Renewal fails and stops Apache

fernandoch · February 3, 2019, 9:24am

Hello,

Can someone please explain this on Ubuntu with Apache:

Feb  3 00:24:41 ns3011870 certbot[20120]: Attempting to renew cert (elforosecreto.com) from /etc/letsencrypt/renewal/elforosecreto.com.conf produced an unexpected error: Failed authorization procedure. www.elforosecreto.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Timeout during read (your server may be slow or overloaded). Skipping.
Feb  3 00:24:48 ns3011870 certbot[20120]: All renewal attempts failed. The following certs could not be renewed:
Feb  3 00:24:48 ns3011870 certbot[20120]:   /etc/letsencrypt/live/elforosecreto.com/fullchain.pem (failure)
Feb  3 00:24:48 ns3011870 certbot[20120]: 1 renew failure(s), 0 parse failure(s)
Feb  3 00:24:48 ns3011870 systemd[1]: certbot.service: Main process exited, code=exited, status=1/FAILURE
Feb  3 00:24:48 ns3011870 systemd[1]: Failed to start Certbot.
Feb  3 00:24:48 ns3011870 systemd[1]: certbot.service: Unit entered failed state.
Feb  3 00:24:48 ns3011870 systemd[1]: certbot.service: Failed with result 'exit-code'.
Feb  3 00:25:01 ns3011870 CRON[20167]: (root) CMD (/usr/local/rtm/bin/rtm 3 > /dev/null 2> /dev/null)
Feb  3 00:25:04 ns3011870 apache2[20212]:  * Stopping Apache httpd web server apache2
Feb  3 00:25:04 ns3011870 apache2[20212]:  *

The certificate can’t be renewed and it stops Apache.

Is that normal?

Today I run certbot renew manually and it works perfectly.

Thanks

JuergenAuer · February 3, 2019, 9:45am

Hi @fernandoch

first, it looks like a temporary problem, a timeout of your server. But you use tls-sni - validation, this is deprecated, support ends 2019-02-13 / 03-13. So you should switch to another validation method.

Your main configuration is ok, port 80 is open, redirects http -> https are ok, Letsencrypt follows these redirects. So you should be able to use http-01 - validation.

You have a new certificate, so you can wait two months.

Perhaps update your Certbot, check the version with

certbot --version

fernandoch · February 3, 2019, 10:51am

And it is normal to shutdown the Apache server?

JuergenAuer · February 3, 2019, 11:19am

It's a side effect using tls-sni-01 - validation. That requires port 443.

If you use http-01 - validation, you can use your running webserver without interruption.

fernandoch · February 3, 2019, 12:13pm

If I update certbot, everything will be ok?

JuergenAuer · February 3, 2019, 12:39pm

I don’t know. You may have a too old certbot, a buggy configuration. Or you change something in the next weeks that makes your configuration buggy.

fernandoch · February 3, 2019, 2:34pm

I just have the default ppa package.

system · March 5, 2019, 2:34pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Renewal failure ubuntu 18.04 apache Help	3	838	December 17, 2019
Auto renew fails for Apache + Ubuntu + certbot 0.31.0 Help	6	1898	November 30, 2021
Renewal problems after upgrading certbot Help	13	1884	March 18, 2019
Certbot Renew Fails The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet Help	8	2100	May 18, 2024
Certbot - Hard Coded URL Rewrite Means HTTP-01 Challenge Fails on Apache Server	25	8032	June 11, 2017

Renewal fails and stops Apache

Related topics