Renewal fails on existing letsencrypt certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: example.com

I ran this command:
export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin; export LANG=C.UTF-8; /usr/bin/certbot renew 2>&1

It produced this output:
saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/examplecert3.conf


Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for example.com
Waiting for verification...
Challenge failed for domain example.com
Cleaning up challenges
Attempting to renew cert (examplecert3) from /etc/letsencrypt/renewal/examplecert3.conf produced an unexpected error: Challenges failed for all domains. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/examplecert3/fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/examplecert3/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)
Done...

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Hi @msegal

First, the exact error message is missing. A complete log is required.

But second: checking your domain, there is a redirect http -> https. But https doesn't answer, so validating your domain can't work.

May be a firewall.

Additional:

D:\temp>download http://example.com/.well-known/acme-challenge/1234 -h
Connection: keep-alive
Strict-Transport-Security: max-age=15768000; includeSubdomains
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:;
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Length: 178
Content-Type: text/html
Date: Sat, 31 Oct 2020 16:36:02 GMT
Location: https://example.com:443/.well-known/acme-challenge/1234
Server: nginx

Status: 301 MovedPermanently

Such a redirect is always wrong. Never include the standard port 80 or 443 in a redirect location.

But that's not a problem creating a certificate. The timeout port 443 is the problem.

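As an added diagnostic (not part of the thread and not certbot's own code): a small Python check that parses a header dump like the one above and flags the two conditions discussed here, a default port written into the Location header and a redirect target that does not accept connections. The sample response is constructed from the headers quoted above, and the reachability probe is a plain TCP connect.

```python
"""Pre-flight check for a webroot/http-01 renewal: inspect the response to the
challenge URL and report the conditions discussed in this thread (redirect
to https, default port in Location, target port not answering)."""
import socket
from urllib.parse import urlsplit

# Constructed sample: the header dump quoted in the thread, reduced to the relevant lines.
SAMPLE_RESPONSE = """\
Content-Type: text/html
Location: https://example.com:443/.well-known/acme-challenge/1234
Server: nginx

Status: 301 MovedPermanently
"""

def parse_headers(text):
    """Turn 'Name: value' lines into a dict; lines without a colon are skipped."""
    headers = {}
    for line in text.splitlines():
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip()] = value.strip()
    return headers

def port_open(host, port, timeout=3.0):
    """True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def analyze_redirect(headers, probe=port_open):
    """Return human-readable findings; an empty list means the redirect is fine."""
    findings = []
    location = headers.get("Location")
    if not headers.get("Status", "").startswith(("301", "302", "307", "308")) or not location:
        return findings  # not a redirect: nothing to diagnose here
    parts = urlsplit(location)
    if parts.port in (80, 443):
        findings.append(f"Location names the default port {parts.port}: {location}")
    target_port = parts.port or (443 if parts.scheme == "https" else 80)
    if not parts.path.startswith("/.well-known/acme-challenge/"):
        findings.append("redirect leaves the ACME challenge path, so the token cannot be found")
    if not probe(parts.hostname, target_port):  # the thread's actual root cause: 443 closed
        findings.append(f"{parts.hostname}:{target_port} does not accept connections")
    return findings

if __name__ == "__main__":
    for finding in analyze_redirect(parse_headers(SAMPLE_RESPONSE)):
        print("finding:", finding)
```

Run it from the renewing host; a finding about the target port means the http-01 validation will time out the same way certbot did above.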
Thanks for the response. Where do you see the redirect? I don't have that set up anywhere.

That's a redirect. Looking at all the headers provided by nginx, to me it looks like the web software running "behind" nginx is calling the shots here, not nginx itself.

OK - can you check if it's still redirecting?

The redirect is gone now.

OK - now I was able to renew the certificate.
Many thanks! The redirect was the reason.
Maybe it would be useful if Letsencrypt writes an error message into the log stating that
"there is a port redirect in place and therefore the renewal cannot proceed".

The redirect is a setting on my server, so anyone that tries to use the domain via 80 is forced into encrypted traffic via 443.

No, the redirect isn't a problem. Letsencrypt follows such redirects and it's helpful to use one domain to validate a lot of other domains.

The non-working https was the problem.

PS: Normally, webroot + a redirect http -> https is a wonderful solution.

The redirect was just a part of the problem: the fact your webserver doesn't answer on port 443 was the main reason. The Let's Encrypt validation server can't present an error message for every different situation. A little bit of investigation is always required by the user.

Without port 443 open there's no traffic at all, encrypted or otherwise. Your site is down in such a situation.

When the redirect is a setting of the server (behind a firewall), do you think I still need to open 443 on the firewall?

I'm not really following. The redirect isn't something just locally on your server. A redirect is a specific "command" to the client, i.e., the user. It tells the user to connect from their location (anywhere on the globe) to reconnect to your site, but now on port 443 (using HTTPS). Why would you think closing down port 443 would work?

OK - I got it now.
I thought redirect means the server just redirects any traffic from p80 -> p443.
But what you are saying above makes sense.
Thank you for your help.

If that were the case, the client would still connect to your server through HTTP on port 80, oblivious to the HTTPS on port 443.

OK. Why is the letsencrypt certificate only valid for 3 months? Is it not possible to have this for longer?

Please read this news post: Why ninety-day lifetimes for certificates? - Let's Encrypt (Which you could have found through the FAQ question and answer for What is the lifetime for Let’s Encrypt certificates? For how long are they valid?.)

No. (Which is also answered in the FAQ linked above.)

OK - the FAQ mentioned renewal after 60 days. What is the earliest I can renew? When I try to renew now, there is an error message that the certificate has not yet expired. Will I not get the same error after 60 days?

You can renew whenever you want (within the limits of the rate limits of course).

That's because certbot's default setting is not to renew within 60 days after issuance.

No.
