Renewal redirect help

Comically I can’t update my certs due to a problem I’ve been fighting for a while. Originally my renew would try port 80 and fail because the LE configs redirect traffic coming in on 80 to 443 and the check wouldn’t follow. Now I have it asking on 443 but there is no .well-known there to check. The only way I can get it to “work” is by removing all the LE redirect rules, but then everything fails when certbot restarts the webserver expecting all the now-removed rules to be in place.
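As an added example (not from this thread, and not Certbot's or Let's Encrypt's own configuration), here is the Apache pattern behind the problem described in the post above: a port-80 vhost that redirects every request to HTTPS, next to one that keeps /.well-known/acme-challenge/ served on port 80 and exempt from the redirect, so the http-01 check has something to fetch while the redirect stays in place for the rest of the site. ServerName, DocumentRoot and the webroot path are placeholders.

```apache
# Added example, not from the thread. Placeholder names throughout.

# --- Problematic form: every request on :80 is redirected, including the
# ACME challenge path. If the :443 vhost has no matching webroot, the
# validator ends up at a 404 on https and the order fails.
<VirtualHost *:80>
    ServerName example.com
    RewriteEngine On
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>

# --- Corrected form: serve the challenge directory directly on :80 and
# exempt it from the redirect; everything else still goes to HTTPS.
<VirtualHost *:80>
    ServerName example.com
    DocumentRoot /var/www/example

    # Map the challenge path to the directory certbot writes tokens into,
    # e.g. certbot --webroot -w /var/www/example -d example.com
    Alias /.well-known/acme-challenge/ /var/www/example/.well-known/acme-challenge/
    <Directory "/var/www/example/.well-known/acme-challenge/">
        Options None
        AllowOverride None
        Require all granted
    </Directory>

    RewriteEngine On
    # Skip the redirect only for the challenge path.
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>

# Check: after reloading Apache, a request for a non-existent token on :80
#   curl -sI http://example.com/.well-known/acme-challenge/probe
# should answer with a plain 404 from this vhost, not a 301 to https.
```

Rewrite rules in a site .htaccess are processed separately from the vhost, so a redirect kept there needs the same RewriteCond exemption, otherwise it re-introduces the redirect the vhost just skipped.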

Hi @nPHYN1T3,

I split you off onto a separate topic so you can get help with your issue.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):


Well ATM everything is dead in the water because I’m getting the dreaded too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/. Skipping.

However this issue has plagued me for a while. It’s spanned too much time to be clear about all the details. I never get to just focus on one thing at a time, but I am suspecting this is because the LE server hammers my FOH and triggers the DDoS protection when renewing. Which is to say I think some of my last measures, where it would ask on port 80 then just die, are fixed, but now I think this is a different issue with similar results, making it look like it’s still the same issue. I can’t test things until the rate limiting is removed. Sadly LE will basically be under a valid DDoS attack with everyone scrambling to update.

@nPHYN1T3,

Have you tried using the dns-01 challenge instead of the http-01 challenge? Fill out the questionnaire above too please.

My domain is: more than one ;p

I will attach both below, but no, I have not tried the dns-01; where can I look up how to switch to this? Searching the docs is really terrible…because there is no search. I will try to search for it in a bit, but I was in the middle of a chitstorm when I got that email about needing to renew; when it rains it’s tsunamis…

**update: just tried again and it worked insofar as it didn’t say failed due to rate limiting, so it’s not the DDoS protection since I disabled it for the test.

My logs show all the requests as fine and hitting port 80 again (wtf is this thing on crack?). Seriously, all requests 200, but then certbot says connection was refused…

At this rate I’d rather a nice guide on how to wipe certbot/LE clean and start fresh. Part of me thinks trying things from all the guides and stupid help over the last few months has amounted to cruft or injected problems. Sadly, as I said before, the docs are horrible. Unless you know what heading something is under you have to fish through everything. Most of the simple things aren’t discussed, leaving you to hunt the web and try things others have figured out because the docs are deficient with basic things like adding or removing a domain.

**update 2: I just got it to work, but it seems like a perfect storm of stupidity. I disabled my DDoS and wiped my htaccess just to see, and it worked. When I saw all 200s in my logs but certbot said denied it made me suspicious, but still a serious wtf as now on top of everything I’ve got to figure out what rule is breaking this.

I’ve been doing this chit 40ish years and I’m burnt out, frustrated and sweet jebus I don’t want to support my own issues much less subject poor folks like you guys to guessing at all the zillions of variables and inbetweens that might cause these issues. I need a vacation…or a lobotomy…or a lobotication…

**update 3: thought I had this worked out, but I’m testing more and I can’t seem to get any consistency or helpful info from my logs. I have looked up the dns-01, but as previously stated I can’t find anything solid on the LE site, so search engine bound, which leads me to forums outside this with “do this!” “no do THIS!” ah… the internet…

I ran this command: certbot renew --force-renewal

It produced this output: Attempting to renew cert (m0dw3rks.com) from /etc/letsencrypt/renewal/m0dw3rks.com.conf produced an unexpected error: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/m0dw3rks.com/fullchain.pem (failure)

My web server is (include version): apache 2.X.X something

The operating system my web server runs on is (include version): Ubuntu 18.04

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.31.0

From the original reporting of this

My domain is: m0dw3rks.com

I ran this command: /usr/bin/certbot renew --apache

It produced this output:
Domain: x.m0dw3rks.com
Type: connection
Detail: Fetching
x.m0dw3rks.com
Connection refused

My web server is (include version): apache 2.4.29

The operating system my web server runs on is (include version): Ubuntu 18.04

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0
