@schoen,
Here is the content of /var/log/letsencrypt/letsencrypt.log
I'll try the auto-updated version of certbot and come back.
2017-05-11 18:44:56,269:DEBUG:certbot.main:Root logging level set at 20
2017-05-11 18:44:56,271:INFO:certbot.main:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2017-05-11 18:44:56,274:DEBUG:certbot.main:certbot version: 0.10.2
2017-05-11 18:44:56,274:DEBUG:certbot.main:Arguments: ['--apache', '-d', 'mail.thebestplace.ovh']
2017-05-11 18:44:56,276:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#webroot,PluginEntryPoint#null,PluginEntryPoint#manual,PluginEntryPoint#standalone)
2017-05-11 18:44:56,277:DEBUG:certbot.plugins.selection:Requested authenticator apache and installer apache
2017-05-11 18:44:57,278:DEBUG:certbot.plugins.selection:Single candidate plugin: * apache
Description: Apache Web Server plugin - Beta
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache.configurator:ApacheConfigurator
Initialized: <certbot_apache.configurator.ApacheConfigurator object at 0xb720796c>
Prep: True
2017-05-11 18:44:57,281:DEBUG:certbot.plugins.selection:Selected authenticator <certbot_apache.configurator.ApacheConfigurator object at 0xb720796c> and installer <certbot_apache.configurator.ApacheConfigurator object at 0xb720796c>
2017-05-11 18:44:57,732:DEBUG:certbot.main:Picked account: <Account(e5bf348ab3ec11be703f8a148ed49800)>
2017-05-11 18:44:57,738:DEBUG:root:Sending GET request to https://acme-v01.api.letsencrypt.org/directory.
2017-05-11 18:44:57,745:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2017-05-11 18:44:58,223:DEBUG:requests.packages.urllib3.connectionpool:"GET /directory HTTP/1.1" 200 352
2017-05-11 18:44:58,225:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 352
Boulder-Request-Id: 1bWZzRyr7QxPKzAlBir_XILOsqDC3KHrcXMfbM02Yds
Replay-Nonce: GIMt6oem_WSTNROcOUs9nRp5hQ5DxriY2XBJfhROMDU
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Thu, 11 May 2017 18:44:54 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 11 May 2017 18:44:54 GMT
Connection: keep-alive
{
"key-change": "https://acme-v01.api.letsencrypt.org/acme/key-change",
"new-authz": "https://acme-v01.api.letsencrypt.org/acme/new-authz",
"new-cert": "https://acme-v01.api.letsencrypt.org/acme/new-cert",
"new-reg": "https://acme-v01.api.letsencrypt.org/acme/new-reg",
"revoke-cert": "https://acme-v01.api.letsencrypt.org/acme/revoke-cert"
}
2017-05-11 18:44:58,231:INFO:certbot.main:Obtaining a new certificate
2017-05-11 18:44:58,232:DEBUG:root:Requesting fresh nonce
2017-05-11 18:44:58,232:DEBUG:root:Sending HEAD request to https://acme-v01.api.letsencrypt.org/acme/new-authz.
