[resolved] Cannot renew domain rate.ylnq.innosoft.kmutt.ac.th

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: rate.ylnq.innosoft.kmutt.ac.th

I ran this command: certbot renew

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/support.innosoft.kmutt.ac.th.conf

Cert is due for renewal, auto-renewing…
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Renewing an existing certificate
Attempting to renew cert from /etc/letsencrypt/renewal/support.innosoft.kmutt.ac.th.conf produced an unexpected error: urn:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new authz :: Too many invalid authorizations recently… Skipping.

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/support.innosoft.kmutt.ac.th/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

My web server is (include version): apache 2.4.6

The operating system my web server runs on is (include version): Centos 7

My hosting provider, if applicable, is: own vps

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

wget https://rate.ylnq.innosoft.kmutt.ac.th/
--2017-10-03 10:34:54--  https://rate.ylnq.innosoft.kmutt.ac.th/
Resolving rate.ylnq.innosoft.kmutt.ac.th (rate.ylnq.innosoft.kmutt.ac.th)... 202.44.12.254
Connecting to rate.ylnq.innosoft.kmutt.ac.th (rate.ylnq.innosoft.kmutt.ac.th)|202.44.12.254|:443... connected.
Unable to establish SSL connection.

As you can see, port 443 (for HTTPS auth) is not accessible from the Internet.

Also, the renew request is for “rate…” but the error shows "support…"
This would make sense if the cert was for multiple domains, but it is only for a single domain: https://crt.sh/?id=178155449

After fixing the port 443 access, I would start with:
certbot certificates
and ensure that list is as expected.

Hi @zxsylph,

@rg305’s analysis is right but I would like to add two more pieces of context:

The error that you saw happens when you’ve tried to renew unsuccessfully many times in a row without fixing the problem. Then you are limited in your ability to keep trying. This limitation is removed after one hour and you can try again.

Once the limitation is removed, you’ll get a different error message that explains the nature of the underlying problem. In this case, I think @rg305 is right to say that the problem is probably related to the inability to receive an incoming connection on port 443.

The error message you saw simply says that you’ve made too many attempts to renew in a short period of time without fixing the underlying problem that prevented the renewal from succeeding.

I have made sure that both HTTP and HTTPS
are accessible.
Could you guys check that again?

http://rate.ylnq.innosoft.kmutt.ac.th
https://rate.ylnq.innosoft.kmutt.ac.th

and I have run
certbot certificates

output is
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: rate.ylnq.innosoft.kmutt.ac.th
Domains: rate.ylnq.innosoft.kmutt.ac.th
Expiry Date: 2017-10-22 16:08:00+00:00 (VALID: 18 days)
Certificate Path: /etc/letsencrypt/live/rate.ylnq.innosoft.kmutt.ac.th/fullchain.pem
Private Key Path: /etc/letsencrypt/live/rate.ylnq.innosoft.kmutt.ac.th/privkey.pem

then I run
sudo certbot renew

sudo certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/rate.ylnq.innosoft.kmutt.ac.th.conf

Cert is due for renewal, auto-renewing…
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for rate.ylnq.innosoft.kmutt.ac.th
Waiting for verification…
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/rate.ylnq.innosoft.kmutt.ac.th.conf produced an unexpected error: Failed authorization procedure. rate.ylnq.innosoft.kmutt.ac.th (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Error getting validation data. Skipping.

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/rate.ylnq.innosoft.kmutt.ac.th/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: rate.ylnq.innosoft.kmutt.ac.th
    Type: connection
    Detail: Error getting validation data

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

I got a new error, but I am still trying to find out what is causing the problem.
Could you help me?

I would check the logs for port 443 access from acme-v01.api.letsencrypt.org
Most likely something is blocking those requests.

Unlike @rg305, I think the "Error getting validation data" is not an inbound connection being blocked, but rather a problem in your DNS configuration.

@cpu, could you remind us of what conditions are currently reported under this ACME error? I seem to recall that there was a change that went into the CA software that reorganized this error category a little bit.

We use this detailedError function to try and turn some low level errors into more meaningful error messages to be given to a client. I think you’re thinking of the change @jsha made recently to better describe connection refused errors.

In this case the underlying error was tls-sni-01 connection failure for {dns rate.ylnq.innosoft.kmutt.ac.th}. err=[&errors.errorString{s:"EOF"}] errStr=[EOF]. We don’t have a special case for this unexpected EOF error and so the generic “Error getting validation data” message is used.

Could a firewall or some middlebox be closing the connection prematurely?

Thanks for checking!

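The distinction @cpu draws (a connection that is accepted and then cut off with EOF, rather than refused outright) is exactly what rg305's wget run showed: TCP connected, then the TLS handshake died. The probe below is an added example, not code from this thread, from Certbot or from the CA software; it classifies a host:port the way the discussion does, and ships with a constructed local listener that accepts TCP and immediately closes, standing in for a firewall or middlebox that drops the handshake. Only the hostname in the __main__ block comes from the thread; everything else is assumed.

```python
import socket
import ssl
import threading


def classify_tls_probe(host, port=443, sni=None, timeout=5.0):
    """Probe host:port and report where the connection fails.

    Returns one of: 'dns-failure', 'refused', 'timeout', 'unreachable',
    'closed-during-handshake', 'tls-error', 'ok'.
    'closed-during-handshake' is the case discussed above: TCP connects,
    then the peer (or something in between) drops the connection before
    a TLS handshake completes, which a client sees as EOF or a reset.
    """
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except socket.gaierror:
        return "dns-failure"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError):
        return "timeout"
    except OSError:
        return "unreachable"

    # Reachability probe only: certificate validation is deliberately off,
    # because an expired or mismatched certificate is a different finding.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            tls.getpeercert(binary_form=True)
            return "ok"
    except (ConnectionResetError, BrokenPipeError):
        return "closed-during-handshake"
    except ssl.SSLError as exc:
        if isinstance(exc, ssl.SSLEOFError) or "EOF" in str(exc).upper():
            return "closed-during-handshake"
        return "tls-error"
    except (socket.timeout, TimeoutError):
        return "timeout"
    finally:
        raw.close()


def start_closing_listener():
    """Constructed stand-in for a middlebox that accepts TCP and then drops
    the connection before any TLS handshake. Returns (port, stop_event)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.2)
    port = srv.getsockname()[1]
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            conn.close()  # no ServerHello, no alert: the client just sees EOF/RST
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port, stop


def free_port():
    """Pick a loopback port nothing listens on (constructed 'refused' case)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "rate.ylnq.innosoft.kmutt.ac.th"
    print(host, "->", classify_tls_probe(host, 443, sni=host))
```

Run it from a host outside your own network, since a probe from the VPS itself goes through a different path than the CA's validation request does. A result of 'refused' or 'timeout' points at a firewall or a service that is not listening; 'closed-during-handshake' is the generic "Error getting validation data" case from this thread and points at something between the CA and Apache cutting the connection after TCP is established.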

Thank you all

I solved this problem by changing the command to certonly and using manual mode to specify the challenge type.
The problem was the DNS challenge, and I don't have permission on DNS.

I used the HTTP challenge instead and created the file on the server; everything went smoothly and the certificate renewed successfully.

I’m glad that changing authentication methods worked well for you.

You might want to try --webroot instead of --manual in this case. If you’re running Certbot directly on your web server, the --webroot authentication method can automatically create the challenge file for you within a specified document root directory, instead of simply telling you what the challenge file’s contents should be. This also uses the HTTP-01 challenge, but it’s more automated.

The real benefit of this is that the --webroot method remembers the details of where the document root is located, and it will work with certbot renew for an automated renewal (even an unattended renewal from cron), while the --manual method won’t (it requires you to create the file yourself each time).

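To make the --manual / --webroot comparison concrete, here is an added Python example (not the thread's code and not Certbot's) of what the HTTP-01 challenge actually requires: compute the key authorization from the challenge token and the RFC 7638 thumbprint of the account key's public JWK, write it under <webroot>/.well-known/acme-challenge/<token>, and read it back the way a static file server would serve it to the CA. The JWK member values and the token are constructed placeholders, not a real key; with a real account key its public JWK goes in unchanged. The token check is the caveat worth keeping: tokens are base64url, and anything else must never become a path component.

```python
import base64
import hashlib
import json
import os
import re
import tempfile
from typing import Optional

# ACME tokens are base64url strings; anything else is refused so the token
# can never be used as a path component to escape the challenge directory.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")

# Constructed placeholder values for this example (not a real EC P-256 key).
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "x-constructed", "y": "y-constructed"}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def canonical_jwk(jwk: dict) -> str:
    """RFC 7638 thumbprint input: only the required public members,
    keys in lexicographic order, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    return json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    return b64url(hashlib.sha256(canonical_jwk(jwk).encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """The body the CA expects at /.well-known/acme-challenge/<token>."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def challenge_path(webroot: str, token: str) -> str:
    if not TOKEN_RE.match(token):
        raise ValueError(f"refusing non-base64url token {token!r}")
    return os.path.join(webroot, ".well-known", "acme-challenge", token)


def place_challenge(webroot: str, token: str, jwk: dict) -> str:
    """The step --webroot automates and --manual asks you to do by hand."""
    path = challenge_path(webroot, token)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(key_authorization(token, jwk))
    return path


def simulate_ca_fetch(webroot: str, token: str) -> Optional[str]:
    """Stand-in for the CA's GET http://<domain>/.well-known/acme-challenge/<token>:
    return what a static file server would serve, or None for a 404."""
    try:
        with open(challenge_path(webroot, token), "r", encoding="ascii") as fh:
            return fh.read()
    except FileNotFoundError:
        return None


def validate(webroot: str, token: str, jwk: dict) -> bool:
    """The CA's check: served body must equal the key authorization."""
    body = simulate_ca_fetch(webroot, token)
    return body is not None and body.strip() == key_authorization(token, jwk)


def demo() -> dict:
    """Run the whole flow in a temporary webroot and return the outcomes."""
    with tempfile.TemporaryDirectory() as webroot:
        place_challenge(webroot, SAMPLE_TOKEN, SAMPLE_JWK)
        ok = validate(webroot, SAMPLE_TOKEN, SAMPLE_JWK)
        other_key = dict(SAMPLE_JWK, x="some-other-x")   # wrong account key -> mismatch
        wrong_key = validate(webroot, SAMPLE_TOKEN, other_key)
        missing = validate(webroot, "missingTokenAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", SAMPLE_JWK)
        try:
            challenge_path(webroot, "../../etc/passwd")
            traversal_rejected = False
        except ValueError:
            traversal_rejected = True
    return {"valid": ok, "wrong_key_valid": wrong_key,
            "missing_valid": missing, "traversal_rejected": traversal_rejected}


if __name__ == "__main__":
    print(key_authorization(SAMPLE_TOKEN, SAMPLE_JWK))
    print(demo())
```

The wrong-key case is the one that bites people who rotate or re-create their account key between issuance and renewal: the file is served fine, but the thumbprint no longer matches, so validation fails with a different error than the connection problems in this thread. Before running certbot renew, fetching your own challenge URL over plain HTTP from outside the network (the path is fixed, only the token changes) catches most webroot and vhost misconfigurations without burning failed authorizations against the rate limit.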
