Renewal failed after restoring instance

Hi guys.

I restored a previous instance of my aws server yesterday and now it is not renewing the cert. I never had this before.

I looked in the renewal directory and the conf file in there, is the webroot stanza dynamically generated? I don’t remember putting the cdn.grabaguru.com in there.

Anyway, I did not do anything out of the ordinary so not sure why it’s balking. Should I turn CloudFront off? For some reason it’s failing and denying there. I invalidated everything there as well but no dice yet.

My domain is: grabaguru.com

I ran this command:

It produced this output:
[ec2-user@www renewal]$ /opt/letsencrypt/letsencrypt-auto --no-bootstrap renew

Requesting to rerun /opt/letsencrypt/letsencrypt-auto with root privileges…

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/grabaguru.com.conf


Cert is due for renewal, auto-renewing…

Plugins selected: Authenticator webroot, Installer None

Renewing an existing certificate

Performing the following challenges:

http-01 challenge for cdn.grabaguru.com

Waiting for verification…

Challenge failed for domain cdn.grabaguru.com

http-01 challenge for cdn.grabaguru.com

Cleaning up challenges

Attempting to renew cert (grabaguru.com) from /etc/letsencrypt/renewal/grabaguru.com.conf produced an unexpected error: Some challenges have failed… Skipping.

All renewal attempts failed. The following certs could not be renewed:

/etc/letsencrypt/live/grabaguru.com/fullchain.pem(failure)


All renewal attempts failed. The following certs could not be renewed:

/etc/letsencrypt/live/grabaguru.com/fullchain.pem(failure)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: cdn.grabaguru.com

    Type: unauthorized

    Detail: Invalid response from

http://cdn.grabaguru.com/.well-known/acme-challenge/H2q4oVhACboi_-nw7TbnkQCXkgrwmXGkOQ2_t19vMyc

[2600:9000:2038:4c00:1d:b292:12c0:93a1]: "<!DOCTYPE HTML PUBLIC

"-//W3C//DTD HTML 4.01 Transitional//EN"

"http://www.w3.org/TR/html4/loose.dtd">\n<META

HTTP-EQ"

To fix these errors, please make sure that your domain name was

entered correctly and the DNS A/AAAA record(s) for that domain

contain(s) the right IP address.

My web server is (include version): http2

The operating system my web server runs on is (include version): Amazon linux

My hosting provider, if applicable, is: Aws

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
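The post asks whether the webroot stanza in the renewal conf is generated automatically. It is: certbot writes the `[[webroot_map]]` subsection at issuance time, listing every name on the certificate together with the directory it was told to use, and on `renew` it runs an http-01 challenge for each of those names. The script below is an added example (not certbot's code and not the poster's real file) that reads a constructed renewal conf in that layout, lists the names that will be challenged, and checks that each mapped webroot exists and is writable, since certbot must create `.well-known/acme-challenge/<token>` under it. The file contents and paths are constructed for the demo.

```python
"""Inspect a certbot renewal conf: which names get an http-01 challenge on
renew, and can the challenge file actually be written into their webroot?
Added example; SAMPLE_CONF is constructed in certbot's renewal-conf layout."""
import os
import re
import tempfile

# Constructed sample: a top-level key/value block, a [renewalparams] section
# and, for the webroot authenticator, a nested [[webroot_map]] subsection.
SAMPLE_CONF = """\
# renew_before_expiry = 30 days
version = 0.31.0
archive_dir = /etc/letsencrypt/archive/example.com
cert = /etc/letsencrypt/live/example.com/cert.pem
privkey = /etc/letsencrypt/live/example.com/privkey.pem
chain = /etc/letsencrypt/live/example.com/chain.pem
fullchain = /etc/letsencrypt/live/example.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = webroot
installer = None
account = 0123456789abcdef0123456789abcdef
webroot_path = /var/www/html,
[[webroot_map]]
example.com = /var/www/html
cdn.example.com = /var/www/html
"""

# Matches "[section]" and "[[subsection]]" headers.
_SECTION = re.compile(r"^(\[+)([A-Za-z0-9_]+)\]+\s*$")


def parse_renewal_conf(text):
    """Return (top_level, renewalparams, webroot_map) as plain dicts.
    The nested [[webroot_map]] is flattened into its own dict."""
    top, params, webroot_map = {}, {}, {}
    known = {"renewalparams": params, "webroot_map": webroot_map}
    current = top
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _SECTION.match(line)
        if m:
            current = known.get(m.group(2), {})  # unknown sections are ignored
            continue
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip()
    return top, params, webroot_map


def challenged_names(text):
    """Names certbot will challenge on renew: the webroot_map keys, which
    certbot wrote at issuance time for every name on the certificate."""
    _, params, webroot_map = parse_renewal_conf(text)
    if params.get("authenticator") != "webroot":
        return {}
    return dict(webroot_map)


def check_webroots(webroot_map):
    """Return the names whose webroot is missing or not writable."""
    return [name for name, path in webroot_map.items()
            if not (os.path.isdir(path) and os.access(path, os.W_OK))]


def demo():
    """Parse the constructed conf, then check one real and one missing webroot."""
    names = challenged_names(SAMPLE_CONF)
    with tempfile.TemporaryDirectory() as good:
        mapping = dict(names)
        mapping["example.com"] = good                         # writable
        mapping["cdn.example.com"] = os.path.join(good, "no")  # does not exist
        missing = check_webroots(mapping)
    return names, missing


if __name__ == "__main__":
    names, missing = demo()
    print("names to be challenged:", sorted(names))
    print("names whose webroot is unusable:", missing)
```

A name that appears in the map but is served by a proxy or CDN in front of the origin is the one to look at first when renewal fails: the challenge file is written to the origin's webroot, but the CA fetches it through whatever answers for that hostname.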

Hi @atv2016

Checking your subdomain ( https://check-your-website.server-daten.de/?q=cdn.grabaguru.com ): that can’t work.

There are tons of Bad Gateway - results (http status 502).

Visible Content: ERROR: The request could not be satisfied 502 ERROR The request could not be satisfied. CloudFront wasn’t able to connect to the origin. If you received this error while trying to use an app or access a website, please contact the provider or website owner for assistance. If you provide content to customers through CloudFront, you can find steps to troubleshoot and help prevent this error by following steps in the CloudFront documentation ( https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/http-502-bad-gateway.html ). Generated by cloudfront (CloudFront) Request ID: agVO8mIjfDAfbZyGEpMTe0N7ohyzxpnhWo646FtnYUE-XCSb4conQw==

If you want to use Cloudflare, you must have a working certificate.

So

  • deactivate Cloudflare, recheck your domain (http status 404 should be visible), install the certificate, then activate Cloudflare (or)
  • create one certificate with dns-01 and --manual, that should always work. Then install this.

It’s cloudfront, not cloudflare :slightly_smiling_face:

Weird. I’ll try the first option i guess. I’ll log something with AWS support as well, maybe something got messed up on the cloudfront side. I did not do anything other than terminating my instance and restoring an older one.

I didn’t realize that check your website is yours, that’s pretty cool.

What do you mean by option 2, is that installing a completely new certificate? That would be my other thing i would pursue, but probably this is more of a cloudfront issue and the issue still wouldn’t be fixed.

What could possibly cause cloudfront to act like this i wonder.

I don’t use both, but good to know - thanks.

That can’t work if Cloudfront requires a working certificate and if the old certificate is already expired.

Thanks. I’ve started the tool because of the problems in this forum. Manually checking such things is impossible (different ip addresses, different urls, redirects, certificates etc.). So it saves my time to find such problems and answers.

Well cloudfront uses its own cert. For some reason if i connect to the cdn.grabaguru.com it says cloudfront can’t connect to the origin.

That is really strange. If i check only the grabaguru.com domain with your tool, it shows me the dynadot servers in red. Is that something i should worry about? Maybe the two are correlated?

So i’m thinking cloudfront is denying it and failing to connect to the origin (i.e. grabaguru.com) (as per the message from cloudfront on going to https://cdn.grabaguru.com) because the origin is giving it an old certificate/keychain.

How do i circumvent this? How do i remove the old certificate, would that resolve it? Or how do i take the cdn out of the equation? Do i remove the domain from the webroot stanza in the renewal file? Or would just turning off cloudfront do the trick?

I really appreciate your help with this, right now my site is offline and i’d like to get it back up asap.
Thanks a lot Juergen.

No, that’s not relevant. These are only a lot of name server errors:

X	Fatal error: Nameserver isn't defined or has timeout
X	Fatal error: Nameserver doesn't support TCP connection: ns1.dynadot.com: Fatal error - no NameServer IP-Address or connection. Details: One or more errors occurred. - No connection could be made because the target machine actively refused it 52.34.35.173:53
X	Fatal error: Nameserver doesn't support TCP connection: ns1.dynadot.com / 52.26.28.15: Fatal error - no NameServer IP-Address or connection. Details: One or more errors occurred. - No connection could be made because the target machine actively refused it 52.26.28.15:53
X	Fatal error: Nameserver doesn't support TCP connection: ns1.dynadot.com / 52.34.35.173: Fatal error - no NameServer IP-Address or connection. Details: One or more errors occurred. - No connection could be made because the target machine actively refused it 52.34.35.173:53
X	Fatal error: Nameserver doesn't support TCP connection: ns1.dynadot.com / 52.35.76.183: Fatal error - no NameServer IP-Address or connection. Details: One or more errors occurred. - No connection could be made because the target machine actively refused it 52.35.76.183:53
X	Fatal error: Nameserver doesn't support TCP connection: ns1.dynadot.com / 52.36.53.176: Fatal error - no NameServer IP-Address or connection. Details: One or more errors occurred. - No connection could be made because the target machine actively refused it 52.36.53.176:53
X	Fatal error: Nameserver doesn't support TCP connection: ns2.dynadot.com / 52.71.195.14: Fatal error - no NameServer IP-Address or connection. Details: One or more errors occurred. - No connection could be made because the target machine actively refused it 52.71.195.14:53
X	Fatal error: Nameserver doesn't support TCP connection: ns2.dynadot.com / 52.72.130.79: Fatal error - no NameServer IP-Address or connection. Details: One or more errors occurred. - No connection could be made because the target machine actively refused it 52.72.130.79:53
X	Fatal error: Nameserver doesn't support TCP connection: ns2.dynadot.com / 52.72.200.98: Fatal error - no NameServer IP-Address or connection. Details: One or more errors occurred. - No connection could be made because the target machine actively refused it 52.72.200.98:53
X	Fatal error: Nameserver doesn't support TCP connection: ns2.dynadot.com / 52.73.101.236: Fatal error - no NameServer IP-Address or connection. Details: One or more errors occurred. - No connection could be made because the target machine actively refused it 52.73.101.236

Not good, but these are not connection problems of your website.

As written - Cloudflare may use the same logic as Cloudfront: A working certificate is required, your certificate doesn’t work -> that crashes.

Replace Cloudflare -> Cloudfront.

Ok thanks Juergen.

Issues like this shouldn’t happen though, just because i restore an older copy of a server (maybe 40 days older).

But that’s the problem.

You restore an older Letsencrypt certificate, that’s now invalid. So such a proxy system can’t connect to your domain, which is required to use http-01 validation to create a new certificate.

Just to update in case anyone had this problem. I set in CloudFront, origins and origin groups, origin protocol to http instead of “match viewer” or “https”. Then a regular cert renewal on the server and voila, the problem was solved.

Cert is due for renewal, auto-renewing…

Plugins selected: Authenticator webroot, Installer None

Renewing an existing certificate

Performing the following challenges:

http-01 challenge for cdn.grabaguru.com

Waiting for verification…

Cleaning up challenges


new certificate deployed without reload, fullchain is

/etc/letsencrypt/live/grabaguru.com/fullchain.pem



Congratulations, all renewals succeeded. The following certs have been renewed:

/etc/letsencrypt/live/grabaguru.com/fullchain.pem (success)

Thanks again for your help Juergen.
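The failure in this thread is a validation-path problem, not a certbot problem: the token was written to the origin's webroot, but the CA fetched it through an edge that answered with its own HTML error page. That class of fault can be caught before contacting the CA (each failed validation also counts against the CA's failed-validation rate limit). The script below is an added example, not certbot's code: it places a token in a webroot the way the webroot plugin does, fetches it over plain HTTP as a validator would, and classifies the response. Two local servers stand in for the real hosts: one serves the webroot directly (the origin), the other always returns a 502 HTML page (a proxy that cannot reach its origin). Hostnames, ports and the error-page text are constructed for the demo.

```python
"""Offline http-01 pre-flight: write a token into a webroot, fetch it over
HTTP, and say what came back. Added example; the two servers below are
stand-ins for the origin and for a proxy that cannot reach the origin."""
import http.server
import os
import secrets
import tempfile
import threading
import urllib.error
import urllib.request
from functools import partial

CHALLENGE_DIR = ".well-known/acme-challenge"


def place_token(webroot):
    """Create webroot/.well-known/acme-challenge/<token> containing the token,
    which is what certbot's webroot plugin does for each name."""
    token = secrets.token_urlsafe(32)
    path = os.path.join(webroot, *CHALLENGE_DIR.split("/"))
    os.makedirs(path, exist_ok=True)
    with open(os.path.join(path, token), "w") as fh:
        fh.write(token)
    return token


def fetch(url):
    """Return (status, body); HTTP error statuses are returned, not raised."""
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read().decode("utf-8", "replace")


def classify(status, body, token):
    """Map a response to the failure class a renewal log would show."""
    if status == 200 and body.strip() == token:
        return "ok"
    if status == 502:
        return "proxy-cannot-reach-origin"
    if "<html" in body.lower() or body.lstrip().lower().startswith("<!doctype"):
        return "html-instead-of-token"
    return "unexpected"


def preflight(host_port, webroot):
    """Place a fresh token, then fetch it via host_port and classify."""
    token = place_token(webroot)
    status, body = fetch(f"http://{host_port}/{CHALLENGE_DIR}/{token}")
    return classify(status, body, token)


class QuietFileHandler(http.server.SimpleHTTPRequestHandler):
    """Serves the webroot directory; stands in for the origin web server."""
    def log_message(self, *args):
        pass


class BrokenProxyHandler(http.server.BaseHTTPRequestHandler):
    """Stands in for a CDN edge whose origin is unreachable: every request
    gets a 502 with an HTML body, never the token (constructed page text)."""
    def do_GET(self):
        body = (b"<!DOCTYPE HTML><html><body>ERROR: The request could not be "
                b"satisfied. 502 ERROR</body></html>")
        self.send_response(502)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass


def serve(handler):
    """Start a server on an ephemeral loopback port in a daemon thread."""
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def demo():
    """Run the pre-flight against the origin stand-in and the broken proxy."""
    with tempfile.TemporaryDirectory() as webroot:
        origin = serve(partial(QuietFileHandler, directory=webroot))
        proxy = serve(BrokenProxyHandler)
        try:
            return {
                "origin": preflight("127.0.0.1:%d" % origin.server_address[1], webroot),
                "broken_proxy": preflight("127.0.0.1:%d" % proxy.server_address[1], webroot),
            }
        finally:
            origin.shutdown()
            proxy.shutdown()


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Against a real deployment the `host_port` would be the public hostname from the renewal conf, so the request traverses the same CDN or proxy the CA's validator will use; a result other than `ok` means fixing the path (here, the origin protocol setting) before running `renew` again.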

