Renewal of certificates stopped

IlyaSiz · February 25, 2019, 10:25am

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: otrs.czics.ru

I ran this command: sudo certbot-auto renew

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/otrs.czics.ru.conf

Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for otrs.czics.ru
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (otrs.czics.ru) from /etc/letsencrypt/renewal/otrs.czics.ru.conf produced an unexpected error: Failed authorization procedure. otrs.czics.ru (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://otrs.czics.ru/.well-known/acme-challenge/IAmFnwO9EQqSxWN_oGBrpoezr6i487TwUR_fUDwcMpo: Connection reset by peer. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/otrs.czics.ru/fullchain.pem (failure)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/otrs.czics.ru/fullchain.pem (failure)

1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

The following errors were reported by the server:

Domain: otrs.czics.ru
Type: connection
Detail: Fetching
http://otrs.czics.ru/.well-known/acme-challenge/IAmFnwO9EQqSxWN_oGBrpoezr6i487TwUR_fUDwcMpo:
Connection reset by peer

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you’re using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.

My web server is (include version):

Server version: Apache/2.4.7 (Ubuntu)
Server built: Oct 14 2015 14:20:21

The operating system my web server runs on is (include version):

3.13.0-76-generic #120-Ubuntu SMP Mon Jan 18 15:59:10 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): only sudo

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):certbot 0.31.0

The server suddenly stopped updating certificates automatically; it can be accessed from the Internet on port 443. So i try to renew manualy, but has this error. Please, help.

JuergenAuer · February 25, 2019, 10:37am

Hi @IlyaSiz

you may have used tls-sni-01 validation. This is deprecated, support ends 2019-03.

So you have to use http-01, dns-01 or tls-alpn-01 - validation.

Checked your domain via otrs.czics.ru - Make your website better - DNS, redirects, mixed content, certificates - port 80 is closed:

Domainname	Http-Status	redirect	Sec.	G
• http://otrs.czics.ru/
80.243.3.106	-3		0.223	W
ReceiveFailure - The underlying connection was closed: An unexpected error occurred on a receive. Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host.

• https://otrs.czics.ru/
80.243.3.106	302	登錄 - OTRS 5s	1.873	N
Certificate error: RemoteCertificateChainErrors

• 登錄 - OTRS 5s	200		1.727	N
Certificate error: RemoteCertificateChainErrors

• http://otrs.czics.ru/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
80.243.3.106	-3		0.174	W
ReceiveFailure - The underlying connection was closed: An unexpected error occurred on a receive. Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host.

So http-01 validation can't work.

Open port 80 and use your running webserver (must answer port 80)
use dns-01 validation
perhaps use tls-alpn-01 - validation. acme.sh supports that.

IlyaSiz · February 25, 2019, 10:47am

Hello!

Thank you for your answer.
But I checked my site with Nmap and 80 port is open. Did i understand correctly?
Please, tell me, how and where can i choose validation type?

Best Regards,
Ilya Sizganov

_az · February 25, 2019, 10:49am

There is a distinction.

The port is open, but the connection is reset after the request is received by your server.

JuergenAuer · February 25, 2019, 10:53am

It's open, but it throws an error:

ReceiveFailure - The underlying connection was closed: An unexpected error occurred on a receive. Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host.

If you want to use http-01 validation, certbot creates a file in /.well-known/acme-challenge, Letsencrypt checks that file.

So your webserver must answer if a request comes via port 80. You can redirect that to port 443 / https.

But a ReceiveFailure stops the validation.

IlyaSiz · February 25, 2019, 1:27pm

Shoould i do this using apache2.conf?

IlyaSiz · February 25, 2019, 1:28pm

Also, I don’t understand, how it worked before, we didn’t make any changes in our configuration.

JuergenAuer · February 25, 2019, 1:35pm

This

is perhaps the reason.

You must have a running webserver on port 80 to use http-01 validation.

Or try --standalone

JuergenAuer · February 25, 2019, 2:22pm

Yes. Or add a vHost in /sites-available and a symlink in sites-enabled.

