Please support Renew my SSL

My domain is:
od.cdc.gov.tw
I ran this command:
/usr/bin/letsencrypt renew >> /var/log/le-renew.log
It produced this output:
2019-04-09 18:05:28,505:CRITICAL:letsencrypt.auth_handler:Client does not support any combination of challenges that will satisfy the CA.
2019-04-09 18:05:28,506:WARNING:letsencrypt.cli:Attempting to renew cert from /etc/letsencrypt/renewal/od.cdc.gov.tw.conf produced an unexpected error: Client does not support any combination of challenges that will satisfy the CA… Skipping.
1 renew failure(s), 0 parse failure(s)

My web server is (include version):
Ubuntu 16.04.6
The operating system my web server runs on is (include version):
i don’t know how was that
My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

error log:
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/letsencrypt/cli.py", line 1017, in renew
    obtain_cert(lineage_config, plugins, renewal_candidate)
  File "/usr/lib/python2.7/dist-packages/letsencrypt/cli.py", line 706, in obtain_cert
    _, action = _auth_from_domains(le_client, config, domains, lineage)
  File "/usr/lib/python2.7/dist-packages/letsencrypt/cli.py", line 457, in _auth_from_domains
    new_certr, new_chain, new_key, _ = le_client.obtain_certificate(domains)
  File "/usr/lib/python2.7/dist-packages/letsencrypt/client.py", line 252, in obtain_certificate
    return self.obtain_certificate_from_csr(domains, csr) + (key, csr)
  File "/usr/lib/python2.7/dist-packages/letsencrypt/client.py", line 225, in obtain_certificate_from_csr
    authzr = self.auth_handler.get_authorizations(domains)
  File "/usr/lib/python2.7/dist-packages/letsencrypt/auth_handler.py", line 76, in get_authorizations
    self._choose_challenges(domains)
  File "/usr/lib/python2.7/dist-packages/letsencrypt/auth_handler.py", line 99, in _choose_challenges
    self.authzr[dom].body.combinations)
  File "/usr/lib/python2.7/dist-packages/letsencrypt/auth_handler.py", line 390, in gen_challenge_path
    return _find_smart_path(challbs, preferences, combinations)
  File "/usr/lib/python2.7/dist-packages/letsencrypt/auth_handler.py", line 430, in _find_smart_path
    raise errors.AuthorizationError(msg)
AuthorizationError: Client does not support any combination of challenges that will satisfy the CA.

2019-04-09 08:52:02,047:DEBUG:letsencrypt.cli:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/letsencrypt", line 9, in <module>
    load_entry_point('letsencrypt==0.4.1', 'console_scripts', 'letsencrypt')()
  File "/usr/lib/python2.7/dist-packages/letsencrypt/cli.py", line 1986, in main
    return config.func(config, plugins)
  File "/usr/lib/python2.7/dist-packages/letsencrypt/cli.py", line 1034, in renew
    len(renew_failures), len(parse_failures)))
Error: 1 renew failure(s), 0 parse failure(s)

Without more information, it’s impossible to be sure, but letsencrypt 0.4.1 is quite old, and Let’s Encrypt recently deprecated the TLS-SNI-01 validation method. If you’re using letsencrypt’s apache or nginx plugins, you should upgrade to a newer version that supports the HTTP-01 validation method.

“letsencrypt” was renamed to “Certbot” around the same time Ubuntu 16.04 was first released. Certbot 0.23.0 was recently made available in the Ubuntu 16.04 repositories. If you sudo apt update and sudo apt upgrade, you should be able to upgrade to a version that will work.

You can also enable the Certbot PPA to upgrade all the way to version 0.31.0:

$ sudo apt-get update
$ sudo apt-get install software-properties-common
$ sudo add-apt-repository universe
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update

How can I know whether my Certbot upgrade succeeded?
I tried running your commands and then ran this command: /usr/bin/letsencrypt renew >> /var/log/le-renew.log
I get the same error log:

2019-04-09 11:59:08,891:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2019-04-09 11:59:09,074:DEBUG:requests.packages.urllib3.connectionpool:“POST /acme/new-authz HTTP/1.1” 201 995
2019-04-09 11:59:09,076:DEBUG:root:Received <Response [201]>. Headers: {‘Content-Length’: ‘995’, ‘Expires’: ‘Tue, 09 Apr 2019 11:59:09 GMT’, ‘Strict-Transport-Security’: ‘max-age=604800’, ‘Server’: ‘nginx’, ‘Cache-Control’: ‘max-age=0, no-cache, no-store’, ‘Connection’: ‘keep-alive’, ‘Link’: ‘https://acme-v01.api.letsencrypt.org/acme/new-cert;rel=“next”’, ‘Location’: ‘https://acme-v01.api.letsencrypt.org/acme/authz/QfPLUmY-tJNejvzKYWKiyxmCKMUOr2vi3rx90NF7Wlw’, ‘Pragma’: ‘no-cache’, ‘Boulder-Requester’: ‘4536782’, ‘Date’: ‘Tue, 09 Apr 2019 11:59:09 GMT’, ‘X-Frame-Options’: ‘DENY’, ‘Content-Type’: ‘application/json’, ‘Replay-Nonce’: ‘8B3_K23QZTXXokWBevUE2jU0UhIwHT0B4FX8-qobSkk’}. Content: ‘{\n “identifier”: {\n “type”: “dns”,\n “value”: “od.cdc.gov.tw”\n },\n “status”: “pending”,\n “expires”: “2019-04-14T18:30:05Z”,\n “challenges”: [\n {\n “type”: “tls-alpn-01”,\n “status”: “pending”,\n “uri”: “https://acme-v01.api.letsencrypt.org/acme/challenge/QfPLUmY-tJNejvzKYWKiyxmCKMUOr2vi3rx90NF7Wlw/14503991880”,\n “token”: “XkJOr7NZJQ7fBHm8IWX9dHJSgF__M0mq5t7lHIU8fac”\n },\n {\n “type”: “dns-01”,\n “status”: “pending”,\n “uri”: “https://acme-v01.api.letsencrypt.org/acme/challenge/QfPLUmY-tJNejvzKYWKiyxmCKMUOr2vi3rx90NF7Wlw/14503991882”,\n “token”: “X1tl75zXtPX0nmP0H9WuqweyWM5edTDQsi4OduB2udo”\n },\n {\n “type”: “http-01”,\n “status”: “pending”,\n “uri”: “https://acme-v01.api.letsencrypt.org/acme/challenge/QfPLUmY-tJNejvzKYWKiyxmCKMUOr2vi3rx90NF7Wlw/14503991883”,\n “token”: “v3mu5sOy_ghuIltuwx4CEdsUTJrY46WVbkL-oCAB4o4”\n }\n ],\n “combinations”: [\n [\n 2\n ],\n [\n 1\n ],\n [\n 0\n ]\n ]\n}’
2019-04-09 11:59:09,077:DEBUG:acme.client:Storing nonce: ‘\xf0\x1d\xff+m\xd0e5\xd7\xa2E\x81z\xf5\x04\xda54R\x120\x1d=\x01\xe0U\xfc\xfa\xaa\x1bJI’
2019-04-09 11:59:09,077:DEBUG:acme.client:Received response <Response [201]> (headers: {‘Content-Length’: ‘995’, ‘Expires’: ‘Tue, 09 Apr 2019 11:59:09 GMT’, ‘Strict-Transport-Security’: ‘max-age=604800’, ‘Server’: ‘nginx’, ‘Cache-Control’: ‘max-age=0, no-cache, no-store’, ‘Connection’: ‘keep-alive’, ‘Link’: ‘https://acme-v01.api.letsencrypt.org/acme/new-cert;rel=“next”’, ‘Location’: ‘https://acme-v01.api.letsencrypt.org/acme/authz/QfPLUmY-tJNejvzKYWKiyxmCKMUOr2vi3rx90NF7Wlw’, ‘Pragma’: ‘no-cache’, ‘Boulder-Requester’: ‘4536782’, ‘Date’: ‘Tue, 09 Apr 2019 11:59:09 GMT’, ‘X-Frame-Options’: ‘DENY’, ‘Content-Type’: ‘application/json’, ‘Replay-Nonce’: ‘8B3_K23QZTXXokWBevUE2jU0UhIwHT0B4FX8-qobSkk’}): ‘{\n “identifier”: {\n “type”: “dns”,\n “value”: “od.cdc.gov.tw”\n },\n “status”: “pending”,\n “expires”: “2019-04-14T18:30:05Z”,\n “challenges”: [\n {\n “type”: “tls-alpn-01”,\n “status”: “pending”,\n “uri”: “https://acme-v01.api.letsencrypt.org/acme/challenge/QfPLUmY-tJNejvzKYWKiyxmCKMUOr2vi3rx90NF7Wlw/14503991880”,\n “token”: “XkJOr7NZJQ7fBHm8IWX9dHJSgF__M0mq5t7lHIU8fac”\n },\n {\n “type”: “dns-01”,\n “status”: “pending”,\n “uri”: “https://acme-v01.api.letsencrypt.org/acme/challenge/QfPLUmY-tJNejvzKYWKiyxmCKMUOr2vi3rx90NF7Wlw/14503991882”,\n “token”: “X1tl75zXtPX0nmP0H9WuqweyWM5edTDQsi4OduB2udo”\n },\n {\n “type”: “http-01”,\n “status”: “pending”,\n “uri”: “https://acme-v01.api.letsencrypt.org/acme/challenge/QfPLUmY-tJNejvzKYWKiyxmCKMUOr2vi3rx90NF7Wlw/14503991883”,\n “token”: “v3mu5sOy_ghuIltuwx4CEdsUTJrY46WVbkL-oCAB4o4”\n }\n ],\n “combinations”: [\n [\n 2\n ],\n [\n 1\n ],\n [\n 0\n ]\n ]\n}’
2019-04-09 11:59:09,078:DEBUG:acme.challenges:tls-alpn-01 was not recognized, full message: {u’status’: u’pending’, u’token’: u’XkJOr7NZJQ7fBHm8IWX9dHJSgF__M0mq5t7lHIU8fac’, u’type’: u’tls-alpn-01’, u’uri’: u’https://acme-v01.api.letsencrypt.org/acme/challenge/QfPLUmY-tJNejvzKYWKiyxmCKMUOr2vi3rx90NF7Wlw/14503991880’}
2019-04-09 11:59:09,078:DEBUG:acme.challenges:dns-01 was not recognized, full message: {u’status’: u’pending’, u’token’: u’X1tl75zXtPX0nmP0H9WuqweyWM5edTDQsi4OduB2udo’, u’type’: u’dns-01’, u’uri’: u’https://acme-v01.api.letsencrypt.org/acme/challenge/QfPLUmY-tJNejvzKYWKiyxmCKMUOr2vi3rx90NF7Wlw/14503991882’}
2019-04-09 11:59:09,079:INFO:letsencrypt.auth_handler:Performing the following challenges:
2019-04-09 11:59:09,079:CRITICAL:letsencrypt.auth_handler:Client does not support any combination of challenges that will satisfy the CA.
2019-04-09 11:59:09,079:WARNING:letsencrypt.cli:Attempting to renew cert from /etc/letsencrypt/renewal/od.cdc.gov.tw.conf produced an unexpected error: Client does not support any combination of challenges that will satisfy the CA… Skipping.
2019-04-09 11:59:09,080:DEBUG:letsencrypt.cli:Traceback was:
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/letsencrypt/cli.py", line 1017, in renew
    obtain_cert(lineage_config, plugins, renewal_candidate)
  File "/usr/lib/python2.7/dist-packages/letsencrypt/cli.py", line 706, in obtain_cert
    _, action = _auth_from_domains(le_client, config, domains, lineage)
  File "/usr/lib/python2.7/dist-packages/letsencrypt/cli.py", line 457, in _auth_from_domains
    new_certr, new_chain, new_key, _ = le_client.obtain_certificate(domains)
  File "/usr/lib/python2.7/dist-packages/letsencrypt/client.py", line 252, in obtain_certificate
    return self.obtain_certificate_from_csr(domains, csr) + (key, csr)
  File "/usr/lib/python2.7/dist-packages/letsencrypt/client.py", line 225, in obtain_certificate_from_csr
    authzr = self.auth_handler.get_authorizations(domains)
  File "/usr/lib/python2.7/dist-packages/letsencrypt/auth_handler.py", line 76, in get_authorizations
    self._choose_challenges(domains)
  File "/usr/lib/python2.7/dist-packages/letsencrypt/auth_handler.py", line 99, in _choose_challenges
    self.authzr[dom].body.combinations)
  File "/usr/lib/python2.7/dist-packages/letsencrypt/auth_handler.py", line 390, in gen_challenge_path
    return _find_smart_path(challbs, preferences, combinations)
  File "/usr/lib/python2.7/dist-packages/letsencrypt/auth_handler.py", line 430, in _find_smart_path
    raise errors.AuthorizationError(msg)
AuthorizationError: Client does not support any combination of challenges that will satisfy the CA.

2019-04-09 11:59:09,081:DEBUG:letsencrypt.cli:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/letsencrypt", line 9, in <module>
    load_entry_point('letsencrypt==0.4.1', 'console_scripts', 'letsencrypt')()
  File "/usr/lib/python2.7/dist-packages/letsencrypt/cli.py", line 1986, in main
    return config.func(config, plugins)
  File "/usr/lib/python2.7/dist-packages/letsencrypt/cli.py", line 1034, in renew
    len(renew_failures), len(parse_failures)))
Error: 1 renew failure(s), 0 parse failure(s)

Btw I can login to a root shell on my machine (yes or no, or I don’t know): yes
and thanks for your help!
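
The debug log above shows why the renewal stops before any challenge is attempted: the CA's authorization offers only tls-alpn-01, dns-01 and http-01. The sketch below is an added illustration (not part of the thread and not Certbot's own code) of how a client matches offered challenge combinations against what its plugin can answer. The function name `choose_challenges` and the two plugin capability lists are assumptions made for the example.

```python
import json

# Authorization body trimmed from the new-authz response in the log above
# (tokens, URIs and expiry omitted; only the fields used for selection kept).
AUTHZ = json.loads("""
{
  "identifier": {"type": "dns", "value": "od.cdc.gov.tw"},
  "status": "pending",
  "challenges": [
    {"type": "tls-alpn-01", "status": "pending"},
    {"type": "dns-01", "status": "pending"},
    {"type": "http-01", "status": "pending"}
  ],
  "combinations": [[2], [1], [0]]
}
""")

# Assumptions for illustration: an old authenticator plugin that can only
# answer tls-sni-01, and a newer one that prefers http-01.
OLD_PLUGIN = ["tls-sni-01"]
NEW_PLUGIN = ["http-01", "tls-sni-01"]


def choose_challenges(authz, supported):
    """Return the challenge types of the best combination the client can
    fully satisfy; `supported` is ordered from most to least preferred.
    Raises ValueError when no offered combination is satisfiable."""
    offered = [c["type"] for c in authz["challenges"]]
    # "combinations" holds index sets into "challenges"; completing every
    # challenge in any one set is enough. Default: each challenge alone.
    combos = authz.get("combinations") or [[i] for i in range(len(offered))]
    rank = {t: i for i, t in enumerate(supported)}
    usable = []
    for combo in combos:
        types = [offered[i] for i in combo if 0 <= i < len(offered)]
        if len(types) == len(combo) and all(t in rank for t in types):
            usable.append((sum(rank[t] for t in types), types))
    if not usable:
        raise ValueError("no satisfiable combination: CA offers %s, "
                         "client supports %s" % (sorted(offered), sorted(supported)))
    return min(usable, key=lambda u: u[0])[1]


if __name__ == "__main__":
    print(choose_challenges(AUTHZ, NEW_PLUGIN))
    try:
        choose_challenges(AUTHZ, OLD_PLUGIN)
    except ValueError as exc:
        print("old plugin:", exc)
```
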

You can run /usr/bin/letsencrypt --version to see the version number you're using when you run /usr/bin/letsencrypt renew.

Thank you.
Its version number is still letsencrypt 0.4.1 …

My upgrade to version 0.31.0 succeeded,
but I got a new parse failure.
The message is:
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/od.cdc.gov.tw.conf

Renewal configuration file /etc/letsencrypt/renewal/od.cdc.gov.tw.conf (cert: od.cdc.gov.tw) produced an unexpected error: 'Namespace' object has no attribute 'apache_enmod'. Skipping.

No renewals were attempted.

Additionally, the following renewal configurations were invalid:
/etc/letsencrypt/renewal/od.cdc.gov.tw.conf (parsefail)

0 renew failure(s), 1 parse failure(s)

Does that mean I have to fix my config? Is there some odd parameter, or something I need to add for the new version?

Hm… This is only a guess, but are you sure that all of Certbot’s components have been updated?

What is the traceback in /var/log/letsencrypt/letsencrypt.log?

What does “dpkg -l '*certbot*' '*letsencrypt*'” show?


Here is what it shows:
dpkg_certbot_letsencrypt
and my log is https://drive.google.com/file/d/1l0yriVpO0ZA2yh8fCXOnmPRZnqfT8UXX/view?usp=sharing

I tried apt install python-certbot-apache.
Now I get this:
/usr/bin/letsencrypt renew >> /var/log/le-renew.log
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for od.cdc.gov.tw
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (od.cdc.gov.tw) from /etc/letsencrypt/renewal/od.cdc.gov.tw.conf produced an unexpected error: Failed authorization procedure. od.cdc.gov.tw (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: dns :: DNS problem: query timed out looking up A for od.cdc.gov.tw. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/od.cdc.gov.tw/fullchain.pem (failure)

(I haven't clicked on the Google Drive links.)

It looks like your domain has severe DNS problems.

http://dnsviz.net/d/od.cdc.gov.tw/dnssec/
http://dnsviz.net/d/cdc.gov.tw/dnssec/

https://unboundtest.com/m/A/od.cdc.gov.tw/ZRFVOOMF
https://unboundtest.com/m/A/od.cdc.gov.tw/BPAI7PFO
https://unboundtest.com/m/A/od.cdc.gov.tw/MGJIXHTW

https://ednscomp.isc.org/ednscomp/79f37ed345

cdc.gov.tw's nameservers have 5 IP addresses and 3-4 of them are inaccessible.

(The one accessible server is also buggy, but if I were to guess, I think it's only in ways that don't break Let's Encrypt yet.)

The unboundtest results may show issues with gov.tw or tw as well. I'm not sure.

You can try repeatedly, but things won't work reliably during a severe DNS outage.