2017-05-11 18:44:58,511:DEBUG:requests.packages.urllib3.connectionpool:"HEAD /acme/new-authz HTTP/1.1" 405 0
2017-05-11 18:44:58,513:DEBUG:acme.client:Received response:
HTTP 405
Server: nginx
Content-Type: application/problem+json
Content-Length: 91
Allow: POST
Boulder-Request-Id: F-lp7dejazVC8WerXH-7nklX0j7U1pXPXez_qfTmnyA
Replay-Nonce: 2ZTGtkG44AKADDsAPLZ7Ig_A3HVAHJQiAtOo4dM6vh0
Expires: Thu, 11 May 2017 18:44:54 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 11 May 2017 18:44:54 GMT
Connection: keep-alive
2017-05-11 18:44:58,513:DEBUG:acme.client:Storing nonce: 2ZTGtkG44AKADDsAPLZ7Ig_A3HVAHJQiAtOo4dM6vh0
2017-05-11 18:44:58,516:DEBUG:acme.client:JWS payload:
{
"identifier": {
"type": "dns",
"value": "mail.thebestplace.ovh"
},
"resource": "new-authz"
}
2017-05-11 18:44:58,536:DEBUG:root:Sending POST request to https://acme-v01.api.letsencrypt.org/acme/new-authz:
{
"header": {
"alg": "RS256",
"jwk": {
"e": "AQAB",
"kty": "RSA",
"n": "1T3gaND00JUaZUzByRj5N926Zdgi-woJgigmPLrSYE720zcG_8VVfxobLdeBkQ-OIIfwjND4Q91bD8n1UsGZz6Du-ukkoe3aCrvrw5rB0A3eCkRcTPRINBZcLkhgCClMVwSDXOQ5fjA0DaW_6c5TWcdzxm3AAt8V_XjX_d0cWV54KWhTUxc4BMxjvy9PBraD0JLl-zwBtUog380vuYUUuVe-cs2voOYdZp4vmsMKPhcow4ssR0FvyCMJUhQstn9tI6Sor-GdZKsziRjfohpR2lC_pQE_dQgkzD0z77NN5zzPsL8JA2tagInJrTuexqMfIRZlIX6HNbeYfExxkziquw"
}
},
"protected": "eyJub25jZSI6ICIyWlRHdGtHNDRBS0FERHNBUExaN0lnX0EzSFZBSEpRaUF0T280ZE02dmgwIn0",
"payload": "ewogICJpZGVudGlmaWVyIjogewogICAgInR5cGUiOiAiZG5zIiwgCiAgICAidmFsdWUiOiAibWFpbC50aGViZXN0cGxhY2Uub3ZoIgogIH0sIAogICJyZXNvdXJjZSI6ICJuZXctYXV0aHoiCn0",
"signature": "WoXTpJFoUE31PrgNAfru5k0CpfwfWnMuA1pW0DbPqp4fUFhXB6YUDPjiFz_ulOcnDTQ6LeBZg44afu6oCAPWM-ACfNQH76iBzhTvdDfhm6tUmJ53S2RFzMTsAIPtHeChVc4kzpFqTRIFaqTtbx4fQcAXMfNZyH2t5Uiv1utLTJBx40U9096L18-SfsX5ugh5ItFvRQc1yoVa_HdZ6TSV_N3QrCsn4LMNKt35STSm5aYXVK8PZFnKhbOLKJcQsC_etbBWLJPJb9NRZySHmXaXmfIALG8fFQJqTsniYZf_rRKhvka0WAj1dtitPaR4Q-v9M_Nh3AoNeymSC9hVLSXpVw"
}
2017-05-11 18:44:59,018:DEBUG:requests.packages.urllib3.connectionpool:"POST /acme/new-authz HTTP/1.1" 201 1009
2017-05-11 18:44:59,020:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Content-Type: application/json
Content-Length: 1009
Boulder-Request-Id: 9waViuadzuY3h4PkVYDQrrwXIr27-RdnCYl04hv8vnM
Boulder-Requester: 14108585
Link: <https://acme-v01.api.letsencrypt.org/acme/new-cert>;rel="next"
Location: https://acme-v01.api.letsencrypt.org/acme/authz/TjAvc1p938UJSViOv0-4DsOeRq0myNEr3XhxadmENrU
Replay-Nonce: I6Z2rq5XmXv_hIXPwJbnWqXFT2Ye6FlM6qFqOv9aDEI
