My certificate has expired and i can't renew it

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: safiya-mylo.ru

I ran this command: certbot renew

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/safiya-mylo.ru.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for safiya-mylo.ru
Failed to renew certificate safiya-mylo.ru with error: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/failed-validation-limit/

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/safiya-mylo.ru/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): nginx/1.14.0 (Ubuntu)

The operating system my web server runs on is (include version): ubuntu 18.04

My hosting provider, if applicable, is: timeweb.cloud

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): with ssh and with panel

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.6.0

my nginx file for my server:

server {
    server_name safiya-mylo.ru;

    location = /favicon.ico { access_log off; log_not_found off; }
    location /static/ {
        root /root/Safya-soapshop/config;
    }
    location /media/ {
        root /root/Safya-soapshop/config;
    }	

    location / {
        include proxy_params;
        proxy_pass http://unix:/run/gunicorn.sck;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/safiya-mylo.ru/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/safiya-mylo.ru/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}
server {
    if ($host = safiya-mylo.ru) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    listen 80;
    server_name safiya-mylo.ru;
    return 404; # managed by Certbot


}

I ran certbot certificates:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: safiya-mylo.ru
    Serial Number: 31c85260ad315d76e58db5a892bdac944de
    Key Type: ECDSA
    Domains: safiya-mylo.ru
    Expiry Date: 2023-07-30 05:19:16+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/safiya-mylo.ru/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/safiya-mylo.ru/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

My domain points to my address... I'm at a loss, because I haven't worked with Let's Encrypt before (((

You should try

certbot renew --dry-run

The error you showed was for too many failures in an hour so you are temporarily blocked from further production requests. The --dry-run uses the Let's Encrypt staging system and will show the reason for the original failures.

But, it is probably related to this DNS setting ...

5 Likes

I ran certbot renew --dry-run and got:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/safiya-mylo.ru.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Simulating renewal of an existing certificate for safiya-mylo.ru

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Domain: safiya-mylo.ru
  Type:   unauthorized
  Detail: 2a03:6f00:5:1::30e4: Invalid response from http://safiya-mylo.ru/.well-known/acme-challenge/AVAZ2uBR60foRQ78oCyYaW6xpD7IkWjf8jLPw1EeUUc: 404

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Failed to renew certificate safiya-mylo.ru with error: Some challenges have failed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All simulated renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/safiya-mylo.ru/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

As the Let's Debug test showed, you have both IPv4 and IPv6 addresses in your DNS. That is fine, but your nginx server does not process them the same.

You should make sure these addresses are correct. And, make sure you have correct listen clauses in your nginx server blocks for both IPv4 and IPv6

You can check your public IP using

curl -4 http://ifconfig.io
curl -6 http://ifconfig.io

And make sure these are the values in your DNS

5 Likes

This online tool, SSL Server Test (Powered by Qualys SSL Labs), reports "Unable to connect to the server" for the IPv6 address.

1 Like

Please show this file:

1 Like

Thanks for helping me. curl -6 http://ifconfig.io matches the AAAA entry in the DNS, and curl -4 http://ifconfig.io matches the A entry.

Thanks for helping me! Here you go:

server {
    server_name safiya-mylo.ru;

    location = /favicon.ico { access_log off; log_not_found off; }
    location /static/ {
        root /root/Safya-soapshop/config;
    }
    location /media/ {
        root /root/Safya-soapshop/config;
    }

    location / {
        include proxy_params;
        proxy_pass http://unix:/run/gunicorn.sck;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/safiya-mylo.ru/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/safiya-mylo.ru/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}
server {
    if ($host = safiya-mylo.ru) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    listen 80;
    server_name safiya-mylo.ru;
    return 404; # managed by Certbot


}

You don't have a listen clause for IPv6. You should add something like this in your HTTP server block:

listen [::]:80;

and this in the HTTPS server block:

listen [::]:443 ssl ipv6only=on; 
4 Likes

I see this now

IPv4: both HTTP and HTTPS respond

>curl -4 -Ii http://safiya-mylo.ru/.well-known/acme-challenge/sometestfile
HTTP/1.1 301 Moved Permanently
Server: nginx/1.14.0 (Ubuntu)
Date: Mon, 31 Jul 2023 15:09:51 GMT
Content-Type: text/html
Content-Length: 194
Connection: keep-alive
Location: https://safiya-mylo.ru/.well-known/acme-challenge/sometestfile

>curl -4 -k -Ii https://safiya-mylo.ru/.well-known/acme-challenge/sometestfile
HTTP/1.1 502 Bad Gateway
Server: nginx/1.14.0 (Ubuntu)
Date: Mon, 31 Jul 2023 15:09:55 GMT
Content-Type: text/html
Content-Length: 182
Connection: keep-alive

>nmap -4 -Pn -p80,443 safiya-mylo.ru
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-31 15:13 UTC
Nmap scan report for safiya-mylo.ru (46.19.67.220)
Host is up (0.16s latency).
Other addresses for safiya-mylo.ru (not scanned): 2a03:6f00:5:1::30e4

PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 2.88 seconds

IPv6: HTTP responds, HTTPS does not respond

>curl -6 -Ii http://safiya-mylo.ru/.well-known/acme-challenge/sometestfile
HTTP/1.1 404 Not Found
Server: nginx/1.14.0 (Ubuntu)
Date: Mon, 31 Jul 2023 15:10:48 GMT
Content-Type: text/html
Content-Length: 178
Connection: keep-alive

>curl -6 -k -Ii https://safiya-mylo.ru/.well-known/acme-challenge/sometestfile
curl: (7) Failed to connect to safiya-mylo.ru port 443 after 154 ms: Couldn't connect to server

>nmap -6 -Pn -p80,443 safiya-mylo.ru
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-31 15:13 UTC
Nmap scan report for safiya-mylo.ru (2a03:6f00:5:1::30e4)
Host is up (0.15s latency).
Other addresses for safiya-mylo.ru (not scanned): 46.19.67.220

PORT    STATE  SERVICE
80/tcp  open   http
443/tcp closed https

Nmap done: 1 IP address (1 host up) scanned in 2.35 seconds
2 Likes

Correct. They are missing the listen clause in those server blocks.

So, the IPv6 is handled by some default server not shown.

Notice the HTTP request for IPv6 does not redirect like IPv4 does, as shown in the port 80 server block.

4 Likes
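The checks done by hand in the two replies above (curl -4 and curl -6 against the challenge path, then looking at whether both address families behave alike) can be scripted. This is an added example, not a tool from the thread; it assumes only that curl is installed and that the A/AAAA records already match the host's addresses, as confirmed earlier with curl -4/-6 http://ifconfig.io. The verdict logic encodes the reasoning of the reply above: a connection failure on one family means a missing listen clause, and a different status on the two families means a different server block is answering one of them.

```shell
#!/bin/sh
# Added example (not from the thread): probe the ACME HTTP-01 challenge path
# over IPv4 and IPv6 and compare the answers, as the replies above did by hand.
# Assumes curl is installed. Usage: sh acme-dualstack.sh safiya-mylo.ru

# status FAMILY URL -> HTTP status code; curl reports 000 when the TCP connect fails
status() {
    # -k: an expired certificate must not abort the HTTPS probe
    curl "-$1" -k -s -o /dev/null -w '%{http_code}' --max-time 10 "$2" 2>/dev/null || true
}

# verdict CODE -> one word for who answered the probe
verdict() {
    case "$1" in
        000)             echo closed ;;        # nothing listening on this family/port
        301|302|307|308) echo redirect ;;      # the CA follows redirects, so this is fine
        200|404)         echo served ;;        # nginx answered; 404 is expected for a made-up token
        502|503|504)     echo backend-down ;;  # nginx is up, the upstream (gunicorn) is not
        *)               echo "http-$1" ;;
    esac
}

# compare V4CODE V6CODE -> "ok" when both families behave alike, otherwise the reason
compare() {
    v4=$(verdict "$1"); v6=$(verdict "$2")
    if [ "$v6" = closed ] && [ "$v4" != closed ]; then
        echo "ipv6 not listening: add 'listen [::]:PORT' to this server block"
    elif [ "$v4" = closed ] && [ "$v6" != closed ]; then
        echo "ipv4 not listening: add 'listen PORT' to this server block"
    elif [ "$v4" != "$v6" ]; then
        echo "mismatch ($v4 vs $v6): a different server block answers one address family"
    else
        echo ok
    fi
}

# check DOMAIN -> one line per scheme
check() {
    path="/.well-known/acme-challenge/probe-$$"   # made-up token; only reachability matters
    for scheme in http https; do
        c4=$(status 4 "$scheme://$1$path")
        c6=$(status 6 "$scheme://$1$path")
        printf '%-5s v4=%s v6=%s -> %s\n' "$scheme" "$c4" "$c6" "$(compare "$c4" "$c6")"
    done
}

if [ $# -eq 1 ]; then
    check "$1"
fi
```

Fed the numbers observed above (IPv4 301 and 502, IPv6 404 and connection refused), it prints "mismatch (redirect vs served)" for HTTP and "ipv6 not listening" for HTTPS, which is exactly the conclusion reached in the reply. After fixing the listen clauses, re-test with certbot renew --dry-run first: it uses the staging environment, so a remaining mistake does not count against the production failed-validation limit.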

thanks everyone, in the end my nginx file looks like this:

server {
    listen 80;
    listen [::]:80;
    server_name safiya-mylo.ru;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name safiya-mylo.ru;

    ssl_certificate /etc/letsencrypt/live/safiya-mylo.ru/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/safiya-mylo.ru/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    location = /favicon.ico { access_log off; log_not_found off; }
    location /static/ {
        root /root/Safya-soapshop/config;
    }
    location /media/ {
        root /root/Safya-soapshop/config;
    }	

    location / {
        include proxy_params;
        proxy_pass http://unix:/run/gunicorn.sock;
    }
}
2 Likes

You still need to add an IPv6 listen for the port 443 server block.

3 Likes

IIRC, you can only use that once in the entire config.
So, use that part with caution.

4 Likes

Yes, I agree. In fact, it is the default for modern nginx, so you can just leave it off, so you have:

listen 443 ssl;
listen [::]:443 ssl; 

There are various ways to specify IPv4 and IPv6 listen on nginx. It is good practice to be consistent in your server blocks.

4 Likes
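Putting the advice in this thread together, here is what the two server blocks look like with consistent dual-stack listen clauses. This is an added example, not the poster's final file: the socket path, static roots and certificate paths are copied from the configuration posted above, and the comment about the Ubuntu default site is an assumption about which server block was answering IPv6 (the thread only says "some default server not shown").

```nginx
# Added example (not the poster's file). Both server blocks listen on IPv4 and
# IPv6, so the same block answers no matter which address the CA connects to.
# If /etc/nginx/sites-enabled/default is still present, its
# "listen [::]:80 default_server" is the likely source of the IPv6 404 seen
# above (assumption); remove or disable that site.
server {
    listen 80;
    listen [::]:80;
    server_name safiya-mylo.ru;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;    # ipv6only=on is the default and may appear only once per address:port, so leave it off
    server_name safiya-mylo.ru;

    ssl_certificate /etc/letsencrypt/live/safiya-mylo.ru/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/safiya-mylo.ru/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    location = /favicon.ico { access_log off; log_not_found off; }
    location /static/ { root /root/Safya-soapshop/config; }
    location /media/  { root /root/Safya-soapshop/config; }

    location / {
        include proxy_params;
        proxy_pass http://unix:/run/gunicorn.sock;
    }
}
```

Validate with nginx -t, reload nginx, and confirm with curl -4 and curl -6 that both http:// and https:// now answer identically on both address families before running certbot renew --dry-run and then the real renewal.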
