Renewal of certificates on server using SNI fails

Sorry to be very short but I'm limited as a new user.
My domain is: support.posper.de and shop.tassenregal.com
./certbot-auto renew --dry-run fails with /support.posper.de.conf produced an unexpected error: Failed authorization procedure. support.posper.de (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain
My web server is (include version): Apache 2.2.22
Situation:
I have 2 domains running on a server using SNI, call this server 'sni'. Port 443 is forwarded directly to this server.
Port 80 is forwarded to a different server, call it 'proxy' which performs a Redirect permanent to https://support.posper.de and https://shop.tassenregal.com accordingly.
This setup works very well.

In order to obtain the certificates I had to

which worked like a charm and, as said, the setup described above also works

However, any attempt to make a dry-run renewal fails. Why it fails seems to be clear for the example above, but I tried a couple more options like using --preferred-challenges tls-sni-01 and nothing worked.
The latter produced a message like this:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.

Attempting to renew cert (shop.tassenregal.com) from /etc/letsencrypt/renewal/shop.tassenregal.com.conf produced an unexpected error: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.. Skipping.

I got stuck here because performing the configuration changes like for creation for every renewal attempt is a no go. Does anyone have an idea how to solve this?

Thank you.

Your redirect is misconfigured; it’s missing a trailing slash, so if you request http://support.posper.de/something you get redirected to https://support.posper.desomething instead of https://support.posper.de/something. If you fix that then you should be able to use certbot-auto --apache or certbot-auto --webroot without stopping Apache or changing your port forwarding configuration.

Standalone mode can also be made to work, but it’s tricky to set up when you have even one existing webserver, never mind two.

Thanks for your answer. I've fixed the redirect but I'm still getting errors as follows (the debug log produces a lot more but I can't see any further hint in it):

fujiyama:/etc/apache2/certbot# ./certbot-auto renew --dry-run --preferred-challenges tls-sni-01 --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/support.posper.de.conf

Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
Attempting to renew cert (support.posper.de) from /etc/letsencrypt/renewal/support.posper.de.conf produced an unexpected error: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.. Skipping.


Processing /etc/letsencrypt/renewal/shop.tassenregal.com.conf

Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
Attempting to renew cert (shop.tassenregal.com) from /etc/letsencrypt/renewal/shop.tassenregal.com.conf produced an unexpected error: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/support.posper.de/fullchain.pem (failure)
/etc/letsencrypt/live/shop.tassenregal.com/fullchain.pem (failure)


** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/support.posper.de/fullchain.pem (failure)
/etc/letsencrypt/live/shop.tassenregal.com/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)

2 renew failure(s), 0 parse failure(s)

You need to remove --preferred-challenges tls-sni-01 or change it to --preferred-challenges http-01

I removed the challenge option and ./certbot-auto renew --dry-run --apache returns:

...
Attempting to renew cert (shop.tassenregal.com) from /etc/letsencrypt/renewal/shop.tassenregal.com.conf produced an unexpected error: Failed authorization procedure. shop.tassenregal.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching https://shop.tassenregal.com/.well-known/acme-challenge/GLSDPvIVY7O2BWYNXfaAIk4baDBJmURjJhtrj2Lo3ZA: Timeout. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/support.posper.de/fullchain.pem (failure)
/etc/letsencrypt/live/shop.tassenregal.com/fullchain.pem (failure)

I should mention that both vhosts are running Passenger with a Rails app, e.g.

DocumentRoot /home/rails/redmine/public/
<Directory /home/rails/redmine/public/>

I tried with and without trailing backslashes. Maybe I come closer?

Hmm, I don’t see how that would make a difference or cause the error you’re seeing, especially since I can make requests to that URL and I don’t get a timeout - but then I have no experience with Rails. Maybe you could share the full Apache configuration for those vhosts? And also the output of apachectl -S just in case there’s something else interfering.

You aren’t blocking requests from particular IP address ranges or something?

Here's the vhost config for support.posper.de

<VirtualHost *:443>
ServerName support.posper.de
DocumentRoot /home/rails/redmine/public/
<Directory /home/rails/redmine/public/ >
AllowOverride All
# MultiViews must be turned off.
Options -MultiViews
</Directory>

LogLevel warn
ErrorLog log/redmine2_ssl_errors_log
CustomLog log/redmine2_ssl_log "%h %l %u %t \"%r\" %>s %b"
PassengerRuby /home/rails/.rvm/gems/ruby-1.9.3-p547@redmine2/wrappers/ruby
PassengerMinInstances 3

# SSL directives

SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/support.posper.de/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/support.posper.de/privkey.pem
Header always set Strict-Transport-Security "max-age=15768000"
</VirtualHost>

And here's the vhost config reported by apachectl -S

fujiyama:/etc/apache2/certbot# apachectl -S
VirtualHost configuration:
wildcard NameVirtualHosts and default servers:
*:8090 fujiyama.WORKGROUP (/etc/apache2/conf.d/egroupware:9)
*:8291 arcasys.fujiyama (/etc/apache2/sites-enabled/arcasys_home:1)
*:8085 fujiyama.WORKGROUP (/etc/apache2/sites-enabled/backoffice:22)
*:8290 concrete5.fujiyama.local (/etc/apache2/sites-enabled/concrete5:1)
*:8095 fujiyama.WORKGROUP (/etc/apache2/sites-enabled/mobile-test-luigi:22)
*:8099 ldap.arcasys.de (/etc/apache2/sites-enabled/phpldapadmin:3)
*:8380 repo.posper.de (/etc/apache2/sites-enabled/repo.posper:1)
*:443 is a NameVirtualHost
default server arcasys.de (/etc/apache2/sites-enabled/default-ssl:2)
port 443 namevhost arcasys.de (/etc/apache2/sites-enabled/default-ssl:2)
port 443 namevhost support.posper.de (/etc/apache2/sites-enabled/redmine2:11)
port 443 namevhost shop.tassenregal.com (/etc/apache2/sites-enabled/tassenregal:1)
Syntax OK

It seems to me that certbot temporarily changes the Apache configuration to use a different directory to retrieve the challenge record:

2018-02-18 22:23:35,092:DEBUG:certbot_apache.http_01:Adding a temporary challenge validation Include for name: support.posper.de in: /etc/apache2/sites-enabled/redmine2
2018-02-18 22:23:35,093:DEBUG:certbot_apache.http_01:writing a pre config file with text:
RewriteEngine on
RewriteRule ^/.well-known/acme-challenge/([A-Za-z0-9-_=]+)$ /var/lib/letsencrypt/http_challenges/$1 [L]

and

2018-02-18 22:23:35,093:DEBUG:certbot_apache.http_01:writing a post config file with text:
<Directory /var/lib/letsencrypt/http_challenges>
Order Allow,Deny
Allow from all
</Directory>

<Location /.well-known/acme-challenge>
Order Allow,Deny
Allow from all
</Location>

So the problem could be:

The challenge is written to the "right" place /var/lib/letsencrypt/http_challenges, but this most likely applies to http requests, while we always redirect to port 443 and the target file's not found...

I haven't any idea yet how to get around this:
Either reconfigure the pre and post config file? How?
Or find some trick how to tweak the Apache configuration to this situation (maybe a permanent RewriteRule in the <VirtualHost *:443>?)

WOW, this works!

I inserted the RewriteRule in the vhost configurations, e.g.
<Directory /home/rails/redmine/public/ >
AllowOverride All
# MultiViews must be turned off.
Options -MultiViews
</Directory>

RewriteEngine on
RewriteRule ^/.well-known/acme-challenge/([A-Za-z0-9-_=]+)$ /var/lib/letsencrypt/http_challenges/$1 [L]
LogLevel warn

Thank you so much for your time and your help!
Hans

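As an added illustration (not part of the thread), a small Python model of the two Apache rules the thread turns on: the proxy's `Redirect permanent` and the certbot `RewriteRule` that ended up in the `*:443` vhost. It walks the path the validator takes (port 80 redirect, then the 443 vhost) and shows why a redirect target without a trailing slash mangles the hostname, and why, with the slash, the challenge URL maps onto certbot's challenge directory. The token and the function names are constructed for this example; only the hostname and the paths come from the thread.

```python
import re
from urllib.parse import urlsplit

# Constructed values for this example: a made-up token, the hostname from the thread.
TOKEN = "exampleTokenNotFromTheThread0123"
ACME_PREFIX = "/.well-known/acme-challenge/"
CHALLENGE_DIR = "/var/lib/letsencrypt/http_challenges/"
# Same character set as the RewriteRule certbot writes (hyphen moved to the end
# so Python reads it as a literal, not a range).
ACME_RULE = re.compile(r"^/\.well-known/acme-challenge/([A-Za-z0-9_=-]+)$")


def apache_redirect(request_path, prefix, target):
    """Model of mod_alias 'Redirect permanent <prefix> <target>': Apache appends
    whatever follows <prefix> in the request path to <target> verbatim."""
    if not request_path.startswith(prefix):
        return None
    return target + request_path[len(prefix):]


def rewrite_challenge(path):
    """Model of the RewriteRule added to the *:443 vhost: map the challenge URL
    path to the file certbot wrote, or None if the rule does not match."""
    m = ACME_RULE.match(path)
    return CHALLENGE_DIR + m.group(1) if m else None


def validator_walk(token, redirect_target):
    """Follow the http-01 flow from the thread: the validator requests the token
    over port 80, the 'proxy' host redirects it to https, and the 443 vhost must
    then resolve the path. Returns (host contacted, challenge file served)."""
    location = apache_redirect(ACME_PREFIX + token, "/", redirect_target)
    parts = urlsplit(location)
    return parts.hostname, rewrite_challenge(parts.path)


if __name__ == "__main__":
    # Without the trailing slash the validator is sent to a hostname that does
    # not exist; with it, the token resolves to certbot's challenge directory.
    for target in ("https://support.posper.de", "https://support.posper.de/"):
        host, served = validator_walk(TOKEN, target)
        print(f"Redirect to {target!r}: validator contacts {host!r}, serves {served!r}")
```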
