Summing up the Prologue …
- Self-Hosting with banana Pi M1 over private ADSL
- Set up diaspora-pod with lubuntu 14.04 and StartSSL
- Switched to LE-Certificate since January 2016 with apache-plugin of letsencrypt-auto without any problem with tld.net and pod.tld.net
- First renewal in march worked flawlessly.
- Cert expired a few days ago; tried to renew, but for an unknown reason letsencrypt-auto failed on setting up the environment (I later understood that it couldn't compile cryptography despite having enough memory …). Couldn't activate backports for lubuntu and decided to re-setup the server with Debian Jessie (Bananian, to be exact).
- Installing certbot via backports on jessie-server and restoring /etc/letsencrypt and apache-vhosts
- Calling tld and subdomain in browser results in HSTS-Warning and SEC_ERROR_EXPIRED_CERTIFICATE error.
The actual problem
sudo certbot renewal --apache leads to:
2016-06-18 16:32:35,690:WARNING:certbot.renewal:Attempting to renew cert from /etc/letsencrypt/renewal/pod.tld.net.conf produced an unexpected error: Failed authorization procedure. pod.tld.net (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to 18.104.22.168:443 for TLS-SNI-01 challenge, tld.net (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to 22.214.171.124:443 for TLS-SNI-01 challenge. Skipping.
Which is odd, as obviously the server is connectable since I receive the old expired cert, or do I mix up something?
- Even odder: I checked my IP and actually noticed a different IP from the one in the error message. Copying the IPs into the browser as URL, both reach the server! Seems that the DNS used by LE didn't receive my actual IP (dyndns via ddclient with udmedia as my domain host) yet, but the old one still routes to my server …
I would have expected the renewal to work with both IPs reaching the server and don’t understand why connection seems to fail while SSL is working with expired certs.
How can I step further? Is the failure really caused by the IP mismatch? Or do I have to check elsewhere?
Thanks in advance for your help!
curl 126.96.36.199:443 (old IP used by certbot)
400 Bad Request
Your browser sent a request that this server could not understand.
Reason: You're speaking plain HTTP to an SSL-enabled server port.
Instead use the HTTPS scheme to access this URL, please.
Apache/2.4.10 (Debian) Server at ismus.net Port 443
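The renewal warning quoted above is the whole diagnostic: for a TLS-SNI-01 challenge the CA connects to whatever address the domain's authoritative DNS returns, so the first thing to check is whether the IP in "Failed to connect to x.x.x.x:443" is the address you currently publish. The following script is an added example, not code from the thread or from certbot: it parses that warning format, pulls out each domain, challenge type, ACME error type and target address, and classifies the failure as a stale DNS record versus a real reachability problem on the right address. The log line is the one from the post; CURRENT_PUBLIC_IP is a hypothetical value standing in for what ddclient currently pushes (in practice you would compare against the A record returned by the authoritative nameserver, not a local guess).

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Certbot renewal warning as posted in the thread (one log line, wrapped here).
CERTBOT_WARNING = (
    "2016-06-18 16:32:35,690:WARNING:certbot.renewal:Attempting to renew cert from "
    "/etc/letsencrypt/renewal/pod.tld.net.conf produced an unexpected error: "
    "Failed authorization procedure. pod.tld.net (tls-sni-01): urn:acme:error:connection :: "
    "The server could not connect to the client to verify the domain :: "
    "Failed to connect to 18.104.22.168:443 for TLS-SNI-01 challenge, "
    "tld.net (tls-sni-01): urn:acme:error:connection :: "
    "The server could not connect to the client to verify the domain :: "
    "Failed to connect to 22.214.171.124:443 for TLS-SNI-01 challenge. Skipping."
)

# Hypothetical (constructed) value: the address the dynamic-DNS client publishes now.
CURRENT_PUBLIC_IP = "203.0.113.10"


@dataclass
class ChallengeFailure:
    domain: str
    challenge: str      # e.g. "tls-sni-01"
    error_type: str     # e.g. "urn:acme:error:connection"
    target_ip: str      # address the CA's validation server tried
    target_port: int


# One match per "<domain> (<challenge>): <urn> :: <detail> :: Failed to connect to <ip>:<port>"
FAILURE_RE = re.compile(
    r"(?P<domain>[A-Za-z0-9.-]+) \((?P<challenge>[a-z0-9-]+)\): "
    r"(?P<error>urn:acme:error:\w+) :: (?P<detail>[^:]+) :: "
    r"Failed to connect to (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
)


def parse_failures(line: str) -> List[ChallengeFailure]:
    """Extract every per-domain authorization failure from a certbot renewal warning."""
    return [
        ChallengeFailure(
            domain=m["domain"],
            challenge=m["challenge"],
            error_type=m["error"],
            target_ip=m["ip"],
            target_port=int(m["port"]),
        )
        for m in FAILURE_RE.finditer(line)
    ]


def diagnose(failures: List[ChallengeFailure], current_ip: str) -> Dict[str, str]:
    """Classify each failure:
    - "stale_dns": the CA tried an address that is not the one we publish now,
      so the authoritative A record (not the browser's cached DNS) is out of date.
    - "port_unreachable": the CA tried the right address and still could not
      connect, so look at the firewall, port forwarding or the vhost on that port.
    - "other": not a connection error; the authorization setup itself needs attention.
    """
    findings: Dict[str, str] = {}
    for f in failures:
        if f.error_type != "urn:acme:error:connection":
            findings[f.domain] = "other"
        elif f.target_ip != current_ip:
            findings[f.domain] = "stale_dns"
        else:
            findings[f.domain] = "port_unreachable"
    return findings


if __name__ == "__main__":
    found = parse_failures(CERTBOT_WARNING)
    for f in found:
        print(f"{f.domain}: {f.challenge} -> {f.target_ip}:{f.target_port} ({f.error_type})")
    for domain, verdict in diagnose(found, CURRENT_PUBLIC_IP).items():
        print(f"{domain}: {verdict}")
```

The point of the split between "stale_dns" and "port_unreachable" is that the two look identical from a browser on the LAN: an old record that still routes to the box will happily serve the expired certificate, while the CA, which resolves the name fresh and connects from outside, sees only what authoritative DNS says. Once the A record matches the current address, a renewal attempt is the real test; if it still fails with the right IP in the message, the problem has moved to port 443 reachability or the Apache vhost configuration.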