Problem with certificate renewal in AWS


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
www.privacyaudit.me

I ran this command:
/usr/bin/certbot-auto renew --deploy-hook 'docker restart nginx'

It produced this output:
Attempting to renew cert (privacyaudit.me) from /etc/letsencrypt/renewal/privacyaudit.me.conf produced an unexpected error: Failed authorization procedure. www.privacyaudit.me (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://www.privacyaudit.me/.well-known/acme-challenge/3RYTe56-xcWDN5Aawv-1jKetIWe4Ms3no6WB_5n66gA: Timeout during connect (likely firewall problem), privacyaudit.me (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://privacyaudit.me/.well-known/acme-challenge/HllQHIUrN19vu973bWtSipqeC9vWztB0I59jMXKYDUA: Timeout during connect (likely firewall problem). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/privacyaudit.me/fullchain.pem (failure)

My web server is (include version):
no web server, standalone

The operating system my web server runs on is (include version):
Debian 9

My hosting provider, if applicable, is:
AWS

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The problem is renewing the certificate; the error message is in the output. Can anyone help me?


#2

I will try…

Please show file:
/etc/letsencrypt/renewal/{your.domain}.conf

In the meantime, try:
/usr/bin/certbot-auto renew --standalone --deploy-hook 'docker restart nginx'


#3

renew_before_expiry = 30 days

version = 0.27.1
archive_dir = /etc/letsencrypt/archive/privacyaudit.me
cert = /etc/letsencrypt/live/privacyaudit.me/cert.pem
privkey = /etc/letsencrypt/live/privacyaudit.me/privkey.pem
chain = /etc/letsencrypt/live/privacyaudit.me/chain.pem
fullchain = /etc/letsencrypt/live/privacyaudit.me/fullchain.pem

# Options used in the renewal process

[renewalparams]
authenticator = standalone
account = e3bcc36768d2eef824f58ad408447ab6
server = https://acme-v02.api.letsencrypt.org/directory


#4

There were too many requests of a given type :: Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/. Skipping.
All renewal attempts failed. The following certs could not be renewed:

Limits fired…


#5

All Docker containers were down when I performed the tests, and system port 80 was not busy (netstat -ltnp | grep -w ':80').


#6

Try:
/usr/bin/certbot-auto renew --dry-run --standalone --deploy-hook 'docker restart nginx'
and
/usr/bin/certbot-auto renew --dry-run --standalone --preferred-challenges tls-sni --deploy-hook 'docker restart nginx'


#7

Did you expose port 80 to this container?
or port 443?


#8

/usr/bin/certbot-auto renew --dry-run --standalone -

Attempting to renew cert (privacyaudit.me) from /etc/letsencrypt/renewal/privacyaudit.me.conf produced an unexpected error: Failed authorization procedure. privacyaudit.me (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://privacyaudit.me/.well-known/acme-challenge/RTbL-T_6jpmtUzzQw7BpdkHVUxGbbmaAUE248DPkQIo: Timeout during connect (likely firewall problem), www.privacyaudit.me (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://www.privacyaudit.me/.well-known/acme-challenge/yWCZ31VBi4Yyzv090wJx2wjDnctv52aBVQIe-SbQZy0: Timeout during connect (likely firewall problem). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/privacyaudit.me/fullchain.pem (failure)

/usr/bin/certbot-auto renew --dry-run --standalone --preferred-challenges tls-sni -
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
Attempting to renew cert (privacyaudit.me) from /etc/letsencrypt/renewal/privacyaudit.me.conf produced an unexpected error: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA… Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/privacyaudit.me/fullchain.pem (failure)


#9

Yes, but all containers are down now. If necessary, I can stop the Docker daemon.


#10

port 443 is out of the question…


#11

OK.
Follow me closely:
cd /usr/bin
/usr/bin/certbot-auto renew --dry-run --standalone


#12

netstat -ltnp | grep -w ':443' - same empty output, port not used


#13

root@web_site:/usr/bin# /usr/bin/certbot-auto renew --dry-run --standalone
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/privacyaudit.me.conf


Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for privacyaudit.me
http-01 challenge for www.privacyaudit.me
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (privacyaudit.me) from /etc/letsencrypt/renewal/privacyaudit.me.conf produced an unexpected error: Failed authorization procedure. privacyaudit.me (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://privacyaudit.me/.well-known/acme-challenge/aC7sndlIOXQok9Vy7OGn6XR9GHK6jb28lhre9qYD0s0: Timeout during connect (likely firewall problem), www.privacyaudit.me (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://www.privacyaudit.me/.well-known/acme-challenge/jFOKqVJiPIN2ittxX8xvWvE7MDCz4Lso2mlXFvnmI-E: Timeout during connect (likely firewall problem). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/privacyaudit.me/fullchain.pem (failure)


** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/privacyaudit.me/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:


#14

OK.
I’m out of ideas…

It looks like it really is a “firewall”/routing problem.
AWS runs a firewall (must allow port 80 in)
Then your server runs a firewall (must allow port 80 in)
Then your server must forward port 80 to proper docker instance (docker settings).
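The three layers listed above each fail in a recognisably different way when you repeat the CA's fetch yourself from a machine outside the VM: silently dropped packets (security group, NACL or host firewall) give a connect timeout, a reachable host with nothing bound to port 80 gives "connection refused", and a container or vhost that answers but does not serve the challenge path gives an HTTP error. The script below is an added example written for this page, not certbot's or Let's Encrypt's code. It reproduces the validator's HTTP-01 GET, classifies the outcome, and, so that it runs offline, starts a throwaway loopback responder that stands in for `certbot --standalone`. The `connect_host` parameter (an assumption of this example, not a certbot option) pins the TCP connection to a chosen IP while still sending the domain in the Host header, so DNS and routing can be tested separately. The token is the one from the first post; the key authorization body and the `http01-probe` User-Agent are constructed placeholders.

```python
"""Repeat the ACME HTTP-01 fetch yourself and classify the failure by layer.
Added example for this thread; not certbot code."""
import http.client
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

ACME_PATH = "/.well-known/acme-challenge/"


def probe_http01(host, token, connect_host=None, port=80, timeout=5.0):
    """Fetch http://<host>/.well-known/acme-challenge/<token> like an ACME validator.

    connect_host pins the TCP connection to an IP (e.g. the EC2 public address)
    while still sending Host: <host>.  Returns (classification, detail).
    """
    target = connect_host or host
    try:
        conn = http.client.HTTPConnection(target, port, timeout=timeout)
        conn.request("GET", ACME_PATH + token,
                     headers={"Host": host, "User-Agent": "http01-probe/0.1"})
        resp = conn.getresponse()
        body = resp.read(4096).decode("ascii", "replace").strip()
        conn.close()
    except socket.gaierror as exc:
        return "dns", f"cannot resolve {target}: {exc}"
    except socket.timeout:
        # No SYN/ACK at all: packets are dropped in front of the listener
        # (security group, NACL, host firewall) or the name points at a dead
        # address.  This is the "Timeout during connect" the CA reported.
        return "timeout", f"no TCP handshake with {target}:{port} within {timeout}s"
    except ConnectionRefusedError:
        # Host reachable, answers with RST: nothing is bound to the port.
        return "refused", f"{target}:{port} reachable but nothing listening"
    except OSError as exc:
        return "error", str(exc)
    if resp.status != 200:
        # Something serves port 80 but not the challenge path: wrong container,
        # wrong vhost, or a challenge directory the responder cannot see.
        return "http-error", f"HTTP {resp.status} for {ACME_PATH}{token}"
    if not body.startswith(token + "."):
        return "wrong-content", body[:80]
    return "ok", body


class _ChallengeHandler(BaseHTTPRequestHandler):
    """Minimal stand-in for certbot --standalone: maps token -> key authorization."""
    challenges = {}

    def do_GET(self):
        token = self.path[len(ACME_PATH):] if self.path.startswith(ACME_PATH) else ""
        if token not in self.challenges:
            self.send_error(404)
            return
        body = self.challenges[token].encode("ascii")
        self.send_response(200)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *_):  # keep the demo quiet
        pass


def start_responder(challenges, port=0):
    """Serve the given challenges on 127.0.0.1:<port> (0 = ephemeral) in a thread."""
    _ChallengeHandler.challenges = dict(challenges)
    srv = HTTPServer(("127.0.0.1", port), _ChallengeHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def demo():
    """Exercise the three outcomes a practitioner must tell apart, all on loopback."""
    token = "3RYTe56-xcWDN5Aawv-1jKetIWe4Ms3no6WB_5n66gA"  # token from post #1
    key_authz = token + ".CONSTRUCTED-ACCOUNT-THUMBPRINT"   # constructed, not real
    srv, port = start_responder({token: key_authz})
    results = {
        "served": probe_http01("www.privacyaudit.me", token,
                               connect_host="127.0.0.1", port=port),
        "wrong-path": probe_http01("www.privacyaudit.me", "not-the-token",
                                   connect_host="127.0.0.1", port=port),
    }
    srv.shutdown()
    srv.server_close()
    # A port known to be closed: bind an ephemeral port, release it, probe it.
    sock = socket.socket()
    sock.bind(("127.0.0.1", 0))
    closed_port = sock.getsockname()[1]
    sock.close()
    results["nothing-listening"] = probe_http01(
        "www.privacyaudit.me", token, connect_host="127.0.0.1", port=closed_port)
    return {name: cls for name, (cls, _) in results.items()}


if __name__ == "__main__":
    for name, cls in demo().items():
        print(f"{name:>17}: {cls}")
```

Run it from a host outside AWS with `probe_http01("www.privacyaudit.me", token)` and again with `connect_host` set to the instance's public IP: a "timeout" on the IP means the packets never reach a listener, so look at the security group and the host firewall before anything inside Docker; a "refused" means the instance is reachable but certbot's standalone listener is not actually bound on port 80 at the moment of validation. Two caveats: the real Let's Encrypt validator follows HTTP redirects and checks from several vantage points, which this single-shot probe does not, and the key authorization it expects is token plus the account key thumbprint, which the stand-in above only imitates with a placeholder.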


#15

No no, our site was (and is) here, so it was accessible on ports 80 and 443. Now the certificate has expired, so the renewal process was started…


#16

Can you test that port 80 service (turn it on) from the Internet?

Do you remember the exact command you used to get the last cert?


#17

Yes, now I have started the Docker containers with the site, and curl -v to http://privacyaudit.me/ returns a 302 status (it's OK). So port 80 is accessible from the Internet.
And no, I do not remember the exact command used to get the cert, sorry.


#18

Was that a different container?


#19

docker config ls
docker config inspect {config}

docker network ls
docker network inspect {name}


#20

If you are talking about the certbot-auto script environment, it was not started from a container. It is started from the host AWS VM, where we start the Docker containers.