Unable to renew certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: elisa-builder-00.iol.unh.edu

I ran this command: acme.sh --issue --alpn -d elisa-builder-00.iol.unh.edu --debug 2 --log

It produced this output:

[Fri Jul 30 22:21:49 UTC 2021] Running cmd: issue
[Fri Jul 30 22:21:49 UTC 2021] _main_domain='elisa-builder-00.iol.unh.edu'
[Fri Jul 30 22:21:49 UTC 2021] _alt_domains='no'
[Fri Jul 30 22:21:49 UTC 2021] Using config home:/root/.acme.sh
[Fri Jul 30 22:21:49 UTC 2021] default_acme_server
[Fri Jul 30 22:21:49 UTC 2021] ACME_DIRECTORY='https://acme.zerossl.com/v2/DV90'
[Fri Jul 30 22:21:49 UTC 2021] DOMAIN_PATH='/root/.acme.sh/elisa-builder-00.iol.unh.edu'
[Fri Jul 30 22:21:49 UTC 2021] Using ACME_DIRECTORY: https://acme.zerossl.com/v2/DV90
[Fri Jul 30 22:21:49 UTC 2021] _init api for server: https://acme.zerossl.com/v2/DV90
[Fri Jul 30 22:21:49 UTC 2021] Retrying GET
[Fri Jul 30 22:21:49 UTC 2021] GET
[Fri Jul 30 22:21:49 UTC 2021] url='https://acme.zerossl.com/v2/DV90'
[Fri Jul 30 22:21:49 UTC 2021] timeout=
[Fri Jul 30 22:21:49 UTC 2021] displayError='1'
[Fri Jul 30 22:21:49 UTC 2021] _CURL='curl --silent --dump-header /root/.acme.sh/http.header  -L  --trace-ascii /tmp/tmp.r48fQULn1z  -g '
[Fri Jul 30 22:21:50 UTC 2021] ret='0'
[Fri Jul 30 22:21:50 UTC 2021] _hcode='0'
[Fri Jul 30 22:21:50 UTC 2021] ACME_KEY_CHANGE='https://acme.zerossl.com/v2/DV90/keyChange'
[Fri Jul 30 22:21:50 UTC 2021] ACME_NEW_AUTHZ
[Fri Jul 30 22:21:50 UTC 2021] ACME_NEW_ORDER='https://acme.zerossl.com/v2/DV90/newOrder'
[Fri Jul 30 22:21:50 UTC 2021] ACME_NEW_ACCOUNT='https://acme.zerossl.com/v2/DV90/newAccount'
[Fri Jul 30 22:21:50 UTC 2021] ACME_REVOKE_CERT='https://acme.zerossl.com/v2/DV90/revokeCert'
[Fri Jul 30 22:21:50 UTC 2021] ACME_AGREEMENT='https://secure.trust-provider.com/repository/docs/Legacy/20201020_Certificate_Subscriber_Agreement_v_2_4_click.pdf'
[Fri Jul 30 22:21:50 UTC 2021] ACME_NEW_NONCE='https://acme.zerossl.com/v2/DV90/newNonce'
[Fri Jul 30 22:21:50 UTC 2021] Le_NextRenewTime='1625567746'
[Fri Jul 30 22:21:50 UTC 2021] Using CA: https://acme.zerossl.com/v2/DV90
[Fri Jul 30 22:21:50 UTC 2021] _on_before_issue
[Fri Jul 30 22:21:50 UTC 2021] _chk_main_domain='elisa-builder-00.iol.unh.edu'
[Fri Jul 30 22:21:50 UTC 2021] _chk_alt_domains
[Fri Jul 30 22:21:50 UTC 2021] Le_LocalAddress
[Fri Jul 30 22:21:50 UTC 2021] d='elisa-builder-00.iol.unh.edu'
[Fri Jul 30 22:21:50 UTC 2021] Check for domain='elisa-builder-00.iol.unh.edu'
[Fri Jul 30 22:21:50 UTC 2021] _currentRoot='alpn'
[Fri Jul 30 22:21:50 UTC 2021] Standalone alpn mode.
[Fri Jul 30 22:21:50 UTC 2021] _checkport='443'
[Fri Jul 30 22:21:50 UTC 2021] _checkaddr
[Fri Jul 30 22:21:50 UTC 2021] d
[Fri Jul 30 22:21:50 UTC 2021] _saved_account_key_hash is not changed, skip register account.
[Fri Jul 30 22:21:50 UTC 2021] Read key length:
[Fri Jul 30 22:21:50 UTC 2021] _createcsr
[Fri Jul 30 22:21:50 UTC 2021] Single domain='elisa-builder-00.iol.unh.edu'
[Fri Jul 30 22:21:50 UTC 2021] Getting domain auth token for each domain
[Fri Jul 30 22:21:50 UTC 2021] d
[Fri Jul 30 22:21:50 UTC 2021] url='https://acme.zerossl.com/v2/DV90/newOrder'
[Fri Jul 30 22:21:50 UTC 2021] payload='{"identifiers": [{"type":"dns","value":"elisa-builder-00.iol.unh.edu"}]}'
[Fri Jul 30 22:21:50 UTC 2021] RSA key
[Fri Jul 30 22:21:50 UTC 2021] Retrying post
[Fri Jul 30 22:21:50 UTC 2021] HEAD
[Fri Jul 30 22:21:50 UTC 2021] _post_url='https://acme.zerossl.com/v2/DV90/newNonce'
[Fri Jul 30 22:21:50 UTC 2021] _CURL='curl --silent --dump-header /root/.acme.sh/http.header  -L  --trace-ascii /tmp/tmp.RFAQGBKkRW  -g  -I  '
[Fri Jul 30 22:21:50 UTC 2021] _ret='0'
[Fri Jul 30 22:21:50 UTC 2021] _hcode='0'
[Fri Jul 30 22:21:50 UTC 2021] Retrying post
[Fri Jul 30 22:21:50 UTC 2021] POST
[Fri Jul 30 22:21:50 UTC 2021] _post_url='https://acme.zerossl.com/v2/DV90/newOrder'
[Fri Jul 30 22:21:50 UTC 2021] _CURL='curl --silent --dump-header /root/.acme.sh/http.header  -L  --trace-ascii /tmp/tmp.RFAQGBKkRW  -g '
[Fri Jul 30 22:21:51 UTC 2021] _ret='0'
[Fri Jul 30 22:21:51 UTC 2021] _hcode='0'
[Fri Jul 30 22:21:51 UTC 2021] code='201'
[Fri Jul 30 22:21:51 UTC 2021] Le_LinkOrder='https://acme.zerossl.com/v2/DV90/order/zv1Rpusx9gcxPWgMVR-qWw'
[Fri Jul 30 22:21:51 UTC 2021] Le_OrderFinalize='https://acme.zerossl.com/v2/DV90/order/zv1Rpusx9gcxPWgMVR-qWw/finalize'
[Fri Jul 30 22:21:51 UTC 2021] url='https://acme.zerossl.com/v2/DV90/authz/hDiGPqa3dgP6XGG2N2iVZQ'
[Fri Jul 30 22:21:51 UTC 2021] payload
[Fri Jul 30 22:21:51 UTC 2021] Retrying post
[Fri Jul 30 22:21:51 UTC 2021] POST
[Fri Jul 30 22:21:51 UTC 2021] _post_url='https://acme.zerossl.com/v2/DV90/authz/hDiGPqa3dgP6XGG2N2iVZQ'
[Fri Jul 30 22:21:51 UTC 2021] _CURL='curl --silent --dump-header /root/.acme.sh/http.header  -L  --trace-ascii /tmp/tmp.RFAQGBKkRW  -g '
[Fri Jul 30 22:21:51 UTC 2021] _ret='0'
[Fri Jul 30 22:21:51 UTC 2021] _hcode='0'
[Fri Jul 30 22:21:51 UTC 2021] code='200'
[Fri Jul 30 22:21:51 UTC 2021] d='elisa-builder-00.iol.unh.edu'
[Fri Jul 30 22:21:51 UTC 2021] Getting webroot for domain='elisa-builder-00.iol.unh.edu'
[Fri Jul 30 22:21:51 UTC 2021] _w='alpn'
[Fri Jul 30 22:21:51 UTC 2021] _currentRoot='alpn'
[Fri Jul 30 22:21:51 UTC 2021] entry
[Fri Jul 30 22:21:51 UTC 2021] Not a wildcard domain, lets check whether the validation is already valid.
[Fri Jul 30 22:21:51 UTC 2021] Error, can not get domain token entry elisa-builder-00.iol.unh.edu for tls-alpn-01
[Fri Jul 30 22:21:51 UTC 2021] The supported validation types are: http-01 dns-01 , but you specified: tls-alpn-01
[Fri Jul 30 22:21:51 UTC 2021] pid
[Fri Jul 30 22:21:51 UTC 2021] No need to restore nginx, skip.
[Fri Jul 30 22:21:51 UTC 2021] _clearupdns
[Fri Jul 30 22:21:51 UTC 2021] dns_entries
[Fri Jul 30 22:21:51 UTC 2021] skip dns.
[Fri Jul 30 22:21:51 UTC 2021] _on_issue_err
[Fri Jul 30 22:21:51 UTC 2021] Please check log file for more details: /root/.acme.sh/acme.sh.log
[Fri Jul 30 22:21:51 UTC 2021] Diagnosis versions: 
openssl:openssl
OpenSSL 1.1.1f  31 Mar 2020
apache:
apache doesn't exist.
nginx:
nginx doesn't exist.
socat:
socat by Gerhard Rieger and contributors - see www.dest-unreach.org
socat version 1.7.3.3 on Oct 26 2019 17:42:04
   running on Linux version #78-Ubuntu SMP Fri Mar 19 13:29:52 UTC 2021, release 5.4.0-70-generic, machine x86_64
features:
  #define WITH_STDIO 1
  #define WITH_FDNUM 1
  #define WITH_FILE 1
  #define WITH_CREAT 1
  #define WITH_GOPEN 1
  #define WITH_TERMIOS 1
  #define WITH_PIPE 1
  #define WITH_UNIX 1
  #define WITH_ABSTRACT_UNIXSOCKET 1
  #define WITH_IP4 1
  #define WITH_IP6 1
  #define WITH_RAWIP 1
  #define WITH_GENERICSOCKET 1
  #define WITH_INTERFACE 1
  #define WITH_TCP 1
  #define WITH_UDP 1
  #define WITH_SCTP 1
  #define WITH_LISTEN 1
  #define WITH_SOCKS4 1
  #define WITH_SOCKS4A 1
  #define WITH_PROXY 1
  #define WITH_SYSTEM 1
  #define WITH_EXEC 1
  #undef WITH_READLINE
  #define WITH_TUN 1
  #define WITH_PTY 1
  #define WITH_OPENSSL 1
  #undef WITH_FIPS
  #define WITH_LIBWRAP 1
  #define WITH_SYCLS 1
  #define WITH_FILAN 1
  #define WITH_RETRY 1
  #define WITH_MSGLEVEL 0 /*debug*/

My web server is (include version): NA

The operating system my web server runs on is (include version): Ubuntu Focal

My hosting provider, if applicable, is: NA

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): acme.sh with HEAD at a199fc6113d23a715896d31b60530795408b0da3
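The debug log above ends at the authorization step: the CA's authorization object for the domain carried only http-01 and dns-01 challenges, so acme.sh could not find a tls-alpn-01 entry to answer. The following is an added example in Go, not code from acme.sh or from anyone in this thread, that parses an ACME authorization object (RFC 8555) and selects the requested challenge type, failing with the list the CA actually offered. The sample authorization is constructed for illustration: only the domain is from the thread; the CA URL, tokens and the function name SelectChallenge are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Challenge is the part of an ACME challenge object (RFC 8555 section 7.1.5) a client needs.
type Challenge struct {
	Type   string `json:"type"`
	URL    string `json:"url"`
	Token  string `json:"token"`
	Status string `json:"status"`
}

// Authorization is the part of an ACME authorization object (RFC 8555 section 7.1.4) a client needs.
type Authorization struct {
	Identifier struct {
		Type  string `json:"type"`
		Value string `json:"value"`
	} `json:"identifier"`
	Status     string      `json:"status"`
	Wildcard   bool        `json:"wildcard"`
	Challenges []Challenge `json:"challenges"`
}

// SelectChallenge parses the authorization the CA returned for one identifier and
// returns the challenge of the requested type. When the CA did not offer that type,
// the error lists what it did offer, which is the condition behind acme.sh's
// "supported validation types are: http-01 dns-01" line in the log above.
func SelectChallenge(authzJSON []byte, want string) (Challenge, error) {
	var a Authorization
	if err := json.Unmarshal(authzJSON, &a); err != nil {
		return Challenge{}, fmt.Errorf("authorization is not valid JSON: %w", err)
	}
	if a.Status == "valid" {
		return Challenge{}, fmt.Errorf("%s is already authorized; no challenge needed", a.Identifier.Value)
	}
	var offered []string
	for _, c := range a.Challenges {
		if c.Type == want {
			return c, nil
		}
		offered = append(offered, c.Type)
	}
	return Challenge{}, fmt.Errorf("%s: CA offers %s, not %s", a.Identifier.Value, strings.Join(offered, " "), want)
}

// sampleAuthz is a constructed authorization, not a real CA response: the shape a CA
// that supports only http-01 and dns-01 returns for the thread's domain. The URLs and
// tokens are made up.
const sampleAuthz = `{
  "identifier": {"type": "dns", "value": "elisa-builder-00.iol.unh.edu"},
  "status": "pending",
  "challenges": [
    {"type": "http-01", "url": "https://ca.example/chall/1", "token": "tok1", "status": "pending"},
    {"type": "dns-01",  "url": "https://ca.example/chall/2", "token": "tok2", "status": "pending"}
  ]
}`

func main() {
	for _, want := range []string{"tls-alpn-01", "http-01"} {
		c, err := SelectChallenge([]byte(sampleAuthz), want)
		fmt.Printf("%-11s -> challenge=%+v err=%v\n", want, c, err)
	}
}
```

A client that hard-codes one validation method, as the `--alpn` flag does here, has to fail this way whenever the CA's directory does not advertise that challenge; checking the authorization object first gives a clear error instead of a silent fallback.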

Hi @sudipm, and welcome to the LE community forum :slight_smile:

Sadly, the ACME client you are using is not maintained by LE ("acme.sh").
And the CA it has defaulted to is also not supported by this community:

So there is nothing left for us to help you with.

Thanks for the fast reply @rg305.
I only have port 443 open on that server. Can you please advise me which client will be the best one for my purpose?


For ZeroSSL certificates issued with acme.sh please refer to the ZeroSSL and/or acme.sh support. This Community is for Let's Encrypt certificate support.


Thanks @Osiris.
I am now trying to get a new certificate using certbot, and have tried both the standalone and webroot options. In both cases it's trying to use HTTP for the challenge.

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: elisa-builder-00.iol.unh.edu
  Type:   connection
  Detail: Fetching http://elisa-builder-00.iol.unh.edu/.well-known/acme-challenge/1Pi79TlPDgX4J_CYekWwXFjCfNL2f5sbQ2u4v5_L5kI: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Is there any way I can ask certbot to use https instead of http? I tried to find related options for "--preferred-challenges" but could not find any. Any help will be really appreciated.

Certbot doesn't support TLS-ALPN-01, unfortunately. You really don't have an option to use port 80?


@Osiris I found from https://letsencrypt.org/docs/challenge-types/#tls-alpn-01 that certbot does not support TLS-ALPN-01, and so I started trying lego. But that is also failing with:

2021/07/31 10:49:53 [INFO] [elisa-builder-00.iol.unh.edu] acme: Obtaining bundled SAN certificate
2021/07/31 10:49:53 [INFO] [elisa-builder-00.iol.unh.edu] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/17737034030
2021/07/31 10:49:53 [INFO] [elisa-builder-00.iol.unh.edu] acme: use tls-alpn-01 solver
2021/07/31 10:49:53 [INFO] [elisa-builder-00.iol.unh.edu] acme: Trying to solve TLS-ALPN-01
2021/07/31 10:50:00 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/17737034030
2021/07/31 10:50:00 [INFO] Unable to deactivate the authorization: https://acme-v02.api.letsencrypt.org/acme/authz-v3/17737034030
2021/07/31 10:50:00 Could not obtain certificates:
	error: one or more domains had a problem:
[elisa-builder-00.iol.unh.edu] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Connection refused

Not sure what it means by "Unable to deactivate the authorization".
Port 80 is blocked; I have never asked for port 80 to be opened, as I only intended to use HTTPS. I can ask to open port 80, but that will be a complicated process. :frowning:

An open port 80 is also necessary for HTTP to HTTPS redirects.

Also, the connection refused while using the tls-alpn-01 challenge suggests LE wasn't connecting to the same host/IP as where lego was running. Does the host have multiple IP addresses? A firewall perhaps?

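The lego run above and the "connection refused" diagnosis are the two halves of one exchange: the client has to present a special certificate on port 443 with ALPN acme-tls/1, and the CA has to actually reach that listener. The following is an added example in Go, not code from lego, certbot, acme.sh or anyone in this thread, that implements both halves per RFC 8737: the responder's self-signed challenge certificate (exactly one SAN for the domain plus a critical id-pe-acmeIdentifier extension carrying the SHA-256 of the key authorization), the checks the CA applies to that certificate, and a wire-level probe that connects the way the CA does. The domain is the thread's; the key authorization "token.thumbprint", the loopback listener and the function names are assumptions for illustration. Run from a machine outside the host against its public IP, Probe returns the same "connection refused" the CA reported when lego was reachable only inside a Docker bridge network.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

const acmeTLSProto = "acme-tls/1" // RFC 8737 ALPN protocol name
var oidACMEIdentifier = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 31} // id-pe-acmeIdentifier

// BuildChallengeCert: the self-signed cert a responder presents, one SAN plus a critical acmeIdentifier extension.
func BuildChallengeCert(domain, keyAuth string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	digest := sha256.Sum256([]byte(keyAuth))
	extVal, _ := asn1.Marshal(digest[:]) // a []byte marshals as a DER OCTET STRING, as RFC 8737 requires
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(1),
		DNSNames:        []string{domain},
		NotBefore:       time.Now().Add(-time.Hour),
		NotAfter:        time.Now().Add(24 * time.Hour),
		ExtraExtensions: []pkix.Extension{{Id: oidACMEIdentifier, Critical: true, Value: extVal}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, err
}

// ValidateChallengeCert performs the CA-side checks: exactly one SAN equal to the domain, and a
// critical acmeIdentifier extension whose OCTET STRING equals SHA-256(keyAuth).
func ValidateChallengeCert(der []byte, domain, keyAuth string) error {
	cert, err := x509.ParseCertificate(der)
	if err != nil || len(cert.DNSNames) != 1 || cert.DNSNames[0] != domain {
		return fmt.Errorf("unparsable certificate or SAN mismatch (%v)", err)
	}
	want := sha256.Sum256([]byte(keyAuth))
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(oidACMEIdentifier) {
			continue
		}
		var got []byte
		if _, err := asn1.Unmarshal(ext.Value, &got); err != nil || !ext.Critical || string(got) != string(want[:]) {
			return fmt.Errorf("acmeIdentifier extension present but invalid (critical=%v)", ext.Critical)
		}
		return nil
	}
	return fmt.Errorf("acmeIdentifier extension missing")
}

// ServeChallenge is the responder side: offer only acme-tls/1, answer each handshake with the challenge cert, hang up.
func ServeChallenge(addr string, cert tls.Certificate) (string, error) {
	ln, err := tls.Listen("tcp", addr, &tls.Config{Certificates: []tls.Certificate{cert}, NextProtos: []string{acmeTLSProto}})
	if err != nil {
		return "", err
	}
	go func() {
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			go func(c *tls.Conn) { c.Handshake(); c.Close() }(c.(*tls.Conn))
		}
	}()
	return ln.Addr().String(), nil
}

// Probe is the validator side on the wire: SNI=domain, ALPN acme-tls/1, then validate the cert; run it from
// outside against the public IP to see whether :443 really reaches the responder (the failure mode in this thread).
func Probe(addr, domain, keyAuth string) error {
	conn, err := tls.Dial("tcp", addr, &tls.Config{ServerName: domain, NextProtos: []string{acmeTLSProto},
		InsecureSkipVerify: true}) // the challenge cert is self-signed by design; the real check is below
	if err != nil {
		return err // e.g. "connection refused" when nothing answers on the port
	}
	defer conn.Close()
	if p := conn.ConnectionState().NegotiatedProtocol; p != acmeTLSProto {
		return fmt.Errorf("server negotiated %q, not %s", p, acmeTLSProto)
	}
	return ValidateChallengeCert(conn.ConnectionState().PeerCertificates[0].Raw, domain, keyAuth)
}

func main() {
	const domain, keyAuth = "elisa-builder-00.iol.unh.edu", "token.thumbprint" // keyAuth is hypothetical
	cert, err := BuildChallengeCert(domain, keyAuth)
	if err != nil {
		panic(err)
	}
	addr, err := ServeChallenge("127.0.0.1:0", cert) // loopback here; a real responder binds :443
	if err != nil {
		panic(err)
	}
	fmt.Println("probe:", Probe(addr, domain, keyAuth))
}
```

The probe deliberately skips chain verification, since the challenge certificate is self-signed by design, and relies on ValidateChallengeCert for the checks that matter; pointing it at a container that only publishes port 443 on a bridge network, from outside the host, is the quickest way to see the difference that --network host made.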

Thanks @Osiris for that hint about the host/IP. I was using lego in a Docker container, and I thought just giving port 443 to it should be enough. But after your hint I used --network host with Docker, and I have a certificate now. Thanks a lot for your help, also @rg305.
I have also opened an issue with acme.sh at https://github.com/acmesh-official/acme.sh/issues/3636 but I think I will just stick to lego for my next renewal.

