My first letsencrypt renew.... attempt failed!

Hello community, I’m new to letsencrypt, I installed it about 3 months ago (the cert is not expired right now, it will expire in the next days). I installed it on Raspbian OS for personal Home Assistant use. It works perfectly, but now it’s time to renew. What I did is the following:

root@hanode1:/home/pi/letsencrypt# ./letsencrypt-auto renew

And the result is:

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/mydomain.duckdns.org.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for mydomain.duckdns.org
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (mydomain.duckdns.org) from /etc/letsencrypt/renewal/mydomain.duckdns.org.conf produced an unexpected error: Failed authorization procedure. mydomain.duckdns.org (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested b04b480520f4fc19643be6f3865a7cdb.3c7c15f5c03a32cd76ad985ffa47f214.acme.invalid from xxx.xxx.xxx.249:443. Received 2 certificate(s), first certificate had names "mydomain.duckdns.org". Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/mydomain.duckdns.org/fullchain.pem (failure)

-------------------------------------------------------------------------------

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/mydomain.duckdns.org/fullchain.pem (failure)
-------------------------------------------------------------------------------
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: mydomain.duckdns.org
   Type:   unauthorized
   Detail: Incorrect validation certificate for tls-sni-01 challenge.
   Requested
   b04b480520f4fc19643be6f3865a7cdb.3c7c15f5c03a32cd76ad985ffa47f214.acme.invalid
   from xxx.xxx.xxx.249:443. Received 2 certificate(s), first
   certificate had names "mydomain.duckdns.org"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain

What’s wrong? How can I renew the certificate?

Thank you
Lucas

DAMN! Solved. Sorry for wasting forum space.
My issue is related to port forwarding. 443 is actually forwarded to another port (8123), so that’s the reason the cert renewal fails. I modified the port forwarding to 443 → 443 and now it works.
Unfortunately in this way I can’t use the crontab to auto-renew every 3 months, since I have to manually modify my port forwarding every time I need to renew.


Depending on your configuration you might be able to use --tls-sni-01-port 8123

However I wouldn’t really recommend that (even if it works): the TLS-SNI-01 challenge is deprecated so ideally you should switch to one of the other challenges. If your port 80 is open you can use the HTTP-01 challenge. You can probably do this by:

./letsencrypt-auto renew --cert-name mydomain.duckdns.org --force-renewal --preferred-challenges http-01

(Just run that once, then the normal letsencrypt-auto renew command should work in cron from then on). If you’ve forwarded port 80 to a different port, add --http-01-port 1234 or whatever the port number is.

If you don’t have port 80 open and forwarded, or for whatever other reason the above doesn’t work, you can try the DNS challenge. Remember to add a --deploy-hook if you want it to automatically reload your webserver after renewal.

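To make the HTTP-01 advice above concrete, here is an added example (not code from the thread, from Certbot or from Let's Encrypt) of what actually happens during an HTTP-01 validation, and why the listening port can be anything as long as the router forwards external port 80 to it. The CA fetches `http://<domain>/.well-known/acme-challenge/<token>` on port 80 and expects back the key authorization from RFC 8555 §8.1: the token, a dot, and the RFC 7638 thumbprint of the ACME account key. The script starts a throwaway responder on a free local port (standing in for `--http-01-port 1234` behind a router that forwards 80 to it), then plays the CA's role by fetching the URL and comparing. The account JWK, the token and the `127.0.0.1` address are constructed stand-ins, and `validate_like_a_ca` is a hypothetical helper, not anything Boulder or Certbot expose. A wrong service answering on the forwarded port, which is what bit the original poster on 443, shows up here as a failed comparison rather than a renewed certificate.

```python
import base64
import hashlib
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import urlopen

# Constructed stand-in account JWK (placeholder EC public point, NOT a real
# ACME account key). RFC 7638 thumbprints hash only the required public
# members, so placeholder values are enough to demonstrate the computation.
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
    "use": "sig",  # optional member: must NOT be included in the thumbprint
}

CHALLENGE_PATH_PREFIX = "/.well-known/acme-challenge/"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the canonical JSON of the required members,
    sorted lexicographically, with no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: the exact body the CA expects to read back."""
    return f"{token}.{jwk_thumbprint(jwk)}"


class Http01Handler(BaseHTTPRequestHandler):
    # token -> key authorization; populated before the CA is told to validate
    tokens = {}

    def do_GET(self):
        if self.path.startswith(CHALLENGE_PATH_PREFIX):
            body = self.tokens.get(self.path[len(CHALLENGE_PATH_PREFIX):])
            if body is not None:
                self.send_response(200)
                self.send_header("Content-Type", "application/octet-stream")
                self.end_headers()
                self.wfile.write(body.encode("ascii"))
                return
        # Anything else (including an unknown token) is a 404, which the CA
        # reports as an "unauthorized" validation failure.
        self.send_response(404)
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def serve_challenge(token: str, jwk: dict, port: int = 0) -> HTTPServer:
    """Start a throwaway HTTP-01 responder on `port` (0 = any free port).
    In production this is what certbot --standalone does on --http-01-port,
    with the router forwarding external port 80 to it."""
    Http01Handler.tokens[token] = key_authorization(token, jwk)
    server = HTTPServer(("127.0.0.1", port), Http01Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def validate_like_a_ca(host: str, port: int, token: str, jwk: dict) -> bool:
    """Hypothetical stand-in for the CA: fetch the challenge URL and compare
    the body with the key authorization computed from the account key."""
    url = f"http://{host}:{port}{CHALLENGE_PATH_PREFIX}{token}"
    try:
        with urlopen(url, timeout=5) as resp:
            return resp.read().decode("ascii").strip() == key_authorization(token, jwk)
    except Exception:  # connection refused, 404, wrong service answering, ...
        return False


if __name__ == "__main__":
    token = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # constructed sample token
    srv = serve_challenge(token, ACCOUNT_JWK)
    port = srv.server_address[1]
    print("responder listening on", port)
    print("right token:", validate_like_a_ca("127.0.0.1", port, token, ACCOUNT_JWK))
    print("wrong token:", validate_like_a_ca("127.0.0.1", port, "other", ACCOUNT_JWK))
    srv.shutdown()
```

Two things the exchange above hinges on are visible here: the CA never connects to anything but port 80 (443 for the old TLS-SNI-01), so `--http-01-port` only changes where the local listener sits, not what the CA dials; and whatever answers the forwarded port must return precisely `token.thumbprint`, so a production service such as Home Assistant sitting on that port yields a 404 or an HTML page and the renewal fails with "unauthorized".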

The --tls-sni-port is only used for testing, and will only work if the CA is configured with the same port (which won’t be true in production).

Right, the (production) CA will never connect to a port other than 80 or 443, but if you have those ports on your router forwarded to different ports on the machine running certbot, you can use those options to tell certbot to listen on the target port and the router will forward the incoming port 80 or 443 connection from the CA to the right place.

Oh, I see your point now. Yes, that’s true, but I suspect 443 on @LucasRey’s router is forwarded to 8123 because there’s a service running on the port, so they would additionally need to take down that service when renewing.

Correct. Home Assistant is listening on port 8123, so the router forwards 443 to 8123. And yes, if I modify this port forwarding I can't access my Home Assistant anymore, but just for the time it takes to renew the certificate. At most I won't be able to switch on my home automation devices for some minutes (like lights, air conditioner, etc.), btw, that's not a big problem :slight_smile:

Yep. I was guessing the service might have been Apache, and I believe Certbot's apache plugin also respects --tls-sni-01-port. If Home Assistant is listening directly on 8123 however, then you're right, it would have to be temporarily stopped.

Either way, switching to HTTP-01 or DNS-01 is probably a better long-term solution :slight_smile:

