Linux web server renewal of ssl certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: crm.cashesoftware.com

I ran this command: certbot renew

It produced this output: the client lacks sufficient authorization during secondary validation. invalid response from "domain"/.well-known/acme-challenge

My web server is (include version):

The operating system my web server runs on is (include version): not sure?

My hosting provider, if applicable, is: not sure

I can login to a root shell on my machine (yes or no, or I don't know): yes, I believe so

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no, SSH command line

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): version 0.31.0

I am not the most proficient with Linux and the command line. It is a renewal, so it is pretty urgent. Any help would be greatly appreciated. I am desperate to get this renewed and up today. I checked public DNS; the public IP that the DNS record points to goes to the public IP on the firewall, with a port forward to the LAN IP of the Linux server. I have ports 443 and 80 forwarding. Please help.

Hi @ITthisisDrew
This is what I see:

PORT    STATE    SERVICE
22/tcp  filtered ssh
80/tcp  open     http
443/tcp closed   https

EDIT: and

3 Likes


Does 443 need to be open for it to work automatically? How can I enable 443 to be listening on the server? The firewall is allowing it.

Yes, that is the desired effect. Keep ports 80 and 443 open.
Take a look at the link I posted above.

curl -I https://crm.cashesoftware.com
curl: (7) Failed to connect to crm.cashesoftware.com port 443 after 106 ms: Connection refused
Trace:
@0ms: Making a request to http://crm.cashesoftware.com/.well-known/acme-challenge/letsdebug-test (using initial IP 216.206.113.109)
@0ms: Dialing 216.206.113.109
@278ms: Server response: HTTP 403 Forbidden 
3 Likes

How do I enable port 443 to listen on the server? Is there a command? I checked, and the only server ports listed as listening are 80 and 22.

Or is it failing because of geo-IP filtering?

Can you give us this information? It will make the process much easier.

3 Likes

I'm sorry, I'm a Windows sysadmin. Are there commands I can run to get you the information you need? Thanks for helping.

2 Likes

So please tell us what OS, server and version you are running your public-facing website on... That will help.
I think you are in the US, but validation servers appear from all over the globe. Let's not go there quite yet.

3 Likes

EXTREMELY out of date. Time to upgrade!

3 Likes

Server is running Ubuntu 18.04 LTS.

So from your lines, it seems like 443 being closed is the issue? How can I turn that on on the server?

1 Like

Does your firewall block requests from outside the USA? Because there was a recent change that would prevent renewal if you did.

I can see your Apache server just fine from the US. It even looks setup to recognize the ACME HTTP Challenge.

But, the "Secondary validation" is a strong indicator of a firewall problem from this

5 Likes

Your problem with HTTPS and port 443 is not related to that secondary failure. You need that to work to get a fresh cert.

But something else is wrong, possibly with the Apache config.

Can you show the output of this?

sudo apachectl -t -D DUMP_VHOSTS
4 Likes

I just turned off geo-IP filtering. It went to work, but now I get hit with the error: too many failed authorizations.

2 Likes

Just wait about an hour and then try again.

Was that really all the output from that apachectl command? Because lots seems missing and incorrect.

Also, do you manage the other subdomains of cashesoftware.com?

Because there are a large number of certs with various subdomains. See public cert log here. Just trying to understand the whole scope of issues.
https://tools.letsdebug.net/cert-search?m=domain&q=crm.cashesoftware.com&d=4320

4 Likes

That was really the only output from that command. And yes, we manage a ton of subdomains of cashesoftware.com; the only issue we are having is with crm.cashesoftware.com.

I need to step away but your responses will be helpful to other volunteers (or maybe even me a bit later)

3 Likes

Where did the VirtualHost for port 443 go? Your Apache is only listening on port 80.

3 Likes

I am really not sure. I didn't set this up. Just trying to get the renewal to work, my friend.
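The checks the helpers walked through in this thread (ports 80 and 443 listening, a 443 VirtualHost in DUMP_VHOSTS, and what the "secondary validation" and "too many failed authorizations" errors point to) combined into one pre-flight script. This is an added example, not something posted in the thread; the command outputs it parses are constructed samples, and the vhost file path in them is made up, so on a real server substitute the live output of the commands named in the header.

```shell
#!/bin/sh
# Added example, not code from the thread. Pre-flight checks for an HTTP-01
# renewal like the one above, run against captured command output so it works
# offline. On a live server feed it the real output of:
#   ss -ltn                              (listening TCP sockets)
#   sudo apachectl -t -D DUMP_VHOSTS     (Apache virtual hosts)
#   certbot renew 2>&1                   (renewal errors)

# Constructed sample of 'ss -ltn': only 22 and 80 listening, as in the thread.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      511    *:80               *:*'
# Constructed sample of DUMP_VHOSTS with no port-443 VirtualHost (path made up).
SAMPLE_VHOSTS='VirtualHost configuration:
*:80                   crm.cashesoftware.com (/etc/apache2/sites-enabled/crm.conf:1)'
# Constructed certbot error text, paraphrasing the one quoted in the thread.
SAMPLE_CERTBOT='Detail: During secondary validation: Invalid response from http://crm.cashesoftware.com/.well-known/acme-challenge/TOKEN: 403'

# port_listening SS_OUTPUT PORT -> 0 if some socket is in LISTEN state on PORT
port_listening() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $1 == "LISTEN" { n = split($4, a, ":"); if (a[n] == p) found = 1 }
        END { exit found ? 0 : 1 }'
}
# vhost_for_port VHOST_OUTPUT PORT -> 0 if a VirtualHost line is bound to PORT
vhost_for_port() {
    printf '%s\n' "$1" | grep -Eq "^[^[:space:]]+:$2[[:space:]]"
}
# classify_certbot_error TEXT -> one word naming the likely cause seen in the thread
classify_certbot_error() {
    case "$1" in
        *"secondary validation"*) echo geo-or-firewall-blocking ;;          # non-US validators blocked
        *"too many failed authorizations"*) echo rate-limited ;;            # wait about an hour, retry
        *"Invalid response"*|*"invalid response"*) echo challenge-path-not-served ;;
        *) echo unknown ;;
    esac
}
# renewal_preflight SS_OUTPUT VHOST_OUTPUT -> prints findings, returns the problem count
renewal_preflight() {
    problems=0
    port_listening "$1" 80  && echo "ok: 80 listening"  || { echo "FAIL: 80 not listening (HTTP-01 needs it)"; problems=$((problems+1)); }
    port_listening "$1" 443 && echo "ok: 443 listening" || { echo "WARN: 443 not listening; renewal may pass but HTTPS stays down"; problems=$((problems+1)); }
    vhost_for_port "$2" 443 && echo "ok: *:443 VirtualHost present" || { echo "WARN: no 443 VirtualHost in DUMP_VHOSTS"; problems=$((problems+1)); }
    return "$problems"
}

renewal_preflight "$SAMPLE_SS" "$SAMPLE_VHOSTS" || echo "problems found: $?"
echo "certbot error class: $(classify_certbot_error "$SAMPLE_CERTBOT")"
```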