Hi,
I am trying to renew my certificate by using this below command, Previously i did many times,it was working proper but now i am getting below error.
./certbot-auto
Saving debug log to /var/log/letsencrypt/letsencrypt.log
It’s much easier to debug these problems if you share your actual domain name instead of example.net.
Looking at the tls-sni-01 challenge response error you received you seem to be using a CDN. This typically prevents you from using the tls-sni-01 challenge since the CDN terminates TLS connections on your behalf and doesn’t understand how to return the special tls-sni-01 challenge response certificate.
I would recommend that you try using the http-01 challenge type as this will use an HTTP request to a /.well-known/acme-challenge/ file that will pass through the CDN to your origin server where Certbot is running.
I don’t know the best way to accomplish this given the way you’re running Certbot. Hopefully someone else in this thread will be able to help with that portion.
When using Certbot, the default is to try the Apache plugin (--apache) which uses TLS-SNI-01, which indeed does not work from behind a CDN. You can instead choose the webroot plugin with --webroot in order to use HTTP-01.
So can i run this above command to renew the certificate? If this command is not clear, so can you please provide the commands, so that i can run the execute at my end.
That looks good. It’s not really necessary to re-specify --agree-tos and --email here.
Also, the -w /var/www should go before the -d options. Normally the order of command line options doesn’t matter, but Certbot has a feature where you can have different web root directories for different domain names, in which case the most recently encountered -w specifies the web root to use for subsequent -d options.
I believe that means your web server is returning a 403 Forbidden when LE tries to access your challenge file. Some web servers are configured to not serve files from hidden directories by default. Other times, this comes from a configuration or permissions issue.
First, try creating a text file with something in it in /var/www/.well-known and load that in your browser. If that doesn’t load, troubleshoot why not for your web server. If so, put a test file in /var/www/.well-known/acme-challenge and see if that will load in a browser. If not, troubleshoot why not.
If you were able to load that test file, you may need to look into IPv4 vs IPv6 issues. Another common issue is that if you have an AAAA record for your domain, LE will (currently) use that and not fallback to IPv4 if the verification fails on IPv6. Often, web servers are not properly configured to handle IPv6 traffic, so the verification fails. Sometime soon (in the next several days, most likely), this will be changed so that HTTP-01 challenges will fallback to IPv4 in the event that they fail for IPv6.
Do you want to expand and replace this existing certificate with the new
certificate?
(E)xpand/(C)ancel: E
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.example.net
http-01 challenge for example.net
Using the webroot path /var/www for all unmatched domains.
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/example.net/fullchain.pem. Your cert will
expire on 2017-10-16. To obtain a new or tweaked version of this
certificate in the future, simply run certbot-auto again. To
non-interactively renew all of your certificates, run
"certbot-auto renew"
If you like Certbot, please consider supporting our work by:
After checking the certificate validation by using https://www.ssllabs.com/ssltest/analyze.html, I tried to see the values for "Valid from" and "Valid until" dates, these values are not still changed. I think, these values will be reflect after some time.
So I think this certificate is renewed successfully by using HTTP-01.
Great! In the future you can run (perhaps even automatically using cron, which is what we recommend) ./certbot-auto renew to renew your certificate when it is 30 days from expiry. It will remember, using a configuration file in /etc/letsencrypt/renewal, that you used the particular settings that you most recently specified with the ./certbot-auto certonly command.