[SOLVED] Renew problem after long expiry

I can read answers in English: Yes

My domain name is: cloud.ericdelcamp.fr

I ran this command: certbot renew

It produced this output: (See below)

My web server is (include version): Apache 2.2.41

The operating system my web server runs on is (include version): Ubuntu 20.04

I can log in to a root shell on my machine (yes or no, or I don't know): Yes

I forgot for a long time to renew my certificate. Then, when I tried:

# certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/cloud.ericdelcamp.fr.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for cloud.ericdelcamp.fr
Waiting for verification...
Challenge failed for domain cloud.ericdelcamp.fr
http-01 challenge for cloud.ericdelcamp.fr
Cleaning up challenges
Attempting to renew cert (cloud.ericdelcamp.fr) from /etc/letsencrypt/renewal/cloud.ericdelcamp.fr.conf produced an unexpected error: Some challenges have failed.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/cloud.ericdelcamp.fr/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/cloud.ericdelcamp.fr/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: cloud.ericdelcamp.fr
   Type:   connection
   Detail: Fetching
   http://cloud.ericdelcamp.fr/.well-known/acme-challenge/CsOGuvF23S6Z_AMBW8j_2tEB8GJ8GLRAR1CqC3im1B8:
   Timeout during connect (likely firewall problem)

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.


# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: cloud.ericdelcamp.fr
    Domains: cloud.ericdelcamp.fr
    Expiry Date: 2020-07-31 01:17:30+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/cloud.ericdelcamp.fr/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/cloud.ericdelcamp.fr/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

# netstat -pant | grep -i listen
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      9783/systemd-resolv
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      173/sshd: /usr/sbin
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      417/master
tcp6       0      0 :::22                   :::*                    LISTEN      173/sshd: /usr/sbin
tcp6       0      0 :::36602                :::*                    LISTEN      356/xinetd
tcp6       0      0 :::443                  :::*                    LISTEN      678/apache2
tcp6       0      0 :::80                   :::*                    LISTEN      678/apache2
2 Likes

Hi and welcome to LE community forum!

Please excuse my English.

Indeed HTTP port 80 appears to be closed.
It is required for HTTP authentication.
See: https://letsdebug.net/cloud.ericdelcamp.fr/351177

curl -4Iki cloud.ericdelcamp.fr
curl: (7) Failed to connect to cloud.ericdelcamp.fr port 80: Connection timed out

curl -6Iki cloud.ericdelcamp.fr
curl: (7) Failed to connect to cloud.ericdelcamp.fr port 80: Connection timed out

Also note that there are two IP addresses:

Name:    ericdelcamp.fr
Addresses:  2a01:e0a:3ba:cf70::1
          91.174.235.61
Aliases:  cloud.ericdelcamp.fr

And LE will prefer IPv6 when available.

3 Likes
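An added example, not part of the original posts: the curl checks above, generalised to every A/AAAA address the name publishes, so that a local LISTEN line in netstat is not mistaken for outside reachability. Run it from a host outside the server's network; the function names are hypothetical, and with no argument it replays constructed results for the two addresses quoted in the thread.

```python
import socket
import sys

LABELS = {socket.AF_INET6: "IPv6", socket.AF_INET: "IPv4"}

def resolve(host, port=80):
    """Return the addresses the system resolver publishes for host, per family."""
    found = {"IPv6": [], "IPv4": []}
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return found
    for family, _, _, _, sockaddr in infos:
        label = LABELS.get(family)
        if label and sockaddr[0] not in found[label]:
            found[label].append(sockaddr[0])
    return found

def probe(addr, port=80, timeout=5.0):
    """TCP-connect to one literal address from wherever this script runs."""
    family = socket.AF_INET6 if ":" in addr else socket.AF_INET
    try:
        with socket.socket(family, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect((addr, port))
        return "open"
    except socket.timeout:
        return "timeout"      # packets dropped: firewall or missing port forward
    except OSError:
        return "unreachable"  # refused, no route, or family unsupported locally

def check_http01(host, port=80, timeout=5.0, resolver=resolve, prober=probe):
    """Probe every published address; ok only if all of them accept connections."""
    found = resolver(host, port)
    results = {a: prober(a, port, timeout)
               for fam in ("IPv6", "IPv4") for a in found[fam]}
    ok = bool(results) and all(state == "open" for state in results.values())
    return ok, results

if __name__ == "__main__":
    if len(sys.argv) > 1:
        ok, results = check_http01(sys.argv[1])
    else:  # constructed replay of the thread: both records published, both time out
        fake = {"IPv6": ["2a01:e0a:3ba:cf70::1"], "IPv4": ["91.174.235.61"]}
        ok, results = check_http01("cloud.ericdelcamp.fr", resolver=lambda h, p: fake,
                                   prober=lambda a, p, t: "timeout")
    for addr, state in results.items():
        print(f"{addr:40} port 80: {state}")
    sys.exit(0 if ok else 1)
```

A "timeout" result corresponds to the "Timeout during connect" detail in the certbot output; an address that shows anything other than "open" should be fixed or have its DNS record removed before the next renewal attempt.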

I will delete the IPv6 DNS entry for that domain.
Port 80 is open and Apache is listening on it. But LetsEncrypt created a redirection to port 443 in the Apache config file:

RewriteEngine on
RewriteCond %{SERVER_NAME} =cloud.ericdelcamp.fr
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

Should I remove it? How could the renewal work if that rewrite rule is added by certbot?

1 Like

LE will follow redirects.
But it has to start from HTTP.

2 Likes

OK, I found the problem. My provider changed my connection from ADSL to FTTH last month, but I lost the static IP option, and its home router can only do port redirection if I have a static address. So I asked for one, and that will make everything OK, I think.

2 Likes
# certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/cloud.ericdelcamp.fr.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for cloud.ericdelcamp.fr
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/cloud.ericdelcamp.fr/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/cloud.ericdelcamp.fr/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2 Likes