Unable to renew cert

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: portal.ieol.com.my

I ran this command: ./letsencrypt-auto renew

It produced this output:
WARNING: unable to check for updates.
/opt/eff.org/certbot/venv/lib/python2.7/site-packages/cryptography/hazmat/primitives/constant_time.py:26: CryptographyDeprecationWarning: Support for your Python versio. Please upgrade to a release (2.7.7+) that supports hmac.compare_digest as soon as possible.
utils.PersistentlyDeprecated2018,
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/portal.ieol.com.my.conf


Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator apache, Installer apache
Attempting to renew cert (portal.ieol.com.my) from /etc/letsencrypt/renewal/portal.ieol.com.my.conf produced an unexpected error: HTTPSConnectionPool(host=‘acme-v02.apiry (Caused by NewConnectionError(’<urllib3.connection.VerifiedHTTPSConnection object at 0x2f26050>: Failed to establish a new connection: [Errno -2] Name or service not
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/portal.ieol.com.my/fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/portal.ieol.com.my/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

My web server is (include version):

The operating system my web server runs on is (include version): centos61

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

Hi,

Can you try to manually check if the API endpoint is accessible from your machine?
Try dig acme-v02.api.letsencrypt.org and curl https://acme-v02.api.letsencrypt.org/directory

Also, your Python version is being deprecated. Could you please consider upgrading to a newer version (like Python 3)?

Thank you

Thanks Stevenzhu... below is the output... we have been renewing the cert every 3 months without a problem for a few years.

[root@centos61 ~]# dig acme-v02.api.letsencrypt.org

; <<>> DiG 9.7.3-RedHat-9.7.3-2.el6 <<>> acme-v02.api.letsencrypt.org
;; global options: +cmd
;; connection timed out; no servers could be reached
[root@centos61 ~]# curl https://acme-v02.api.letsencrypt.org/directory
curl: (6) Couldn't resolve host 'acme-v02.api.letsencrypt.org'
[root@centos61 ~]#

Hi,

The output you provided means you’ve got a network issue, since dig can’t even reach DNS servers.
Please contact your IT department and try to resolve this.

P.S. The error message certbot-auto provided means there’s some issue with your internet, so they can’t reach the api endpoint.

Thank you

Hi Stevenzhu ,

I have checked with our network. We can ping 8.8.8.8 and google.com. Looks like there is no issue with the network.

Thanks
-Mizan-

Hi,

In this case, can you try to run dig Google.com and the command I had requested before?

Thanks

Hi Stevenzhu,

No luck

; <<>> DiG 9.7.3-RedHat-9.7.3-2.el6 <<>> www.google.com
;; global options: +cmd
;; connection timed out; no servers could be reached
[root@centos61 certbot]# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=56 time=21.5 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=56 time=21.6 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=56 time=21.7 ms
^C
--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2307ms
rtt min/avg/max/mdev = 21.531/21.632/21.767/0.196 ms

Does curl google.com also fail?
Have you checked your resolv.conf file? I messed up my server once by setting an incorrect entry…

You can try this, but please do make backup and know what you are doing before executing any commands: https://serverfault.com/questions/335359/how-is-it-possible-that-i-can-do-a-host-lookup-but-not-a-curl

Thanks Stevenzhu,

It works after I changed nameserver to 8.8.8.8 in resolv.conf.

Thanks again
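
The check this thread arrives at, as an added example that is not part of the original posts: a ping reply from 8.8.8.8 shows only ICMP reachability, so this script sends a real query to each nameserver listed in resolv.conf and reports which ones answer. It assumes dig is installed; the function names and the DIG and RESOLV_CONF variables are hypothetical names introduced here.

```shell
#!/usr/bin/env bash
# Added example: test every resolver in resolv.conf with a real DNS query.
# Assumptions: dig is installed; DIG, RESOLV_CONF and the function names
# below are hypothetical names introduced for this example.
DIG=${DIG:-dig}
RESOLV_CONF=${RESOLV_CONF:-/etc/resolv.conf}

# Print the nameserver addresses from a resolv.conf-style file, one per line.
# Commented-out entries and other directives (search, options) are skipped.
nameservers_from() {
    awk '$1 == "nameserver" && $2 != "" { print $2 }' "$1"
}

# Return 0 if resolver $1 answers an A query for name $2 within 2 seconds.
# With +short, empty output or a ";;" diagnostic means no usable answer.
resolver_answers() {
    local out
    out=$("$DIG" "@$1" "$2" A +short +time=2 +tries=1 2>/dev/null) || return 1
    case "$out" in ""|";;"*) return 1 ;; esac
    return 0
}

# Print OK/FAIL per configured resolver; return 1 unless at least one answers.
check_resolvers() {
    local conf="$1" name="$2" ns working=0
    for ns in $(nameservers_from "$conf"); do
        if resolver_answers "$ns" "$name"; then
            echo "OK   $ns resolves $name"
            working=1
        else
            echo "FAIL $ns gave no answer for $name"
        fi
    done
    if [ "$working" -ne 1 ]; then
        echo "no resolver configured in $conf answered" >&2
        return 1
    fi
}

# Runs only when a hostname is given, e.g.:
#   bash check_dns.sh acme-v02.api.letsencrypt.org
if [ $# -gt 0 ]; then
    check_resolvers "$RESOLV_CONF" "$1"
fi
```

A FAIL line for every configured nameserver while ping still succeeds matches the situation in this thread: the host has connectivity, but the resolver entries in resolv.conf are not answering.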
