Renewal of certificates stopped


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: otrs.czics.ru

I ran this command: sudo certbot-auto renew

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/otrs.czics.ru.conf


Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for otrs.czics.ru
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (otrs.czics.ru) from /etc/letsencrypt/renewal/otrs.czics.ru.conf produced an unexpected error: Failed authorization procedure. otrs.czics.ru (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://otrs.czics.ru/.well-known/acme-challenge/IAmFnwO9EQqSxWN_oGBrpoezr6i487TwUR_fUDwcMpo: Connection reset by peer. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/otrs.czics.ru/fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/otrs.czics.ru/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: otrs.czics.ru
    Type: connection
    Detail: Fetching
    http://otrs.czics.ru/.well-known/acme-challenge/IAmFnwO9EQqSxWN_oGBrpoezr6i487TwUR_fUDwcMpo:
    Connection reset by peer

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

My web server is (include version):

Server version: Apache/2.4.7 (Ubuntu)
Server built: Oct 14 2015 14:20:21

The operating system my web server runs on is (include version):

3.13.0-76-generic #120-Ubuntu SMP Mon Jan 18 15:59:10 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): only sudo

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0

The server suddenly stopped updating certificates automatically; it can be accessed from the Internet on port 443. So I tried to renew manually, but got this error. Please help.


#2

Hi @IlyaSiz

you may have used tls-sni-01 validation. This is deprecated, support ends 2019-03.

So you have to use http-01, dns-01 or tls-alpn-01 - validation.

Checked your domain via https://check-your-website.server-daten.de/?q=otrs.czics.ru - port 80 is closed:

Domainname Http-Status redirect Sec. G
http://otrs.czics.ru/
80.243.3.106 -3 0.223 W
ReceiveFailure - The underlying connection was closed: An unexpected error occurred on a receive. Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host.
https://otrs.czics.ru/
80.243.3.106 302 https://otrs.czics.ru/otrs/customer.pl 1.873 N
Certificate error: RemoteCertificateChainErrors
https://otrs.czics.ru/otrs/customer.pl 200 1.727 N
Certificate error: RemoteCertificateChainErrors
http://otrs.czics.ru/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
80.243.3.106 -3 0.174 W
ReceiveFailure - The underlying connection was closed: An unexpected error occurred on a receive. Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host.

So http-01 validation can’t work.

  • Open port 80 and use your running webserver (must answer port 80)
  • use dns-01 validation
  • perhaps use tls-alpn-01 - validation. acme.sh supports that.

#3

Hello!

Thank you for your answer.
But I checked my site with Nmap and port 80 is open. Did I understand correctly?
Please tell me, how and where can I choose the validation type?

Best Regards,
Ilya Sizganov


#4

There is a distinction.

The port is open, but the connection is reset after the request is received by your server.


#5

It’s open, but it throws an error:

ReceiveFailure - The underlying connection was closed: An unexpected error occurred on a receive. Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host.

If you want to use http-01 validation, certbot creates a file in /.well-known/acme-challenge, Letsencrypt checks that file.

So your webserver must answer if a request comes via port 80. You can redirect that to port 443 / https.

But a ReceiveFailure stops the validation.
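The distinction drawn in #4 and #5 (the port is open, but the request is not answered), as an added example that is not from the thread, from Certbot or from Let’s Encrypt: a small Python preflight that repeats the two steps a validator performs, a TCP connect and then a GET of a path under /.well-known/acme-challenge/, and reports at which step the attempt fails. The function names, the probe path and the loopback stand-in server (`demo_server`) are this example’s own constructions; the stand-in reproduces the thread’s symptom by aborting the connection right after reading the request.

```python
"""Preflight for ACME http-01: tell 'port open' apart from 'HTTP request answered'.

Added example, not from the thread, Certbot or Let's Encrypt. It repeats the
two steps a validator performs, a TCP connect and then a GET of
/.well-known/acme-challenge/<token>, and reports at which step the attempt
fails, so a port that nmap calls open but that resets the connection after
the request is reported as exactly that.
"""
import socket
import struct
import threading

# Token-like path name chosen for this example; any name under the challenge
# directory exercises the same vHost and firewall path as a real token.
CHALLENGE_PATH = "/.well-known/acme-challenge/preflight-probe"


def classify_response(data: bytes) -> dict:
    """Interpret the raw bytes a server returned to the GET."""
    if not data:
        return {"tcp": "open", "http": "closed without reply"}
    status_line = data.split(b"\r\n", 1)[0].decode("ascii", errors="replace")
    parts = status_line.split()
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return {"tcp": "open", "http": "not HTTP", "first_line": status_line}
    return {"tcp": "open", "http": "response", "status": int(parts[1])}


def probe_http01(host: str, port: int = 80, timeout: float = 5.0) -> dict:
    """Connect, send the GET a validator would send, classify what comes back."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:  # refused, filtered or unreachable: nmap would not call this 'open'
        return {"tcp": "closed or filtered", "http": None, "error": str(exc)}
    request = (f"GET {CHALLENGE_PATH} HTTP/1.1\r\nHost: {host}\r\n"
               "Connection: close\r\n\r\n").encode("ascii")
    data = b""
    try:
        sock.sendall(request)
        while len(data) < 65536:
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
    except ConnectionError as exc:  # ECONNRESET / EPIPE: the case described in #4
        return {"tcp": "open", "http": "connection reset", "error": str(exc)}
    except socket.timeout:
        return {"tcp": "open", "http": "no reply before timeout"}
    finally:
        sock.close()
    return classify_response(data)


def demo_server(behaviour: str) -> int:
    """Constructed stand-in for the remote host, bound to a free loopback port.
    'reset' reads the request and then aborts the connection with RST;
    'ok' answers 200 with the probe name as body. Returns the port."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]

    def serve():
        conn, _ = listener.accept()
        conn.settimeout(5.0)
        try:
            conn.recv(4096)  # read the GET first: the reset follows the request
            if behaviour == "reset":
                # SO_LINGER with a zero timeout makes close() send RST instead of FIN
                conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
            else:
                conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 15\r\n"
                             b"Connection: close\r\n\r\npreflight-probe")
        finally:
            conn.close()
            listener.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def unused_port() -> int:
    """A loopback port with no listener, for the 'closed' case."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    for case in ("reset", "ok"):
        print(case, probe_http01("127.0.0.1", demo_server(case)))
    print("closed", probe_http01("127.0.0.1", unused_port()))
    # Against a live host: probe_http01("your-domain.example")
```

Run against the real host name, the three possible results map onto the thread: "closed or filtered" is what a firewall or missing listener gives, "connection reset" is the ReceiveFailure quoted above (nmap still reports the port as open), and "response" with a 404 is fine for a preflight, since only the real token has to return 200 during validation.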


#6

Should I do this using apache2.conf?


#7

Also, I don’t understand how it worked before; we didn’t make any changes to our configuration.


#8

This

is perhaps the reason.

You must have a running webserver on port 80 to use http-01 validation.

Or try --standalone


#9

Yes. Or add a vHost in /sites-available and a symlink in sites-enabled.


#10

Hello,

I have updated the server to Ubuntu 16.04 but the error still exists. Also, we have only port 443 accessible for otrs.czics.ru. Can we change the port for certbot?

Best Regards,
Ilya Sizganov


#11

Then you can’t use http-01 - validation.

Open port 80. This shouldn’t be a security problem - read

Or use another validation method.

http isn’t a security problem if you have only redirects http -> https. And it’s more user friendly.


#12

Thank you for your answer, but on our public IP address port 80 is used for another service.
Is dns-01 the only other validation method?


#13

:/opt/otrs/var/cron$ sudo certbot certonly --standalone --preferred-challenges tls-sni-01 -d otrs.czics.ru

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for otrs.czics.ru
TLS-SNI-01 is deprecated, and will stop working soon.
Cleaning up challenges
Problem binding to port 443: Could not bind to IPv4 or IPv6.


#14

Isn’t it possible to create an exception?

Only /.well-known/acme-challenge/random-filename is required.

You can use dns-01 validation or tls-alpn-01 - validation. That is new, acme.sh supports that.

That conflicts with your running webserver.


#15

Hello,

Can you, please, explain “That conflicts with your running webserver.”


#16

If you want to use --standalone, Certbot starts a new webserver.

So you have first to stop your running webserver.

So standalone is good if you don’t have a webserver (sample: The server is a mail server).

But if you have a working webserver, http validation and --webroot can use that webserver and should always work: most webservers have a webroot.


#17

I try to use acme.sh.

:~$ sudo ./acme.sh/acme.sh --install-cert -d otrs.czics.ru \
--cert-file /etc/apache2/ssl/otrs.czics.ru-cert.pem \
--key-file /etc/apache2/ssl/otrs.czics.ru-key.pem \
--fullchain-file /etc/apache2/ssl/letsencrypt.pem \
--reloadcmd "service apache2 force-reload"
[Mon Mar 4 15:03:24 MSK 2019] Installing cert to:/etc/apache2/ssl/otrs.czics.ru-cert.pem
[Mon Mar 4 15:03:24 MSK 2019] Installing key to:/etc/apache2/ssl/otrs.czics.ru-key.pem
[Mon Mar 4 15:03:24 MSK 2019] Installing full chain to:/etc/apache2/ssl/letsencrypt.pem
[Mon Mar 4 15:03:24 MSK 2019] Run reload cmd: service apache2 force-reload
[Mon Mar 4 15:03:24 MSK 2019] Reload success

But I still have no valid certificate on my site.
Please tell me what I am doing wrong.


#18

I don’t know what acme.sh is doing.

But you have a new certificate:

https://crt.sh/?q=otrs.czics.ru

So check your Apache SSL vHost if

/etc/apache2/ssl/otrs.czics.ru-cert.pem

is used.

Or you have more than one vHost, so acme.sh has updated the wrong vHost.


#19

Yes, you are right, I have an extra web server.

:~$ sudo apache2ctl -S
VirtualHost configuration:
[::1]:443 localhost (/etc/apache2/apache2.conf:224)
127.0.0.1:443 localhost (/etc/apache2/apache2.conf:224)
*:80 OTRS.local (/etc/apache2/sites-enabled/000-default.conf:1)
*:443 is a NameVirtualHost
default server otrs.czics.ru (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
port 443 namevhost otrs.czics.ru (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
port 443 namevhost OTRS.local (/etc/apache2/sites-enabled/default-ssl.conf:2)

How can I fix it?
Do I have to remove one?


#20

Yes. Every combination of port (80 / 443) and domain name should be unique. If not, it’s unclear which definition is used.

So

  • make a backup
  • remove duplicate vHosts, copy the lines you need
  • restart Apache
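The dump from #19 and the rule from #20, as an added example that is not part of the thread and not Apache’s own tooling (apache2ctl -S only prints the dump): a Python parser that reads that output, lists per port which vHost answers and which one is the default server (the vHost Apache uses when no ServerName matches, and therefore the one whose certificate a client sees for an unknown name), and flags any port/name combination that is defined in more than one file. The first sample is the dump posted in #19; the second is constructed to show what a real duplicate looks like. The function and class names are this example’s own.

```python
"""Read `apache2ctl -S` output and show, per port, which vHost answers.

Added example, not from the thread or from Apache. Added on top of the dump
apache2ctl already prints: a per-port summary that marks the default server
and a check for the rule in #20 that every port/name combination is defined
exactly once. The first sample is the dump posted in #19; the second is
constructed to show a real duplicate.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

SAMPLE_FROM_THREAD = """\
VirtualHost configuration:
[::1]:443 localhost (/etc/apache2/apache2.conf:224)
127.0.0.1:443 localhost (/etc/apache2/apache2.conf:224)
*:80 OTRS.local (/etc/apache2/sites-enabled/000-default.conf:1)
*:443 is a NameVirtualHost
default server otrs.czics.ru (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
port 443 namevhost otrs.czics.ru (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
port 443 namevhost OTRS.local (/etc/apache2/sites-enabled/default-ssl.conf:2)
"""

# Constructed dump: one name defined on port 443 from two different files.
SAMPLE_WITH_DUPLICATE = """\
VirtualHost configuration:
*:443 is a NameVirtualHost
default server www.example.test (/etc/apache2/sites-enabled/a.conf:1)
port 443 namevhost www.example.test (/etc/apache2/sites-enabled/a.conf:1)
port 443 namevhost www.example.test (/etc/apache2/sites-enabled/b.conf:1)
"""

LOC = r"\((?P<file>[^:()]+):(?P<line>\d+)\)"
SINGLE_RE = re.compile(rf"^(?P<addr>\S+):(?P<port>\d+)\s+(?P<name>\S+)\s+{LOC}$")
GROUP_RE = re.compile(r"^(?P<addr>\S+):(?P<port>\d+)\s+is a NameVirtualHost$")
DEFAULT_RE = re.compile(rf"^default server (?P<name>\S+)\s+{LOC}$")
NAMEVHOST_RE = re.compile(rf"^port (?P<port>\d+) namevhost (?P<name>\S+)\s+{LOC}$")
ALIAS_RE = re.compile(r"^(?:wild )?alias (?P<name>\S+)$")


@dataclass
class VHost:
    addr: str
    port: int
    name: str
    location: str          # file:line of the <VirtualHost> block
    default: bool = False  # printed as 'default server' for its address:port
    aliases: list = field(default_factory=list)


def parse_vhost_dump(text: str) -> list:
    """One VHost per <VirtualHost> block; the default server of a
    NameVirtualHost group is printed twice by Apache and recorded once."""
    vhosts, group_addr, group_port, seen_in_group = [], None, None, set()
    for raw in text.splitlines():
        line = raw.strip()  # apache2ctl indents group members; the paste in #19 did not
        if m := SINGLE_RE.match(line):
            vhosts.append(VHost(m["addr"], int(m["port"]), m["name"], f"{m['file']}:{m['line']}"))
        elif m := GROUP_RE.match(line):
            group_addr, group_port, seen_in_group = m["addr"], int(m["port"]), set()
        elif m := DEFAULT_RE.match(line):
            loc = f"{m['file']}:{m['line']}"
            vhosts.append(VHost(group_addr, group_port, m["name"], loc, default=True))
            seen_in_group.add(loc)
        elif m := NAMEVHOST_RE.match(line):
            loc = f"{m['file']}:{m['line']}"
            if loc not in seen_in_group:
                vhosts.append(VHost(group_addr, int(m["port"]), m["name"], loc))
                seen_in_group.add(loc)
        elif (m := ALIAS_RE.match(line)) and vhosts:
            vhosts[-1].aliases.append(m["name"])  # ServerAlias lines follow their vHost
    return vhosts


def per_port_summary(vhosts: list) -> dict:
    """port -> ['name (file:line)[ [default]]', ...], default server first."""
    summary = defaultdict(list)
    for vh in sorted(vhosts, key=lambda v: (v.port, not v.default, v.name)):
        summary[vh.port].append(f"{vh.name} ({vh.location})" + (" [default]" if vh.default else ""))
    return dict(summary)


def find_name_collisions(vhosts: list) -> dict:
    """(port, name) pairs defined in more than one place: the rule from #20 violated."""
    where = defaultdict(set)
    for vh in vhosts:
        for name in [vh.name, *vh.aliases]:
            where[(vh.port, name.lower())].add(vh.location)
    return {k: sorted(v) for k, v in where.items() if len(v) > 1}


if __name__ == "__main__":
    vhosts = parse_vhost_dump(SAMPLE_FROM_THREAD)
    for port, entries in sorted(per_port_summary(vhosts).items()):
        print(f"port {port}:")
        for entry in entries:
            print("   ", entry)
    print("collisions in thread dump:", find_name_collisions(vhosts))
    print("collisions in constructed dump:",
          find_name_collisions(parse_vhost_dump(SAMPLE_WITH_DUPLICATE)))
```

On the dump from #19 the collision check is empty, so the thread’s problem is not a duplicate name but two separate SSL vHosts on port 443 (000-default-le-ssl.conf and default-ssl.conf) with separate SSLCertificateFile settings; the summary shows which of them is the default and thus which file has to reference the certificate acme.sh installed. Run it on `apache2ctl -S` output after the cleanup in #20 to confirm that each port lists exactly the vHosts you intend to keep.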