May 12, 2018, 11:01pm
If I run the command
certbot renew --dry-run
everything seems OK, but when I run
“certbot renew” I get the following error:
Attempting to renew cert (domain.it) from /etc/letsencrypt/renewal/domain.it.conf produced an unexpected error: Failed authorization procedure. domain.it (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Connection refused. Skipping.
All renewal attempts failed. The following certs could not be renewed:
What can it be?
Thanks in advance
May 12, 2018, 11:07pm
tail -n 30 /var/log/letsencrypt/letsencrypt.log
May 12, 2018, 11:25pm
Here is the info you asked for:
Found the following certs:
Certificate Name: domain.it
Domains: domain.it www.domain.it
Expiry Date: 2018-06-01 16:25:44+00:00 (VALID: 19 days)
Certificate Path: /etc/letsencrypt/live/domain.it/fullchain.pem
Private Key Path: /etc/letsencrypt/live/domain.it/privkey.pem
renew_before_expiry = 30 days
version = 0.21.1
archive_dir = /etc/letsencrypt/archive/domain.it
cert = /etc/letsencrypt/live/domain.it/cert.pem
privkey = /etc/letsencrypt/live/domain.it/privkey.pem
chain = /etc/letsencrypt/live/domain.it/chain.pem
fullchain = /etc/letsencrypt/live/domain.it/fullchain.pem
Options used in the renewal process
authenticator = apache
installer = apache
account = #######################
2018-05-13 01:18:28,452:DEBUG:certbot.main:certbot version: 0.23.0
2018-05-13 01:18:28,452:DEBUG:certbot.main:Arguments: 
2018-05-13 01:18:28,452:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2018-05-13 01:18:28,925:DEBUG:certbot.log:Root logging level set at 20
2018-05-13 01:18:28,925:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2018-05-13 01:18:29,780:DEBUG:certbot.ocsp:Querying OCSP for /etc/letsencrypt/live/domain.it/cert.pem
2018-05-13 01:18:29,780:DEBUG:certbot.ocsp:openssl ocsp -no_nonce -issuer /etc/letsencrypt/live/domain.it/chain.pem -cert /etc/letsencrypt/live/domain.it/cert.pem -url http://ocsp.int-x3.letsencrypt.org -CAfile /etc/letsencrypt/live/domain.it/chain.pem -verify_other /etc/letsencrypt/live/domain.it/chain.pem -trust_other -header Host ocsp.int-x3.letsencrypt.org
May 12, 2018, 11:40pm
If I have guessed your domain correctly, the non-www version of your domain is pointing to a different set of IPs to the www version, possibly a URL redirector, that is not compatible with the TLS-SNI challenge.
TLS-SNI has been/is being disabled, please see
IMPORTANT: What you need to know about TLS-SNI validation issues
As for what you need to do now, you could try:
certbot renew --preferred-challenges http
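An added example, not part of the original reply and not certbot's own code: a small Python check for the two conditions the reply above points to, a tls-sni-01 failure in the renewal output and certificate names that resolve to different hosts. The function names, the `resolver` parameter and the DNS answers in `FAKE_DNS` are assumptions constructed for illustration.

```python
import re
import socket

# Failure detail as certbot prints it (format taken from the error quoted in the question).
FAILURE_RE = re.compile(
    r"(?P<domain>\S+) \((?P<challenge>[a-z0-9-]+)\): "
    r"(?P<error>urn:acme:error:\w+) :: (?P<detail>.*)")

def parse_failures(output):
    """Return one dict per failed authorization found in certbot output."""
    return [m.groupdict() for m in FAILURE_RE.finditer(output)]

def resolve(name):
    """Default resolver: addresses the local resolver returns for name."""
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(name, 443, proto=socket.IPPROTO_TCP)}
    except socket.gaierror:
        return set()

def group_by_address(names, resolver=resolve):
    """Group certificate names by the set of addresses they resolve to."""
    groups = {}
    for name in names:
        groups.setdefault(frozenset(resolver(name)), []).append(name)
    return sorted(groups.values())

def diagnose(output, cert_names, resolver=resolve):
    """Return findings for the two conditions raised in the reply."""
    findings = []
    for f in parse_failures(output):
        if f["challenge"] == "tls-sni-01":
            findings.append(f"{f['domain']}: failed on tls-sni-01 ({f['error']}); "
                            "renew with --preferred-challenges http")
    groups = group_by_address(cert_names, resolver)
    if len(groups) > 1:
        findings.append("names resolve to different hosts: "
                        + " | ".join(",".join(g) for g in groups))
    return findings

# Constructed sample: the error line from the question plus made-up DNS answers
# (documentation address ranges), so the demo runs without network access.
SAMPLE = ("Failed authorization procedure. domain.it (tls-sni-01): "
          "urn:acme:error:connection :: The server could not connect to the "
          "client to verify the domain :: Connection refused. Skipping.")
FAKE_DNS = {"domain.it": {"192.0.2.10"}, "www.domain.it": {"198.51.100.20"}}

if __name__ == "__main__":
    for line in diagnose(SAMPLE, ["domain.it", "www.domain.it"], FAKE_DNS.get):
        print(line)
```

Calling `diagnose()` without the `resolver` argument uses the local DNS resolver instead of the constructed answers.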
May 12, 2018, 11:47pm
Thanks a lot _az!
It works, fine!