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Thu, 11 May 2017 18:44:55 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 11 May 2017 18:44:55 GMT
Connection: keep-alive
{
"identifier": {
"type": "dns",
"value": "mail.thebestplace.ovh"
},
"status": "pending",
"expires": "2017-05-18T18:44:55.239743072Z",
"challenges": [
{
"type": "tls-sni-01",
"status": "pending",
"uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/TjAvc1p938UJSViOv0-4DsOeRq0myNEr3XhxadmENrU/1160494904",
"token": "OxQIE3uXns0WWzPZoszf8GRWoAnjtYjGhJHmQQDxBmo"
},
{
"type": "http-01",
"status": "pending",
"uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/TjAvc1p938UJSViOv0-4DsOeRq0myNEr3XhxadmENrU/1160494905",
"token": "8uLakEmvO34ffF6pJERFkosX88pMqy9aqsR2T9ZPfyo"
},
{
"type": "dns-01",
"status": "pending",
"uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/TjAvc1p938UJSViOv0-4DsOeRq0myNEr3XhxadmENrU/1160494906",
"token": "Ea5HjZcSd7yZmyIqy3AlHeBGRasjWyfIb-h1NGiyp1M"
}
],
"combinations": [
[
1
],
[
2
],
[
0
]
]
}
2017-05-11 18:44:59,020:DEBUG:acme.client:Storing nonce: I6Z2rq5XmXv_hIXPwJbnWqXFT2Ye6FlM6qFqOv9aDEI
2017-05-11 18:44:59,023:INFO:certbot.auth_handler:Performing the following challenges:
2017-05-11 18:44:59,024:INFO:certbot.auth_handler:tls-sni-01 challenge for mail.thebestplace.ovh
2017-05-11 18:45:00,240:DEBUG:certbot_apache.tls_sni_01:Adding Include /etc/apache2/le_tls_sni_01_cert_challenge.conf to /files/etc/apache2/apache2.conf
2017-05-11 18:45:00,242:DEBUG:certbot_apache.tls_sni_01:writing a config file with text:
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName 2d9485f9b6a57689605d10fd35433fcb.ab88c63566760027f5417fd4d032fc69.acme.invalid
UseCanonicalName on
SSLStrictSNIVHostCheck on
LimitRequestBody 1048576
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /var/lib/letsencrypt/OxQIE3uXns0WWzPZoszf8GRWoAnjtYjGhJHmQQDxBmo.crt
SSLCertificateKeyFile /var/lib/letsencrypt/OxQIE3uXns0WWzPZoszf8GRWoAnjtYjGhJHmQQDxBmo.pem
DocumentRoot /var/lib/letsencrypt/tls_sni_01_page/
</VirtualHost>
</IfModule>
2017-05-11 18:45:00,302:DEBUG:certbot.reverter:Creating backup of /etc/apache2/apache2.conf
2017-05-11 18:45:03,722:INFO:certbot.auth_handler:Waiting for verification...
2017-05-11 18:45:03,723:DEBUG:acme.client:JWS payload:
{
"keyAuthorization": "OxQIE3uXns0WWzPZoszf8GRWoAnjtYjGhJHmQQDxBmo.toR2333-OiMJaHacIxHHz3ujGr_tDdrEM5jOR_UeNjQ",
"type": "tls-sni-01",
"resource": "challenge"
}
2017-05-11 18:45:03,742:DEBUG:root:Sending POST request to https://acme-v01.api.letsencrypt.org/acme/challenge/TjAvc1p938UJSViOv0-4DsOeRq0myNEr3XhxadmENrU/1160494904:
