TLS-SNI-01 To HTTP-01

Hi,

I would need some help to renew a cert using HTTP-01.

Here is the message I received when running: sudo certbot renew --dry-run

My web server: Apache 2.4.18 on Ubuntu 16.04.3

I can login to a root shell on my machine and I use Webmin 1.900

certbot --version = 0.28

Thanks

Hi @LucD

you have an ipv6 Teredo tunneling address as your ip address ( https://check-your-website.server-daten.de/?q=intuineo002.pro ):

Host                 T     IP-Address                 is auth.  ∑ Queries  ∑ Timeout
intuineo002.pro      A     92.222.84.144              yes       1          0
                     AAAA  2001:41d0:401:3100::702d   yes
www.intuineo002.pro  A     92.222.84.144              yes       1          0
                     AAAA  2001:41d0:401:3100::702d   yes

--

Y intuineo002.pro
2001:41d0:401:3100::702d
warning: Private ip address found: 2001:0000:0000:0000:0000:0000:0000:0000 to 2001:ffff:ffff:ffff:ffff:ffff:ffff:ffff: Teredo tunneling
Y www.intuineo002.pro
2001:41d0:401:3100::702d
warning: Private ip address found: 2001:0000:0000:0000:0000:0000:0000:0000 to 2001:ffff:ffff:ffff:ffff:ffff:ffff:ffff: Teredo tunneling

Perhaps remove this ipv6, then try it again. Or check your vHosts, then find your DocumentRoot. Then use

certbot run -a webroot -i apache -w YourDocumentRoot -d intuineo002.pro -d www.intuineo002.pro

You have both dns entries - www and non-www. And http + www answers. But your certificate has only one domain name. So you should create one certificate with both domain names.

Thank you Juergen for your answer and all the provided information.

I didn't know about all this...

I need IPV6 on this server so I have no option to remove it.

I'm going to try your certbot command and will be back soon...

Unfortunately, I received the following error (from letsencrypt.log):

2019-01-29 12:09:43,135:ERROR:certbot.log:An unexpected error occurred:
2019-01-29 12:13:25,830:DEBUG:certbot.main:certbot version: 0.28.0
2019-01-29 12:13:25,831:DEBUG:certbot.main:Arguments: ['-a', 'webroot', '-i', 'apache', '-w', '/var/www/html', '-d', 'intuineo002.pro', '-d', 'www.intuineo002.pro']
2019-01-29 12:13:25,831:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2019-01-29 12:13:25,847:DEBUG:certbot.log:Root logging level set at 20
2019-01-29 12:13:25,848:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2019-01-29 12:13:25,854:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer apache
2019-01-29 12:13:25,939:DEBUG:certbot_apache.configurator:Apache version is 2.4.18
2019-01-29 12:13:26,313:DEBUG:certbot.plugins.selection:Single candidate plugin: * apache
Description: Apache Web Server plugin - Beta
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache.entrypoint:ENTRYPOINT
Initialized: <certbot_apache.override_debian.DebianConfigurator object at 0x7fc8f85597f0>
Prep: True
2019-01-29 12:13:26,315:DEBUG:certbot.plugins.selection:Single candidate plugin: * webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot.plugins.webroot:Authenticator
Initialized: <certbot.plugins.webroot.Authenticator object at 0x7fc8f8559198>
Prep: True
2019-01-29 12:13:26,316:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.webroot.Authenticator object at 0x7fc8f8559198> and installer <certbot_apache.override_debian.DebianConfigurator object at 0x7fc8f85597f0>
2019-01-29 12:13:26,316:INFO:certbot.plugins.selection:Plugins selected: Authenticator webroot, Installer apache
2019-01-29 12:13:26,320:DEBUG:certbot.main:Picked account: <Account(RegistrationResource(uri='https://acme-v01.api.letsencrypt.org/acme/reg/22362322', terms_of_service='https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf', body=Registration(only_return_existing=None, contact=('mailto:tech@intuineo.fr',), agreement='https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf', key=JWKRSA(key=<ComparableRSAKey(<cryptography.hazmat.backends.openssl.rsa._RSAPublicKey object at 0x7fc8f849fa20>)>), status=None, terms_of_service_agreed=None), new_authzr_uri='https://acme-v01.api.letsencrypt.org/acme/new-authz'), 29b050103c0efb16c2d50bc9b607ff4c, Meta(creation_dt=datetime.datetime(2017, 10, 7, 20, 51, 55, tzinfo=), creation_host='vps463490'))>
2019-01-29 12:13:26,322:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2019-01-29 12:13:26,325:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
2019-01-29 12:13:26,549:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 658
2019-01-29 12:13:26,550:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 658
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Tue, 29 Jan 2019 11:13:26 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 29 Jan 2019 11:13:26 GMT
Connection: keep-alive

{
"keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
"meta": {
"caaIdentities": [
"letsencrypt.org"
],
"termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
"website": "https://letsencrypt.org"
},
"newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
"newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
"newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
"revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert",
"skehR9wD_cU": "Adding random entries to the directory"
}
2019-01-29 12:13:26,554:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
File "/usr/bin/certbot", line 11, in
load_entry_point('certbot==0.28.0', 'console_scripts', 'certbot')()
File "/usr/lib/python3/dist-packages/certbot/main.py", line 1340, in main
return config.func(config, plugins)
File "/usr/lib/python3/dist-packages/certbot/main.py", line 1089, in run
should_get_cert, lineage = _find_cert(config, domains, certname)
File "/usr/lib/python3/dist-packages/certbot/main.py", line 286, in _find_cert
action, lineage = _find_lineage_for_domains_and_certname(config, domains, certname)
File "/usr/lib/python3/dist-packages/certbot/main.py", line 313, in _find_lineage_for_domains_and_certname
return _find_lineage_for_domains(config, domains)
File "/usr/lib/python3/dist-packages/certbot/main.py", line 266, in _find_lineage_for_domains
return _handle_subset_cert_request(config, domains, subset_names_cert)
File "/usr/lib/python3/dist-packages/certbot/main.py", line 163, in _handle_subset_cert_request
force_interactive=True):
File "/usr/lib/python3/dist-packages/certbot/display/util.py", line 218, in yesno
no=_parens_around_char(no_label)))
File "/usr/lib/python3/dist-packages/certbot/display/util.py", line 85, in input_with_timeout
raise EOFError
EOFError
2019-01-29 12:13:26,556:ERROR:certbot.log:An unexpected error occurred:

force_interactive = True - your Certbot wants an input.

But there is no input, so it's a timeout.

:grinning:

Yes but the script is so fast I don’t have any chance to press a key…

More seriously, I'm running the script via the webmin console and this is (maybe) related (the script is not waiting for input and exits right away).

I will try to run it with plain ssl/putty and let you know

Running the script with putty solved the problem.

I just need to check the next letsencrypt renewal deadline now!

Thanks Juergen for your help

Cheers


You don't have to remove IPv6 from the server; only remove it from the global DNS zone.
If that is not possible, then I don't think you will be able to use HTTP validation.
Maybe DNS validation can work for your case.

He has already created a new certificate.

CN=intuineo002.pro
	29.01.2019
	29.04.2019
	intuineo002.pro, www.intuineo002.pro - 2 entries

So Letsencrypt accepts these Teredo tunneling addresses.


Accepts it? Like it actually uses it?
Or it just ignores it (and falls back to any other available address - like the IPv4 address in this case)?

The ipv6 Teredo is there:

Host                 T     IP-Address                 is auth.  ∑ Queries  ∑ Timeout
intuineo002.pro      A     92.222.84.144              yes       1          0
                     AAAA  2001:41d0:401:3100::702d   yes
www.intuineo002.pro  A     92.222.84.144              yes       1          0
                     AAAA  2001:41d0:401:3100::702d   yes

And the Topic uses this address.

Now the file was ok -> new certificate.

OK, the confusion is that this is actually a normal IPv6 address (assigned to OVH France).
See: Webupdates — RIPE Network Coordination Centre

So this is an incorrect assumption:

It isn't a normal IPv6 address, it's a Teredo tunneling address. As far as I know, it should be used as a client address (sample: mobile clients), which may change. Not as a static server address.

How do you know this?

From: https://en.wikipedia.org/wiki/Teredo_tunneling#IPv6_addressing
Bits 0 to 31 hold the Teredo prefix (2001::/32).

That doesn’t cover: 2001:40d0::
Only 2001:0000::


Yep, thanks, it's my error.

There

2001::/32 2001:: 2001::ffff:ffff:ffff:ffff:ffff:ffff

is a ::, not

2001::/32 2001:: 2001:ffff:ffff:ffff:ffff:ffff:ffff:ffff

So all with 2001:0000: as start is a Teredo address. Must fix it.

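The prefix-boundary mistake discussed above, worked through in code (an added example, not part of the thread or of the checker tool): the checker's warning treated everything from 2001:0000:: to 2001:ffff:... as Teredo, which is 2001::/16, while the real Teredo prefix is 2001::/32. The thread's own address 2001:41d0:401:3100::702d is taken from the posts; the Teredo address used for the decoder is the worked example from the Wikipedia article cited in the thread.

```python
import ipaddress

# Correct Teredo prefix (RFC 4380, and the Wikipedia section cited in the thread).
TEREDO_PREFIX = ipaddress.IPv6Network("2001::/32")
# The range the checker actually warned about: 2001:0000:: .. 2001:ffff:ffff:... is 2001::/16.
MISTAKEN_RANGE = ipaddress.IPv6Network("2001::/16")


def is_teredo(addr: str) -> bool:
    """True only for addresses whose first 32 bits are 2001:0000."""
    return ipaddress.IPv6Address(addr) in TEREDO_PREFIX


def is_in_mistaken_range(addr: str) -> bool:
    """True for the over-broad /16 match the checker used (includes ordinary 2001:xxxx:: space)."""
    return ipaddress.IPv6Address(addr) in MISTAKEN_RANGE


def decode_teredo(addr: str):
    """Decode the fields embedded in a genuine Teredo address.

    Layout: prefix(32) | server IPv4(32) | flags(16) | ~client port(16) | ~client IPv4(32).
    Port and client IPv4 are stored bit-inverted (obfuscated). Returns None for non-Teredo input.
    """
    a = ipaddress.IPv6Address(addr)
    if a not in TEREDO_PREFIX:
        return None
    raw = a.packed                                   # 16 raw bytes
    server = ipaddress.IPv4Address(raw[4:8])
    flags = int.from_bytes(raw[8:10], "big")
    port = int.from_bytes(raw[10:12], "big") ^ 0xFFFF
    client = ipaddress.IPv4Address(bytes(b ^ 0xFF for b in raw[12:16]))
    return str(server), flags, port, str(client)


def classify(addr: str) -> dict:
    """Side-by-side verdict: what the checker claimed vs. what the /32 prefix says."""
    return {
        "address": addr,
        "flagged_by_mistaken_range": is_in_mistaken_range(addr),
        "actually_teredo": is_teredo(addr),
        "decoded": decode_teredo(addr),
    }


if __name__ == "__main__":
    for sample in ("2001:41d0:401:3100::702d",                 # the thread's OVH address
                   "2001:0000:4136:e378:8000:63bf:3fff:fdd2"):  # Wikipedia's Teredo example
        print(classify(sample))
```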
