Strange renewal failure


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: hornnes-ikt.privat.net

I ran these commands: sudo certbot renew --dry-run and then sudo certbot renew

They produced this output:

Processing /etc/letsencrypt/renewal/support.hornnes-ikt.privat.net.conf
Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for support.hornnes-ikt.privat.net
Waiting for verification…
Cleaning up challenges

new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/support.hornnes-ikt.privat.net/fullchain.pem

** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/support.hornnes-ikt.privat.net/fullchain.pem (success)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)

IMPORTANT NOTES:

  • Your account credentials have been saved in your Certbot
    configuration directory at /etc/letsencrypt. You should make a
    secure backup of this folder now. This configuration directory will
    also contain certificates and private keys obtained by Certbot so
    making regular backups of this folder is ideal.

support@support:~$ sudo certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/support.hornnes-ikt.privat.net.conf

Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for support.hornnes-ikt.privat.net
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (support.hornnes-ikt.privat.net) from /etc/letsencrypt/renewal/support.hornnes-ikt.privat.net.conf produced an unexpected error: Failed authorization procedure. support.hornnes-ikt.privat.net (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested ed991d79be8a7058ea0790d1f49435b7.e949ccbaa75a05dde3fcd21dbebf2591.acme.invalid from 81.166.59.29:443. Received 1 certificate(s), first certificate had names "netgear vpn firewall ". Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/support.hornnes-ikt.privat.net/fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/support.hornnes-ikt.privat.net/fullchain.pem (failure)

1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: support.hornnes-ikt.privat.net
    Type: unauthorized
    Detail: Incorrect validation certificate for tls-sni-01 challenge.
    Requested
    ed991d79be8a7058ea0790d1f49435b7.e949ccbaa75a05dde3fcd21dbebf2591.acme.invalid
    from 81.166.59.29:443. Received 1 certificate(s), first certificate
    had names "netgear vpn firewall "

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

My web server is (include version): Apache 2 2.4.29

The operating system my web server runs on is (include version): Ubuntu 18.04

My hosting provider, if applicable, is: none

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

What is strange is this: I had no errors when I first installed the first certbot certificate. Furthermore, the dry run ran ok. The response is strange as the address 81.166.56.29 is correctly registered externally in DNS as belonging to this server: support.hornnes-ikt.privat.net which is making the request.

The "Received 1 certificate(s), first certificate had names "netgear vpn firewall "" response is also strange. The support server is connected to the internet via a Netgear vpn firewall router which redirects all traffic to 81.166.55.29 to the internal server. The router does not have a host or domain name so I don’t understand the problem here - especially since the same router was in place when I installed the first certificate.

In addition, I now have another issue. I thought to try using the following command sudo certbot renew --apache, but that threw up a new can of worms, saying that I had exceeded the limit of invalid authorizations - 5, I believe - and that I now have to wait a week to try all of this again. My certificate expires tomorrow.

Can I reset the whole mess by uninstalling the entire certbot package, or are the failed authentications saved on a central site somewhere?


#2

Hi @perryhs

There is nothing strange. Your dry run uses http-01 validation.

But your main-system validation uses tls-sni-01 validation:

tls-sni-01 is deprecated, support ends 2019-02-13.

So use

certbot renew --preferred-challenges http

so that you use the http challenge with the main system.


#3

Ok, but with certbot, my system is now https only. HTTP is deactivated. Do I use preferred-challenges https instead?


#4

Thanks. certbot renew --preferred-challenges http worked like a charm!


#5

The certificate domain control validation still happens on port 80 with the HTTP-01 challenge regardless of whether you ordinarily use port 80 for anything. There is no HTTPS-01 challenge. There once was, but it had some security problems and was removed before Let’s Encrypt launched.


#6

If you have used the tls-sni-01 validation, your configuration may have the standalone-authentication.

So Certbot creates a temporary webserver -> new port 80.

But there is a self signed certificate:

C=US, O=Netgear Inc., OU=Netgear Prosafe, CN="Netgear VPN Firewall " 13.03.2011 - 10.03.2021


#7

It seems like it doesn’t forward all traffic to the other server.

The failed authorization rate limit is over a period of 1 hour, not 1 week.


#8

First of all, I would like to kindly thank everyone who replied to this issue. In reply to mnordhoff, I have disabled http on both the router and partially on the server, so I expect that the timeout would be normal. The IPv6 https was originally enabled, but is currently disabled (cable removed) because of a suspected hack by a former employee. So also that timeout is expected. The last one, though, seems to stop up at the configuration page of the router. I think I know why and will have to look more closely at the traffic between the two. I do have one last question though: The response from certbot included this passage:

Received 1 certificate(s), first certificate had names "netgear vpn firewall "

Does this mean that I am getting two certificates - one for the router and one for the server?


#9

No, it means that Certbot is trying to use the TLS-SNI-01 method on port 443 but the firewall isn’t passing the connection through to the web server. Instead, the firewall is answering the request itself.

It’s possible that the firewall sometimes passes through connections on port 443, but not all connections.

Fixing this problem at the firewall isn’t very worthwhile because the TLS-SNI-01 challenge will stop being supported at all in spring 2019.

If you use --preferred-challenges http, you will not get this particular error because Certbot will instead use the HTTP-01 challenge.
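A small pre-flight check that turns the diagnosis in #2 and #9 into code (added example, not from the thread or from Certbot): it reads which challenge a renewal config would use, flags tls-sni-01, and classifies whose certificate answers on port 443. The `pref_challs` key is assumed to be what certbot writes for `--preferred-challenges`; the live probe assumes the third-party `cryptography` package; the config and error text are constructed from this thread.

```python
import re
import socket
import ssl

DOMAIN = "support.hornnes-ikt.privat.net"  # the domain from this thread

# Constructed sample of /etc/letsencrypt/renewal/<name>.conf; pref_challs is
# assumed to be the key certbot writes for --preferred-challenges.
SAMPLE_CONF = "[renewalparams]\nauthenticator = apache\ninstaller = apache\npref_challs = tls-sni-01,\n"

# The error text certbot printed in the thread, used as sample input.
SAMPLE_ERROR = ('Incorrect validation certificate for tls-sni-01 challenge. '
                'Received 1 certificate(s), first certificate had names '
                '"netgear vpn firewall "')


def parse_renewal_conf(text):
    """Tiny INI-style reader returning {section: {key: value}}."""
    conf, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line.strip("[]")
            conf[section] = {}
        elif "=" in line and section:
            key, _, val = line.partition("=")
            conf[section][key.strip()] = val.strip()
    return conf


def preferred_challenges(conf):
    """Challenge order from pref_challs; [] means certbot's default order,
    which for this thread's certbot version fell back to tls-sni-01."""
    raw = conf.get("renewalparams", {}).get("pref_challs", "")
    return [c.strip() for c in raw.split(",") if c.strip()]


def names_from_error(msg):
    """Pull the presented names out of certbot's 'had names "..."' message."""
    return [m.strip().lower() for m in re.findall(r'"([^"]*)"', msg)]


def classify(names, expected=DOMAIN):
    """'server' if the expected name was presented on :443, otherwise
    'intercepted' (another device, e.g. the Netgear firewall, answered)."""
    return "server" if expected.lower() in names else "intercepted"


def presented_names(host, port=443, timeout=5):
    """Live probe: connect with SNI=host, skip trust checks (we only want
    the names), and return CN + SAN DNS names of the leaf certificate."""
    from cryptography import x509  # assumed installed for the live probe
    ctx = ssl.create_default_context()
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as s:
        with ctx.wrap_socket(s, server_hostname=host) as tls:
            cert = x509.load_der_x509_certificate(tls.getpeercert(True))
    names = [a.value for a in cert.subject.get_attributes_for_oid(x509.NameOID.COMMON_NAME)]
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName)
        names += san.value.get_values_for_type(x509.DNSName)
    except x509.ExtensionNotFound:
        pass
    return [n.strip().lower() for n in names]
```

Run `classify(presented_names(DOMAIN))` from outside the firewall; "intercepted" reproduces the thread's failure before certbot ever hits the rate limit, and `pref_challs = http-01,` after `certbot renew --preferred-challenges http` is the state you want to see in the renewal config.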