Problem renewing a cert

platyrat · May 2, 2019, 9:14am

I’m totally new to Let’s Encrypt and certbot and trying to renew a cert after receiving a mail about a cert getting old. I have not renewed the cert before nor am I its original installer, so I don’t know any details about how it was set up.

My domain is:
vanilla.puheet.site

I ran this command:
certbot renew

It produced this output:
(I tried the dry-run flag as well and it was able to successfully “renew” other certs that are not yet due for renewal. )

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/vanilla.puheet.site.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Attempting to renew cert (vanilla.puheet.site) from /etc/letsencrypt/renewal/vanilla.puheet.site.conf produced an unexpected error: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Read timed out. (read timeout=45). Skipping.

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/pointrsurvey.inputchannel.com/fullchain.pem (failure)
  /etc/letsencrypt/live/vanilla.puheet.site/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/vanilla.puheet.site/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

My web server is (include version):
nginx version: nginx/1.14.0 (Ubuntu)

The operating system my web server runs on is (include version):
Ubuntu 18.04.1 LTS

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes.

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot --version output: certbot 0.28.0

JuergenAuer · May 2, 2019, 9:18am

Hi @platyrat

please answer the following questions:

–

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

platyrat · May 2, 2019, 10:07am

@JuergenAuer I updated my post accordingly.

JuergenAuer · May 2, 2019, 10:18am

That looks like an error with an outgoing connection. Is your server able to connect Letsencrypt?

Try something like

ping acme-v02.api.letsencrypt.org
curl acme-v02.api.letsencrypt.org

And share

/var/log/letsencrypt/letsencrypt.log

to see, if the error happens when your Cerbot creates a new order or later.

platyrat · May 2, 2019, 11:31am

ping acme-v02.api.letsencrypt.org:

PING e14990.dscx.akamaiedge.net (95.100.12.214) 56(84) bytes of data.
64 bytes from a95-100-12-214.deploy.static.akamaitechnologies.com (95.100.12.214): icmp_seq=1 ttl=58 time=6.03 ms
64 bytes from a95-100-12-214.deploy.static.akamaitechnologies.com (95.100.12.214): icmp_seq=2 ttl=58 time=5.62 ms
64 bytes from a95-100-12-214.deploy.static.akamaitechnologies.com (95.100.12.214): icmp_seq=3 ttl=58 time=5.62 ms
64 bytes from a95-100-12-214.deploy.static.akamaitechnologies.com (95.100.12.214): icmp_seq=4 ttl=58 time=5.62 ms
64 bytes from a95-100-12-214.deploy.static.akamaitechnologies.com (95.100.12.214): icmp_seq=5 ttl=58 time=5.63 ms
^C
--- e14990.dscx.akamaiedge.net ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4007ms
rtt min/avg/max/mdev = 5.623/5.710/6.038/0.164 ms

curl -i acme-v02.api.letsencrypt.org:

HTTP/1.1 301 Moved Permanently
Server: AkamaiGHost
Content-Length: 0
Location: https://acme-v02.api.letsencrypt.org/
Expires: Thu, 02 May 2019 10:23:44 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 02 May 2019 10:23:44 GMT
Connection: keep-alive

After trying ping and curl I ran certbot renew again to catch only the most recent output from the renewal attempt, and this time the renewal succeeded. I have no idea why. I didn’t change anything and had ran the command probably a dozen times by this point. Maybe ping and curl contain some magic.

Anyway, thanks for the help!

JuergenAuer · May 2, 2019, 12:46pm

Curious.

Perhaps there were wrong cached dns entries.

But happy to read that it works now.

system · June 1, 2019, 12:58pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Problem with automatic certificate renewal Help	6	2330	February 11, 2018
Unable to renew SSL certificate using certbot Help	19	3921	August 4, 2022
Renew Certs Error Help	20	4147	February 2, 2018
Renewal problems after upgrading certbot Help	13	1879	March 18, 2019
All Renewal attemps failed Help	10	771	May 21, 2019

Problem renewing a cert

Related Topics