Unable to renew cert after years of renewing with no problem

Hello. I've been using certbot for a long time with no major issues. I usually just shut down my diaspora server & apache2, which is handling communications for it, run certbot renew --standalone, and it's good to go. All of the ports (80 & 443) are forwarded to the [virtual] machine that this is on within my network, and I don't have a clue why this isn't working. I only have 3 days left to renew, I really need some help here, or my site is going down; it requires the active certificate to communicate with other nodes. I would appreciate anything that you might be able to give me for assistance or pointers in the right direction; please let me know if you need more information to help with troubleshooting!

Standard informational template follows:

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: d-resources.hopto.org

I ran this command: certbot renew --standalone

It produced this output:
--begin paste--

root@diaspora:/home/sprite# certbot renew --standalone
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/d-resources.hopto.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator standalone, Installer None
Running pre-hook command: service nginx stop
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for d-resources.hopto.org
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (d-resources.hopto.org) from /etc/letsencrypt/renewal/d-resources.hopto.org.conf produced an unexpected error: Failed authorization procedure. d-resources.hopto.org (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://d-resources.hopto.org/.well-known/acme-challenge/SGBG_YSSZYcs1cnYAl45NorcwImLaAH_YUxnkN0anMI: Connection refused. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/d-resources.hopto.org/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/d-resources.hopto.org/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Running post-hook command: service nginx start
Hook command "service nginx start" returned error code 1
Error output from service:
Failed to start nginx.service: Unit nginx.service is masked.

1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: d-resources.hopto.org
   Type:   connection
   Detail: Fetching
   http://d-resources.hopto.org/.well-known/acme-challenge/SGBG_YSSZYcs1cnYAl45NorcwImLaAH_YUxnkN0anMI:
   Connection refused

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.
root@diaspora:/home/sprite#

--end paste--

My web server is (include version): apache2 -- version 2.4.25-3+deb9u9

The operating system my web server runs on is (include version): Debian GNU/Linux 9

My hosting provider, if applicable, is: n/a

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.28.0


So, after viewing the fact that my certbot was horrifically out of date, I decided to upgrade to the newest certbot using snap after removing the old one from my system. I'm now running certbot 1.10.1, and I'm still having the exact same errors, whether running without apache2 running via certbot renew --standalone or with apache running via certbot renew --apache. :frowning:


Hello @dgets,

Is your web server listening right now on port 80? I'm asking because I can only connect to your domain using port 443 so if your web server is listening on port 80 maybe the problem is the redirection configured on your router or a firewall rule.

Cheers,
sahsanu


It is now, yes. AFAIK it should be returning an apache2 default page at this point... It is possible that I was reconfiguring things while you were trying to hit it and had apache2 down for a bit. Could you try hitting it again now? I've stopped all configuration attempts right now...

TIA!


Strike that, the router forwarding was inactive for 80, my bad. Oopsie, why do I have the feeling that it'll work just fine now? *grin* God, I feel like an idiot.


Okay so now it got a lot further along in the process, however I did stumble into this error after it was working for a bit:

sprite@diaspora:~$ sudo certbot renew --standalone
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/d-resources.hopto.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
OCSP check failed for /etc/letsencrypt/archive/d-resources.hopto.org/cert7.pem (are we offline?)
Traceback (most recent call last):
  File "/snap/certbot/793/lib/python3.8/site-packages/urllib3/connection.py", line 159, in _new_conn
    conn = connection.create_connection(
  File "/snap/certbot/793/lib/python3.8/site-packages/urllib3/util/connection.py", line 61, in create_connection
    for res in socket.getaddrinfo(host, port, family, socket.SOCK_STREAM):
  File "/snap/certbot/793/usr/lib/python3.8/socket.py", line 918, in getaddrinfo
    for res in _socket.getaddrinfo(host, port, family, type, proto, flags):
socket.gaierror: [Errno -3] Temporary failure in name resolution

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/snap/certbot/793/lib/python3.8/site-packages/urllib3/connectionpool.py", line 670, in urlopen
    httplib_response = self._make_request(
  File "/snap/certbot/793/lib/python3.8/site-packages/urllib3/connectionpool.py", line 392, in _make_request
    conn.request(method, url, **httplib_request_kw)
  File "/snap/certbot/793/usr/lib/python3.8/http/client.py", line 1255, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "/snap/certbot/793/usr/lib/python3.8/http/client.py", line 1301, in _send_request
    self.endheaders(body, encode_chunked=encode_chunked)
  File "/snap/certbot/793/usr/lib/python3.8/http/client.py", line 1250, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "/snap/certbot/793/usr/lib/python3.8/http/client.py", line 1010, in _send_output
    self.send(msg)
  File "/snap/certbot/793/usr/lib/python3.8/http/client.py", line 950, in send
    self.connect()
  File "/snap/certbot/793/lib/python3.8/site-packages/urllib3/connection.py", line 187, in connect
    conn = self._new_conn()
  File "/snap/certbot/793/lib/python3.8/site-packages/urllib3/connection.py", line 171, in _new_conn
    raise NewConnectionError(
urllib3.exceptions.NewConnectionError: <urllib3.connection.HTTPConnection object at 0x7f5afab426a0>: Failed to establish a new connection: [Errno -3] Temporary failure in name resolution

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/snap/certbot/793/lib/python3.8/site-packages/requests/adapters.py", line 439, in send
    resp = conn.urlopen(
  File "/snap/certbot/793/lib/python3.8/site-packages/urllib3/connectionpool.py", line 724, in urlopen
    retries = retries.increment(
  File "/snap/certbot/793/lib/python3.8/site-packages/urllib3/util/retry.py", line 439, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPConnectionPool(host='ocsp.int-x3.letsencrypt.org', port=80): Max retries exceeded with url: / (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f5afab426a0>: Failed to establish a new connection: [Errno -3] Temporary failure in name resolution'))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/snap/certbot/793/lib/python3.8/site-packages/certbot/ocsp.py", line 186, in _check_ocsp_cryptography
    response = requests.post(url, data=request_binary,
  File "/snap/certbot/793/lib/python3.8/site-packages/requests/api.py", line 119, in post
    return request('post', url, data=data, json=json, **kwargs)
  File "/snap/certbot/793/lib/python3.8/site-packages/requests/api.py", line 61, in request
    return session.request(method=method, url=url, **kwargs)
  File "/snap/certbot/793/lib/python3.8/site-packages/requests/sessions.py", line 530, in request
    resp = self.send(prep, **send_kwargs)
  File "/snap/certbot/793/lib/python3.8/site-packages/requests/sessions.py", line 643, in send
    r = adapter.send(request, **kwargs)
  File "/snap/certbot/793/lib/python3.8/site-packages/requests/adapters.py", line 516, in send
    raise ConnectionError(e, request=request)
requests.exceptions.ConnectionError: HTTPConnectionPool(host='ocsp.int-x3.letsencrypt.org', port=80): Max retries exceeded with url: / (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f5afab426a0>: Failed to establish a new connection: [Errno -3] Temporary failure in name resolution'))
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator standalone, Installer None
Attempting to renew cert (d-resources.hopto.org) from /etc/letsencrypt/renewal/d-resources.hopto.org.conf produced an unexpected error: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7f5afab45b50>: Failed to establish a new connection: [Errno -3] Temporary failure in name resolution')). Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/d-resources.hopto.org/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/d-resources.hopto.org/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
sprite@diaspora:~$

Seems there is some problem in your host trying to resolve acme-v02.api.letsencrypt.org

Could you please show the output of this command?
curl -m10 -v https://acme-v02.api.letsencrypt.org/directory


Hi @dgets

now your internal DNS doesn't work.

So Certbot

can't check the OCSP-status of your certificate.


Here 'tis:
sprite@diaspora:~$ curl -m10 -v https://acme-v02.api.letsencrypt.org/directory
* Resolving timed out after 10533 milliseconds
* Curl_http_done: called premature == 1
* stopped the pause stream!
* Closing connection 0
curl: (28) Resolving timed out after 10533 milliseconds
sprite@diaspora:~$

Now this is strange... I have never had a problem resolving DNS before on this machine...


So your host is not able to resolve any domain right now, maybe a conf error, maybe a firewall rule... but you must resolve it before trying to renew your cert.

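A small triage helper, added here as an example (it is not part of this thread or of Certbot), that classifies the failure lines pasted above (the port-80 "Connection refused" on the http-01 fetch, the masked nginx hook, the OCSP failure and the name-resolution error) and maps each to the check that turned out to matter. The sample output is constructed from the pasted logs with the challenge token replaced by a placeholder.

```python
import re
from typing import List, Tuple

# Constructed excerpt stitched together from the certbot output in this thread
# (challenge token replaced by TOKEN); not a real log file.
SAMPLE_OUTPUT = """\
Running pre-hook command: service nginx stop
http-01 challenge for d-resources.hopto.org
Attempting to renew cert (d-resources.hopto.org) produced an unexpected error: Failed authorization procedure. d-resources.hopto.org (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://d-resources.hopto.org/.well-known/acme-challenge/TOKEN: Connection refused. Skipping.
Hook command "service nginx start" returned error code 1
Failed to start nginx.service: Unit nginx.service is masked.
OCSP check failed for /etc/letsencrypt/archive/d-resources.hopto.org/cert7.pem (are we offline?)
socket.gaierror: [Errno -3] Temporary failure in name resolution
"""

# (rule name, pattern, hint). Hints name the cause that resolved each symptom in the thread.
RULES = [
    ("http01_refused",
     re.compile(r"\(http-01\):.*Fetching http://(?P<host>[^/\s]+)/\.well-known/acme-challenge/\S+: Connection refused"),
     "Let's Encrypt reached the public IP of {host} but port 80 was closed: check the port-80 forward and firewall, not the web server"),
    ("dns_failure",
     re.compile(r"Temporary failure in name resolution"),
     "The host cannot resolve names at all: check /etc/resolv.conf and the resolver it points at before retrying"),
    ("ocsp_failed",
     re.compile(r"OCSP check failed for (?P<path>\S+)"),
     "OCSP lookup for {path} failed; a symptom of the DNS/network problem, not of the certificate"),
    ("hook_failed",
     re.compile(r'Hook command "(?P<cmd>[^"]+)" returned error code (?P<rc>\d+)'),
     "Renewal hook '{cmd}' failed (rc={rc}): compare the pre/post hooks in the renewal .conf with the web server actually installed"),
]


def triage(output: str) -> List[Tuple[str, str]]:
    """Return (rule name, hint) pairs, one per distinct failure found, in RULES order."""
    findings = []
    for name, pattern, hint in RULES:
        match = pattern.search(output)  # patterns are single-line, so search() is enough
        if match:
            findings.append((name, hint.format(**match.groupdict())))
    return findings


if __name__ == "__main__":
    for name, hint in triage(SAMPLE_OUTPUT):
        print(f"{name}: {hint}")
```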

The OCSP check is ~~ new.

Maybe you have hardcoded the Letsencrypt ip in your hosts file.

ping www.google.de
ping letsencrypt.org


I've not hardcoded it in the hosts file, I just double checked... I have no idea why this machine has stopped resolving hostnames (and now it appears, since I'm checking, that it's not able to resolve any of them)...

I'll try to figure out what's going on with DNS on this machine, it's working just fine from other machines on my LAN. :expressionless: Thanks for the help, guys, I really appreciate it.


Sooo... Instead of using my router's nameserver functionality I've switched my /etc/resolv.conf to use google's nameservers at 8.8.8.8 and 8.8.4.4. Looks like they're resolving that host just fine...

Trying to see if I can renew my cert now.

All renewals successful. Thank you guys!


It sounds like your router got an update that wiped out your settings.

