SSL renew problem


#1

I am facing this problem, can anybody help me on this?

[root@www sites-available]# certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/sonicfiber.pk-0001.conf


Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for sonicfiber.pk
tls-sni-01 challenge for www.sonicfiber.pk
Cleaning up challenges
Attempting to renew cert (sonicfiber.pk-0001) from /etc/letsencrypt/renewal/sonicfiber.pk-0001.conf produced an unexpected error: Problem binding to port 443: Could not bind to IPv4 or IPv6… Skipping.


Processing /etc/letsencrypt/renewal/sonicfiber.pk.conf


Cert not yet due for renewal
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/sonicfiber.pk-0001/fullchain.pem (failure)


The following certs are not due for renewal yet:
/etc/letsencrypt/live/sonicfiber.pk/fullchain.pem expires on 2019-02-06 (skipped)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/sonicfiber.pk-0001/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)


#2

You’re using the standalone plugin authenticator, which spins up its own webserver on port 80 (for the currently recommended http challenge) or on port 443 (for the deprecated tls-sni challenge you’re currently using). But it seems another application is listening on your port 443. And probably on your port 80 too.

Is that the case?


#3

Can you help me out in this case?

[root@www ~]# netstat -nap | grep 80
tcp 0 64 202.63.197.101:2222 202.63.215.48:56805 ESTABLISHED 59907/sshd: root@pt
tcp6 0 0 :::80 :::* LISTEN 41830/httpd
tcp6 0 1 2400:1a80::20c:29:42684 2a04:4e42:400::223:443 SYN_SENT 42248/python2.7
unix 2 [ ACC ] STREAM LISTENING 17980 1467/master private/lmtp
unix 3 STREAM CONNECTED 5731800 772/dbus-daemon /var/run/dbus/system_bus_socket
unix 2 DGRAM 18009 1060/snmpd
[root@www ~]# netstat -nap | grep 443
tcp6 0 0 :::443 :::* LISTEN 41830/httpd
tcp6 0 1 2400:1a80::20c:29:42684 2a04:4e42:400::223:443 SYN_SENT 42248/python2.7
[root@www ~]#


#4

Osiris

Still waiting for your response on it.


#5

Hi @fayaz

The tls-sni-01 is deprecated. So don't use it.

certbot renew --preferred-challenges http

If this doesn't work, share your log and add the --debug-challenges parameter to find the place where certbot saves the file.

--debug-challenges    After setting up challenges, wait for user input before submitting to CA


#6

Hi,
I tried it as well but it doesn't work, can you help me on that…

[root@www acme-challenge]# certbot renew --preferred-challenges http --debug-challenges
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/sonicfiber.pk-0001.conf


Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for sonicfiber.pk
http-01 challenge for www.sonicfiber.pk
Waiting for verification…


Challenges loaded. Press continue to submit to CA. Pass “-v” for more info about
challenges.


Cleaning up challenges
Attempting to renew cert (sonicfiber.pk-0001) from /etc/letsencrypt/renewal/sonicfiber.pk-0001.conf produced an unexpected error: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type :: Error finalizing order :: too many certificates already issued for exact set of domains: sonicfiber.pk,www.sonicfiber.pk: see https://letsencrypt.org/docs/rate-limits/. Skipping.


Processing /etc/letsencrypt/renewal/sonicfiber.pk.conf


Cert not yet due for renewal
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/sonicfiber.pk-0001/fullchain.pem (failure)


The following certs are not due for renewal yet:
/etc/letsencrypt/live/sonicfiber.pk/fullchain.pem expires on 2019-02-06 (skipped)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/sonicfiber.pk-0001/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)


#7

Why do you want to renew a certificate if you already have 5 new certificates created today?

https://transparencyreport.google.com/https/certificates?cert_search_auth=&cert_search_cert=&cert_search=include_expired:false;include_subdomains:false;domain:sonicfiber.pk&lu=cert_search

Your renew works.

If you use "Installer None", you have to install your certificate manually.


#8

I couldn't get the certificate… how can I install that one? Can you help me and guide me properly on this?


#9

Check your certificates with

certbot certificates

And read


#10

Now

Your non-www is correct. But your www uses the wrong certificate, one with only the non-www domain name.

But you have certificates with two names, created today:

https://transparencyreport.google.com/https/certificates/J63jd4XvLTz4zoAQLaKvuszmD9fwcYg4izqM9Mo8Msc%3D

So use certbot certificates to find one of these and use this certificate.


#11

I'm in timezone CET (UTC+1), my post was made just before I left for work, so yes, you were waiting :)

@JuergenAuer He’s using the standalone plugin but also has a webserver running on port 80. So changing from tls-sni to http doesn’t really work, @fayaz needs to change the authenticator plugin to either apache/nginx or the webroot plugin.

@fayaz Is there a specific reason you’re running the standalone plugin? Did you use some sort of guide the first time you issued a certificate? If so, which one? Also, which webserver are you running?


#12

That looks like you're running Apache on ports 80 and 443.
So you should NOT be using --standalone.
Try:
certbot renew --apache --preferred-challenges http

If you run into any problems, please show:
certbot --version
apache2 -v
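An added example, not from anyone in this thread, that automates the diagnosis made by hand in #2, #11 and #12: it parses `netstat -nap` output by local port and LISTEN state (so a `grep 80` false match such as an sshd session on port 2222 is ignored) and picks a certbot authenticator that will not collide with the web server already holding ports 80/443. The sample listing is constructed and uses documentation addresses.

```python
import re

# Constructed sample of `netstat -nap` output, modelled on the listing in #3
# (not the poster's real output; addresses are from documentation ranges).
SAMPLE_NETSTAT = """\
tcp        0     64 192.0.2.10:2222        198.51.100.7:56805      ESTABLISHED 59907/sshd: root@pt
tcp6       0      0 :::80                  :::*                    LISTEN      41830/httpd
tcp6       0      1 2001:db8::1:42684      2001:db8::2:443         SYN_SENT    42248/python2.7
tcp6       0      0 :::443                 :::*                    LISTEN      41830/httpd
unix  2      [ ACC ]     STREAM     LISTENING     17980    1467/master          private/lmtp
"""

# Ports the standalone plugin must bind itself, and the challenge each serves.
ACME_PORTS = {80: "http-01", 443: "tls-sni-01 (deprecated)"}


def listeners(netstat_output):
    """Return {local_port: 'pid/program'} for TCP sockets in LISTEN state.

    Keying on the local port avoids the `grep 80` trap seen in #3, where
    an sshd session on port 2222 and a unix-socket inode also matched.
    """
    found = {}
    for line in netstat_output.splitlines():
        cols = line.split()
        if len(cols) < 7 or not cols[0].startswith("tcp"):
            continue
        local, state, proc = cols[3], cols[5], cols[6]
        if state != "LISTEN" or not re.search(r":\d+$", local):
            continue
        found[int(local.rsplit(":", 1)[1])] = proc
    return found


def recommend_authenticator(netstat_output):
    """Pick the certbot authenticator that can complete a challenge on this host.

    Returns (authenticator, notes). 'standalone' only when 80 and 443 are free,
    matching the advice in #11/#12 that standalone cannot share the port.
    """
    busy = listeners(netstat_output)
    held = {p: busy[p] for p in ACME_PORTS if p in busy}
    if not held:
        return "standalone", []
    notes = [f"port {p} ({ACME_PORTS[p]}) is held by {proc}" for p, proc in held.items()]
    program = next(iter(held.values())).split("/", 1)[-1]
    if "httpd" in program or "apache" in program:
        return "apache", notes       # certbot renew --apache --preferred-challenges http
    if "nginx" in program:
        return "nginx", notes
    return "webroot", notes          # unknown server: serve the token from its docroot
```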