SOLVED - Failed to renew certificate


#1

i have a cert that will expire today :frowning: Please help…

I ran this command:
certbot-auto renew

Output:
Requesting root privileges to run certbot…
…/letsencrypt/bin/letsencrypt renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/xxxxxxx.id.conf

Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for xxxxxx.id
http-01 challenge for www.xxxxxx.id
Waiting for verification…
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/xxxxxx.id.conf produced an unexpected error: Failed authorization procedure. xxxxx.id (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Could not connect to xxxxxxx.id. Skipping.

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/xxxxxxx.id/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

Output if i run $certbot-auto --keep-until-expiring:

Requesting root privileges to run certbot…
…local/share/letsencrypt/bin/letsencrypt --keep-until-expiring
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Failed to find apache2ctl in PATH: /…

Certbot doesn’t know how to automatically configure the web server on this system. However, it can still get a certificate for you. Please run “certbot-auto certonly” to do so. You’ll need to manually configure your web server to use the resulting certificate.

OS:
Ubuntu 14.04

Web Server:
Nginx

I can login to a root sheel on my machine? Yes


#2

Hi @smallboat,

It would be helpful if you could tell us what the domain name is so we could look into more technical details.

Do you know if anything has changed in your configuration since you first got the certificate? One thing that comes to mind is: did you somehow entirely shut off HTTP service on your site instead of just redirecting it to HTTPS? Did you change your DNS or firewall configuration at all?


#3

mydomain: xxxxxxx.id

I used to run my webserver with Apache. Then, couple months ago, i switch to Nginx and never change DNS. After using LetEncrypt, i shut off the HTTP service. All traffic via HTTPS. Regarding firewall, i remember my server firewall configuration changed after i mistakenly uninstall iptables.


#4

Hi @smallboat,

I think shutting off HTTP is the explanation here!

In order to obtain or renew the certificate, you have to prove to the CA that you control the site in question, which is done by having Certbot make small technical changes to the site that the CA requests. There are 3 different methods for this depending on your configuration. The method that you used as a result of choosing webroot as your authentication plugin requires HTTP to be enabled on the site and can never succeed if it’s unavailable.

Also, when you perform a renewal, Certbot always tries to use the same method that was originally used to obtain the certificate.

In this case I guess you can choose between re-enabling HTTP, or trying to switch the method that Certbot uses to prove your control over the site. I can try to help you with either, but perhaps neither will be very convenient for you. The first one is slightly technically simpler.

What many people in this situation have done is set their web servers to serve an HTTP 301 redirect code from the HTTP version of the site to the HTTPS version, so that if someone just types in the domain name without HTTPS, they get redirected. This kind of configuration can be done with your nginx configuration file, and would probably also be sufficient to fix the renewal process here without making any other changes.


#5

In any case, if you tell nginx to listen to HTTP on port 80 temporarily, the renewal process should work (as long as the web root directory where web content is served from hasn’t changed when you switched from Apache to nginx!). You could then disable it again, if you want, and do more research about your future renewal options over the course of the next 90 days.


#6

Thank you, Schoen. I just manage to renew. Thank you 100x :slight_smile:


#7

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.