Letsencrypt-auto renew no longer works


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: koinonia.co.nz, bayunited.org.nz mail.koinonia.co.nz

I ran this command: sudo ~/Downloads/letsencrypt/letsencrypt-auto renew

It produced this output:
Attempting to renew cert (koinonia.co.nz) from /etc/letsencrypt/renewal/koinonia.co.nz.conf produced an unexpected error: Failed authorization procedure. mail.koinonia.co.nz (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://mail.koinonia.co.nz/.well-known/acme-challenge/0csmzDZoNBiM8NLBulPkff7RFOzJtL06cN67zl63P3A: Connection refused, bayunited.org.nz (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://bayunited.org.nz/.well-known/acme-challenge/HgcDA04GHV33rIzh96pbiwhHBYrIUw59gXSZMLQ0hzI: Connection refused, koinonia.co.nz (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://koinonia.co.nz/.well-known/acme-challenge/M5ROxw6KQ7Tb5LZVejIBGCiIcoqM0Xez0R6XC3CpUWo: Connection refused. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/koinonia.co.nz/fullchain.pem (failure)

My web server is (include version): Apache 2.2.15-69.el6

The operating system my web server runs on is (include version): CentOS 6

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No - command line via ssh connection

The above command has worked fine for 18 months, renewing every 3 months - except today it is not happy. I suspect this is due to it trying an http request rather than https.
Our internet service provider uses port 80 to access their radio equipment, hence it never gets to connect to the server. Ports 443, 22 etc. are fine - just 80 is unavailable.

I see that there is some discussion about using port 443 being a problem in hosting environments … now it has left me with a problem.
Any solutions??


#2

It’s possible that you were previously relying on the TLS-SNI authentication method (over port 443). Unfortunately that method had a problem and is being permanently disabled.

There is a replacement method (TLS-ALPN), but it is not compatible with Certbot or Apache.

Do you mean to say that traffic to tcp/80 is not routed to your server at all? It’s odd that the response is “connection refused” - that indicates that the port is not being used by anyone at all.

For example, what happens when you run:

sudo ~/Downloads/letsencrypt/letsencrypt-auto renew --cert-name koinonia.co.nz -a standalone --dry-run

#3

Attempting to renew cert (koinonia.co.nz) from /etc/letsencrypt/renewal/koinonia.co.nz.conf produced an unexpected error: Problem binding to port 80: Could not bind to IPv4 or IPv6… Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/koinonia.co.nz/fullchain.pem (failure)


#4

Hi @robkampen

Checking your domain via https://check-your-website.server-daten.de/?q=koinonia.co.nz, I don’t see a “Connection refused”, but instead an active block:

Domainname Http-Status redirect Sec. G
• http://koinonia.co.nz/
202.49.165.204 -2 2.387 V
ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it 202.49.165.204:80
• http://www.koinonia.co.nz/
202.49.165.204 -2 2.493 V
ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it 202.49.165.204:80
• https://koinonia.co.nz/
202.49.165.204 200 9.810 B
• https://www.koinonia.co.nz/
202.49.165.204 200 9.930 N
Certificate error: RemoteCertificateNameMismatch
• http://koinonia.co.nz/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
202.49.165.204 -2 2.880 V
ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it 202.49.165.204:80
• http://www.koinonia.co.nz/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
202.49.165.204 -2 3.194 V
ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it 202.49.165.204:80

If you have a “home server”, port 80 is sometimes blocked. So you have three options:

  • Change the place of your server, so it’s no longer a home server and you have a working port 80
  • use dns-01 validation. But then your DNS provider should support an API; I don’t see anything on godzone.net.nz. Or you have to create a new DNS TXT entry every 60 - 85 days.
  • use tls-alpn-01 as a replacement for the tls-sni-01 validation. Some clients now have support; see “Which client support tls-alpn challenge?”

But there - https://www.godzone.net.nz/ - I don’t find information that port 80 is generally blocked.
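An added triage script for this situation (my example, not certbot's code nor any poster's): it parses the per-domain failure entries out of the renew output quoted in #1, then repeats the validation server's first step, a plain TCP connect to port 80, so that a “connection refused” (a reset came back, the point raised in #2 and shown by the check in #4) can be told apart from a silently dropped connection. The domains and tokens in the embedded sample are constructed placeholders.

```python
"""Triage a failed 'letsencrypt-auto renew': pull the per-domain http-01 failures
out of certbot's error text, then repeat the CA's first step (a plain TCP connect
to port 80) so 'refused' can be told apart from 'filtered'. Not certbot's code."""
import re
import socket
from urllib.parse import urlsplit

# One entry in certbot's message: "<domain> (<challenge>): <acme urn> :: <detail> :: Fetching <url>: <reason>"
FAILURE_RE = re.compile(
    r"(?P<domain>[A-Za-z0-9.-]+) \((?P<challenge>[a-z0-9-]+)\): "
    r"(?P<error>urn:ietf:params:acme:error:[a-z]+) :: "
    r"(?P<detail>[^:]+?) :: Fetching (?P<url>\S+): (?P<reason>[^,.]+)"
)

def parse_failures(certbot_output: str) -> list[dict]:
    """One dict (domain, challenge, error, detail, url, reason) per failed authorization."""
    return [m.groupdict() for m in FAILURE_RE.finditer(certbot_output)]

def probe_port(host: str, port: int = 80, timeout: float = 3.0) -> str:
    """'refused': a RST came back (nothing listening, or a firewall reject rule);
    'filtered': the SYN was silently dropped, e.g. by an upstream ISP block."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "filtered"
    except OSError as exc:  # DNS lookup failed, no route, etc.
        return "error: " + type(exc).__name__

def challenge_hosts(failures: list[dict]) -> list[str]:
    """Hostnames the CA fetched from, in order, de-duplicated."""
    return list(dict.fromkeys(urlsplit(f["url"]).hostname for f in failures))

# Constructed sample mirroring the thread's output (placeholder domains and tokens).
SAMPLE = (
    "Attempting to renew cert (example.org) produced an unexpected error: Failed "
    "authorization procedure. mail.example.org (http-01): urn:ietf:params:acme:error:connection "
    ":: The server could not connect to the client to verify the domain :: Fetching "
    "http://mail.example.org/.well-known/acme-challenge/TOKEN1: Connection refused, "
    "example.org (http-01): urn:ietf:params:acme:error:connection :: The server could not "
    "connect to the client to verify the domain :: Fetching "
    "http://example.org/.well-known/acme-challenge/TOKEN2: Connection refused. Skipping."
)

if __name__ == "__main__":
    for host in challenge_hosts(parse_failures(SAMPLE)):
        print(f"{host}: port 80 is {probe_port(host)}")
```

Feed it the real renew output instead of SAMPLE and a "filtered" result points at an upstream block, while "refused" means the packets reach a host that has nothing listening on 80.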


#5

This seems to indicate that you issued the last cert using --standalone.
If so, you would have to either:

  • follow the same steps you took to get the last cert issued.
  • update the current renewal to NOT use --standalone

To update/force the current renewal you can use either:

  • an explicit --webroot
  • a plugin that matches your webserver like --nginx or --apache

[edit] on re-reading, I may not have read back far enough…
Can you show the renewal.conf file associated to this domain?


#6

Thanks for that info. I have contacted the Internet Service Provider to see if they have made changes I am unaware of. I seem to recall that previously I had an auto redirect from 80 to 443 in place and that is clearly not the case now.

Will let you know once they respond.


#7

If I do not get a response from the ISP in the next 24 hours, I’ll try to do it standalone / manually.
Kind regards
Rob


#8

SOLVED
Our ISP has made port 80 available to us and now it all just works.
Thanks all, for your ideas and support.
Rob