I figured I could wait for SNI to be ready for renewals again, so I didnât stop my renewal cron job.
I just noticed that renewals over SNI should be working.
But unfortunately I have hit a rate limit that I wasnât aware of.
Too many pending authorizationsâŚ
My renewals can wait more than a week. But unfortunately I need to get a new certificate. https://letsencrypt.org/docs/rate-limits/ says I can clear those pending authorizations by following the spec. I have read the âResponding to challengesâ part of the spec and it looks like I could use hours figuring out what to send in nonce, keyAuthorization, and signature.
It would be easier if the certbot client could help clear pending authorizations, but the --help all doesnât mention it.
Same here⌠as I keept the chronjob for renewal activ it now complains about to many open
Processing /etc/letsencrypt/renewal/www.XXX.conf
Cert is due for renewal, auto-renewingâŚ
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for www.XXX
tls-sni-01 challenge for www.XXX_SAN1.ch
tls-sni-01 challenge for www.XXX_SAN2.ch
tls-sni-01 challenge for www.XXX_SAN3.ch
Waiting for verificationâŚ
Cleaning up challenges
Attempting to renew cert (www.XXX) from /etc/letsencrypt/renewal/www.XXX.conf produced an unexpected error: urn:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new cert :: too many certificates already issued for exact set of domains: www.XXX,âŚ: see https://letsencrypt.org/docs/rate-limits/. Skipping.
Stoped the renew cronjob for the moment⌠letâs hope it recovers in a week
I have uploaded a binary of this program here (sha256sum fa7dc041d8e8f04c229fea8ab1132d7c87fa5bb41460a0d2c77c9833e1568c28 ) but I strongly recommend you compile it on your own because I'm not taking the blame if your account key gets hacked.
and got the following out put, if anyone could possibly point me in the right direction?
(I am running Ubuntu 16.04.3, I have Discourse installed and did the mail in a box install after)
"Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer nginx
Running pre-hook command: service nginx stop
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for "mydomain.com"
Cleaning up challenges
Running post-hook command: service nginx start
Hook command âservice nginx startâ returned error code 1
Error output from service:
Job for nginx.service failed because the control process exited with error code. See âsystemctl status nginx.serviceâ and âjournalctl -xeâ for details.
Problem binding to port 80: Could not bind to IPv4 or IPv6.
Following is the output when asking for new certificate.
Did any one get the solution ???
or any other way to install free ssl
Obtaining a new certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
Exiting abnormally:
Traceback (most recent call last):
File â/opt/eff.org/certbot/venv/bin/letsencryptâ, line 11, in
sys.exit(main())
File â/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.pyâ, line 861, in main
return config.func(config, plugins)
File â/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.pyâ, line 698, in run
certname, lineage)
File â/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.pyâ, line 85, in _get_and_save_cert
lineage = le_client.obtain_and_enroll_certificate(domains, certname)
File â/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/client.pyâ, line 357, in obtain_and_enroll_certificate
certr, chain, key, _ = self.obtain_certificate(domains)
File â/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/client.pyâ, line 318, in obtain_certificate
self.config.allow_subset_of_names)
File â/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/auth_handler.pyâ, line 68, in get_authorizations
self._choose_challenges(domains)
File â/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/auth_handler.pyâ, line 103, in _choose_challenges
self.authzr[dom].body.combinations)
File â/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/auth_handler.pyâ, line 374, in gen_challenge_path
return _find_smart_path(challbs, preferences, combinations)
File â/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/auth_handler.pyâ, line 411, in _find_smart_path
_report_no_chall_path()
File â/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/auth_handler.pyâ, line 442, in _report_no_chall_path
raise errors.AuthorizationError(msg)
AuthorizationError: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
I'm using nginx and trying like this:
certbot --authenticator standalone --installer nginx -d mysite.com --pre-hook "service nginx stop" --post-hook "service nginx start"
certbot fails with a TIMEOUT trying to fetch:
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
I'm already read the post on official forum but no of both methods doesn't work. It's just stacking on:
Cleaning up challenges
or giving TIMEOUT ERROR
Is there any way around this yet?
Is there anything outsiders can do to help?
PS: Thanks to all of you for your hard work and I really appreciate you staying on top of the security issues...
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer apache
Running pre-hook command: service apache stop
Hook command "service apache stop" returned error code 5
Error output from service:
Failed to stop apache.service: Unit apache.service not loaded.
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for g6.duckdns.org
Cleaning up challenges
Running post-hook command: service apache start
Hook command "service apache start" returned error code 5
Error output from service:
Failed to start apache.service: Unit apache.service not found.
Problem binding to port 80: Could not bind to IPv4 or IPv6.
Then I tried the other command sudo certbot --authenticator webroot --webroot-path /home/www-data/web2py --installer apache -d g6.duckdns.org
and got this error:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer apache
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for g6.duckdns.org
Using the webroot path /home/www-data/web2py for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. g6.duckdns.org (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://g6.duckdns.org/.well-known/acme-challenge/VjzhxJbLDUJd_Agaeag7_ZySwj1AOlFcAZf9oDVmmpw: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1"
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: g6.duckdns.org
Type: unauthorized
Detail: Invalid response from
http://g6.duckdns.org/.well-known/acme-challenge/VjzhxJbLDUJd_Agaeag7_ZySwj1AOlFcAZf9oDVmmpw:
"<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
Being a newbie, I am not sure what to put in the --webroot-path, so I just put the path to where the files are served, which is /home/www-data/web2py
Now this depreciation it no longer works, based on the thread I was reading here I have to do
certbot --authenticator standalone --installer nginx -d $1
But when I do so I get
File "/opt/certbot/src/certbot/plugins/standalone.py", line 67, in run
raise errors.StandaloneBindError(error, port)
StandaloneBindError: Problem binding to port 80: Could not bind to IPv4 or IPv6.
The site is available over normal http, so it should be able to bind correctly
The nginx is running in a docker container (just as before the depreciation where the certificates getting worked nicely)