Timeout trying to renew cert for multiple domains

Unable to renew a certificate for multiple domains. As far as I can tell, .well-known is accessible on all of them, I have disabled IPv6, and no firewall should be blocking ports 80 or 443. This happens every time I have to renew; sometimes doing new certificates works, and sometimes it just seems to work at random after a while, but I've never understood the problem, and this time I can't get past it with certbot renew, so I would like some help. Letsdebug shows all domains OK.

My domain is:
robinince.net
www.robinince.net
www.anacarlamiranda.com
robince.net
www.robince.net

I ran this command:
certbot renew --dry-run --preferred-challenge http

It produced this output:
RUN 1:
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/www.robince.net.conf


Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.robince.net
http-01 challenge for www.robinince.net
http-01 challenge for robince.net
http-01 challenge for robinince.net
http-01 challenge for www.anacarlamiranda.com
Using the webroot path /var/www/html-www.robinince.net/_site for all unmatched domains.
Waiting for verification…
Challenge failed for domain robinince.net
Challenge failed for domain www.anacarlamiranda.com
http-01 challenge for robinince.net
http-01 challenge for www.anacarlamiranda.com
Cleaning up challenges
Attempting to renew cert (www.robince.net) from /etc/letsencrypt/renewal/www.robince.net.conf produced an unexpected error: Some challenges have failed… Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/www.robince.net/fullchain.pem (failure)


** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/www.robince.net/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

RUN 2 (note that the domains that fail are different each time):
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/www.robince.net.conf


Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for robinince.net
http-01 challenge for www.anacarlamiranda.com
http-01 challenge for robince.net
http-01 challenge for www.robince.net
http-01 challenge for www.robinince.net
Using the webroot path /var/www/html-www.robinince.net/_site for all unmatched domains.
Waiting for verification…
Challenge failed for domain www.robince.net
Challenge failed for domain www.robinince.net
http-01 challenge for www.robince.net
http-01 challenge for www.robinince.net
Cleaning up challenges
Attempting to renew cert (www.robince.net) from /etc/letsencrypt/renewal/www.robince.net.conf produced an unexpected error: Some challenges have failed… Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/www.robince.net/fullchain.pem (failure)


** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/www.robince.net/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

My web server is (include version):
Apache 2.4.6

The operating system my web server runs on is (include version):
Centos 7

My hosting provider, if applicable, is:
Linode

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 1.3.0


There are several things to consider and may be playing a part in this issue.

  1. The source IP validating the request may vary (not always the same one, nor same continent).
  2. Previously (recently) authorized domains may not require revalidation.
  3. GeoLocation blocking is NOT a friend of LE authentication requests.
  4. Other local firewall type programs that block inbound HTTP can be problematic (e.g. Fail2Ban).

I would suggest trying to renew each cert individually, to see if the problem is in any way related to only certain names [not likely, but worth ruling out].
Then ensure there are no inbound HTTP blocks.
My money is on GeoLocation blocking.

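Points 1 and 4 above suggest a concrete check: look in the Apache access log for the validator fetches of /.well-known/acme-challenge/<token> and see which source addresses actually reached the server. The script below is an added example, not code from this thread; it parses combined-format log lines (on CentOS 7 the default file is /var/log/httpd/access_log), groups the challenge requests by token and source address, and reports tokens that were answered with a non-200 status or fetched by fewer distinct addresses than expected. The log lines are constructed, the addresses are documentation ranges rather than real Let's Encrypt validators, and the `expected_validators` threshold is an assumed parameter, not a published figure.

```python
"""Audit an Apache access log for ACME http-01 validation fetches.

Added example, not from the thread. Connections dropped by a firewall
never reach Apache, so a token that shows fewer source addresses than
expected (or no requests at all) points at a block in front of the web
server rather than at the webroot or vhost configuration.
"""
import re
from collections import defaultdict

# Apache "combined" format: client, identd, user, [timestamp], "request", status, size, ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"

# Constructed sample log lines (documentation-range addresses, made-up tokens).
SAMPLE_LOG = """\
192.0.2.10 - - [10/Mar/2020:14:02:11 +0000] "GET /.well-known/acme-challenge/tokAAA HTTP/1.1" 200 87 "-" "validator"
198.51.100.20 - - [10/Mar/2020:14:02:11 +0000] "GET /.well-known/acme-challenge/tokAAA HTTP/1.1" 200 87 "-" "validator"
203.0.113.30 - - [10/Mar/2020:14:02:12 +0000] "GET /.well-known/acme-challenge/tokBBB HTTP/1.1" 200 87 "-" "validator"
192.0.2.10 - - [10/Mar/2020:14:02:12 +0000] "GET /.well-known/acme-challenge/tokCCC HTTP/1.1" 404 209 "-" "validator"
198.51.100.20 - - [10/Mar/2020:14:02:13 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "curl/7.29.0"
"""


def parse(line):
    """Return the fields of one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def challenge_hits(lines):
    """Map token -> list of (source address, status) for every acme-challenge request."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec["path"].startswith(CHALLENGE_PREFIX):
            token = rec["path"][len(CHALLENGE_PREFIX):].split("?")[0]
            hits[token].append((rec["src"], rec["status"]))
    return hits


def audit(lines, expected_validators=2):
    """Return {token: [problem descriptions]} for tokens that look wrong.

    expected_validators is an assumption: how many distinct validator
    addresses you expect to see per token. Set it from a known-good run.
    """
    problems = {}
    for token, seen in challenge_hits(lines).items():
        issues = []
        sources = {src for src, _ in seen}
        bad = sorted({status for _, status in seen if status != 200})
        if bad:
            issues.append(f"non-200 responses: {bad}")
        if len(sources) < expected_validators:
            issues.append(f"only {len(sources)} source address(es) reached the token; "
                          f"other vantage points may be blocked before Apache")
        if issues:
            problems[token] = issues
    return problems


if __name__ == "__main__":
    for token, issues in sorted(audit(SAMPLE_LOG.splitlines()).items()):
        print(token)
        for issue in issues:
            print("  -", issue)
```

To use it on a real box, replace `SAMPLE_LOG.splitlines()` with the lines of the access log for the vhost serving the webroot, run `certbot renew --dry-run` and compare the tokens certbot placed in the webroot with what the log shows. Tokens that were served 200 to every address that reached them but still failed are the ones to look for in the firewall counters (`iptables -L INPUT -v -n`) rather than in Apache.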

And in an unrelated story…
https://www.robinince.net/ has “mixed content” and TLS users may experience some browsing “discomfort”.
See: https://www.whynopadlock.com/results/89fae9a3-f2a8-4740-89f3-ab6e4b782378
Also, there is no HTTP to HTTPS redirect - probably due to the "discomfort".


Thanks, I don't have any fail2ban or geoblocking, but your pointer made me check the iptables rules, and with iptables disabled it seems to work, so I think I have some firewall rules set up there that I need to look at. Thanks for your help.

For the benefit of others, I had rate limiting for SYN packets in iptables:
-p tcp --syn -m limit --limit 1/second --limit-burst 5 -j ACCEPT
This seemed to be causing the problem.

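The rule quoted above is a single token bucket for every new TCP connection the host receives: `--limit-burst 5` is the bucket size, `--limit 1/second` the refill rate, and any SYN that arrives with an empty bucket falls through to whatever follows (a DROP, in a setup like this). Let's Encrypt validates each name from more than one network vantage point, and certbot submits all five names together, so one renewal produces a short burst of well over five connection attempts; ordinary visitors share the same bucket, which is why the set of failing names differs from run to run. The simulation below is an added example, not code from this thread; it models the netfilter `limit` match as a fluid token bucket and replays a constructed burst of validation connections against the posted rule and two alternatives. The hostnames are the ones from the thread; the number of vantage points (4), the arrival timings and the validator addresses (documentation ranges) are assumptions chosen for illustration, not measurements of Let's Encrypt.

```python
"""Why a global SYN rate limit makes ACME http-01 validation fail 'at random'.

Added example, not from the thread. Models `-m limit --limit RATE
--limit-burst BURST` as a token bucket and compares three rule variants
on a constructed burst of validator connections.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Syn:
    t: float      # arrival time in seconds (constructed)
    src: str      # validator source address (constructed, documentation ranges)
    dport: int    # destination port
    name: str     # hostname whose http-01 token is being fetched


class TokenBucket:
    """Fluid approximation of the netfilter `limit` match."""

    def __init__(self, rate_per_s: float, burst: int):
        self.rate = rate_per_s
        self.burst = burst
        self.tokens = float(burst)   # the bucket starts full
        self.last = 0.0

    def allow(self, now: float) -> bool:
        # Refill at `rate` tokens per second, capped at the burst size.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def validation_burst(names, vantage_points, spacing=0.1, skew=0.02):
    """Constructed traffic: every vantage point fetches the token for every
    name, all within well under one second (timings are an assumption)."""
    syns = []
    for i, name in enumerate(names):
        for j, src in enumerate(vantage_points):
            syns.append(Syn(t=i * spacing + j * skew, src=src, dport=80, name=name))
    return sorted(syns, key=lambda s: s.t)


def posted_rule(syns, rate=1.0, burst=5):
    """-p tcp --syn -m limit --limit 1/second --limit-burst 5 -j ACCEPT, one
    bucket for the whole host. Returns the SYNs that would be dropped."""
    bucket = TokenBucket(rate, burst)
    return [s for s in syns if not bucket.allow(s.t)]


def per_source_rule(syns, rate=1.0, burst=5):
    """The same budget applied per source address, as `-m hashlimit
    --hashlimit-mode srcip` does: one busy peer cannot starve the others."""
    buckets = defaultdict(lambda: TokenBucket(rate, burst))
    return [s for s in syns if not buckets[s.src].allow(s.t)]


def exempt_web_ports_rule(syns, rate=1.0, burst=5, exempt=(80, 443)):
    """An unconditional ACCEPT for --dport 80/443 placed before the limit rule,
    so web traffic never touches the bucket."""
    bucket = TokenBucket(rate, burst)
    return [s for s in syns if s.dport not in exempt and not bucket.allow(s.t)]


def failed_names(dropped):
    """Hostnames that would show up as 'Challenge failed for domain ...'."""
    return sorted({s.name for s in dropped})


NAMES = ["robince.net", "www.robince.net", "robinince.net",
         "www.robinince.net", "www.anacarlamiranda.com"]
# Constructed, non-routable addresses standing in for the CA's validators.
VANTAGE = ["192.0.2.10", "198.51.100.20", "203.0.113.30", "192.0.2.40"]

if __name__ == "__main__":
    burst = validation_burst(NAMES, VANTAGE)
    for label, rule in [("posted rule", posted_rule),
                        ("hashlimit per source", per_source_rule),
                        ("accept 80/443 first", exempt_web_ports_rule)]:
        dropped = rule(burst)
        print(f"{label:22s} dropped {len(dropped):2d}/{len(burst)} SYNs;"
              f" failing names: {failed_names(dropped)}")
```

With the posted rule, the first five SYNs use up the burst and the rest are dropped until the bucket refills at one token per second; the client retransmits its SYN, but twenty connections at one per second take longer than a validator is willing to wait, which is the "Timeout" in the title. The per-source variant corresponds to `-m hashlimit --hashlimit-mode srcip --hashlimit-upto 1/second --hashlimit-burst 5 --hashlimit-name syn`; the other corresponds to an `-A INPUT -p tcp -m multiport --dports 80,443 --syn -j ACCEPT` placed above the limit rule. Either stops the CA from being throttled; for actual SYN-flood resistance, `net.ipv4.tcp_syncookies=1` in the kernel does more than a global `limit` rule ever will.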
