Renew dry run works but renew fails

If I run the command

certbot renew --dry-run

everything seems ok but when I run

“certbot renew” I get the following error:

Attempting to renew cert ( from /etc/letsencrypt/renewal/ produced an unexpected error: Failed authorization procedure. (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Connection refused. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/ (failure)

What can it be?
Thanks in advance

Please show:
certbot --version
certbot certificates
cat /etc/letsencrypt/renewal/
tail -n 30 /var/log/letsencrypt/letsencrypt.log

Thanks rg305

Following the info you asked for:

version: 0.23.0

Found the following certs:
Certificate Name:
Expiry Date: 2018-06-01 16:25:44+00:00 (VALID: 19 days)
Certificate Path: /etc/letsencrypt/live/
Private Key Path: /etc/letsencrypt/live/

renew_before_expiry = 30 days

version = 0.21.1
archive_dir = /etc/letsencrypt/archive/
cert = /etc/letsencrypt/live/
privkey = /etc/letsencrypt/live/
chain = /etc/letsencrypt/live/
fullchain = /etc/letsencrypt/live/

Options used in the renewal process

authenticator = apache
installer = apache
account = #######################

2018-05-13 01:18:28,452:DEBUG:certbot.main:certbot version: 0.23.0
2018-05-13 01:18:28,452:DEBUG:certbot.main:Arguments: []
2018-05-13 01:18:28,452:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2018-05-13 01:18:28,925:DEBUG:certbot.log:Root logging level set at 20
2018-05-13 01:18:28,925:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2018-05-13 01:18:29,780:DEBUG:certbot.ocsp:Querying OCSP for /etc/letsencrypt/live/
2018-05-13 01:18:29,780:DEBUG:certbot.ocsp:openssl ocsp -no_nonce -issuer /etc/letsencrypt/live/ -cert /etc/letsencrypt/live/ -url -CAfile /etc/letsencrypt/live/ -verify_other /etc/letsencrypt/live/ -trust_other -header Host

If I have guessed your domain correctly, the non-www version of your domain is pointing to a different set of IPs from the www version, possibly a URL redirector, which is not compatible with the TLS-SNI challenge.

TLS-SNI has been / is being disabled; please see IMPORTANT: What you need to know about TLS-SNI validation issues

As for what you need to do now, you could try:

certbot renew --preferred-challenges http
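As an added example (not part of this thread and not certbot's own code), the POSIX sh script below shows the persistent form of the fix _az suggests: it reads a certbot renewal config of the kind posted above, reports which challenge it prefers, flags configs that would still end up on the retired tls-sni-01 challenge, and emits a copy with `pref_challs = http-01,` set under `[renewalparams]`. The two config texts are constructed to mirror the posted one, with `EXAMPLE` standing in for the elided paths and account id; `pref_challs` is the key certbot itself uses for `--preferred-challenges` in renewal configs, and treating a missing key as "at risk" follows the thread, where the posted config has no `pref_challs` and certbot attempted tls-sni-01 anyway.

```shell
#!/bin/sh
# Constructed renewal config modelled on the one posted above (no pref_challs key).
CONF_AS_POSTED=$(cat <<'EOF'
renew_before_expiry = 30 days
version = 0.21.1
archive_dir = /etc/letsencrypt/archive/EXAMPLE
cert = /etc/letsencrypt/live/EXAMPLE/cert.pem
[renewalparams]
authenticator = apache
installer = apache
account = EXAMPLE
EOF
)

# Constructed variant that explicitly pins the retired challenge.
CONF_PINNED_TLSSNI=$(cat <<'EOF'
renew_before_expiry = 30 days
version = 0.21.1
[renewalparams]
authenticator = apache
installer = apache
account = EXAMPLE
pref_challs = tls-sni-01,
EOF
)

# Print the challenge list from pref_challs (trailing comma stripped), or "unset".
preferred_challenges() {
    chal=$(printf '%s\n' "$1" \
        | sed -n 's/^pref_challs[[:space:]]*=[[:space:]]*//p' \
        | tr -d '[:space:]' | sed 's/,$//')
    if [ -z "$chal" ]; then echo unset; else echo "$chal"; fi
}

# Return 0 (true) when renewal would rely on tls-sni-01: either it is pinned,
# or nothing is pinned and the plugin default applies (as in the posted config).
uses_tls_sni() {
    case "$(preferred_challenges "$1")" in
        unset|*tls-sni-01*) return 0 ;;
        *) return 1 ;;
    esac
}

# Emit the config with pref_challs forced to http-01: replace an existing key,
# otherwise insert one directly after the [renewalparams] header.
pin_http01() {
    if printf '%s\n' "$1" | grep -q '^pref_challs[[:space:]]*='; then
        printf '%s\n' "$1" | sed 's/^pref_challs[[:space:]]*=.*/pref_challs = http-01,/'
    else
        printf '%s\n' "$1" \
            | awk '{ print } /^\[renewalparams\]$/ { print "pref_challs = http-01," }'
    fi
}

# Demo: report both constructed configs and show the corrected form of the posted one.
for name in CONF_AS_POSTED CONF_PINNED_TLSSNI; do
    eval "conf=\$$name"
    if uses_tls_sni "$conf"; then
        echo "$name: prefers $(preferred_challenges "$conf") -> will hit tls-sni-01, needs http-01"
    else
        echo "$name: prefers $(preferred_challenges "$conf") -> ok"
    fi
done
echo "--- corrected config ---"
pin_http01 "$CONF_AS_POSTED"
```

To apply this for real, run `pin_http01` over the file in `/etc/letsencrypt/renewal/` for the affected certificate name, keep a backup of the original, and confirm with `certbot renew --dry-run` before the next scheduled renewal; the one-off `certbot renew --preferred-challenges http` from the reply above is the equivalent without touching the config.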

Thanks a lot _az!
It works fine!

Thanks again
