Unable to Re-Obtain Certificate after Expiration

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: thegeekden.net

I ran this command: I attempted to Re-Obtain the cert by using the Let's Encrypt controls in Freedombox.

It produced this output: Failed to obtain certificate for domain thegeekden.net: ('Error obtaining certificate: Saving debug log to /var/log/letsencrypt/letsencrypt.log\nSome challenges have failed.\nAsk for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.\n', b'', b'\x1b[31m ERROR\x1b[0m \x1b[94m__main__ \x1b[0m Error executing action: Error obtaining certificate: Saving debug log to /var/log/letsencrypt/letsencrypt.log\nSome challenges have failed.\nAsk for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.\nTraceback (most recent call last):\n File "/usr/share/plinth/actions/actions", line 93, in _call\n return_values = func(*arguments['args'], **arguments['kwargs'])\n ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n File "/usr/lib/python3/dist-packages/plinth/modules/letsencrypt/privileged.py", line 171, in obtain\n raise RuntimeError('Error obtaining certificate: {error}'.format(\nRuntimeError: Error obtaining certificate: Saving debug log to /var/log/letsencrypt/letsencrypt.log\nSome challenges have failed.\nAsk for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.\n\n')

My web server is (include version): apache2, ver. 2.4.57-2

The operating system my web server runs on is (include version): Debian (Freedombox)

My hosting provider, if applicable, is: Self Hosted, on Dynamic IP

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): FreedomBox version 24.4

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.1.0

Hello @mtinman, welcome to the Let's Encrypt community. :slightly_smiling_face:

I am assuming you are using the HTTP-01 challenge of the Challenge Types - Let's Encrypt.
And using the online tool Let's Debug yields these results https://letsdebug.net/thegeekden.net/1811369

ANotWorking
ERROR
thegeekden.net has an A (IPv4) record (69.131.231.196) but a request to this address over port 80 did not succeed. Your web server must have at least one working IPv4 or IPv6 address.
A timeout was experienced while communicating with thegeekden.net/69.131.231.196: Get "http://thegeekden.net/.well-known/acme-challenge/letsdebug-test": dial tcp 69.131.231.196:80: i/o timeout

Trace:
@0ms: Making a request to http://thegeekden.net/.well-known/acme-challenge/letsdebug-test (using initial IP 69.131.231.196)
@0ms: Dialing 69.131.231.196
@10001ms: Experienced error: dial tcp 69.131.231.196:80: i/o timeout
IssueFromLetsEncrypt
ERROR
A test authorization for thegeekden.net to the Let's Encrypt staging service has revealed issues that may prevent any certificate for this domain being issued.
69.131.231.196: Fetching http://thegeekden.net/.well-known/acme-challenge/gesRdiSUlJD2MTUedasx_3bbn5IQ4kK6QTexzgblxhw: Timeout during connect (likely firewall problem)

note the last line "Timeout during connect (likely firewall problem)"

And using nmap I see

$ nmap -Pn -p80,443 thegeekden.net
Starting Nmap 7.80 ( https://nmap.org ) at 2024-02-22 01:38 UTC
Nmap scan report for thegeekden.net (69.131.231.196)
Host is up.
rDNS record for 69.131.231.196: h69-131-231-196.slkmwa.broadband.dynamic.tds.net

PORT    STATE    SERVICE
80/tcp  filtered http
443/tcp filtered https

Nmap done: 1 IP address (1 host up) scanned in 3.32 seconds

Given this, may I ask how Certbot was installed?

@mtinman,

Here are a couple of links that may be of help:

  1. https://wiki.debian.org/FreedomBox/Manual/LetsEncrypt
  2. Error Message After Running Let's Encrypt - #2 by jvalleroy - Support - FreedomBox Forum

@Bruce5051,

Thanks for the fast reply. In my case Certbot was installed with the FreedomBox software suite; I'm not sure of the backend mechanism it uses for doing so, it looks like Python scripting to me, from what I see in the logs. I will check out those links you provided, but I can tell you that the dynamic IP address you received in nmap was not what my modem is currently reporting. It does not appear to have been updated by my dynamic DNS tool, and that may be the issue here. I'll check it and get back to you shortly.


That would definitely be an issue.


Definitely a problem. Can you try the nmap -Pn -p80,443 thegeekden.net one more time for me, so I can see the output? When I run it, I get the LAN IP for the FreedomBox. The dynamic DNS updater just completed and shows the new external (WAN) address from the control panel, but it may take time to propagate...

$ nmap -Pn -p80,443 thegeekden.net
Starting Nmap 7.80 ( https://nmap.org ) at 2024-02-22 02:16 UTC
Nmap scan report for thegeekden.net (69.131.231.196)
Host is up.
rDNS record for 69.131.231.196: h69-131-231-196.slkmwa.broadband.dynamic.tds.net

PORT    STATE    SERVICE
80/tcp  filtered http
443/tcp filtered https

Nmap done: 1 IP address (1 host up) scanned in 3.15 seconds

And using the online tool https://unboundtest.com/

https://unboundtest.com/m/A/thegeekden.net/2YROSIE4
shows

Query results for A thegeekden.net

Response:
;; opcode: QUERY, status: NOERROR, id: 37449
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version 0; flags: do; udp: 512

;; QUESTION SECTION:
;thegeekden.net.	IN	 A

;; ANSWER SECTION:
thegeekden.net.	0	IN	A	69.131.231.196
thegeekden.net.	0	IN	RRSIG	A 13 2 180 20240229000000 20240208000000 40563 thegeekden.net. xaErDYw4KbFXw0VRkB0BLES+75heDvDZx87EZMQWQXaTdIVrk3F5PwNonK9heDgXzrTHUfq8tKvhUOOADBZi5g==

----- Unbound logs -----

@Bruce5051,
Thanks very much for the help, I genuinely appreciate it. I'm going to check into my domain registrar settings and see where that leads. Just checked there; everything looks good, so far as I can tell. I will wait for this dynamic DNS to propagate for a while, maybe that will help.

Also, I have a question: do you know of a way that I can run nmap from within my home LAN as if I am somewhere outside my home LAN, so that I can see what you see? I hope that makes sense. I would like to be able to see something other than the internal IP when I run nmap from within my LAN; maybe going through a proxy might work?


It is not possible to see your "house" from the outside world - while still inside your "house".
For that, you would have to:

  • use a VPN service
  • use an online "public tool" designed for this purpose
  • go outside your "house" [any public WiFi area will work]

@rg305,
Thanks for reply, and I will do that.


Here are some online tools that can perform functions similar to some of nmap's.


UPDATE:

Fixed issue with dynamic IP update tool to resolve the issue. For some reason, the dynamic IP updater added the last known external dynamic IP (after a random power outage, maybe?) to the login information link for my dynamic DNS provider, which essentially kept reporting the same (incorrect) external IP address to the Internet's DNS resolvers every time it reported. I did not see this because the login link data string is so long it overlaps the viewable data window field in the settings for the dynamic IP updater.

Note to self, and others: Make sure to look at the WHOLE login information link for your dynamic IP updater client when checking the settings, it can override what the client reports to your dynamic DNS provider! My client appeared to be reporting the correct external IP address for my domain, but was not, because the login link had an ip=xxx.xxx.xxx.xxx section, which FORCED the external IP reported by the client to be overridden.

Many thanks to all of you that helped me with this, and provided me with some great links for tools that helped! Kudos to y'all!
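The thread walked through three separate checks before the root cause surfaced: Let's Debug probing port 80 on the published A record, nmap showing the port filtered, and finally the dynamic DNS update URL carrying a hard-coded ip= parameter that kept re-publishing a stale address. The script below is an added example (not code from FreedomBox, Certbot or Let's Debug) that turns those checks into a pre-renewal sanity test a self-hoster can run before asking Certbot to renew. The domain, addresses and update URL in it are constructed placeholders; the resolver, WAN-address and HTTP-probe functions are injectable so the logic can be exercised offline.

```python
"""Pre-renewal checks for HTTP-01 renewals behind dynamic DNS.

Added example, not FreedomBox, Certbot or Let's Debug code. It checks:
  1. whether the DDNS update URL carries a literal ip=... that overrides
     the client's detected WAN address (the root cause in the thread),
  2. whether the public A record matches the address the router has now,
  3. whether port 80 on each published address answers the ACME path.
"""
import socket
import urllib.error
import urllib.request
from urllib.parse import parse_qs, urlsplit

ACME_PATH = "/.well-known/acme-challenge/"


def forced_ip_in_update_url(update_url):
    """Return the ip=/myip= value embedded in a DDNS update URL, or None.

    A literal address in the query string makes the provider record that
    address instead of the one the client detected.
    """
    query = parse_qs(urlsplit(update_url).query)
    values = query.get("ip") or query.get("myip")
    return values[0] if values else None


def resolve_a(domain):
    """Default resolver: every IPv4 address currently published for domain."""
    infos = socket.getaddrinfo(domain, 80, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def probe_http01(ip, domain, timeout=10.0):
    """Default probe: GET the challenge path on ip with the domain as Host.

    Any HTTP status (even 404) proves port 80 is reachable; only a
    connection-level failure predicts a failed challenge.
    """
    req = urllib.request.Request(
        f"http://{ip}{ACME_PATH}renewal-precheck", headers={"Host": domain}
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code
    except urllib.error.URLError as err:
        if isinstance(err.reason, (socket.timeout, TimeoutError)):
            return "timeout"
        return f"error: {err.reason}"
    except (socket.timeout, TimeoutError):
        return "timeout"


def diagnose(domain, wan_ip, update_url=None, resolve=resolve_a, probe=probe_http01):
    """Run all checks; return ("ok" | "fail", [(code, message), ...])."""
    findings = []
    if update_url:
        forced = forced_ip_in_update_url(update_url)
        if forced and forced != wan_ip:
            findings.append(("forced-ip",
                             f"update URL forces ip={forced}, router reports {wan_ip}"))
    published = resolve(domain)
    if wan_ip not in published:
        findings.append(("stale-a-record",
                         f"A record {published} does not contain current WAN {wan_ip}"))
    for ip in published:
        result = probe(ip, domain)
        if result == "timeout":
            findings.append(("port80-timeout",
                             f"{ip}: timeout during connect (likely firewall or stale address)"))
        elif isinstance(result, str):
            findings.append(("port80-error", f"{ip}: {result}"))
    return ("ok" if not findings else "fail"), findings


if __name__ == "__main__":
    # Constructed values that reproduce the thread's situation offline:
    # the published record and the forced ip= still point at an old address.
    UPDATE_URL = "https://ddns.example.invalid/nic/update?hostname=example.test&ip=203.0.113.10"
    verdict, found = diagnose(
        "example.test", "198.51.100.7", UPDATE_URL,
        resolve=lambda d: ["203.0.113.10"], probe=lambda ip, d: "timeout",
    )
    print(verdict)
    for code, msg in found:
        print(f"  [{code}] {msg}")
```

Run it as-is to see the offline reproduction; for a real host, call diagnose(domain, wan_ip, update_url) with the defaults and the WAN address taken from the router, and fix every finding before retrying the renewal.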
