Problem with renewal of certificates


#1

Hey Guys!

First of all: sorry, I am not a pro with the certificate stuff, so maybe my question will be dumb. But… I can't help it by myself.
I have a problem with the renewal of my certificate.
The certificate needs to be installed on Raspbian; it's used for Nextcloud.

When trying to renew the certificates, the following error shows up:
Failed authorization procedure. elberthome.dnshome.de (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://elberthome.dnshome.de/.well-known/acme-challenge/TxwoH5rxd6Cm3fFAT0stlsUBOpBNyHLhLiyau3Y69cE: Error getting validation data

Problem is, I deleted the .well-known folder; I had to during the Nextcloud update.
How can I generate a completely new one?
Is there any help?

EDIT!

Juergen asked me to update my thread (sorry for that!)
More information here:

My domain is: elberthome.dnshome.de

I ran this command:
certbot certonly --webroot -w /var/www/html/ -d elberthome.dnshome.de -m simonelbert@gmx.de --agree-tos

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for elberthome.dnshome.de
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. elberthome.dnshome.de (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://elberthome.dnshome.de/.well-known/acme-challenge/TxwoH5rxd6Cm3fFAT0stlsUBOpBNyHLhLiyau3Y69cE: Error getting validation data

My web server is: Nextcloud

My operating system is: Raspbian

I can log in to a root shell on my machine: yes

Thank you in advance!!

Warm (cold) regards from Germany,

Simon


#2

Hi @noomiis

please answer all of the following questions:

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

Moved to “Help”; there is this template.


#3

Hi @JuergenAuer,

Sorry for that, I just edited my post.

Thank you!


#4

Your server is invisible ( https://check-your-website.server-daten.de/?q=elberthome.dnshome.de ):

| Domainname | Http-Status | redirect | Sec. | G |
|---|---|---|---|---|
| http://elberthome.dnshome.de/ (217.247.35.79) | -14 (Timeout - The operation has timed out) | | 10.027 | T |
| https://elberthome.dnshome.de/ (217.247.35.79) | -14 (Timeout - The operation has timed out) | | 17.173 | T |
| http://elberthome.dnshome.de/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de (217.247.35.79) | -14 (Timeout - The operation has timed out) | | 10.036 | T |

The first and the second timeout aren’t critical.

But Certbot creates a file under /.well-known/acme-challenge, and Letsencrypt wants to fetch this file.

A timeout -> validation can’t work.

Is there a firewall? Or a wrong router setting router port 80 -> server port 80?


#5

I just tried the same check:

name “elberthome.dnshome.de” is domain, public suffix is “dnshome.de”
A good: All ip addresses are public addresses
A good: No asked Authoritative Name Server had a timeout
A DNS: “Name Error” means: No www-dns-entry defined. This isn’t a problem
A Good: Nameserver supports TCP connections: 1 good Nameserver
A Good: Nameserver supports Echo Capitalization: 1 good Nameserver
A Good: Nameserver supports EDNS with max. 512 Byte Udp payload, message is smaller: 1 good Nameserver
A Duration: 43554 milliseconds, 43.554 seconds

Where do you see that the server is invisible?
When you open the link https://elberthome.dnshome.de and confirm the certificate warning, you will get to the Nextcloud login. So I think the router / firewall works fine.

I used to renew the certificate with the command ./letsencrypt-auto, and that worked fine for 2 years.

I think the error is somewhere in the .well-known directory, because I deleted it.


#6

You may have used tls-sni-validation (via port 443).

But tls-sni-validation is deprecated, support ends 2019-02-13.

So Certbot switches to http-validation.

Then an open port 80 + http is required.

Your port 80 is closed or doesn’t answer.

The tool ( https://check-your-website.server-daten.de/?q=elberthome.dnshome.de ) should see an http status 404 - not found.

But not a timeout.
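To make the distinction drawn in #4 and #6 concrete (a 404 means port 80 reaches a web server but the token file is not served, a timeout means nothing on port 80 answers at all), here is an added pre-flight check. It is example code written for this thread, not part of Certbot, Nextcloud or the check-your-website tool. It writes a throw-away token under `<webroot>/.well-known/acme-challenge/`, fetches it over plain HTTP the way the CA does (without following redirects), and classifies the outcome. The script name, the `DIAGNOSIS` wording and the command-line arguments are assumptions.

```python
"""Pre-flight check for ACME HTTP-01 validation (example code, not Certbot's).

certbot --webroot drops a token file into <webroot>/.well-known/acme-challenge/
and the CA fetches http://<domain>/.well-known/acme-challenge/<token> on port 80.
This script does the same with a throw-away token so the failure modes can be
told apart before running certbot.
"""
import secrets
import socket
import sys
import urllib.error
import urllib.request
from pathlib import Path

CHALLENGE_DIR = ".well-known/acme-challenge"

# Plain-language meaning of each probe result (wording is this example's own).
DIAGNOSIS = {
    "ok": "token served correctly; HTTP-01 should pass from this vantage point",
    "not_found": "port 80 answers but the file is not served: check the -w webroot "
                 "and any rewrite or deny rules covering /.well-known",
    "redirect": "a redirect sits in front of the challenge path; the CA follows it, "
                "so the redirect target must serve the token as well",
    "wrong_content": "a different body came back: a login page or proxy is answering "
                     "instead of the static file",
    "timeout": "no answer on port 80 at all: router port-forward or firewall drops it",
    "refused": "port 80 reachable but nothing listening: start a web server on port 80 "
               "or use certbot --standalone",
    "unreachable": "DNS or network error before any HTTP exchange took place",
}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Report 3xx as a result instead of silently following it."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def write_probe_file(webroot, token=""):
    """Create <webroot>/.well-known/acme-challenge/<token> containing the token."""
    token = token or secrets.token_urlsafe(32)
    challenge_dir = Path(webroot) / CHALLENGE_DIR
    challenge_dir.mkdir(parents=True, exist_ok=True)
    probe_path = challenge_dir / token
    probe_path.write_text(token)
    return token, probe_path


def probe_http01(base_url, token, expected, timeout=10.0):
    """Fetch the token like the CA would and classify the outcome."""
    url = f"{base_url.rstrip('/')}/{CHALLENGE_DIR}/{token}"
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:            # an HTTP status came back
        if err.code == 404:
            return "not_found"
        if 300 <= err.code < 400:
            return "redirect"
        return f"http_{err.code}"
    except urllib.error.URLError as err:             # failed before any status
        reason = err.reason
        if isinstance(reason, (socket.timeout, TimeoutError)):
            return "timeout"
        if isinstance(reason, ConnectionRefusedError):
            return "refused"
        return "unreachable"
    except (socket.timeout, TimeoutError):           # connected, but no reply
        return "timeout"
    return "ok" if body.strip() == expected else "wrong_content"


def main(argv):
    if len(argv) != 3:
        print(f"usage: {argv[0]} DOMAIN WEBROOT", file=sys.stderr)
        return 2
    domain, webroot = argv[1], argv[2]
    token, path = write_probe_file(webroot)
    try:
        result = probe_http01(f"http://{domain}", token, token)
    finally:
        path.unlink(missing_ok=True)                 # leave no stray files behind
    print(f"{result}: {DIAGNOSIS.get(result, 'unexpected HTTP status')}")
    return 0 if result == "ok" else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 http01_check.py elberthome.dnshome.de /var/www/html` (file name assumed) with the same webroot you pass to `-w`. One caveat: the CA validates from the public internet, so a probe run from inside the same LAN can report `ok` while the router still blocks port 80 from outside (or fail on NAT hairpinning while the outside view is fine); for the definitive answer run it from an external host, or use the check-your-website tool mentioned above.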


#7

I have the same problem – certificates stopped renewing after having auto-renewed for an extended period – and port 80 was not open. I’ve opened the port, but do I need to do anything else? I don’t have a webserver installed. Thanks.


#8

[This should have been a separate topic]

What is your renewal process?
What is your domain name?
Can you verify that port is allowed and reaches your server?


#9

I apologize for not creating a new topic – I thought it belonged here because I was getting the same error message.

Looking at the date on my certs, they were renewed tonight. Thanks again for the fantastic support culture on this forum.


#10

Hi Juergen,

You were right --> opening port 80 solved the “mystery”.
Certificate is renewed, everything works fine.

Thank you very much for your quick and great support!

Warm regards,

Simon


#11

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.