Renew SSL Certificate

NEXT:      Sat 2022-04-23 05:03:26 +03   LEFT:   2h 25min left
LAST:      Fri 2022-04-22 16:09:23 +03   PASSED: 10h ago
UNIT:      certbot.timer                 ACTIVATES: certbot.service

This is what I found in the systemctl timers list... It is automatically trying for renewal, I think... So I will wait until the 29th or 30th of April... Then the result will come, if I am not wrong.

1 Like

Of course it is. I remembered my directives wrong.

4 Likes

There is no reason to wait. You can (and did) test it but it failed. It will continue to fail unless you fix it. Use this command to prove your fixes worked.

sudo certbot renew --dry-run

You can also try using this test site

Note to myself for later:
The live subdomain has never had a cert issued and has no DNS entry.
But, the press subdomain redirects to it at least in some cases.
5 Likes

Need your suggestion now: in our firewall only the HTTP and HTTPS ports are allowed. Do we need to allow any other port for renewal?

HTTP authenticated renewals will only require HTTP.
HTTPS should be allowed so that you can serve the secure site to the Internet (not "required" for renewals).
OR
If you redirect all HTTP to HTTPS, then you may be forcing HTTPS onto the renewal process.

3 Likes

I allow HTTP and HTTPS, but I am still not able to renew; I am getting the same error mentioned above.

Shown below is the error from above. Are you sure this is the exact error you get now?

Because your press.alwatan.com.sa domain cannot be reached. It would not be possible for it to redirect to the live.alwatan.com.sa site in the error message below.

The Let's Debug test site cannot reach your server. From my own server it looks like a firewall is blocking all access (curl times out, nmap shows filtered). Please show the error message you are getting from the renew --dry-run test now.

2 Likes

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/press.alwatan.com.sa.conf

Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for press.alwatan.com.sa
Waiting for verification...
Challenge failed for domain press.alwatan.com.sa
http-01 challenge for press.alwatan.com.sa
Cleaning up challenges
Attempting to renew cert (press.alwatan.com.sa) from /etc/letsencrypt/renewal/press.alwatan.com.sa.conf produced an unexpected error: Some challenges have failed.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/press.alwatan.com.sa/fullchain.pem (failure)

** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/press.alwatan.com.sa/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)

1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: press.alwatan.com.sa
    Type: connection
    Detail: 37.224.110.174: Fetching
    http://press.alwatan.com.sa/.well-known/acme-challenge/6w17B9AeU7Fq2dOSSjzFxuHLCAYW8n9n0eplgyx5x7I:
    Timeout during connect (likely firewall problem)

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you're using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

Are you sure that domain is pointing to your actual server? It looks like some kind of network apparatus from here:

% nmap press.alwatan.com.sa -Pn
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-27 15:58 CEST
Nmap scan report for press.alwatan.com.sa (37.224.110.174)
Host is up (0.082s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT    STATE  SERVICE
179/tcp closed bgp

Nmap done: 1 IP address (1 host up) scanned in 117.90 seconds
2 Likes

I must disagree.
As shown here:

curl -Ii http://press.alwatan.com.sa/
curl: (56) Recv failure: Connection reset by peer

curl -Ii https://press.alwatan.com.sa/
curl: (7) Failed to connect to press.alwatan.com.sa port 443: Connection timed out

Either:

  • you are not at the right IP ("37.224.110.174")
  • there is some other inline system(s) that are blocking HTTP and HTTPS access
2 Likes
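The replies above did the diagnosis by hand: curl against the challenge path (reset on 80, timeout on 443), nmap showing filtered ports, and the earlier note that http-01 only needs port 80 unless an HTTP-to-HTTPS redirect drags port 443 into the validation. The script below is an added example, not code from the thread or from certbot, that packages those external checks into one probe. It assumes a hypothetical script name (acme_probe.sh), takes the domain as an argument, and uses a placeholder token: an unknown token should come back 404, which still proves the validation server can reach the web server on port 80.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread. Reproduces the external checks the
# replies above ran by hand (curl against the ACME challenge path, a TCP probe
# of 80/443) and turns curl's outcome into a diagnosis. The token is a
# placeholder: an unknown token should return 404, which still proves that
# the validation server can reach the web server on port 80.
set -u

# Translate curl's exit code, the HTTP status and the final URL (after
# redirects) into a one-line diagnosis. A "tag:" prefix keeps it greppable.
# curl exit codes: 6 could not resolve, 7 failed to connect, 28 timed out,
# 56 receive failure (e.g. connection reset by peer), 0 transfer completed.
classify_probe() {
    local curl_rc="$1" http_code="$2" final_url="$3"
    case "$curl_rc" in
        6)    echo "dns-failure: name does not resolve; fix the A/AAAA record" ;;
        7|28) echo "unreachable: no TCP connection on port 80 (firewall, NAT or wrong IP)" ;;
        56)   echo "reset: connection reset by peer; something inline is killing HTTP" ;;
        0)
            case "$final_url" in
                https://*)
                    # http-01 validation follows redirects, so a redirect to
                    # HTTPS is fine only if port 443 is reachable as well.
                    echo "redirect-to-https: $http_code from $final_url; port 443 must be open as well" ;;
                *)
                    case "$http_code" in
                        200|404) echo "reachable: port 80 answers ($http_code) on the challenge path" ;;
                        *)       echo "reachable-but-$http_code: port 80 answers with $http_code; check the webroot/vhost" ;;
                    esac ;;
            esac ;;
        *)    echo "curl-error-$curl_rc: see 'man curl' for the exit code" ;;
    esac
}

# Fetch the challenge path over plain HTTP the way the validation server
# would (IPv4, follow redirects, short timeouts) and classify the result.
probe_acme_http() {
    local domain="$1" token="${2:-probe-token}" out rc
    out=$(curl -4 -s -o /dev/null -L --max-redirs 5 \
              --connect-timeout 10 --max-time 30 \
              -w '%{http_code} %{url_effective}' \
              "http://$domain/.well-known/acme-challenge/$token")
    rc=$?
    classify_probe "$rc" "${out%% *}" "${out#* }"
}

# Plain TCP connect test using bash's /dev/tcp, a cheap stand-in for nmap.
port_open() {   # port_open HOST PORT -> exit 0 if a connection can be made
    timeout 5 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Usage: ./acme_probe.sh press.example.com   (hypothetical script name)
if [ "$#" -gt 0 ]; then
    for d in "$@"; do
        printf '%s: %s\n' "$d" "$(probe_acme_http "$d")"
        for p in 80 443; do
            if port_open "$d" "$p"; then
                printf '  tcp/%s open\n' "$p"
            else
                printf '  tcp/%s filtered or closed\n' "$p"
            fi
        done
    done
fi
```

Run it from a host outside your own network, since the thread's problem is precisely that the server is reachable locally and not from abroad. A "reset" on port 80 together with a filtered 443, as in the curl and nmap output above, points at an inline device rather than the host firewall. If port 80 genuinely cannot be opened to the world, the dns-01 challenge suggested later in the thread needs no inbound connection at all (certbot: `--preferred-challenges dns` with a DNS plugin, or `--manual` for a hand-placed TXT record).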

I already allowed HTTPS and HTTP, and I can access press.alwatan.com.sa from outside (but it includes more links)... But I don't know where it's stuck...

1 Like

Wait a second, does .sa mean South Africa or Saudi Arabia?

Is it possible some firewall you don't control and can't control is interfering somewhat with any connections from foreign countries?

2 Likes

Saudi Arabia. South Africa is .za

Good point about external firewall. My nmap from US gave same result as yours. Looks like a network device (bgp).

They got a Let's Encrypt cert in Feb 2022 though

2 Likes

Is the government there a Palo Alto customer? :smiling_imp:

1 Like

Who knows :slight_smile: If we can ever reach the domain we can check the acme challenge path

@shahjs2002 Can you check the public IP of your server. Show us result of this:

curl -4 http://ifconfig.co
3 Likes

37.224.110.174 is my public IP address. I used the above-mentioned command and it gives me the same.

1 Like

But it was working and automatically renewed on 28 Feb; now it will expire again on 29 May...

Not valid before: 2022-02-28T14:40:05
Not valid after: 2022-05-29T14:40:04

You might want to try using the dns-01 challenge.

1 Like

I don't know how to use it. Can you guide me?

Wow, you figured that out after just 2 minutes of researching, reading and learning all there is to know about the dns-01 challenge?

2 Likes