Renew dry run works but renew fails

Hi,
if I run the command

certbot renew --dry-run

everything seems ok but when I run

"certbot renew" I get the following error

Attempting to renew cert (domain.it) from /etc/letsencrypt/renewal/domain.it.conf produced an unexpected error: Failed authorization procedure. domain.it (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Connection refused. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/domain.it/fullchain.pem (failure)

What can it be?
Thanks in advance
Stefano

Please show:
certbot --version
certbot certificates
cat /etc/letsencrypt/renewal/domain.it.conf
tail -n 30 /var/log/letsencrypt/letsencrypt.log

Hi,
thanks rg305

following is the info you asked for

version: 0.23.0


Found the following certs:
Certificate Name: domain.it
Domains: domain.it www.domain.it
Expiry Date: 2018-06-01 16:25:44+00:00 (VALID: 19 days)
Certificate Path: /etc/letsencrypt/live/domain.it/fullchain.pem
Private Key Path: /etc/letsencrypt/live/domain.it/privkey.pem

renew_before_expiry = 30 days

version = 0.21.1
archive_dir = /etc/letsencrypt/archive/domain.it
cert = /etc/letsencrypt/live/domain.it/cert.pem
privkey = /etc/letsencrypt/live/domain.it/privkey.pem
chain = /etc/letsencrypt/live/domain.it/chain.pem
fullchain = /etc/letsencrypt/live/domain.it/fullchain.pem

Options used in the renewal process

[renewalparams]
authenticator = apache
installer = apache
account = #######################

2018-05-13 01:18:28,452:DEBUG:certbot.main:certbot version: 0.23.0
2018-05-13 01:18:28,452:DEBUG:certbot.main:Arguments: []
2018-05-13 01:18:28,452:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2018-05-13 01:18:28,925:DEBUG:certbot.log:Root logging level set at 20
2018-05-13 01:18:28,925:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2018-05-13 01:18:29,780:DEBUG:certbot.ocsp:Querying OCSP for /etc/letsencrypt/live/domain.it/cert.pem
2018-05-13 01:18:29,780:DEBUG:certbot.ocsp:openssl ocsp -no_nonce -issuer /etc/letsencrypt/live/domain.it/chain.pem -cert /etc/letsencrypt/live/domain.it/cert.pem -url http://ocsp.int-x3.letsencrypt.org -CAfile /etc/letsencrypt/live/domain.it/chain.pem -verify_other /etc/letsencrypt/live/domain.it/chain.pem -trust_other -header Host ocsp.int-x3.letsencrypt.org

If I have guessed your domain correctly, the non-www version of your domain is pointing to a different set of IPs than the www version, possibly a URL redirector, which is not compatible with the TLS-SNI challenge.

TLS-SNI has been/is being disabled, please see IMPORTANT: What you need to know about TLS-SNI validation issues

As for what you need to do now, you could try:

certbot renew --preferred-challenges http
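As an added illustration (not code from this thread or from certbot itself), the script below parses a renewal file like the one pasted above, flags a configuration that may still be validated with tls-sni-01, and writes the pinned http-01 form. It assumes that `pref_challs` is the key certbot persists under `[renewalparams]` when `--preferred-challenges` is used, and that the apache authenticator of the certbot versions in this thread picked tls-sni-01 when no preference was pinned (as the log above shows); both are assumptions, and the sample file is a constructed copy of the thread's config with a placeholder account id.

```python
"""Check a certbot renewal config for the tls-sni-01 failure mode above."""
import configparser
import io

# Constructed sample mirroring /etc/letsencrypt/renewal/domain.it.conf from
# the thread; the account id is a placeholder, not a real value.
SAMPLE_CONF = """\
renew_before_expiry = 30 days
version = 0.21.1
archive_dir = /etc/letsencrypt/archive/domain.it
cert = /etc/letsencrypt/live/domain.it/cert.pem
privkey = /etc/letsencrypt/live/domain.it/privkey.pem
chain = /etc/letsencrypt/live/domain.it/chain.pem
fullchain = /etc/letsencrypt/live/domain.it/fullchain.pem
# Options used in the renewal process
[renewalparams]
authenticator = apache
installer = apache
account = ACCOUNT_ID_PLACEHOLDER
"""


def parse_renewal_conf(text):
    """Parse a renewal file. The keys that precede [renewalparams] have no
    section header, so a synthetic [cert] section is prepended for configparser."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string("[cert]\n" + text)
    return cp


def challenge_plan(cp):
    """Challenge types pinned via pref_challs (assumed key), in order; [] if unset."""
    raw = cp.get("renewalparams", "pref_challs", fallback="")
    return [c.strip() for c in raw.split(",") if c.strip()]


def uses_tls_sni(cp):
    """True when renewal may still use tls-sni-01: it is pinned explicitly, or
    nothing is pinned and the apache authenticator is in use (assumption: that
    plugin defaulted to tls-sni-01 in the certbot versions of this thread)."""
    challs = challenge_plan(cp)
    if challs:
        return "tls-sni-01" in challs
    return cp.get("renewalparams", "authenticator", fallback="") == "apache"


def pin_http01(cp):
    """Return config text with http-01 pinned, i.e. what
    `certbot renew --preferred-challenges http` is assumed to persist."""
    cp.set("renewalparams", "pref_challs", "http-01,")
    out = io.StringIO()
    cp.write(out)
    return out.getvalue().replace("[cert]\n", "", 1)  # drop synthetic header
```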

Thanks a lot _az!
It works fine!

Thanks again
Stefano