{
"header": {
"alg": "RS256",
"jwk": {
"e": "AQAB",
"kty": "RSA",
"n": "1T3gaND00JUaZUzByRj5N926Zdgi-woJgigmPLrSYE720zcG_8VVfxobLdeBkQ-OIIfwjND4Q91bD8n1UsGZz6Du-ukkoe3aCrvrw5rB0A3eCkRcTPRINBZcLkhgCClMVwSDXOQ5fjA0DaW_6c5TWcdzxm3AAt8V_XjX_d0cWV54KWhTUxc4BMxjvy9PBraD0JLl-zwBtUog380vuYUUuVe-cs2voOYdZp4vmsMKPhcow4ssR0FvyCMJUhQstn9tI6Sor-GdZKsziRjfohpR2lC_pQE_dQgkzD0z77NN5zzPsL8JA2tagInJrTuexqMfIRZlIX6HNbeYfExxkziquw"
}
},
"protected": "eyJub25jZSI6ICJJNloycnE1WG1Ydl9oSVhQd0pibldxWEZUMlllNkZsTTZxRnFPdjlhREVJIn0",
"payload": "ewogICJrZXlBdXRob3JpemF0aW9uIjogIk94UUlFM3VYbnMwV1d6UFpvc3pmOEdSV29Bbmp0WWpHaEpIbVFRRHhCbW8udG9SMjMzMy1PaU1KYUhhY0l4SEh6M3VqR3JfdERkckVNNWpPUl9VZU5qUSIsIAogICJ0eXBlIjogInRscy1zbmktMDEiLCAKICAicmVzb3VyY2UiOiAiY2hhbGxlbmdlIgp9",
"signature": "Scffkld08aapteyFXsnJ8aS0_pVZAJ52TEkahgLKJAd-yI2LxxMiMZ4FTD-7u7N97dPrZYZVz87dBszYrxImFAHwHRWUjodnnuu_nU98fqms_YRKnoe-RFK1YzXSuLaB9d3GlTcRZifwa-M1jQ7LjF0R4B0zOr1z5yx1yNDo_VQKnn7Qnm6ydkLiFTsp1Li2uCHTm95TTNTK2CwIGdg6bY1nTaVAH2wYTPDiwApQi6T0GI_twjpN1WUp64-cqYXzMtcIo69v47WpnNjzoQjJ1OS0JduzXwgEcRM_pcn73LzP_1a8xlzJcB02v-wPli0FjkVhJdIXf5GySVnpbukK4A"
}
2017-05-11 18:45:04,006:DEBUG:requests.packages.urllib3.connectionpool:"POST /acme/challenge/TjAvc1p938UJSViOv0-4DsOeRq0myNEr3XhxadmENrU/1160494904 HTTP/1.1" 202 339
2017-05-11 18:45:04,009:DEBUG:acme.client:Received response:
HTTP 202
Server: nginx
Content-Type: application/json
Content-Length: 339
Boulder-Request-Id: qK5KIaeDv51YZEWz9645Al0ZTQZqTDaAMRfRHV3xVaI
Boulder-Requester: 14108585
Link: <https://acme-v01.api.letsencrypt.org/acme/authz/TjAvc1p938UJSViOv0-4DsOeRq0myNEr3XhxadmENrU>;rel="up"
Location: https://acme-v01.api.letsencrypt.org/acme/challenge/TjAvc1p938UJSViOv0-4DsOeRq0myNEr3XhxadmENrU/1160494904
Replay-Nonce: z_pGyDOZB2rS2C0KIJrqnlSgl_uRQExmvwi68cliiLE
Expires: Thu, 11 May 2017 18:45:00 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 11 May 2017 18:45:00 GMT
Connection: keep-alive
{
"type": "tls-sni-01",
"status": "pending",
"uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/TjAvc1p938UJSViOv0-4DsOeRq0myNEr3XhxadmENrU/1160494904",
"token": "OxQIE3uXns0WWzPZoszf8GRWoAnjtYjGhJHmQQDxBmo",
"keyAuthorization": "OxQIE3uXns0WWzPZoszf8GRWoAnjtYjGhJHmQQDxBmo.toR2333-OiMJaHacIxHHz3ujGr_tDdrEM5jOR_UeNjQ"
}
2017-05-11 18:45:04,009:DEBUG:acme.client:Storing nonce: z_pGyDOZB2rS2C0KIJrqnlSgl_uRQExmvwi68cliiLE
2017-05-11 18:45:07,013:DEBUG:root:Sending GET request to https://acme-v01.api.letsencrypt.org/acme/authz/TjAvc1p938UJSViOv0-4DsOeRq0myNEr3XhxadmENrU.
