SSL renew problem

I am facing this problem. Can anybody help me with this?

[root@www sites-available]# certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/sonicfiber.pk-0001.conf


Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for sonicfiber.pk
tls-sni-01 challenge for www.sonicfiber.pk
Cleaning up challenges
Attempting to renew cert (sonicfiber.pk-0001) from /etc/letsencrypt/renewal/sonicfiber.pk-0001.conf produced an unexpected error: Problem binding to port 443: Could not bind to IPv4 or IPv6… Skipping.


Processing /etc/letsencrypt/renewal/sonicfiber.pk.conf


Cert not yet due for renewal
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/sonicfiber.pk-0001/fullchain.pem (failure)


The following certs are not due for renewal yet:
/etc/letsencrypt/live/sonicfiber.pk/fullchain.pem expires on 2019-02-06 (skipped)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/sonicfiber.pk-0001/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

You’re using the standalone plugin authenticator, which spins up its own webserver on port 80 (for the currently recommended http challenge) or on port 443 (for the deprecated tls-sni challenge you’re currently using). But it seems another application is listening on your port 443. And probably on your port 80 too.

Is that the case?

Can you help me out in this case?

[root@www ~]# netstat -nap | grep 80
tcp 0 64 202.63.197.101:2222 202.63.215.48:56805 ESTABLISHED 59907/sshd: root@pt
tcp6 0 0 :::80 :::* LISTEN 41830/httpd
tcp6 0 1 2400:1a80::20c:29:42684 2a04:4e42:400::223:443 SYN_SENT 42248/python2.7
unix 2 [ ACC ] STREAM LISTENING 17980 1467/master private/lmtp
unix 3 STREAM CONNECTED 5731800 772/dbus-daemon /var/run/dbus/system_bus_socket
unix 2 DGRAM 18009 1060/snmpd
[root@www ~]# netstat -nap | grep 443
tcp6 0 0 :::443 :::* LISTEN 41830/httpd
tcp6 0 1 2400:1a80::20c:29:42684 2a04:4e42:400::223:443 SYN_SENT 42248/python2.7
[root@www ~]#

Osiris

Still waiting for your response on it.

Hi @fayaz

tls-sni-01 is deprecated, so don't use it.

certbot renew --preferred-challenges http

If this doesn't work, share your log and add the --debug-challenges parameter to find the place where certbot saves the file.

https://certbot.eff.org/docs/using.html

--debug-challenges After setting up challenges, wait for user input before submitting to CA

Hi,
I tried it as well but its does work. Can you help me on that…

[root@www acme-challenge]# certbot renew --preferred-challenges http --debug-challenges
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/sonicfiber.pk-0001.conf


Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for sonicfiber.pk
http-01 challenge for www.sonicfiber.pk
Waiting for verification…


Challenges loaded. Press continue to submit to CA. Pass “-v” for more info about
challenges.


Cleaning up challenges
Attempting to renew cert (sonicfiber.pk-0001) from /etc/letsencrypt/renewal/sonicfiber.pk-0001.conf produced an unexpected error: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type :: Error finalizing order :: too many certificates already issued for exact set of domains: sonicfiber.pk,www.sonicfiber.pk: see https://letsencrypt.org/docs/rate-limits/. Skipping.


Processing /etc/letsencrypt/renewal/sonicfiber.pk.conf


Cert not yet due for renewal
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/sonicfiber.pk-0001/fullchain.pem (failure)


The following certs are not due for renewal yet:
/etc/letsencrypt/live/sonicfiber.pk/fullchain.pem expires on 2019-02-06 (skipped)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/sonicfiber.pk-0001/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

Why do you want to renew a certificate if you already have 5 new certificates created today?

https://transparencyreport.google.com/https/certificates?cert_search_auth=&cert_search_cert=&cert_search=include_expired:false;include_subdomains:false;domain:sonicfiber.pk&lu=cert_search

Your renew works.

If you use "Installer none", you have to install your certificate manually.

I couldn't get the certificate. How can I install that one? Can you help me and guide me properly on this?

Check your certificates with

certbot certificates

And read

Now

your non-www is correct. But your www uses the wrong certificate, only with the non-www domain name.

But you have certificates with two names, created today:

https://transparencyreport.google.com/https/certificates/J63jd4XvLTz4zoAQLaKvuszmD9fwcYg4izqM9Mo8Msc%3D

So use certbot certificates to find one of these and use this certificate.

I'm in timezone CET (UTC+1), my post was made just before I left for work, so yes, you were waiting :)

@JuergenAuer He's using the standalone plugin but also has a webserver running on port 80. So changing from tls-sni to http doesn't really work, @fayaz needs to change the authenticator plugin to either apache/nginx or the webroot plugin.

@fayaz Is there a specific reason you're running the standalone plugin? Did you use some sort of guide the first time you issued a certificate? If so, which one? Also, which webserver are you running?

That looks like you're running Apache on ports 80 and 443.
So you should NOT be using --standalone.
Try:
certbot renew --apache --preferred-challenges http

If you run into any problems, please show:
certbot --version
apache2 -v
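
Added example, not part of any post in this thread: a shell check for the conflict diagnosed above, where a renewal config selects the standalone authenticator while a web server already holds ports 80 and 443. The function names and the renewal-config text are constructed for illustration; the listener lines are modelled on the netstat output posted in the thread.

```shell
#!/bin/sh
# Constructed sample of a certbot renewal config (real ones live in
# /etc/letsencrypt/renewal/*.conf); only the authenticator line matters here.
SAMPLE_CONF='[renewalparams]
authenticator = standalone
server = https://acme-v02.api.letsencrypt.org/directory'

# Lines in `netstat -nap` format, modelled on the output in the thread.
SAMPLE_NETSTAT='tcp 0 64 202.63.197.101:2222 202.63.215.48:56805 ESTABLISHED 59907/sshd
tcp6 0 0 :::80 :::* LISTEN 41830/httpd
tcp6 0 0 :::443 :::* LISTEN 41830/httpd
unix 2 DGRAM 18009 1060/snmpd'

# Print the authenticator named in renewal-config text read from stdin.
authenticator_of() {
    awk -F'[ \t]*=[ \t]*' '$1 == "authenticator" { print $2; exit }'
}

# Print the PID/program LISTENing on exactly TCP port $1 (netstat text on stdin).
# Comparing the port field avoids the unrelated hits a plain `grep 80` returns.
listener_on() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            n = split($4, part, ":")
            if (part[n] == port) { print $7; exit }
        }'
}

# check_renewal CONF_TEXT NETSTAT_TEXT: report ports the standalone
# authenticator would need that another process already holds.
# Returns 1 when a conflict is found, 0 otherwise.
check_renewal() {
    auth=$(printf '%s\n' "$1" | authenticator_of)
    if [ "$auth" != "standalone" ]; then
        echo "ok: authenticator=$auth"
        return 0
    fi
    rc=0
    for port in 80 443; do
        owner=$(printf '%s\n' "$2" | listener_on "$port")
        if [ -n "$owner" ]; then
            echo "conflict: standalone needs port $port, held by $owner"
            rc=1
        fi
    done
    return $rc
}

check_renewal "$SAMPLE_CONF" "$SAMPLE_NETSTAT" || true
```

On a live host, pass the contents of the renewal file and the output of `netstat -nap` as the two arguments instead of the samples.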
