Letsencrypt certificate broken after server plan upgrade

So, my domain is given below. I was upgrading my plan so that I can have email accounts associated with my server. After the upgrade the certificate seems broken. I am using the standalone method. Now when I rerun certbot renew it says the expiration date is 2021-04-02. So, it doesn't attempt to renew.

My domain is: patarboi.com

I ran this command: certbot renew --standalone / certbot renew -a standalone --dry-run

It produced this output:
The following certs are not due for renewal yet:
/etc/letsencrypt/live/patarboi.com/fullchain.pem expires on 2021-04-02 (skipped)
No renewals were attempted.

and the second command says

Attempting to renew cert (patarboi.com) from /etc/letsencrypt/renewal/patarboi.com.conf produced an unexpected error: Failed authorization procedure. patarboi.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://patarboi.com/.well-known/acme-challenge/oyvpCAxhdD6ZUu7FH-PxFBqudWVB7zmWpXqkhp_qVKE [67.195.197.24]: 400. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/patarboi.com/fullchain.pem (failure)


** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/patarboi.com/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

My web server is (include version): Ubuntu

The operating system my web server runs on is (include version): Ubuntu 16.04.4 LTS

My hosting provider, if applicable, is: Yahoo-bf1

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.31.0

Hi @theAlphaActual

your configuration can't work, see https://check-your-website.server-daten.de/?q=patarboi.com

First, your www / non-www have different ip addresses:

| Host | Type | IP-Address | is auth. | ∑ Queries | ∑ Timeout |
|---|---|---|---|---|---|
| patarboi.com | A | 67.195.197.24 New York/United States (US) - Oath Holdings Inc. Hostname: p9ats-rhel.geo.vip.bf1.yahoo.com | yes | 1 | 0 |
| | AAAA | | yes | | |
| www.patarboi.com | A | 159.65.5.34 Singapore//Singapore (SG) - DigitalOcean, LLC No Hostname found | yes | 1 | 0 |
| | AAAA | | yes | | |

Ok, may not be critical if you don't use the www version.

But critical: http://patarboi.com/ has a frame.

> <frame src="https://159.65.5.34">

A frame with an ip address -> you need a certificate with an ip address. So that's always bad.

And it's your www ip address.

So first step: Change your non-www A record, so the 159.* address is used.


Thanks for your response. The change is made accordingly. Now I find the site has turned to https. Thanks a lot!


Now you should fix your certificate error, see the #url-checks and #connections - part.

Your certificate has only the non-www, so your www version is insecure.

Create one certificate with both domain names.

I am using standalone mode. The certificate is issued against the non-www. How to issue against www? Or add into existing?

Read the documentation.

https://certbot.eff.org/docs/using.html

And use --cert-name to overwrite your existing certificate.
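As an added example (not part of the thread, and not Certbot's own code), the pre-flight check below captures both points made above: http-01 only succeeds for names whose A record points at the machine running standalone certbot, and the `-d` list passed with `--cert-name` replaces the certificate's names rather than appending to them. The function name `plan_reissue` and the assumption that certbot runs on 159.65.5.34 are hypothetical; the sample records are constructed from the check output quoted earlier.

```python
import shlex

def plan_reissue(cert_name, wanted, current_sans, a_records, server_ip):
    """Return (problems, command) for re-issuing one certificate.

    wanted       -- hostnames the certificate must cover
    current_sans -- names on the existing cert (listed by `certbot certificates`)
    a_records    -- {hostname: [IPv4 addresses returned by DNS]}
    server_ip    -- public address of the host where certbot runs
    """
    problems = []
    for name in wanted:
        ips = a_records.get(name, [])
        # The CA fetches the http-01 token from whatever the A record points
        # at; a name resolving elsewhere cannot be answered from this host.
        if not ips:
            problems.append(f"{name}: no A record")
        elif any(ip != server_ip for ip in ips):
            problems.append(f"{name}: resolves to {', '.join(ips)}, not {server_ip}")
    # Existing names are listed again, followed by the new ones, because the
    # -d list defines the complete set of names on the replaced certificate.
    names = list(current_sans) + [n for n in wanted if n not in current_sans]
    cmd = ["certbot", "certonly", "--standalone", "--cert-name", cert_name]
    for n in names:
        cmd += ["-d", n]
    command = " ".join(shlex.quote(c) for c in cmd)
    return problems, (None if problems else command)

# Constructed sample input: DNS state before and after the A record change.
SERVER_IP = "159.65.5.34"            # assumption: certbot runs on this host
WANTED = ["patarboi.com", "www.patarboi.com"]
CURRENT_SANS = ["patarboi.com"]      # the certificate covered only the non-www
DNS_BEFORE = {"patarboi.com": ["67.195.197.24"], "www.patarboi.com": ["159.65.5.34"]}
DNS_AFTER = {"patarboi.com": ["159.65.5.34"], "www.patarboi.com": ["159.65.5.34"]}

if __name__ == "__main__":
    for label, dns in (("before", DNS_BEFORE), ("after", DNS_AFTER)):
        problems, command = plan_reissue("patarboi.com", WANTED, CURRENT_SANS, dns, SERVER_IP)
        print(label, problems or command)
```
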

Thanks man! I updated for the www one. Though the documentation missed the part that I have to mention the new one with the existing domains, I could do it. Thanks again!