IlyaSiz · March 2, 2019, 9:36am

Hello,

I have updatet server to Ubuntu 16.04 but error still exists. Also, we have only 443 port accessible for otrs.czics.ru. Can we change port for certbot?

Best Regards,
Ilya Sizganov

JuergenAuer · March 2, 2019, 9:41am

Then you can't use http-01 - validation.

Open port 80. This shouldn't be a security problem - read

Or use another validation method.

http isn't a security problem if you have only redirects http -> https. And it's more user friendly.

IlyaSiz · March 2, 2019, 9:47am

Thank you for your answer, but for our public ip address port 80 is using for another service.
Another validation method is dns-01 only?

IlyaSiz · March 2, 2019, 9:55am

:/opt/otrs/var/cron$ sudo certbot certonly --standalone --preferred-challenges tls-sni-01 -d otrs.czics.ru

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for otrs.czics.ru
TLS-SNI-01 is deprecated, and will stop working soon.
Cleaning up challenges
Problem binding to port 443: Could not bind to IPv4 or IPv6.

JuergenAuer · March 2, 2019, 10:41am

Isn't it possible to create an exception?

Only /.well-known/acme-challenge/random-filename is required.

You can use dns-01 validation or tls-alpn-01 - validation. That is new, acme.sh supports that.

That conflicts with your running webserver.

IlyaSiz · March 4, 2019, 7:40am

Hello,

Can you, please, explain “That conflicts with your running webserver.”

JuergenAuer · March 4, 2019, 8:00am

If you want to use --standalone, Certbot starts a new webserver.

So you have first to stop your running webserver.

So standalone is good if you don't have a webserver (sample: The server is a mail server).

But if you have a working webserver, http validation and --webroot can use that webserver and should always work: Most webserver have a webroot.

IlyaSiz · March 4, 2019, 12:05pm

I try to use acme.sh.

:~$ sudo ./acme.sh/acme.sh --install-cert -d otrs.czics.ru \

--cert-file /etc/apache2/ssl/otrs.czics.ru-cert.pem
--key-file /etc/apache2/ssl/otrs.czics.ru-key.pem
--fullchain-file /etc/apache2/ssl/letsencrypt.pem
--reloadcmd "service apache2 force-reload"
[Mon Mar 4 15:03:24 MSK 2019] Installing cert to:/etc/apache2/ssl/otrs.czics.ru-cert.pem
[Mon Mar 4 15:03:24 MSK 2019] Installing key to:/etc/apache2/ssl/otrs.czics.ru-key.pem
[Mon Mar 4 15:03:24 MSK 2019] Installing full chain to:/etc/apache2/ssl/letsencrypt.pem
[Mon Mar 4 15:03:24 MSK 2019] Run reload cmd: service apache2 force-reload
[Mon Mar 4 15:03:24 MSK 2019] Reload success

But i stiil has no valid certificate on my site.
Please tell, me what i am doing wrong.

JuergenAuer · March 4, 2019, 1:28pm

I don't know what acme.sh is doing.

But you have a new certificate:

So check your Apache SSL vHost if

/etc/apache2/ssl/otrs.czics.ru-cert.pem

is used.

Or you have more then one vHost, so acme.sh has updated the wrong vHost.

IlyaSiz · March 4, 2019, 1:37pm

Yes, you are right, I have extra web-server.

:~$ sudo apache2ctl -S
VirtualHost configuration:
[::1]:443 localhost (/etc/apache2/apache2.conf:224)
127.0.0.1:443 localhost (/etc/apache2/apache2.conf:224)
*:80 OTRS.local (/etc/apache2/sites-enabled/000-default.conf:1)
*:443 is a NameVirtualHost
default server otrs.czics.ru (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
port 443 namevhost otrs.czics.ru (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
port 443 namevhost OTRS.local (/etc/apache2/sites-enabled/default-ssl.conf:2)

How can i fix it?
Do i have to remove one?

JuergenAuer · March 4, 2019, 1:41pm

Yes. Every combination of port (80 / 443) and domain name should be unique. If not, it's unclear which definition is used.

So

make a backup
remove duplicate vHosts, copy the lines you need
restart Apache