[Solved] April 2024 Renewal

Hi, I just solved the configuration issue blocking certbot renewal, and hope to document my process here in case the breadcrumbs help anyone.

First I got an email warning me my certificate was about to expire. I logged into my server and ran sudo certbot -v renew --dry-run which warned me with

As I followed the help link from the certbot documentation (https://certbot.eff.org/), the first thing I noticed was the latest Debian version the site knows about is Debian 10. That's embarrassing, but I chose Debian Testing... (I have Debian 12). It recommended I use the snap version of certbot, so I begrudgingly installed it. My OS version was 2.10, and the snap version once I got it installed was 2.10.0. This made no difference.

The next step was this link: https://letsdebug.net/ This found "Redirect Loop Detected" and recommended using the SSL option 'Full SSL (strict)' -- I checked Cloudflare and it was already set to this setting.

At this point my only clue was the '403' in the output of certbot, so I searched, and found some unrelated threads here on this forum.

I made an account to post my own thread, and lo and behold, the stickied post completely identified my problem: In April 2024, Let's Encrypt made a change that will result in "During secondary validation" errors. I had not thought to search for that keyword before.

I went into Cloudflare and found a setting in Security>WAF that was geoblocking other countries. Instead of turning this off, I added an AND clause to the rule that does not block any URI that contains "/.well-known/acme-challenge/".

This solved my problem.

Experts, let me know if you would do anything different.
Thanks!

7 Likes
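As an added illustration (not from the original poster, and not an official Cloudflare or Let's Encrypt snippet), here is what the geoblocking rule from the post looks like as a Cloudflare WAF custom-rule expression, first in the form that breaks HTTP-01 renewals and then with the exception clause. The country code "US" is an assumed placeholder for whatever the real rule allows; the field names ip.geoip.country and http.request.uri.path and the contains operator are standard Cloudflare Rules language.

```text
# Before (assumed original rule, action: Block):
# blocks every request from outside the allowed country, including the
# HTTP-01 validation requests Let's Encrypt now sends from several
# remote validation centres in different countries.
(ip.geoip.country ne "US")

# After (action still Block):
# same geoblock, but never applied to the ACME challenge path, so the
# validators can fetch the token no matter where they connect from.
(ip.geoip.country ne "US" and not http.request.uri.path contains "/.well-known/acme-challenge/")
```

The exception only lets through requests for the challenge directory itself; everything else from the blocked countries is still denied, which is why this is preferable to disabling the geoblock during renewal. A quick way to confirm the rule works before the real renewal is the same command from the post, sudo certbot renew --dry-run, which exercises the validation path against Let's Encrypt's staging environment without issuing a certificate.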

No, you did well to discover that and correct it on your own. It has come up here many times recently since the addition of the new remote validation centers.

It is a good tip about the "AND" clause in your Cloudflare rule. Thank you

5 Likes
