Renew cert failed


#1

Hi, can anyone help me to renew my letsencrypt cert???

3 months ago I did the cert renewal using this command:
sudo letsencrypt renew

Now I’m trying the same command but it fails with this response:
Attempting to renew cert (edificanet.com) from /etc/letsencrypt/renewal/edificanet.com.conf produced an unexpected error: Failed authorization procedure. edificanet.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://edificanet.com/.well-known/acme-challenge/J-auGSptGkzhXT6PnXLXOh7dKu9BaK7KmFX83cOL8SE: Timeout during connect (likely firewall problem). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/edificanet.com/fullchain.pem (failure)

Since half a year ago the https protocol has been working fine using the lets encrypt cert

Also today I’m trying to renew the cert using this command
sudo certbot certonly --force-renew -d edificanet.com

choosing the 1) option but I get the same response.

Thanks for your help


#2

Hi @robertomo

you may have used tls-sni-01 validation. But this is deprecated; support ends 2019-02-13.

So your certbot switches to http-01 validation.

An open port 80 and an http webserver are required.

But your port 80 is closed or no http is configured ( https://check-your-website.server-daten.de/?q=edificanet.com ):

Domainname                                                                                        IP              Http-Status  redirect  Sec.    G
http://edificanet.com/                                                                            34.237.243.249  -14                    10.026  T  Timeout - The operation has timed out
http://www.edificanet.com/                                                                        34.237.243.249  -14                    10.026  T  Timeout - The operation has timed out
https://edificanet.com/                                                                           34.237.243.249  200                    2.570   N  Certificate error: RemoteCertificateChainErrors
https://www.edificanet.com/                                                                       34.237.243.249  200                    2.306   N  Certificate error: RemoteCertificateNameMismatch, RemoteCertificateChainErrors
http://edificanet.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de       34.237.243.249  -14                    10.027  T  Timeout - The operation has timed out
http://www.edificanet.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de   34.237.243.249  -14                    10.026  T  Timeout - The operation has timed out

Only timeouts. So check your configuration: whether http is running and whether the firewall allows http traffic. To check, you can use the tool.


#3

You’re right Juergen, my port 80 was closed; now my cert is updated :wink:

Thank you!!!


#4

Happy to read that you now have a new certificate.

But two things:

If Certbot wants to renew your certificate, you must open port 80 again.

So it may be easier to open port 80 permanently and add a redirect http -> https. When checking a file, Letsencrypt follows this redirect. So port 80 sends only redirects; this isn’t a security problem.

Rechecked your domain

Domainname                                                                                        IP              Http-Status  redirect  Sec.    G
http://edificanet.com/                                                                            34.237.243.249  -14                    10.013  T  Timeout - The operation has timed out
http://www.edificanet.com/                                                                        34.237.243.249  -14                    10.024  T  Timeout - The operation has timed out
https://edificanet.com/                                                                           34.237.243.249  200                    2.577   B
https://www.edificanet.com/                                                                       34.237.243.249  200                    2.293   N  Certificate error: RemoteCertificateNameMismatch
http://edificanet.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de       34.237.243.249  -14                    10.027  T  Timeout - The operation has timed out
http://www.edificanet.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de   34.237.243.249  -14                    10.027  T  Timeout - The operation has timed out

You have one certificate with one domain name:

CN=edificanet.com
    01.02.2019 - 02.05.2019
    edificanet.com - 1 entry

You have a www dns entry, but this is not secure. Some users never add www, some users always add www. So you have two options:

  • Remove the dns entry www, or (better)
  • create one certificate with both domain names and use it for both versions (www and non-www). Then every user has a secure connection.
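The two things the thread turns on are (a) whether the CA can actually reach http://<domain>/.well-known/acme-challenge/<token> on port 80, and (b) that a port-80 vhost which only redirects is fine because the validator follows the redirect. The script below is an added self-check illustrating both; it is not code from the thread or from certbot. It writes a random token under a webroot the way certbot's --webroot plugin would, fetches it over plain HTTP, follows any redirect, and classifies the outcome the way the error in post #1 does ("Timeout during connect (likely firewall problem)" versus "connection refused" versus 404). To run offline, run_demo() stands up two throwaway servers on 127.0.0.1: one serving the webroot and one that only redirects to it (in production that redirect would point at https://). The host names, ports and temporary webroot are assumptions of the example.

```python
"""Self-check for Let's Encrypt http-01 reachability (added example, not certbot code)."""
import os
import secrets
import socket
import tempfile
import threading
import urllib.error
import urllib.request
from functools import partial
from http.server import BaseHTTPRequestHandler, SimpleHTTPRequestHandler, ThreadingHTTPServer

CHALLENGE_DIR = ".well-known/acme-challenge"


def write_challenge(webroot):
    """Drop a random token file where the --webroot plugin would put a real one."""
    token = secrets.token_urlsafe(32)
    path = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(path, exist_ok=True)
    with open(os.path.join(path, token), "w") as f:
        f.write(token)
    return token


def check_http01(host, token, port=80, timeout=10):
    """Fetch the token over plain HTTP like the CA does and classify the result.

    urllib follows 301/302 automatically, so a port-80 vhost that only redirects
    (e.g. to https://) still yields "ok" as long as the target serves the file.
    """
    url = f"http://{host}:{port}/{CHALLENGE_DIR}/{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode()
    except urllib.error.HTTPError as e:
        # Port open, web server answers, but the file is not where it looks:
        # wrong webroot / vhost, or the challenge path is blocked by a rewrite.
        return "not_found" if e.code == 404 else f"http_{e.code}"
    except urllib.error.URLError as e:
        if isinstance(e.reason, socket.timeout):
            return "timeout"      # nothing answers at all: likely a firewall / security group
        return "connection"       # refused: port reachable but nothing listening on it
    except socket.timeout:
        return "timeout"
    return "ok" if body.strip() == token else "wrong_content"


class QuietFileHandler(SimpleHTTPRequestHandler):
    """Serves the webroot; logging silenced so the demo stays quiet."""
    def log_message(self, *args):
        pass


class RedirectHandler(BaseHTTPRequestHandler):
    """Stand-in for a port-80 vhost that does nothing but redirect (to https:// in production)."""
    target = ""  # base URL, set per server in serve_redirect()

    def do_GET(self):
        self.send_response(301)
        self.send_header("Location", self.target + self.path)
        self.end_headers()

    def log_message(self, *args):
        pass


def _serve(handler):
    srv = ThreadingHTTPServer(("127.0.0.1", 0), handler)  # port 0: OS picks a free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def serve_webroot(webroot):
    return _serve(partial(QuietFileHandler, directory=webroot))


def serve_redirect(target_base):
    return _serve(type("Redirect", (RedirectHandler,), {"target": target_base}))


def _closed_port():
    """Pick a port nothing listens on, to reproduce the 'connection refused' case."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def run_demo():
    """Exercise the classifier against constructed local servers; returns the outcomes."""
    webroot = tempfile.mkdtemp()
    token = write_challenge(webroot)
    origin = serve_webroot(webroot)
    origin_port = origin.server_address[1]
    front = serve_redirect(f"http://127.0.0.1:{origin_port}")
    try:
        return {
            "direct": check_http01("127.0.0.1", token, origin_port),
            "via_redirect": check_http01("127.0.0.1", token, front.server_address[1]),
            "wrong_token": check_http01("127.0.0.1", "no-such-token", origin_port),
            "closed_port": check_http01("127.0.0.1", token, _closed_port(), timeout=3),
        }
    finally:
        origin.shutdown(); origin.server_close()
        front.shutdown(); front.server_close()


if __name__ == "__main__":
    for case, outcome in run_demo().items():
        print(f"{case:13s} -> {outcome}")
```

Against a real host, call check_http01("edificanet.com", write_challenge("/var/www/html")) from outside the network; "timeout" is the firewall case from post #1, "connection" means the firewall is open but nothing listens on 80, and "not_found" means the web server answers but from a different document root than the one the token was written to.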