Manual certificate renewal freezing after http-01 challenge

When attempting to renew a certificate manually, certbot freezes after the following line:

Performing the following challenges:
http-01 challenge for dev.storyworth.com
  • This command has worked to renew my certificate in the past, and would prompt me to update the challenge values on the server.
  • Running the command in verbose mode I can see that there is plenty of activity prior to that point, but none after.
  • Looking at the server logs, I can see that no HTTP requests are made to my server.
  • Running curl, I can access the challenge without issue.

My domain is: dev.storyworth.com

I ran this command:

sudo certbot certonly --manual --cert-name dev.storyworth.com

It produced this output:

$ sudo certbot certonly --manual --cert-name dev.storyworth.com
Password:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for dev.storyworth.com

[CTRL-C after several minutes of inactivity]

$ curl -v http://dev.storyworth.com/.well-known/acme-challenge/REDACTED
*   Trying 52.15.72.79...
* TCP_NODELAY set
* Connected to dev.storyworth.com (52.15.72.79) port 80 (#0)
> GET /.well-known/acme-challenge/REDACTED HTTP/1.1
> Host: dev.storyworth.com
> User-Agent: curl/7.54.0
> Accept: */*
> 
< HTTP/1.1 200 OK
< Content-Length: 87
< X-Content-Type-Options: nosniff
< Vary: Accept-Encoding
< Server: TornadoServer/4.5.2
< Cache-Control: private
< Date: Wed, 04 Oct 2017 00:43:03 GMT
< Content-Type: text/html; charset=UTF-8
< 
* Connection #0 to host dev.storyworth.com left intact
REDACTED

My web server is Tornado 4.5.2 on localhost behind Ngrok 2.2.8

The operating system my web server runs on is OS X High Sierra 10.13

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine: Yes

I’m using a control panel to manage my site: No

I'd like to see the contents of that log file.
Did "sudo certbot certonly --manual" previously work?
If so, what has changed since then?

Additionally, the current config fails to produce the expected site:
https://www.ssllabs.com/ssltest/analyze.html?d=dev.storyworth.com&hideResults=on
showing a cert from another domain that will expire in two days...

Thanks for the response, I really appreciate it.

That command did work last time I tried it, which would have been ~75 days ago. The main change since then is that I upgraded from Sierra to High Sierra. If there were any new releases of Certbot during that time, I would also have installed those. I can’t think of any other changes, though it’s certainly possible I’m forgetting something.

ngrok.com is a local proxy, so the site won’t be serving my current cert unless my laptop is open. Furthermore, to renew the certificate I’ve previously had to temporarily disable SSL on the local server, in order for the http challenge to be successful.

Below is the full log, as well as the results of the SSL test when running with the current cert:

Root logging level set at 10
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requested authenticator manual and installer None
Single candidate plugin: * manual
Description: Manual configuration or run your own shell scripts
Interfaces: IAuthenticator, IPlugin
Entry point: manual = certbot.plugins.manual:Authenticator
Initialized: <certbot.plugins.manual.Authenticator object at REDACTED>
Prep: True
Selected authenticator <certbot.plugins.manual.Authenticator object at REDACTED> and installer None
Plugins selected: Authenticator manual, Installer None
Picked account: <Account(RegistrationResource(body=Registration(status=None, contact=(u'mailto:nick@storyworth.com',), agreement=u'https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf', key=JWKRSA(key=<ComparableRSAKey(<cryptography.hazmat.backends.openssl.rsa._RSAPublicKey object at 0x10fd817d0>)>)), uri=u'https://acme-v01.api.letsencrypt.org/acme/reg/8596961', new_authzr_uri=u'https://acme-v01.api.letsencrypt.org/acme/new-authz', terms_of_service=u'https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf'), REDACTED, Meta(creation_host=u'nicks-mbp.t-mobile.com', creation_dt=datetime.datetime(2017, 1, 22, 1, 11, 19, tzinfo=<UTC>)))>
Sending GET request to https://acme-v01.api.letsencrypt.org/directory.
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
https://acme-v01.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 561
Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 561
Replay-Nonce: REDACTED
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Wed, 04 Oct 2017 04:02:43 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 04 Oct 2017 04:02:43 GMT
Connection: keep-alive

{
  "REDACTED": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/REDACTED",
  "key-change": "https://acme-v01.api.letsencrypt.org/acme/key-change",
  "meta": {
    "terms-of-service": "https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf"
  },
  "new-authz": "https://acme-v01.api.letsencrypt.org/acme/new-authz",
  "new-cert": "https://acme-v01.api.letsencrypt.org/acme/new-cert",
  "new-reg": "https://acme-v01.api.letsencrypt.org/acme/new-reg",
  "revoke-cert": "https://acme-v01.api.letsencrypt.org/acme/revoke-cert"
}
Should renew, less than 30 days before certificate expiry 2017-10-18 19:17:00 UTC.
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Requesting fresh nonce
Sending HEAD request to https://acme-v01.api.letsencrypt.org/acme/new-authz.
https://acme-v01.api.letsencrypt.org:443 "HEAD /acme/new-authz HTTP/1.1" 405 0
Received response:
HTTP 405
Server: nginx
Content-Type: application/problem+json
Content-Length: 91
Allow: POST
Replay-Nonce: REDACTED
Expires: Wed, 04 Oct 2017 04:02:43 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 04 Oct 2017 04:02:43 GMT
Connection: keep-alive


Storing nonce: REDACTED
JWS payload:
{
  "identifier": {
    "type": "dns", 
    "value": "dev.storyworth.com"
  }, 
  "resource": "new-authz"
}
Sending POST request to https://acme-v01.api.letsencrypt.org/acme/new-authz:
{
  "protected": "REDACTED", 
  "payload": "REDACTED", 
  "signature": "REDACTED"
}
https://acme-v01.api.letsencrypt.org:443 "POST /acme/new-authz HTTP/1.1" 201 996
Received response:
HTTP 201
Server: nginx
Content-Type: application/json
Content-Length: 996
Boulder-Requester: REDACTED
Link: <https://acme-v01.api.letsencrypt.org/acme/new-cert>;rel="next"
Location: https://acme-v01.api.letsencrypt.org/acme/authz/REDACTED
Replay-Nonce: REDACTED
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Wed, 04 Oct 2017 04:02:43 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 04 Oct 2017 04:02:43 GMT
Connection: keep-alive

{
  "identifier": {
    "type": "dns",
    "value": "dev.storyworth.com"
  },
  "status": "pending",
  "expires": "2017-10-09T20:51:53Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/REDACTED",
      "token": "REDACTED"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/REDACTED",
      "token": "REDACTED"
    },
    {
      "type": "tls-sni-01",
      "status": "pending",
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/REDACTED",
      "token": "REDACTED"
    }
  ],
  "combinations": [
    [
      1
    ],
    [
      0
    ],
    [
      2
    ]
  ]
}
Storing nonce: REDACTED
Performing the following challenges:
http-01 challenge for dev.storyworth.com

Results of SSL Test:

  • Subject dev.storyworth.com
  • Fingerprint SHA256: ee24d26cfa5bbc90aa6eba187345ba2e18e1928ffb1d20f288ff3c194da4a624
  • Pin SHA256: BboV/5pywZainB2FejVEXasD7Zt5tv9gic6JfX/S4Q4=
  • Common names dev.storyworth.com
  • Alternative names dev.storyworth.com
  • Serial Number 03ca890499697ab4c1ba0a832d27e593dcfe
  • Valid from Thu, 20 Jul 2017 19:17:00 UTC
  • Valid until Wed, 18 Oct 2017 19:17:00 UTC (expires in 14 days, 15 hours)
  • Key RSA 2048 bits (e 65537)
  • Weak key (Debian) No
  • Issuer Let’s Encrypt Authority X3
  • AIA: http://cert.int-x3.letsencrypt.org/
  • Signature algorithm SHA256withRSA

What version of certbot are you running?

certbot --version

Also, if I’m reading your output correctly, certbot is freezing before it outputs Create a validation file with this data with a new validation file, correct? So this validation file that exists on your server is from a previous issuance attempt then?

Is there any particular reason you cannot use webroot authentication? Are you serving the challenge file directly from Python code instead of from a file?

certbot 0.18.2

You’re correct that it freezes before ‘create a validation file with this data’. In the past, it would prompt me to create a validation file, then ask me to manually confirm before proceeding. Has this behavior changed?

In the meantime, I was able to get it working using webroot authentication, so thank you for that suggestion. I originally had used manual authentication so I could use the same process locally and on Heroku, but now that Heroku added native support for LetsEncrypt, that’s no longer a requirement.
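The two pieces of machinery this thread touches are the authorization object in the log above (the client picks the http-01 challenge and its token) and the file that webroot authentication drops for the CA to fetch. The following is an added example, not the poster's Tornado code and not certbot's webroot plugin. It uses a constructed account key, a constructed authorization body shaped like the one in the log, and a temporary directory as the webroot; the serve function stands in for a web-server route and shows the token check that keeps the challenge route from reading outside the challenge directory. The CA-side check at the end is also why a stale file left over from an earlier run (the question raised above) would not validate:

```python
"""ACME http-01 from both sides: pick the challenge from an authz, publish the
key authorization in a webroot, serve it safely, and check it the way a CA does.
Stand-in for a Tornado handler and for certbot's webroot plugin; not their code."""
import base64
import hashlib
import json
import os
import re
import tempfile

# RFC 8555 tokens are base64url without padding; anything else is rejected outright.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")
CHALLENGE_PATH = "/.well-known/acme-challenge/"

# Constructed sample account key (not a real modulus); only its thumbprint matters here.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "constructed-sample-modulus-not-a-real-key"}

# Constructed authorization body, shaped like the v1 new-authz response in the log.
SAMPLE_AUTHZ = json.dumps({
    "identifier": {"type": "dns", "value": "dev.example.test"},
    "status": "pending",
    "challenges": [
        {"type": "dns-01", "status": "pending", "token": "dns-token"},
        {"type": "http-01", "status": "pending",
         "token": "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"},
    ],
})


def b64url(data: bytes) -> str:
    """base64url without padding, as used throughout ACME."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the canonical JSON of the key's required members."""
    members = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """The body the CA expects to fetch: token, a dot, the account-key thumbprint."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def pick_http01_token(authz_json: str) -> str:
    """Client side: select the http-01 challenge from an authorization object."""
    for ch in json.loads(authz_json)["challenges"]:
        if ch["type"] == "http-01" and TOKEN_RE.match(ch["token"]):
            return ch["token"]
    raise LookupError("no http-01 challenge offered")


def write_challenge(webroot: str, token: str, keyauth: str) -> str:
    """What webroot authentication does: write <token> -> keyauth under the webroot."""
    if not TOKEN_RE.match(token):
        raise ValueError("refusing to write a file for a malformed token")
    directory = os.path.join(webroot, CHALLENGE_PATH.strip("/"))
    os.makedirs(directory, exist_ok=True)
    path = os.path.join(directory, token)
    with open(path, "w") as f:
        f.write(keyauth)
    return path


def serve_challenge(webroot: str, request_path: str):
    """Server side: answer GET /.well-known/acme-challenge/<token> from the webroot.

    Returns (status, body). Only a bare token is accepted after the prefix, and the
    resolved file must sit directly in the challenge directory, so a request such as
    /.well-known/acme-challenge/../../etc/passwd cannot read outside it.
    """
    if not request_path.startswith(CHALLENGE_PATH):
        return 404, b""
    token = request_path[len(CHALLENGE_PATH):]
    if not TOKEN_RE.match(token):
        return 404, b""
    base = os.path.realpath(os.path.join(webroot, CHALLENGE_PATH.strip("/")))
    path = os.path.realpath(os.path.join(base, token))
    if os.path.dirname(path) != base or not os.path.isfile(path):
        return 404, b""
    with open(path, "rb") as f:
        return 200, f.read()


def validate_like_ca(body: bytes, token: str, jwk: dict) -> bool:
    """CA side: body must equal token.thumbprint (trailing whitespace tolerated)."""
    return body.decode("ascii", "replace").rstrip() == key_authorization(token, jwk)


def demo() -> dict:
    """Run the whole exchange in a temporary webroot and report each outcome."""
    with tempfile.TemporaryDirectory() as webroot:
        token = pick_http01_token(SAMPLE_AUTHZ)
        write_challenge(webroot, token, key_authorization(token, SAMPLE_JWK))
        status, body = serve_challenge(webroot, CHALLENGE_PATH + token)
        return {
            "status": status,
            "valid": validate_like_ca(body, token, SAMPLE_JWK),
            # A leftover file from an earlier issuance does not match the new token.
            "stale_rejected": not validate_like_ca(b"old.keyauth", token, SAMPLE_JWK),
            "traversal": serve_challenge(webroot, CHALLENGE_PATH + "../../etc/passwd")[0],
            "other_path": serve_challenge(webroot, "/index.html")[0],
        }


if __name__ == "__main__":
    print(demo())
```

Serving the file from a webroot rather than from application code is what lets certbot's webroot authenticator work without any interactive prompt, and the same curl check used above (fetching the exact token path over plain HTTP) is still the quickest way to confirm the route answers before the CA is asked to validate.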

I would run “certbot-auto” just to ensure that no dependencies have been outdated.

Correct me if I’m wrong, but I believe certbot-auto is deprecated on OS X in favor of brew (which is how I’ve installed it).

You got me… I’m not an OS X expert.
Still, I’d check for any updates in anything related, and rule that out.

No, this is what it is supposed to do. I was just confirming that this is where it was freezing. It's weird because according to your log it seems to be actually getting the authorization token from the server, but is freezing before outputting it to the screen. There may be some sort of Mac-specific output bug.

At any rate, webroot authentication is probably less work for you anyway, so I'm glad you got it working. We'll keep this thread in mind in case someone else has problems with manual mode on their Mac.

Sounds good, I’m all set given that the webroot method worked, but happy to help with any additional info if you realize there’s a broader issue on OS X. In the meantime, thanks for the help troubleshooting!

(One more piece of info, I’m using zsh 5.4.2, not the default bash shell)
