Renewal fails and stops Apache

#1

Hello,

Can someone please explain this on Ubuntu with Apache:

Feb  3 00:24:41 ns3011870 certbot[20120]: Attempting to renew cert (elforosecreto.com) from /etc/letsencrypt/renewal/elforosecreto.com.conf produced an unexpected error: Failed authorization procedure. www.elforosecreto.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Timeout during read (your server may be slow or overloaded). Skipping.
Feb  3 00:24:48 ns3011870 certbot[20120]: All renewal attempts failed. The following certs could not be renewed:
Feb  3 00:24:48 ns3011870 certbot[20120]:   /etc/letsencrypt/live/elforosecreto.com/fullchain.pem (failure)
Feb  3 00:24:48 ns3011870 certbot[20120]: 1 renew failure(s), 0 parse failure(s)
Feb  3 00:24:48 ns3011870 systemd[1]: certbot.service: Main process exited, code=exited, status=1/FAILURE
Feb  3 00:24:48 ns3011870 systemd[1]: Failed to start Certbot.
Feb  3 00:24:48 ns3011870 systemd[1]: certbot.service: Unit entered failed state.
Feb  3 00:24:48 ns3011870 systemd[1]: certbot.service: Failed with result 'exit-code'.
Feb  3 00:25:01 ns3011870 CRON[20167]: (root) CMD (/usr/local/rtm/bin/rtm 3 > /dev/null 2> /dev/null)
Feb  3 00:25:04 ns3011870 apache2[20212]:  * Stopping Apache httpd web server apache2
Feb  3 00:25:04 ns3011870 apache2[20212]:  *

The certificate can’t be renewed and it stops Apache.

Is that normal?

Today I ran certbot renew manually and it worked perfectly.

Thanks

#2

Hi @fernandoch

First, it looks like a temporary problem, a timeout of your server. But you use tls-sni validation; this is deprecated, support ends 2019-02-13 / 03-13. So you should switch to another validation method.

Your main configuration is ok, port 80 is open, redirects http -> https are ok, Letsencrypt follows these redirects. So you should be able to use http-01 validation.

You have a new certificate, so you can wait two months.

Perhaps update your Certbot, check the version with

certbot --version

#3

And is it normal to shut down the Apache server?

#4

It’s a side effect of using tls-sni-01 validation. That requires port 443.

If you use http-01 validation, you can use your running webserver without interruption.
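The two replies above (#2 and #4) describe how a defender would recognise this situation: a failed authorization in the certbot log that names the challenge type, the web server being stopped because a port-443 challenge was used, and a renewal config that still prefers tls-sni-01. The script below is an added example, not code from the thread or from the Certbot project; it works on constructed log lines modelled on the ones posted and on a constructed renewal config, and it assumes the standard certbot renewal-config layout in which a preferred challenge is recorded under the `pref_challs` key.

```shell
#!/bin/sh
# Added example (not from the thread). Three checks for a certbot host:
#  1. pull "<cert> <challenge-type>" out of failed-authorization log lines,
#  2. detect that the web server was stopped during renewal (the side effect
#     of a challenge that needs port 443),
#  3. flag a renewal config that still prefers the deprecated tls-sni-01.
# The log text and the renewal config below are constructed samples.

# Constructed sample log, shaped like the journal lines in the thread.
SAMPLE_LOG='Feb  3 00:24:41 ns3011870 certbot[20120]: Attempting to renew cert (elforosecreto.com) from /etc/letsencrypt/renewal/elforosecreto.com.conf produced an unexpected error: Failed authorization procedure. www.elforosecreto.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Timeout during read (your server may be slow or overloaded). Skipping.
Feb  3 00:24:48 ns3011870 certbot[20120]: All renewal attempts failed. The following certs could not be renewed:
Feb  3 00:24:48 ns3011870 certbot[20120]:   /etc/letsencrypt/live/elforosecreto.com/fullchain.pem (failure)
Feb  3 00:24:48 ns3011870 systemd[1]: certbot.service: Main process exited, code=exited, status=1/FAILURE
Feb  3 00:25:04 ns3011870 apache2[20212]:  * Stopping Apache httpd web server apache2'

# failed_authorizations: read log text on stdin, print one line per failed
# authorization in the form "<cert name> <challenge type>".
failed_authorizations() {
    sed -n 's/.*Attempting to renew cert (\([^)]*\)).*Failed authorization procedure\. [^ ]* (\([a-z0-9-]*\)).*/\1 \2/p'
}

# webserver_stopped: read log text on stdin, succeed if Apache was stopped.
webserver_stopped() {
    grep -q 'Stopping Apache httpd web server'
}

# renewal_uses_tls_sni: succeed if the renewal config file $1 prefers the
# deprecated tls-sni-01 challenge (certbot stores this under pref_challs).
renewal_uses_tls_sni() {
    grep -Eq '^[[:space:]]*pref_challs[[:space:]]*=.*tls-sni-01' "$1"
}

# write_sample_renewal_conf: write a constructed renewal config to file $1,
# resembling /etc/letsencrypt/renewal/<domain>.conf with a tls-sni preference.
write_sample_renewal_conf() {
    cat > "$1" <<'EOF'
# renew_before_expiry = 30 days
cert = /etc/letsencrypt/live/example.com/cert.pem
[renewalparams]
authenticator = apache
installer = apache
pref_challs = tls-sni-01,
EOF
}

main() {
    echo "== failed authorizations (cert, challenge) =="
    printf '%s\n' "$SAMPLE_LOG" | failed_authorizations

    if printf '%s\n' "$SAMPLE_LOG" | webserver_stopped; then
        echo "Apache was stopped during renewal: a port-443 (tls-sni-01) challenge is the likely cause"
    fi

    conf=$(mktemp)
    write_sample_renewal_conf "$conf"
    if renewal_uses_tls_sni "$conf"; then
        echo "renewal config prefers tls-sni-01; test a switch with: certbot renew --preferred-challenges http --dry-run"
    fi
    rm -f "$conf"
}

main
```

Pointing the same functions at the real journal (`journalctl -u certbot`) and at the real files under /etc/letsencrypt/renewal/ turns this into a simple pre-deadline audit: any config that still prefers tls-sni-01 needs to move to http-01 before support ends.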

#5

If I update certbot, everything will be ok?

#6

I don’t know. You may have a certbot that is too old, or a buggy configuration. Or you change something in the next weeks that makes your configuration buggy.

#7

I just have the default ppa package.
