Trouble Renewing Certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
www.musicrepo.com

I ran this command:
ee site update musicrepo.com --letsencrypt=renew

It produced this output:
Renewing SSl cert for https://musicrepo.com

ERROR : Cannot RENEW SSL cert !

Your current cert already EXPIRED !

Check logs for reason tail /var/log/ee/ee.log & Try Again!!!

My web server is (include version): Ubuntu 16.04.6 LTS

The operating system my web server runs on is (include version): nginx/1.10.0

My hosting provider, if applicable, is: Linode

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.23.0

I set up a WordPress hosting environment using EasyEngine. And until recently I have renewed my Let's Encrypt certificates without problem. Unfortunately this time I have allowed them to expire. And although I am not aware of any DNS or server configuration changes, I am unable to renew.

I have tried to use certbot instead of the easyengine script but with no success.

Can anyone suggest how to proceed?

Request a new certificate rather than a renewal.

I am not sure how best to do that, say, using certbot. I have tried
ee site update musicrepo.com --letsencrypt=off
and then
ee site update musicrepo.com --letsencrypt
but it still does not work.

I don’t see anything in the EasyEngine docs about forcing a new certificate, but you can use certbot directly.

Although I have not changed anything from when it was working, I am worried about my server/dns config.

musicrepo.com has an AAAA (IPv6) record (2a01:7e00::f03c:91ff:fee0:333c) but a test request to this address over port 80 did not succeed. Your web server must have at least one working IPv4 or IPv6 address. You should either ensure that validation requests to this domain succeed over IPv6, or remove its AAAA record.

Hi @frw

you have a difficult error you should fix. There is an older check of your domain ( https://check-your-website.server-daten.de/?q=musicrepo.com ) (~5 hours old).

There are ipv4 and ipv6 addresses:

Host T IP-Address is auth. ∑ Queries ∑ Timeout
musicrepo.com A 176.58.111.170 yes 1 0
AAAA 2a01:7e00::f03c:91ff:fee0:333c yes
www.musicrepo.com A 176.58.111.170 yes 1 0
AAAA 2a01:7e00::f03c:91ff:fee0:333c yes

http / port 80 works with ipv4 and ipv6, there is a redirect http -> https:

Domainname Http-Status redirect Sec. G
http://musicrepo.com/
176.58.111.170 301 https://musicrepo.com/ 0.043 A
http://musicrepo.com/
2a01:7e00::f03c:91ff:fee0:333c 301 https://musicrepo.com/ 0.044 A
http://www.musicrepo.com/
176.58.111.170 301 https://musicrepo.com/ 0.043 E
http://www.musicrepo.com/
2a01:7e00::f03c:91ff:fee0:333c 301 https://musicrepo.com/ 0.043 E
https://musicrepo.com/
176.58.111.170 301 https://www.musicrepo.com/ 0.394 N
Certificate error: RemoteCertificateChainErrors
https://musicrepo.com/
2a01:7e00::f03c:91ff:fee0:333c -2 1.070 V
ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it [2a01:7e00::f03c:91ff:fee0:333c]:443
https://www.musicrepo.com/
176.58.111.170 200 0.377 N
Certificate error: RemoteCertificateChainErrors
https://www.musicrepo.com/
2a01:7e00::f03c:91ff:fee0:333c -2 1.063 V
ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it [2a01:7e00::f03c:91ff:fee0:333c]:443
Web Hosting, Reseller Hosting & Domain Names from Heart Internet
176.58.111.170 301 https://musicrepo.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 0.043 A
Visible Content: 301 Moved Permanently nginx
Web Hosting, Reseller Hosting & Domain Names from Heart Internet
2a01:7e00::f03c:91ff:fee0:333c 301 https://musicrepo.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 0.043 A
Visible Content: 301 Moved Permanently nginx
Web Hosting, Reseller Hosting & Domain Names from Heart Internet
176.58.111.170 301 https://musicrepo.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 0.043 E
Visible Content: 301 Moved Permanently nginx
Web Hosting, Reseller Hosting & Domain Names from Heart Internet
2a01:7e00::f03c:91ff:fee0:333c 301 https://musicrepo.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 0.046 E
Visible Content: 301 Moved Permanently nginx
https://musicrepo.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 404 3.410 N
Not Found

But your https + ipv6 doesn't work, there is a ConnectFailure error.

The redirect is ok, Let's Encrypt follows that redirect. But the next step is to connect your ipv6 via https - that doesn't work -> that's fatal.

That's critical because Let's Encrypt prefers ipv6.

So

  • remove your ipv6, try to create a certificate, fix your ipv6 (or)
  • fix your ipv6 directly.
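
The condition diagnosed in the reply above (each address published in DNS must accept connections on port 80 and, because of the http -> https redirect, on port 443) can be checked per address family. This is an added example, not part of the original thread; the function names and the stub resolver and connector are constructed for illustration, with the stub reproducing the refused IPv6 connection on port 443 reported in the check output.

```python
import socket
import sys

PORTS = (80, 443)  # HTTP-01 starts on 80; an http -> https redirect adds 443
FAMILIES = {socket.AF_INET: "IPv4", socket.AF_INET6: "IPv6"}

def resolve(host):
    """Return sorted unique (family, ip) pairs for the host's A and AAAA records."""
    infos = socket.getaddrinfo(host, None, type=socket.SOCK_STREAM)
    return sorted({(FAMILIES[fam], sa[0]) for fam, _, _, _, sa in infos if fam in FAMILIES})

def tcp_connect(ip, port, timeout=5.0):
    """Classify one TCP connection attempt as open, refused or unreachable."""
    family = socket.AF_INET6 if ":" in ip else socket.AF_INET
    try:
        with socket.socket(family, socket.SOCK_STREAM) as sock:
            sock.settimeout(timeout)
            sock.connect((ip, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"      # connection actively refused on that port
    except OSError:
        return "unreachable"  # timeout, no route, or no local IPv6 stack

def probe(host, resolver=resolve, connect=tcp_connect):
    """Return {(family, ip, port): status} for every published address."""
    return {(fam, ip, port): connect(ip, port)
            for fam, ip in resolver(host) for port in PORTS}

def gaps(results):
    """Address/port pairs published in DNS that do not accept connections."""
    return sorted(key for key, status in results.items() if status != "open")

# Constructed stand-ins reproducing the situation reported in the thread,
# so the logic can be exercised without network access.
def sample_resolver(host):
    return [("IPv4", "176.58.111.170"), ("IPv6", "2a01:7e00::f03c:91ff:fee0:333c")]

def sample_connect(ip, port):
    return "refused" if ":" in ip and port == 443 else "open"

if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = probe(sys.argv[1])  # live check of the named host
    else:
        results = probe("musicrepo.com", sample_resolver, sample_connect)
    for family, ip, port in gaps(results):
        print(f"{family} [{ip}]:{port} {results[(family, ip, port)]}")
```

Run with a hostname as the only argument for a live check; an empty result means every A and AAAA address accepted connections on both ports.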

Thanks.
After installing the plugin “python-certbot-nginx” and following instructions at

i.e. running the command
certbot certonly --pre-hook "service nginx stop" --standalone --cert-name yourdomain.tld -d yourdomain.tld -d www.yourdomain.tld --post-hook "service nginx start" --rsa-key-size 4096 -n --agree-tos -m me@yourdomain.tld

for musicrepo.com

I have managed to update the certificate.

However, the issue with ipv6 remains, which, as you suggest, I now need to fix.
I think the issue is my nginx configuration. So I will investigate

Thanks for help
