Need help getting/renewing certs


#1

I have been trying to get/renew certs for the last month with my current setup. One cert is expired now and the other has a month left on it. My servers are sitting behind HAProxy (with SSL passthrough) and I'm getting tls-sni-01 and http-01 connection failures. This used to work in the middle of last year but suddenly doesn't anymore now that I've tried to renew. You can successfully connect to https://www.htcloud.duckdns.org, but https://hickstruckinginc.duckdns.org is dead because I needed to load the snakeoil cert so I could restart nginx.

HAProxy does a 301 redirect on port 80 to https on port 443, and my servers behind it do a 301 redirect from port 80 too. Here's the error log for my renewal for www.htcloud.duckdns.org:

Domain: www.htcloud.duckdns.org
Type: connection
Detail: Failed to connect to 67.168.170.25:443 for TLS-SNI-01 challenge

To fix these errors, please make sure that your domain name was entered correctly and the DNS A record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you’re using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.
2017-01-14 23:10:52,764:INFO:letsencrypt.auth_handler:Cleaning up challenges
2017-01-14 23:10:53,611:WARNING:letsencrypt.cli:Attempting to renew cert from /etc/letsencrypt/renewal/www.htcloud.duckdns.org-0001.conf produced an unexpected error: Failed authorization procedure. www.htcloud.duckdns.org (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to 67.168.170.25:443 for TLS-SNI-01 challenge. Skipping.
2017-01-14 23:10:53,613:DEBUG:letsencrypt.cli:Traceback was:
Traceback (most recent call last):
File "/usr/lib/python2.7/dist-packages/letsencrypt/cli.py", line 1017, in renew
obtain_cert(lineage_config, plugins, renewal_candidate)
File "/usr/lib/python2.7/dist-packages/letsencrypt/cli.py", line 706, in obtain_cert
_, action = _auth_from_domains(le_client, config, domains, lineage)
File "/usr/lib/python2.7/dist-packages/letsencrypt/cli.py", line 457, in _auth_from_domains
new_certr, new_chain, new_key, _ = le_client.obtain_certificate(domains)
File "/usr/lib/python2.7/dist-packages/letsencrypt/client.py", line 252, in obtain_certificate
return self.obtain_certificate_from_csr(domains, csr) + (key, csr)
File "/usr/lib/python2.7/dist-packages/letsencrypt/client.py", line 225, in obtain_certificate_from_csr
authzr = self.auth_handler.get_authorizations(domains)
File "/usr/lib/python2.7/dist-packages/letsencrypt/auth_handler.py", line 84, in get_authorizations
self._respond(cont_resp, dv_resp, best_effort)
File "/usr/lib/python2.7/dist-packages/letsencrypt/auth_handler.py", line 142, in _respond
self._poll_challenges(chall_update, best_effort)
File "/usr/lib/python2.7/dist-packages/letsencrypt/auth_handler.py", line 204, in _poll_challenges
raise errors.FailedChallenges(all_failed_achalls)
FailedChallenges: Failed authorization procedure. www.htcloud.duckdns.org (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to 67.168.170.25:443 for TLS-SNI-01 challenge

** DRY RUN: simulating 'letsencrypt renew' close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/www.htcloud.duckdns.org-0001/fullchain.pem (failure)
/etc/letsencrypt/live/www.htcloud.duckdns.org-0001/fullchain.pem (failure)
** DRY RUN: simulating 'letsencrypt renew' close to cert expiry
** (The test certificates above have not been saved.)
2017-01-14 23:10:53,615:DEBUG:letsencrypt.cli:Exiting abnormally:
Traceback (most recent call last):
File "/usr/bin/letsencrypt", line 9, in
load_entry_point('letsencrypt==0.4.1', 'console_scripts', 'letsencrypt')()
File “/usr/lib/python2.7/dist-packages/letsencrypt/cli.py”, line 1986, in main
return config.func(config, plugins)
File “/usr/lib/python2.7/dist-packages/letsencrypt/cli.py”, line 1034, in renew
len(renew_failures), len(parse_failures)))
Error: 2 renew failure(s), 0 parse failure(s)

2 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

Domain: www.htcloud.duckdns.org
Type: connection
Detail: Failed to connect to 67.168.170.25:443 for TLS-SNI-01
challenge

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you’re using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.

  • The following errors were reported by the server:

Domain: www.htcloud.duckdns.org
Type: connection
Detail: Failed to connect to 67.168.170.25:443 for TLS-SNI-01
challenge

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you’re using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.


#2

I know it's not optimal for many people, but if you have a cert expiring and you need to renew it urgently, just stop nginx first, then run certbot-auto with the --standalone flag (and the rest of your flags), do your renewal quickly (5 secs) and then restart nginx. Then you can look later at why it is failing on the challenge. I had the same issue yesterday: commands I have run for months no longer work due to some change in certbot 0.10.1. I haven't had a chance to look into why, but for me stopping nginx, generating my certs using the standalone authenticator and restarting nginx was a quick nasty fix.


#3

I also think it’s now necessary to add --preferred-challenges http into your command line where it was not needed in 0.9 but 0.10.1 seems to need the auth method specified. Thanks to @jmorahan for pointing that out in another thread.


#4

Hi there MitchellK, I think what I'm going to do is renew my one functioning cert now and get my nginx WordPress server a cert now so they're at least functioning, and continue to fight with authorization. I'm going to try that --preferred-challenges argument and see what I can find out from that.


#5

I’m going to have to grab letsencrypt from source. Ubuntu 16.04 is using a scary old version (0.4.1)


#6

Okay, here's my update: on my nginx server I can successfully run a "certbot certonly --webroot -w /var/www/html -d hickstruckinginc.duckdns.org" command and fetch a certificate.

My problem now is with my apache server, which still fails the tls-sni-01 challenge. My apache config starts out like this:

ServerName www.htcloud.duckdns.org

And my HAProxy config looks like this (I only left the important parts, this isn't the full config):

frontend localhost443
    bind *:443
    option tcplog
    mode tcp

    # wait for the ClientHello so req_ssl_sni is available before routing
    tcp-request inspect-delay 15s
    tcp-request content accept if { req_ssl_hello_type 1 }

    acl is_wordpress req_ssl_sni -i hickstruckinginc.duckdns.org   #10.0.0.165
    acl is_nextcloud req_ssl_sni -i www.htcloud.duckdns.org        #10.0.0.160

    use_backend nextcloud_cluster if is_nextcloud
    use_backend wordpress_cluster if is_wordpress


backend nextcloud_cluster
    mode tcp

    # stickiness keyed on the 32-byte TLS session ID
    stick-table type binary len 32 size 30k expire 30m

    acl clienthello req_ssl_hello_type 1
    acl serverhello rep_ssl_hello_type 2

    tcp-request inspect-delay 5s
    tcp-request content accept if clienthello

    tcp-response content accept if serverhello

    # session ID sits at offset 43 of the hello, prefixed by a 1-byte length
    stick on payload_lv(43,1) if clienthello
    stick store-response payload_lv(43,1) if serverhello

    option ssl-hello-chk

    server is_nextcloud 10.0.0.160:443 check

Anything missing?


#7

So you direct hickstruckinginc.duckdns.org to wordpress and www.htcloud.duckdns.org to nextcloud, but where do you direct the TLS-SNI challenge domain names (*.*.acme.invalid)?
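To show what that gap looks like when closed, here is an added HAProxy fragment (not the poster's config and not from this thread): it routes the acme.invalid challenge names by suffix to the host where certbot runs, and also lets http-01 requests on port 80 bypass the blanket redirect. The backend names `acme_validation` and `acme_http`, and the choice of 10.0.0.160 as the certbot host, are assumptions.

```haproxy
# Added example, not the poster's configuration: route ACME validation
# traffic explicitly instead of relying on hostname ACLs that never
# match the challenge names. Backend names and 10.0.0.160 as the host
# running certbot are assumptions.
frontend localhost443
    bind *:443
    mode tcp
    option tcplog

    # read the ClientHello before routing on SNI
    tcp-request inspect-delay 15s
    tcp-request content accept if { req_ssl_hello_type 1 }

    acl is_wordpress req_ssl_sni -i hickstruckinginc.duckdns.org
    acl is_nextcloud req_ssl_sni -i www.htcloud.duckdns.org
    # TLS-SNI-01 presents an SNI of the form <hex>.<hex>.acme.invalid,
    # so match on the suffix rather than on a fixed hostname
    acl is_acme      req_ssl_sni -m end .acme.invalid

    use_backend acme_validation   if is_acme
    use_backend nextcloud_cluster if is_nextcloud
    use_backend wordpress_cluster if is_wordpress
    # no default_backend: an SNI that matches nothing is dropped, which is
    # exactly what happened to the challenge names before the is_acme rule

frontend localhost80
    bind *:80
    mode http
    option httplog

    # http-01 fetches /.well-known/acme-challenge/<token> over plain HTTP;
    # let those through and redirect everything else to HTTPS
    acl is_acme_http path_beg /.well-known/acme-challenge/
    use_backend acme_http if is_acme_http
    redirect scheme https code 301 if !is_acme_http

backend acme_validation
    mode tcp
    # host where certbot's tls-sni-01 responder listens on 443 (assumed)
    server certbot_host 10.0.0.160:443

backend acme_http
    mode http
    # host where certbot (--webroot or --standalone) answers on port 80 (assumed)
    server certbot_host 10.0.0.160:80
```

Let's Encrypt later retired TLS-SNI-01, so with a current certbot the port-80 exemption for http-01 is the part that still applies; validate the file with `haproxy -c -f <file>` before reloading.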


#8

Yes, scary how Ubuntu lacks in keeping repos up to date.


#9

Ubuntu 16.04 is an LTS release, stability is prioritised over non-essential updates.


#10

Yip, I do understand that, I only stick to LTS releases myself. There are however many non-essential updates that are perfectly stable on LTS releases and could be updated in the repos from time to time. It would solve a lot of problems for people who download something through apt-get and get software 6 major versions too old, case in point letsencrypt.

