Renew certificate certbot issue - how to use HTTP-01 instead of TLS-SNI-01?


#1

Hi,
I am trying to renew my certificate by using this below command, Previously i did many times,it was working proper but now i am getting below error.

./certbot-auto

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?

1: example.net
2: www.example.net

Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter ‘c’ to cancel):


You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/example.net.conf)

It contains these names: example.net

You requested these names for the new certificate: example.net, www.example.net.

Do you want to expand and replace this existing certificate with the new
certificate?

(E)xpand/©ancel: E
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for example.net
tls-sni-01 challenge for www.example.net
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. www.example.net (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested b9fba34b9c1a348e6.9974e96de0a311e27f64d38b5a64c8f7.acme.invalid from 23.52.2.149:443. Received 2 certificate(s), first certificate had names “a.ltscdn.com, aegontest.blonde.net, apps-cdn.kognito.com, assetbundles.kognito.com, assets.fisco.com, cdn.gromsocial.com, cdn.iamqu.com, cdn.juniorscheesecake.com, cdn.lekekassen.no, cdn.letsgolearn.com, cdn.media.euromonitor.com, cdn.qouyou.com, cdn.spinit.com, cdn.timezone.de, cdns.visitorlando.com, cdntest.tron.rax.io, content.audi.co.uk, css.bluelinerental.com, images.booksense.com, images.cdndaviselen.com, img.bluelinerental.com, js.bluelinerental.com, logos.teamgantt.com, media.4seating.com, media.atkinsonsbullion.com, media.glenfiddich.com, mediavault.point2.com, op-drive-sto.carrefour.fr, production.uncf.org, secured1.san1.raxcdn.com, static.acne.org, static.casinocruise.com, static.facecreamantiaging.com, test.harrypottertheplay.com, track.tend.io, uatr2.pearlizumi.com, video.carid.com, www.bluelinerental.com, www.dealdey.com, www.harrypottertheplay.com, www.michaeljfox.org, www.example.net, www.uncf.org

Please any suggestion.

Thanks,


#2

Hi @drupaldev,

It’s much easier to debug these problems if you share your actual domain name instead of example.net.

Looking at the tls-sni-01 challenge response error you received you seem to be using a CDN. This typically prevents you from using the tls-sni-01 challenge since the CDN terminates TLS connections on your behalf and doesn’t understand how to return the special tls-sni-01 challenge response certificate.

I would recommend that you try using the http-01 challenge type as this will use an HTTP request to a /.well-known/acme-challenge/ file that will pass through the CDN to your origin server where Certbot is running.

I don’t know the best way to accomplish this given the way you’re running Certbot. Hopefully someone else in this thread will be able to help with that portion.


#3

When using Certbot, the default is to try the Apache plugin (--apache) which uses TLS-SNI-01, which indeed does not work from behind a CDN. You can instead choose the webroot plugin with --webroot in order to use HTTP-01.


#4

Hi,

Thanks for reply. So as per your suggestion related to webroot plugin, i get the below command to execute.

sudo certbot certonly --webroot --agree-tos --email your-email address -d www.example.com -d example.com -w /var/www/

So can i run this above command to renew the certificate? If this command is not clear, so can you please provide the commands, so that i can run the execute at my end.

Thanks,


#5

That looks good. It’s not really necessary to re-specify --agree-tos and --email here.

Also, the -w /var/www should go before the -d options. Normally the order of command line options doesn’t matter, but Certbot has a feature where you can have different web root directories for different domain names, in which case the most recently encountered -w specifies the web root to use for subsequent -d options.


#6

Hi,

Thanks for reply. I got the below error while I executed below command.

sudo certbot certonly --webroot -w /var/www/ -d www.example.net -d example.net

certbot: command not found

Then i tried to list the current directory (ls), then i saw below folder is already there.

-rwxr-xr-x 1 root root 48386 Jul 14 14:15 certbot-auto*

After this i modified the command and then executed below command.

root@server01:~# ./certbot-auto certonly --webroot -w /var/www/ -d www.example.net -d example.net

Saving debug log to /var/log/letsencrypt/letsencrypt.log


You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/example.net.conf)

It contains these names: example.net

You requested these names for the new certificate: www.example.net, example.net.

Do you want to expand and replace this existing certificate with the new
certificate?

(E)xpand/©ancel: E
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.example.net
http-01 challenge for example.net
Using the webroot path /var/www for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. www.example.net (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.example.net/.well-known/acme-challenge/2ANmKF0TWWa3PI0IqY9Ii9Y2cC2aCgcNYoAJM8wbHbo: "

403 Forbidden

Forbidden

-------------------------------------

Please any suggestion.

Thanks,


#7

I believe that means your web server is returning a 403 Forbidden when LE tries to access your challenge file. Some web servers are configured to not serve files from hidden directories by default. Other times, this comes from a configuration or permissions issue.

First, try creating a text file with something in it in /var/www/.well-known and load that in your browser. If that doesn’t load, troubleshoot why not for your web server. If so, put a test file in /var/www/.well-known/acme-challenge and see if that will load in a browser. If not, troubleshoot why not.

If you were able to load that test file, you may need to look into IPv4 vs IPv6 issues. Another common issue is that if you have an AAAA record for your domain, LE will (currently) use that and not fallback to IPv4 if the verification fails on IPv6. Often, web servers are not properly configured to handle IPv6 traffic, so the verification fails. Sometime soon (in the next several days, most likely), this will be changed so that HTTP-01 challenges will fallback to IPv4 in the event that they fail for IPv6.


#8

Hi,

Thanks for reply. I have checked and updated some code in the .htaccess at the root directory.
After these changes, i ran the below command again.

root@server01:~# ./certbot-auto certonly --webroot -w /var/www/ -d www.example.net -d example.net

Then below is the output of this command.

Saving debug log to /var/log/letsencrypt/letsencrypt.log


You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/example.net.conf)

It contains these names: example.net

You requested these names for the new certificate: www.example.net, example.net.

Do you want to expand and replace this existing certificate with the new
certificate?

(E)xpand/©ancel: E
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.example.net
http-01 challenge for example.net
Using the webroot path /var/www for all unmatched domains.
Waiting for verification…
Cleaning up challenges

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at
    /etc/letsencrypt/live/example.net/fullchain.pem. Your cert will
    expire on 2017-10-16. To obtain a new or tweaked version of this
    certificate in the future, simply run certbot-auto again. To
    non-interactively renew all of your certificates, run
    "certbot-auto renew"

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le


After checking the certificate validation by using https://www.ssllabs.com/ssltest/analyze.html, I tried to see the values for “Valid from” and “Valid until” dates, these values are not still changed. I think, these values will be reflect after some time.

So I think this certificate is renewed successfully by using HTTP-01.

Thanks


#9

Great! In the future you can run (perhaps even automatically using cron, which is what we recommend) ./certbot-auto renew to renew your certificate when it is 30 days from expiry. It will remember, using a configuration file in /etc/letsencrypt/renewal, that you used the particular settings that you most recently specified with the ./certbot-auto certonly command.


#10

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.