Renewal attempts failed


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
mail.spacetux.net

I ran this command:
certbot renew

It produced this output:
Attempting to renew cert (mail.spacetux.net) from /etc/letsencrypt/renewal/mail.spacetux.net.conf produced an unexpected error: Failed authorization procedure. mail.spacetux.net (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 163096d7af3f4817d0a7172855b0696a.52084125ce5aa8d8fee9d1d3b6375a78.acme.invalid from 96.248.104.29:443. Received 2 certificate(s), first certificate had names “jenkins.spacetux.net”. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/mail.spacetux.net/fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/mail.spacetux.net/fullchain.pem (failure)

1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: mail.spacetux.net
    Type: unauthorized
    Detail: Incorrect validation certificate for tls-sni-01 challenge.
    Requested
    163096d7af3f4817d0a7172855b0696a.52084125ce5aa8d8fee9d1d3b6375a78.acme.invalid
    from 96.248.104.29:443. Received 2 certificate(s), first
    certificate had names “jenkins.spacetux.net”

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

My web server is (include version):
Apache 2.4

The operating system my web server runs on is (include version):
Centos 7

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No


#2

Hi,

This error is due to the TLS-SNI-01 challenge… (and it would have some issues when they are edited by certbot… I guess it’s because the certificate is not in the “expected” position in certbot files)

certbot renew --preferred-challenges http-01

Thank you


#3

Thank you. I need to wait until tomorrow to do this, I apparently did too many today.


#4

Are you sure? I tried connecting to mail.spacetux.net and the service on port 443 claims to be nginx.

Port 80 doesn’t seem to respond at all - you probably need to open it in your firewall if you want to use stevenzhu’s suggestion. If you originally obtained a certificate using certbot’s apache or nginx plugins, it will try to use the same server to answer the challenge on port 80, so that server will need to be able to receive connections there.

The failed validation limit is hourly, not daily.


#5

I see what’s going on.
I have two servers in this network:

Jenkins, running nginx and listening on 443
netfiles, running apache, and temporarily listening on 80

It is netfiles I’m having the problem with. I’ve updated it to listen on 80, and was able to get the certificate updated.
But, I don’t like leaving 80 open, so, is there a specific IP or range of IPs which will do the challenge, so I can restrict what comes to the server at the firewall?


#6

No, whitelisting IPs is explicitly an unsupported configuration. There aren’t really any issues leaving 80 open, particularly if you configure whatever is listening on 80 to serve redirects to 443. In fact, that’s arguably a more secure configuration.


#7

As @jared.m says, using port 80 to serve only a redirect to port 443 is generally safe and a good idea.

https://scotthelme.co.uk/why-closing-port-80-is-bad-for-security/

But if you really don’t want to do that for some reason, there is a possible alternative: if you’re comfortable with temporarily opening port 80 (and with writing simple shell scripts), you can put scripts in the pre and post directories under /etc/letsencrypt/renewal-hooks/ to open and close the port before and after any renewal attempt.
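One way to set up those pre/post hooks, as an added example that is not part of this thread or of certbot itself: the script below writes two small hook scripts that open TCP/80 in firewalld (the default firewall on the poster's CentOS 7) before a renewal attempt and remove it again afterwards. The hook directory, the hook file names and the use of firewalld are assumptions; swap the two firewall commands if you run iptables or another firewall.

```shell
#!/bin/sh
# Added example (not from the thread): generate certbot pre/post renewal hooks
# that open TCP/80 in firewalld before a renewal attempt and close it afterwards.
# Assumes CentOS 7 with firewalld; the two commands below are the only part
# tied to that firewall.

# Runtime-only changes (no --permanent), so a reboot or a firewalld reload
# never leaves port 80 open if the post hook somehow does not run.
open_cmd()  { printf '%s\n' 'firewall-cmd --add-port=80/tcp'; }
close_cmd() { printf '%s\n' 'firewall-cmd --remove-port=80/tcp'; }

# write_hook DIR NAME COMMAND : write DIR/NAME as an executable hook script.
write_hook() {
  dir="$1"; name="$2"; cmd="$3"
  mkdir -p "$dir"
  {
    printf '#!/bin/sh\n'
    printf '# certbot %s hook (generated): %s\n' "$name" "$cmd"
    printf 'set -e\n'
    printf '%s\n' "$cmd"
  } > "$dir/$name"
  chmod 0755 "$dir/$name"
}

# install_hooks ROOT : create ROOT/pre/open-port-80.sh and
# ROOT/post/close-port-80.sh. certbot runs everything in ROOT/pre before a
# renewal attempt and everything in ROOT/post after it, whether or not the
# renewal succeeded, so the port is closed again even on a failed attempt.
install_hooks() {
  root="$1"
  write_hook "$root/pre"  open-port-80.sh  "$(open_cmd)"
  write_hook "$root/post" close-port-80.sh "$(close_cmd)"
}

# hook_ok FILE : succeeds if FILE is executable and carries a firewall-cmd line.
hook_ok() {
  [ -x "$1" ] && grep -q '^firewall-cmd ' "$1"
}

# Usage: sh this-script.sh /etc/letsencrypt/renewal-hooks   (as root)
if [ $# -gt 0 ]; then
  install_hooks "$1"
  hook_ok "$1/pre/open-port-80.sh" && hook_ok "$1/post/close-port-80.sh" \
    && echo "hooks installed under $1"
fi
```

After installing, `certbot renew --dry-run` exercises the hooks end to end; check with `firewall-cmd --list-ports` that 80/tcp is gone again once it finishes.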


#8

I’ve taken care of it by adding some simple pages to be displayed. Try going to: http://mail.spacetux.net

Thank you for your help


#9

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.