2017-05-11 18:45:07,600:DEBUG:requests.packages.urllib3.connectionpool:"GET /acme/authz/TjAvc1p938UJSViOv0-4DsOeRq0myNEr3XhxadmENrU HTTP/1.1" 200 1603
2017-05-11 18:45:07,602:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 1603
Boulder-Request-Id: 1ClB3-fdIFGwvKBDKlMbJy6lDBLkl77lzXhl9qQD73Q
Link: <https://acme-v01.api.letsencrypt.org/acme/new-cert>;rel="next"
Replay-Nonce: F7EiV_rVDkaV2bPcApUutTYYDdAQkZhKjLnm5ONAxIA
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Thu, 11 May 2017 18:45:03 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 11 May 2017 18:45:03 GMT
Connection: keep-alive
{
"identifier": {
"type": "dns",
"value": "mail.thebestplace.ovh"
},
"status": "invalid",
"expires": "2017-05-18T18:44:55Z",
"challenges": [
{
"type": "tls-sni-01",
"status": "invalid",
"error": {
"type": "urn:acme:error:malformed",
"detail": "Failed to connect to 109.25.226.10:443 for tls-sni-01 challenge: Server only speaks HTTP, not TLS",
"status": 400
},
"uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/TjAvc1p938UJSViOv0-4DsOeRq0myNEr3XhxadmENrU/1160494904",
"token": "OxQIE3uXns0WWzPZoszf8GRWoAnjtYjGhJHmQQDxBmo",
"keyAuthorization": "OxQIE3uXns0WWzPZoszf8GRWoAnjtYjGhJHmQQDxBmo.toR2333-OiMJaHacIxHHz3ujGr_tDdrEM5jOR_UeNjQ",
"validationRecord": [
{
"hostname": "mail.thebestplace.ovh",
"port": "443",
"addressesResolved": [
"109.25.226.10"
],
"addressUsed": "109.25.226.10",
"addressesTried": []
}
]
},
{
"type": "http-01",
"status": "pending",
"uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/TjAvc1p938UJSViOv0-4DsOeRq0myNEr3XhxadmENrU/1160494905",
"token": "8uLakEmvO34ffF6pJERFkosX88pMqy9aqsR2T9ZPfyo"
},
{
"type": "dns-01",
"status": "pending",
"uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/TjAvc1p938UJSViOv0-4DsOeRq0myNEr3XhxadmENrU/1160494906",
"token": "Ea5HjZcSd7yZmyIqy3AlHeBGRasjWyfIb-h1NGiyp1M"
}
],
"combinations": [
[
1
],
[
2
],
[
0
]
]
}
2017-05-11 18:45:07,606:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:
Domain: mail.thebestplace.ovh
Type: malformed
Detail: Failed to connect to 109.25.226.10:443 for tls-sni-01 challenge: Server only speaks HTTP, not TLS
To fix these errors, please make sure that you did not provide any invalid information to the client, and try running Certbot again.
2017-05-11 18:45:07,607:INFO:certbot.auth_handler:Cleaning up challenges
2017-05-11 18:45:08,324:DEBUG:certbot.main:Exiting abnormally:
Traceback (most recent call last):
File "/usr/bin/certbot", line 11, in <module>
load_entry_point('certbot==0.10.2', 'console_scripts', 'certbot')()
File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 849, in main
return config.func(config, plugins)
File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 575, in run
action, lineage = _auth_from_available(le_client, config, domains, certname)
File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 107, in _auth_from_available
lineage = le_client.obtain_and_enroll_certificate(domains, certname)
File "/usr/lib/python2.7/dist-packages/certbot/client.py", line 291, in obtain_and_enroll_certificate
certr, chain, key, _ = self.obtain_certificate(domains)
File "/usr/lib/python2.7/dist-packages/certbot/client.py", line 262, in obtain_certificate
self.config.allow_subset_of_names)
File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line 77, in get_authorizations
self._respond(resp, best_effort)
File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line 134, in _respond
self._poll_challenges(chall_update, best_effort)
File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line 198, in _poll_challenges
raise errors.FailedChallenges(all_failed_achalls)
FailedChallenges: Failed authorization procedure. mail.thebestplace.ovh (tls-sni-01): urn:acme:error:malformed :: The request message was malformed :: Failed to connect to 109.25.226.10:443 for tls-sni-01 challenge: Server only speaks HTTP, not TLS