Problem with automatic certificate renewal


#1

Hello,
I have a problem when testing the automatic renewal of my certificate.
Manual creation of the certificate is not a problem, but when I execute the command:
certbot-auto renew --dry-run

An error message appears:

Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for mydomain.net
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (mydomain.net) from /etc/letsencrypt/renewal/mydomain.net.conf produced an unexpected error: Failed authorization procedure. mydomain.net (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://mydomain.net/.well-known/acme-challenge/8YO8FAJ98ZDiLHqoUaof3XnemDAXNQsEXWL6cPswEq0: Timeout. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/mydomain.net.net/fullchain.pem (failure)

In the access.log I have a code 200 from the Let’s Encrypt servers:

52.29.173.72 - - [12/Jan/2018:12:00:06 +0100] "GET /.well-known/acme-challenge/8YO8FAJ98ZDiLHqoUaof3XnemDAXNQsEXWL6cPswEq0 HTTP/1.1" 200 118 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "-"
66.133.109.36 - - [12/Jan/2018:12:00:06 +0100] "GET /.well-known/acme-challenge/8YO8FAJ98ZDiLHqoUaof3XnemDAXNQsEXWL6cPswEq0 HTTP/1.1" 200 118 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "-"

Could you help me?

Best regards


#2

Please provide the real domain name. There are a number of potential issues relating to e.g. DNS and networking that are really hard to help you with unless we know what the domain is.


#3

Hello, thanks for your answer.
Unfortunately the domain is not accessible from the internet; it’s a pre-production environment that I can’t open to the internet.
However, I have allowed the Let’s Encrypt IPs on the firewall.


#4

You can’t whitelist Let’s Encrypt IPs; the pool of IPs used by the VA is not stable and will change.

In a behind-the-firewall scenario you should use the dns-01 challenge.

What IP addresses will the Let’s Encrypt servers use to validate my web server? The Let’s Encrypt CA doesn’t publish a list of IP addresses it uses to validate, because they may change at any time. In the future, it may validate from multiple IP addresses at once.


#5

So far I’ve only seen 3 IPs querying my servers for renewals, I’ve allowed them on the firewall and it worked for other servers.

But is the DNS method available with the certbot-auto renew command?


#6

It’s hard to know why a timeout is being experienced without knowing the domain. It could also be AAAA records, if they exist, but a staff member may be able to check the exact reason for you once they become available.

Certbot does have support for dns-01 auto-renewal, yes, provided that your domain has its DNS hosting with a supported provider, or you can write a manual auth hook to update the TXT record (https://certbot.eff.org/docs/using.html):

  --dns-cloudflare      Obtain certificates using a DNS TXT record (if you are
                        using Cloudflare for DNS). (default: False)
  --dns-cloudxns        Obtain certificates using a DNS TXT record (if you are
                        using CloudXNS for DNS). (default: False)
  --dns-digitalocean    Obtain certificates using a DNS TXT record (if you are
                        using DigitalOcean for DNS). (default: False)
  --dns-dnsimple        Obtain certificates using a DNS TXT record (if you are
                        using DNSimple for DNS). (default: False)
  --dns-dnsmadeeasy     Obtain certificates using a DNS TXT record (if you
                        areusing DNS Made Easy for DNS). (default: False)
  --dns-google          Obtain certificates using a DNS TXT record (if you are
                        using Google Cloud DNS). (default: False)
  --dns-luadns          Obtain certificates using a DNS TXT record (if you are
                        using LuaDNS for DNS). (default: False)
  --dns-nsone           Obtain certificates using a DNS TXT record (if you are
                        using NS1 for DNS). (default: False)
  --dns-rfc2136         Obtain certificates using a DNS TXT record (if you are
                        using BIND for DNS). (default: False)
  --dns-route53         Obtain certificates using a DNS TXT record (if you are
                        using Route53 for DNS). (default: False)
