Letsencrypt with nginx - renew failed

Hello,

For one month I have been receiving an error from the letsencrypt renewal cronjob. Before that it ran for ~2 years without problems.
I also tried to renew it manually after reading many tickets here and on other forums, and tried multiple things. But nothing helps.

Any ideas?

My domain is:
https://industrial-legends.metzler.pro/

I ran this command (via cronjob each day):
@daily letsencrypt renew >> /cronjobs/cert/daily-renew.log && /etc/init.d/nginx reload

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for industrial-legends.metzler.pro
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (industrial-legends.metzler.pro) from /etc/letsencrypt/renewal/industrial-legends.metzler.pro.conf produced an unexpected error: Failed authorization procedure. industrial-legends.metzler.pro (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching https://industrial-legends.metzler.pro/.well-known/acme-challenge/xBayMX4s20Avrx2E3Au_EjYNcYszni0tAtAskZTo6ms: Connection refused. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/industrial-legends.metzler.pro/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

My web server is (include version):
nginx/1.10.3 (Ubuntu)

The operating system my web server runs on is (include version):
Ubuntu 16.04.6 xenial

My hosting provider, if applicable, is:
hetzner.com

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes (Dedicated Root Server)

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.23.0

Thanks and best regards
dmetzler1988

Hi,

The issue here is that you have an IPv6 address on https://industrial-legends.metzler.pro [2a01:4f8:171:2aae::2]. Unfortunately, the IPv6 address is not working, which might be the result of a misconfiguration.

You could either fix the IP addressing issue or remove that IPv6 address from your domain's AAAA record.

P.S. Let's Encrypt prefers the IPv6 address over IPv4, and if your IPv6 validation fails, the whole authorization will fail; it will not fall back to IPv4.

Thank you
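The point in the reply above (the validator fetches over the AAAA address first and does not fall back) is easy to check from any host with both address families. The script below is an added example for this thread, not Certbot's own code: it fetches the challenge path over plain HTTP on port 80 once with IPv6 and once with IPv4, and maps the result onto the two failure modes that appear in this thread. It assumes curl is installed; the domain is passed as the first argument and the token is a made-up placeholder, so a 404 is the expected "reachable" answer.

```shell
#!/bin/sh
# acme_http01_probe.sh DOMAIN [TOKEN]
# Added example (not Certbot code). Probe http://DOMAIN/.well-known/acme-challenge/TOKEN
# over IPv6 and IPv4 separately, the way the Let's Encrypt validator reaches it.

# Map an HTTP status code plus a body excerpt onto what it means for http-01:
#   000  curl could not connect at all     -> "Connection refused" in the thread
#   400  nginx "plain HTTP request was sent to HTTPS port"
#        -> the port-80 socket belongs to a TLS-only server block (second error)
#   2xx/404 an HTTP listener answers on this family; with a real token the
#        webroot plugin would have placed the file, so this is "reachable"
classify() {
    code="$1"
    body="$2"
    case "$code" in
        000) echo "no-listener" ;;
        400)
            case "$body" in
                *"plain HTTP request was sent to HTTPS port"*) echo "http-on-ssl-port" ;;
                *) echo "bad-request" ;;
            esac
            ;;
        2??|404) echo "reachable" ;;
        *) echo "unexpected-$code" ;;
    esac
}

# Fetch the challenge URL over one address family (-6 or -4) and print the class.
probe_family() {
    domain="$1"
    token="$2"
    family="$3"
    url="http://${domain}/.well-known/acme-challenge/${token}"
    tmp=$(mktemp)
    # curl -w prints the status; when no TCP connection is possible curl fails
    # and we force the code to 000 so the classifier sees "no listener".
    code=$(curl "$family" -s --max-time 10 -o "$tmp" -w '%{http_code}' "$url") || code=000
    body=$(head -c 300 "$tmp")
    rm -f "$tmp"
    printf '%s %s -> %s\n' "$domain" "$family" "$(classify "$code" "$body")"
}

main() {
    domain="$1"
    token="${2:-probe-token-not-an-acme-token}"   # placeholder, assumed
    # IPv6 first: if this line is not "reachable", renewal fails regardless of IPv4.
    probe_family "$domain" "$token" -6
    probe_family "$domain" "$token" -4
}

# Only probe the network when invoked with a domain argument.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Run it as `sh acme_http01_probe.sh industrial-legends.metzler.pro`; both lines must read "reachable" before `letsencrypt renew` can succeed, and the IPv6 line alone decides the outcome because of the preference described above.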

I had added the IPv6 listen to the part that was missing in NGINX (I thought it was correct).
So now this is my NGINX config:

# port 443 IPv4 with http2 and ssl
listen 443 ssl http2;
# port 443 IPv6 with http2 and ssl
listen [::]:443 ssl http2;
# port 80 IPv4 and IPv6
listen [::]:80;

But now I receive this error after trying to renew it manually again (sudo letsencrypt renew):

sudo letsencrypt renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

 Attempting to renew cert (industrial-legends.metzler.pro) from /etc/letsencrypt/renewal/industrial-legends.metzler.pro.conf produced an unexpected error: Failed authorization procedure. industrial-legends.metzler.pro (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://industrial-legends.metzler.pro/.well-known/acme-challenge/P7W6Yc7Lo9MlF0SKSgEY1YWNm4Y8vbJ3hCCIFG5egck [2a01:4f8:171:2aae::2]: "<html>\r\n<head><title>400 The plain HTTP request was sent to HTTPS port</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>400 B". Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/industrial-legends.metzler.pro/fullchain.pem (failure)

-------------------------------------------------------------------------------

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/industrial-legends.metzler.pro/fullchain.pem (failure)
-------------------------------------------------------------------------------
1 renew failure(s), 0 parse failure(s)

What's wrong now?
The AAAA records seem to be correct after my tests with various tools (like this one: http://ipv6-test.com/validate.php).

Thank you for the information.

Hi,

It seems that your nginx is now also listening on IPv6 port 80 (for this virtual host), but the nginx configuration is wrong.

If you have another virtual host (that listens on port 80 on IPv4 for this domain), you should add the listen [::]:80; to that virtual host, not to the https (port 443) virtual host file.

Thank you


Hi,

It seems that your IPv6 HTTPS virtual host is not working again. (It was working at the time of my last post.)

Thank you

OK. Thank you a lot. This solved my problem. But now I can't reach the other website.
Any ideas?

And did Let's Encrypt change something so that this no longer works since the beginning of April? Because previously everything worked fine.

Thank you again for your great and fast help!

Additional Information:
added also a new certificate for new domain:

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/industrial-legends.metzler.pro.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/daniel.metzler.pro.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal

I think my nginx config is not working.

Hi,

I'm not really sure about your Daniel site, though…
It seems that besides HTTPS not working for the other site, that site is also returning 500 errors. (Which is normally returned due to some PHP issue.)

Could you share your full Nginx config?
(Just paste it in a Pastebin or some online clipboard and post the link here)

Also, your Nginx is a little bit outdated; you might consider upgrading to a newer version?

Hi,

I tried to update, but no newer version is found (also after sudo apt-get update):

$ sudo apt-get install nginx
Reading package lists... Done
Building dependency tree
Reading state information... Done
nginx is already the newest version (1.10.3-0ubuntu0.16.04.3).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

Here is the NGINX conf for the daniel subdomain.
https://pastebin.com/aUw3hEyz

Thanks again.

ah.
I see the issue now.

From line 2 to line 8, you commented out all the other listens (for 80 and 443, except the IPv6 HTTP listen).

Nginx is smart enough to listen on port 80/443 and determine which website it should serve based on the server name clients send during the connection (handshake).

In this case, you should use the following for each virtual host:
listen 80;
listen [::]:80;
listen 443 ssl http2;
listen [::]:443 ssl http2;

And for your Nginx version… that might be the latest from the distribution repositories, so you could use that directly and don't need to change anything. But the most recent stable version of Nginx is 1.16.0. If you want to upgrade, you'll need to compile it from source (which might be a pain in the ***), and there are a lot of tutorials available online on how to do that.

Thank you

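The two errors in this thread map onto two server-block layouts, shown here as an added example (not the poster's pastebin and not an official Let's Encrypt or nginx sample). The first block reproduces the broken shape: the only port-80 socket is the IPv6 one, it sits in the TLS virtual host, and nothing listens on IPv4 port 80. Whether a bare `listen [::]:80;` in that block is treated as TLS depends on the rest of the file; the behaviour seen in the thread (a "400 The plain HTTP request was sent to HTTPS port" answer) matches a block where every socket is TLS, for example via the old `ssl on;` directive, which is assumed here. The second block is the layout the reply above recommends, with the ACME challenge directory served over plain HTTP on both address families and everything else redirected to HTTPS. The webroot and site-root paths are assumed placeholders; the certificate paths are certbot's standard live/ layout for this domain.

```nginx
# --- Broken layout (what the thread's second error looks like) -------------
# No IPv4 port-80 listener at all  -> "Connection refused" for the http-01 fetch.
# The IPv6 port-80 socket lives in a TLS-only server block (ssl on; assumed),
# so plain HTTP to [::]:80 gets "400 The plain HTTP request was sent to HTTPS port".
server {
    server_name industrial-legends.metzler.pro;
    ssl on;                       # assumed; makes every listen below a TLS socket
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    listen [::]:80;               # wrong place: port 80 must be a plain-HTTP socket
    ssl_certificate     /etc/letsencrypt/live/industrial-legends.metzler.pro/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/industrial-legends.metzler.pro/privkey.pem;
}

# --- Corrected layout -------------------------------------------------------
# Plain HTTP on IPv4 and IPv6: serve the ACME challenge directory from the
# webroot certbot writes to, redirect everything else to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name industrial-legends.metzler.pro;

    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;    # assumed; must equal certbot's --webroot-path
        default_type "text/plain";
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

# TLS on IPv4 and IPv6, nothing on port 80 in this block.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name industrial-legends.metzler.pro;

    ssl_certificate     /etc/letsencrypt/live/industrial-legends.metzler.pro/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/industrial-legends.metzler.pro/privkey.pem;

    root /var/www/industrial-legends;  # assumed site root
}
```

After editing, `nginx -t` must pass before the reload in the cron line runs, and `ss -ltnp | grep ':80 '` should show both `0.0.0.0:80` and `[::]:80` owned by nginx; if only one family appears, the validator's IPv6-first fetch will still fail exactly as in the first post. Every other virtual host on the same server needs the same four `listen` lines, since nginx picks the server block by `server_name` once the socket is shared.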

Hi,

Um… that's crazy. I commented these lines in (at the time you told me that IPv6 didn't work again) and needed to comment them out.
The only difference is the order of the listeners. But I read that my order should be the way to do it. I am confused now. But everything works.

Great help!! Thank you a lot!

Yes, I saw the same methods to update it directly from the source repository. I am not sure if I should update. Maybe when I have more time to check it.

Thank you a lot again!

Best regards

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.