to:
https://kopernik.dsm.fordham.edu/.well-known/acme-challenge/uXy6F
NOT to:
https://kopernik.dsm.fordham.edu/


#8

Those are both great things to double-check in the configuration, but I’m pretty sure that neither of them is causing the immediate problem (since we have a connection timeout rather than connection refused or incorrect validation content returned).
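The two questions raised in #7 and #8 (does a `Redirect permanent /` keep the `/.well-known/acme-challenge/` path, and is a connect timeout really a different failure from a refused connection or a wrong response body?) can both be checked locally. The following is an added example written for this thread, not code from certbot or from any poster; the hostnames, tokens and thumbprints in it are placeholders, and `apply_apache_redirect` is a simplified model of Apache's `Redirect` directive rather than Apache's own implementation.

```python
"""Added diagnostic helpers for http-01 validation behind an Apache redirect.

Hypothetical code (not from certbot or this thread); hostnames, tokens and
thumbprints below are constructed placeholders.
"""
import socket
import http.client
from urllib.parse import urlsplit

ACME_PREFIX = "/.well-known/acme-challenge/"


def apply_apache_redirect(url_path, target, request_path):
    """Model Apache's `Redirect permanent URL-PATH TARGET` (simplified).

    Apache redirects any request whose path begins with URL-PATH to TARGET
    with the remaining path appended, so `Redirect permanent / https://h/`
    keeps the `.well-known/acme-challenge/<token>` suffix.  Requests outside
    URL-PATH are untouched and return None.  Apache matches on path-segment
    boundaries; the `/` prefix used in this thread always satisfies that.
    """
    on_boundary = request_path == url_path or request_path.startswith(
        url_path.rstrip("/") + "/")
    if not on_boundary:
        return None
    return target + request_path[len(url_path):]


def classify_failure(exc):
    """Name the transport failure the way post #8 distinguishes them.

    'timeout'  - no SYN/ACK at all: packets are being dropped, usually by a
                 firewall or router in front of the host (the thread's case).
    'refused'  - the host answered with RST: reachable, but nothing listens
                 on port 80, so the redirect or vhost never runs.
    'other'    - DNS, TLS or any other error, to be inspected separately.
    """
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "timeout"
    if isinstance(exc, ConnectionRefusedError):
        return "refused"
    return "other"


def check_challenge_response(body, token, thumbprint):
    """The CA accepts the fetch only if the body is exactly the key
    authorization '<token>.<account-key-thumbprint>' (RFC 8555)."""
    return body.strip() == f"{token}.{thumbprint}"


def fetch_challenge(host, token, timeout=5.0, max_redirects=3):
    """Fetch the challenge URL over plain HTTP on port 80, following
    redirects (including to https) as a validator would, and return
    (status, final_url, body).  Raises the underlying socket error on
    transport failure so the caller can pass it to classify_failure()."""
    url = f"http://{host}{ACME_PREFIX}{token}"
    for _ in range(max_redirects + 1):
        parts = urlsplit(url)
        conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                    else http.client.HTTPConnection)
        conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
        try:
            conn.request("GET", parts.path or "/",
                         headers={"Host": parts.hostname})
            resp = conn.getresponse()
            body = resp.read().decode("utf-8", "replace")
            location = resp.getheader("Location")
            if resp.status in (301, 302, 303, 307, 308) and location:
                url = location  # follow, as the CA's validator does
                continue
            return resp.status, url, body
        finally:
            conn.close()
    raise RuntimeError("too many redirects")


if __name__ == "__main__":
    # Offline check of the redirect question from post #7.
    print(apply_apache_redirect("/", "https://kopernik.example.invalid/",
                                ACME_PREFIX + "uXy6F"))
    # Live check (needs a real host on port 80); placeholder values here.
    try:
        print(fetch_challenge("kopernik.example.invalid", "uXy6F", timeout=3))
    except OSError as exc:
        print("failure class:", classify_failure(exc), "-", exc)
```

Run it from outside the network the host sits on: a `timeout` result matches the certbot output in #5 and points at the firewall or router, a `refused` result means the packets arrive but Apache is not listening on port 80, and a 200 with `check_challenge_response` returning False means the redirect or vhost is serving the wrong content.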