Renewal SSL certificate issue

Good evening,
I have been attempting to renew my certificate since June 2021 without success.

NET::ERR_CERT_DATE_INVALID
Subject: vps12001.serveur-vps.net
Issuer: R3
Expires on: 1 juil. 2021

I ran this command: certbot renew --dry-run

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/vps12001.serveur-vps.net.conf


Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for vps12001.serveur-vps.net
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (vps12001.serveur-vps.net) from /etc/letsencrypt/renewal/vps12001.serveur-vps.net.conf produced an unexpected error: Failed authorization procedure. vps12001.serveur-vps.net (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://vps12001.serveur-vps.net/.well-known/acme-challenge/KJpmbwRZqT0-q8-QrMwypIu8HAjJrxC4Zh94wniJiOc: Timeout during connect (likely firewall problem). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/vps12001.serveur-vps.net/fullchain.pem (failure)


** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/vps12001.serveur-vps.net/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry

Due to the result I deactivated the firewall and iptables, but the result is the same.

So I ran this command: apachectl -S

AH00548: NameVirtualHost has no effect and will be removed in the next release /etc/apache2/sites-enabled/000-ispconfig.vhost:7
VirtualHost configuration:
*:8081                 vps12001.serveur-vps.net (/etc/apache2/sites-enabled/000-apps.vhost:9)
*:8080                 vps12001.serveur-vps.net (/etc/apache2/sites-enabled/000-ispconfig.vhost:9)
*:80                   is a NameVirtualHost
         default server annonces.cicalm.fr (/etc/apache2/sites-enabled/100-annonces.cicalm.fr.vhost:7)
         port 80 namevhost annonces.cicalm.fr (/etc/apache2/sites-enabled/100-annonces.cicalm.fr.vhost:7)
                 alias www.annonces.cicalm.fr
         port 80 namevhost cicalm.fr (/etc/apache2/sites-enabled/100-cicalm.fr.vhost:7)
                 alias www.cicalm.fr
         port 80 namevhost live.cicalm.fr (/etc/apache2/sites-enabled/100-live.cicalm.fr.vhost:7)
                 alias www.live.cicalm.fr
*:443                  vps12001.serveur-vps.net (/etc/apache2/sites-enabled/default-ssl.conf:2)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex authdigest-client: using_defaults
Mutex fcgid-proctbl: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex fcgid-pipe: using_defaults
Mutex authdigest-opaque: using_defaults
Mutex watchdog-callback: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
Define: ENABLE_USR_LIB_CGI_BIN
User: name="www-data" id=33
Group: name="www-data" id=33
-------------------------------------

But I don't know if my problem is due to the number of SSL domains or a configuration problem.
Could you help me to identify my renewal problem?

Thank you in advance.

2 Likes

Welcome to the Let's Encrypt Community :slightly_smiling_face:

You almost certainly encountered the Certificates per Registered Domain (50 per week) rate limit recently, but that's not causing the timeout. Never mind. The listed certs are dated 2020. According to Let's Debug, there are 239 Certificates contributing to rate limits for this domain. That certainly could pose an issue, but would be hindered by a timeout problem, not cause it.

https://crt.sh/?q=serveur-vps.net

I believe there is something in your Apache configuration (or an .htaccess file) causing the timeout.

1 Like

Wow, I'm off my game today. :woozy_face: I made an edit-mess of things.

1 Like

Hi Griffin, and thank you for your quick answer.
Indeed, I didn't think to look at my .htaccess.
First I'll check this file and get back to you.
Regards,

2 Likes

No problem, you're welcome :wink:

1 Like

From:

Given the 404 here:

http://vps12001.serveur-vps.net/.well-known/acme-challenge/letsdebug-test

and the timeout here:

http://vps12001.serveur-vps.net/.well-known/acme-challenge/ywIypdrPemnwn2typ_UwoOkCJSOGRGmiBlxp7jL54N0

I deduce that a rule in Apache (config or .htaccess) is responsible for the timeout. It could be a dynamic defense type of problem though (e.g. adaptive firewall).

1 Like

Thank you again Griffin, I'll check this.

2 Likes

FWIW, my browser doesn't see the timeout while Let's Debug does. This difference in behavior would seem to indicate a firewall issue.

1 Like

Beyond the firewall issue...
[after you fix that]

It seems that there is no vhost config that covers that name for port 80.

1 Like
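
To check the point above against the `apachectl -S` output from the first post, this Python sketch (an added example, not posted by anyone in the thread) parses that output and reports which vhost would receive a request for a given Host name on a given port. The function names `parse_vhosts` and `serving_vhost` are hypothetical, and the matching is a simplification of Apache's name-based vhost selection.

```python
import re
from fnmatch import fnmatch

# Excerpt of the `apachectl -S` output from the first post (ports 80 and 443).
SAMPLE = """\
*:80                   is a NameVirtualHost
         default server annonces.cicalm.fr (/etc/apache2/sites-enabled/100-annonces.cicalm.fr.vhost:7)
         port 80 namevhost annonces.cicalm.fr (/etc/apache2/sites-enabled/100-annonces.cicalm.fr.vhost:7)
                 alias www.annonces.cicalm.fr
         port 80 namevhost cicalm.fr (/etc/apache2/sites-enabled/100-cicalm.fr.vhost:7)
                 alias www.cicalm.fr
         port 80 namevhost live.cicalm.fr (/etc/apache2/sites-enabled/100-live.cicalm.fr.vhost:7)
                 alias www.live.cicalm.fr
*:443                  vps12001.serveur-vps.net (/etc/apache2/sites-enabled/default-ssl.conf:2)
"""

def parse_vhosts(text):
    """Map port -> {'default': vhost, 'names': [(name_or_alias, vhost), ...]}."""
    table, entry, vhost = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"\S+:(\d+)\s+(.+)", line):
            entry = table.setdefault(int(m[1]), {"default": None, "names": []})
            if not m[2].startswith("is a NameVirtualHost"):  # single vhost on this port
                vhost = m[2].split()[0]
                entry["default"] = vhost
                entry["names"].append((vhost, vhost))
        elif m := re.match(r"default server (\S+)", line):
            entry["default"] = m[1]
        elif m := re.match(r"port \d+ namevhost (\S+)", line):
            vhost = m[1]
            entry["names"].append((vhost, vhost))
        elif m := re.match(r"alias (\S+)", line):
            entry["names"].append((m[1], vhost))
    return table

def serving_vhost(table, host, port=80):
    """Return (vhost, matched_by_name) for a request carrying this Host header."""
    entry = table.get(port)
    if entry is None:
        return None, False
    for pattern, vhost in entry["names"]:
        if fnmatch(host.lower(), pattern.lower()):  # ServerAlias may use wildcards
            return vhost, True
    return entry["default"], False  # no name matched: default (first-listed) vhost

if __name__ == "__main__":
    print(serving_vhost(parse_vhosts(SAMPLE), "vps12001.serveur-vps.net"))
```

For `vps12001.serveur-vps.net` on port 80 it returns `('annonces.cicalm.fr', False)`: no port-80 vhost names that host, so the challenge request would be answered by the default vhost. The connect timeout discussed earlier in the thread is a separate matter.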

@rg305

The amount of times I have found myself saying "I wish things worked X way in Apache", you'd think there were a genie :genie: in there.

I wish Apache would do ServerName/ServerAlias matching only and thus not match against ip:port.

1 Like

Maybe by adding a global toggle switch (feature request).
But, for me, I wouldn't switch it on.
[and needless to say, would opt for another web server altogether - LOL]
[but I don't use a Mac, so I don't really know if there are other choices there]

1 Like

Offtopic: That's a feature. IP based virtualhosts were actually quite necessary when SNI didn't exist or wasn't as widespread.

2 Likes
