Unable to renew certificate (was working previously)

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: terelearning.com

I ran this command: sudo certbot renew --dry-run

It produced this output: Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/terelearning.com.conf


Simulating renewal of an existing certificate for terelearning.com

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: terelearning.com
Type: unauthorized
Detail: 2606:4700:3032::ac43:c50c: Invalid response from http://terelearning.com/.well-known/acme-challenge/J3KgrbhYDCJMv0FoSotmSOtyOWdxcwbBw83cQP2G4LM: 522

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Failed to renew certificate terelearning.com with error: Some challenges have failed.


All simulated renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/terelearning.com/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): Apache/2.4.41 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 20.04.6 LTS

My hosting provider, if applicable, is: Physical Server

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.8.0

Hi @tsd24, and welcome to the LE community forum :slight_smile:

Your site is using CloudFlare ("CF") CDN.
Thus, the Internet can only connect to CF.
The 522 error shown indicates that CF can't connect to your server.

There is not much we can do here about either of those things.


Hi, I'm not sure I follow. Currently my website is up and running. I got an email indicating that my SSL certificate will expire and that's when I started trying to renew from the server and got an error.
Cloudflare handles my DNS records and SSL is set to strict. Is it that Cloudflare is the issue here?

According to SSL Labs, the CF cert expires in two months:
SSL Server Test: terelearning.com (Powered by Qualys SSL Labs)

What does the email notice say exactly?


Only HTTPS is working. HTTP is not. It is possible to get certs "behind" your proxied domain using the --apache plugin. But, something in your config is not right to support that.

The 522 is a timeout between the Cloudflare CDN and your origin

# HTTPS is good
curl -I -m8 https://terelearning.com
HTTP/2 200
server: cloudflare

# HTTP times out
curl -I -m8 http://terelearning.com
curl: (28) Operation timed out after 8002 milliseconds with 0 bytes received

# If timeout not restricted to 8s it eventually gets 522 from Cloudflare
curl -I http://terelearning.com
HTTP/1.1 522
Server: cloudflare

I used that same website and I saw it indicated 2 months. This is the email I got.

Your certificate (or certificates) for the names listed below will expire in 19 days (on 2024-02-15). Please make sure to renew your certificate before then, or visitors to your web site will encounter errors.

We recommend renewing certificates automatically when they have a third of their total lifetime left. For Let's Encrypt's current 90-day certificates, that means renewing 30 days before expiration. See Integration Guide - Let's Encrypt for details.

terelearning.com


Thanks for the analysis


What shows?:

  • certbot certificates
  • sudo apachectl -t -D DUMP_VHOSTS

These are the outputs I'm getting

sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: terelearning.com
Serial Number: 3d11d1a2a496feaccaaebc0b975e037af06
Key Type: RSA
Domains: terelearning.com
Expiry Date: 2024-02-15 01:10:41+00:00 (VALID: 19 days)
Certificate Path: /etc/letsencrypt/live/terelearning.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/terelearning.com/privkey.pem


sudo apachectl -t -D DUMP_VHOSTS
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:443 terelearning.com (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
*:80 127.0.1.1 (/etc/apache2/sites-enabled/000-default.conf:1)

That might be problematic - might not.

I'd say your best chance at renewal [in this particular scenario], is to use --webroot.
To find the webroot, let's have a look at the file:

<IfModule mod_ssl.c>
<VirtualHost *:443>
	# The ServerName directive sets the request scheme, hostname and port that
	# the server uses to identify itself. This is used when creating
	# redirection URLs. In the context of virtual hosts, the ServerName
	# specifies what hostname must appear in the request's Host: header to
	# match this virtual host. For the default virtual host (this file) this
	# value is not decisive as it is used as a last resort host regardless.
	# However, you must set it for any further virtual host explicitly.
	#ServerName www.example.com

	ServerAdmin webmaster@localhost
	DocumentRoot /var/www/html/moodle

	# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
	# error, crit, alert, emerg.
	# It is also possible to configure the loglevel for particular
	# modules, e.g.
	#LogLevel info ssl:warn

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

	# For most configuration files from conf-available/, which are
	# enabled or disabled at a global level, it is possible to
	# include a line for only one particular virtual host. For example the
	# following line enables the CGI configuration for this host only
	# after it has been globally disabled with "a2disconf".
	#Include conf-available/serve-cgi-bin.conf
	ServerName terelearning.com
	Include /etc/letsencrypt/options-ssl-apache.conf
	SSLCertificateFile /etc/letsencrypt/live/terelearning.com/fullchain.pem
	SSLCertificateKeyFile /etc/letsencrypt/live/terelearning.com/privkey.pem
</VirtualHost>
</IfModule>

Okay.
Let's run a test on that, with:

certbot renew --webroot -w /var/www/html/moodle --cert-name terelearning.com --dry-run

They need to change Cloudflare to redirect all HTTP to HTTPS at their CDN Edge first.

Right now the webroot challenge would still fail with timeout/522


I'm not a CF expert - I missed that (cuz I didn't even look there) :frowning:
I kinda thought that was always in effect [automatically].


The root does redirect to HTTPS:

curl -Ii http://terelearning.com/
HTTP/1.1 301 Moved Permanently
Date: Fri, 26 Jan 2024 23:57:56 GMT
Connection: keep-alive
Cache-Control: max-age=3600
Expires: Sat, 27 Jan 2024 00:57:56 GMT
Location: https://terelearning.com/
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=hmqHLW%2FusylO961pXRPKOvqACnnFvE5MRllp1pqfL05SpVJ8XKKxaZHa4vGiLG1kW4Loy9qnUp6w2Dp8I0jzRlJfx1ltllfk3DaT8RrB22uXntct01bgFAI5ySU3OjqjI8844KLSYkwORZ8Y6jd9"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 84bcb378fffa288e-MIA
alt-svc: h3=":443"; ma=86400

But for whatever reason(s) the ACME challenge path does NOT redirect:
[Lord only knows where that (tries/fails to) go!]

curl -Ii http://terelearning.com/.well-known/acme-challenge/Test_File-1234
HTTP/1.1 522     <<<<<<<<<<<<<<<<<<<<<<<<< ?????
Date: Fri, 26 Jan 2024 23:58:29 GMT
Content-Type: text/plain; charset=UTF-8
Content-Length: 15
Connection: keep-alive
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=7vt4w0g5YSVPnyLTubIoFztU1yP60OSl%2FtIGCCN4o1l%2BhhbSODrr05z0sYFtmgcQvqiazqZInl%2BK2pbsIqBHEXz%2FPQCrLyc06WXQ%2F7SZsA3RVLMMZukmEyVAP8IA6O4B2eCaTGAxTS2zWbBlInAZ"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
X-Frame-Options: SAMEORIGIN
Referrer-Policy: same-origin
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Server: cloudflare
CF-RAY: 84bcb387a9758dd2-MIA
alt-svc: h3=":443"; ma=86400

The Cloudflare redirect is set to redirect all HTTP to HTTPS. Here is the output from the last test.

sudo certbot renew --webroot -w /var/www/html/moodle --cert-name terelearning.com --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/terelearning.com.conf


Simulating renewal of an existing certificate for terelearning.com

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: terelearning.com
Type: unauthorized
Detail: 2606:4700:3033::6815:1550: Invalid response from http://terelearning.com/.well-known/acme-challenge/9grzpmFXIX8AdP5vc556YxOz9hmdrIl15gjdSpCYns8: 522

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Failed to renew certificate terelearning.com with error: Some challenges have failed.


All simulated renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/terelearning.com/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

Ah, yes, it is now but was not earlier (see my post #5). I don't have any guess as to why the acme-challenge path still times out (522) either.

@tsd24 Are you using one of the advanced tunneling features or similar at Cloudflare? Are you forcing the acme-challenge URL back to your origin as HTTP rather than HTTPS?

Also, is there a specific reason you want your own cert on your origin server? Rather than just using Cloudflare's Origin CA Cert?


Honestly. I set this up several years ago and was working fine (auto renew) until I got that email a few days ago about the renewal. I'm not using any of the advanced tunnelling features from Cloudflare. The only thing I was using cloudflare for was to handle my dns and send all the traffic to my physical server.

Not sure what you mean by this?

Also, is there a specific reason you want your own cert on your origin server? Rather than just using Cloudflare's Origin CA Cert?

Something must have changed to have the renew start failing. It looks like your origin server is no longer accepting connections on port 80. Would you provide the public IP of your origin? Because your domain is proxied we can't test connections to it without the IP. Or, just tell us more about it. Who hosts the origin server? What is the ISP? Have you added any kind of firewall?

A Cloudflare Origin CA Cert can be used on an origin server for the HTTPS connection between the Cloudflare CDN and your origin. You can use this instead of having to get a public cert. There are some limitations but it is often helpful.

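The curl triage done by hand in the replies above (HTTPS fine, HTTP root redirects, the acme-challenge path returns a 522 from Cloudflare) and the later point that a proxied domain cannot be tested against the origin without its IP can be scripted. The block below is an added example and is not code from the thread, from Certbot or from Cloudflare. classify_probe turns the headers of one probe into a short verdict; probe_acme_path issues such a probe, and with an origin IP uses curl's --resolve to pin the hostname to that address so the same URL and Host header reach the origin while bypassing the CDN. The sample headers are constructed, trimmed from the two responses quoted above; the probe token name is made up.

```shell
#!/bin/sh
# Added example (not from the thread): script the curl-based triage of an
# http-01 challenge path that sits behind a CDN.
# Sample headers and token names below are constructed for illustration.

# Usage: classify_probe "<raw response headers>"  -> prints one verdict token
classify_probe() {
    headers=$(printf '%s\n' "$1" | tr -d '\r')
    # status code from the first line, e.g. "HTTP/1.1 522" or "HTTP/2 200"
    status=$(printf '%s\n' "$headers" | sed -n '1s/^HTTP\/[0-9.]* *\([0-9]\{3\}\).*/\1/p')
    server=$(printf '%s\n' "$headers" | awk 'tolower($1)=="server:" {print tolower($2); exit}')
    location=$(printf '%s\n' "$headers" | awk 'tolower($1)=="location:" {print $2; exit}')

    case "$status" in
        200|204)
            echo "ok" ;;
        301|302|307|308)
            # Let's Encrypt follows redirects, so a redirect is only fine if
            # the target URL actually serves the token.
            case "$location" in
                https://*) echo "redirect-https" ;;
                *)         echo "redirect-other" ;;
            esac ;;
        522)
            if [ "$server" = "cloudflare" ]; then
                # edge reached, but Cloudflare could not open a TCP
                # connection to the origin on the port it was sent to
                echo "origin-unreachable"
            else
                echo "522-not-cloudflare"
            fi ;;
        404)
            # a web server answered, it just does not have the file
            echo "token-not-served" ;;
        "")
            # curl printed nothing: timeout before any bytes arrived
            echo "no-response" ;;
        *)
            echo "http-$status" ;;
    esac
}

# Usage: probe_acme_path <domain> [origin_ip]
# Without origin_ip the request follows DNS (here: the CDN). With origin_ip,
# --resolve pins the hostname to that address, so URL and Host header are
# unchanged but the CDN is bypassed. GET with headers dumped, not HEAD, since
# some servers treat HEAD differently from what the CA will send.
probe_acme_path() {
    domain=$1
    origin=$2
    url="http://$domain/.well-known/acme-challenge/probe-$(date +%s)"
    if [ -n "$origin" ]; then
        curl -sS -m 10 -o /dev/null -D - --resolve "$domain:80:$origin" "$url"
    else
        curl -sS -m 10 -o /dev/null -D - "$url"
    fi
}

# Constructed samples, trimmed from the responses quoted in the thread.
SAMPLE_ROOT_REDIRECT='HTTP/1.1 301 Moved Permanently
Cache-Control: max-age=3600
Location: https://terelearning.com/
Server: cloudflare'

SAMPLE_CHALLENGE_522='HTTP/1.1 522
Content-Type: text/plain; charset=UTF-8
Content-Length: 15
Server: cloudflare'

# What a direct probe of the origin would look like if Apache answered
# on port 80 but had no token file (constructed, not observed in the thread).
SAMPLE_ORIGIN_404='HTTP/1.1 404 Not Found
Server: Apache/2.4.41 (Ubuntu)'

for s in "$SAMPLE_ROOT_REDIRECT" "$SAMPLE_CHALLENGE_522" "$SAMPLE_ORIGIN_404"; do
    printf '%s -> %s\n' "$(printf '%s\n' "$s" | head -n 1)" "$(classify_probe "$s")"
done
```

Reading the verdicts: redirect-https on the site root together with origin-unreachable on the challenge path is the pattern in this thread, and it says the edge is fine and the problem is the hop from Cloudflare to the origin on port 80. The next step is probe_acme_path with the origin IP (once known) to see whether Apache answers on :80 at all; the thread mentions a recently replaced home router, and a missing port-80 forward there is one cause consistent with HTTPS working while HTTP times out.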

I agree, something has to have changed. On my end, I upgraded my Internet connection a few months ago and I recently updated my home router. The physical server (Lenovo) is at my physical location. The server is connected directly to the Internet, so no firewall is blocking anything as far as I can tell.

IP 190.83.176.167

Thanks for the suggestion about the Origin CA certificate
