We got a rate limited advise by trying to renew one domain many times accidentally. Could you tell me if I have to wait 7 days to make the renew correctly?. I have some error at this time and for that the renew was executed many times.
Sorry for the mistake about “-”. I really use “–” .
I executed the command ./certbot —nginx renew —cert-name ... and the rate limit notification dissapeared but now I have a new issue:
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (serargentino.com) from /etc/letsencrypt/renewal/serargentino.com.conf produced an unexpected error: Failed authorization procedure. serargentino.com (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 27b799d5e96b1e10f751888307d71bcb.8ec38f52a4740fe396318014bef81774.acme.invalid from 159.89.243.227:443. Received 2 certificate(s), first certificate had names "serargentino.com, www.serargentino.com", www.serargentino.com (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 39aef781a41e99fcdd74a08727652d12.b6f7bce35a4613c9109a08f6df133d36.acme.invalid from 159.89.243.227:443. Received 2 certificate(s), first certificate had names "serargentino.com, www.serargentino.com". Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/serargentino.com/fullchain.pem (failure)
Please let me know if I have to open a new issue for this new issue.
You’re using the old tls-sni challenge. If you have a recent enough version of certbot, switching to the http challenge is often easier than getting the tls-sni challenge working. Try this:
(The --nginx is not needed with renew unless you’re trying to switch to it from a different plugin, but I left it in just in case that’s actually what you’re doing).
Incidentally, I notice you’re using a HTTP 307 response code to redirect to HTTPS, instead of the usual (and recommended) 301. I don’t think that will make a difference to your ability to issue a certificate, at least in this case, but it might be something to look at nonetheless.
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: serargentino.com
Type: unauthorized
Detail: Invalid response from
http://serargentino.com/.well-known/acme-challenge/Wig-_9myUtwt1UdvoKXseF-ZG7V6CIXHVtnkAQvQX30:
"<html>
<head>
<title>No se encontró la página - Ser
Argentino</title>
<link rel="stylesheet" href="https://maxcdn."
...
The redirect to HTTPS is a configuration in a load balancer cloud services. There is not a configuration file that I can modify.
The SSL certificate is configurated in the load balancer services in Digital Ocean but it was created in a nginx webserver. At the begining the webserver was public but then it was behind of the load balancer services.
Could the error be caused by this type of infraestructure?. Are there any way to recreate the SSL certificate in another server and then configure it in the load balancer service?
That would certainly explain why the tls-sni challenge didn't work, at least.
Do you have more than one server behind the load balancer? If so, you might need to configure it to send requests for /.well-known/acme-challenge/* paths to a particular backend server, so that certbot can run on that server and be able to answer the challenges. If you can't get the load balancer to do that, you could configure nginx on the other servers to proxy those requests to the server where certbot is running. Or if you have a shared mount for your web root, you could try the --webroot plugin instead of --nginx.
If you just have the one backend server, the problem might be due to some quirk of your nginx configuration that's somehow incompatible with certbot's configuration parser, in which case it would still be useful to see your nginx configuration.
Another possibility might be to allow the load balancer to obtain and install certificates by itself, which it appears Digital Ocean's load balancers are able to do. This would save you the trouble of having to manually install the new cert to the load balancer after each renewal (or writing a script to do so). However you would have to move your DNS to Digital Ocean as well in order to take advantage of this. Also that wouldn't (by itself) secure the connection between the load balancer and the droplet(s).
Yes, I have a cache server ahead. So, could I configure that to proxy those request that you say?. Reading about load balance features, the services don't allow rules with URIs. You can only use port redirection. I will ask to digital ocean support about this features.
Yes, I know this feature but I don't have the DNS in DO, so I will need migrate it. The problem is that I have this site in production. However is an option.
So you have a load balancer, and behind that a cache server (or more than one?) and behind that two or more nginx web servers? In that case yes you could configure your cache server to ensure that all requests for /.well-known/acme-challenge/* paths go to a specific nginx web server.
If you have some other configuration, it would help if you could describe it in detail...