Unable to renew one particular domain

ashfame · September 27, 2017, 10:12am

My domain is: https://redirecto.ashfame.com

I ran this command: sudo /usr/bin/letsencrypt renew

It produced this output:

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/redirecto.ashfame.com.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for redirecto.ashfame.com
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (redirecto.ashfame.com) from /etc/letsencrypt/renewal/redirecto.ashfame.com.conf produced an unexpected error: Failed authorization procedure. redirecto.ashfame.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching https://redirecto.com/.well-known/acme-challenge/ogzq3oFSFmmDxhWZY7B238rYqored2cFSoyvhHOhCKM: Timeout. Skipping.

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/redirecto.ashfame.com/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: redirecto.ashfame.com
   Type:   connection
   Detail: Fetching
   https://redirecto.com/.well-known/acme-challenge/ogzq3oFSFmmDxhWZY7B238rYqored2cFSoyvhHOhCKM:
   Timeout

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

My web server is (include version): Nginx 1.10.3

The operating system my web server runs on is (include version): Ubuntu Ubuntu 16.04.3 LTS

My hosting provider, if applicable, is: Linode, self managed VPS

I can login to a root shell on my machine (yes or no, or I don’t know): YES

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): NO

=====
I have my other domains working normally, getting renewed by the command above (fired from root crontab), but this one particular site is timing out.

Directly putting a file in .well-known works - https://redirecto.ashfame.com/.well-known/ashfame.txt I didn’t had iPv6, so I went ahead & set that up (verified using http://ipv6-test.com/validate.php) & still getting timeout error.

Clueless as to what else I can check. Please advice!

sahsanu · September 27, 2017, 11:49am

Hello @ashfame,

You are using http-01 challenge to validate your domain so it means that Let’s Encrypt will try to validate the challenge using http not https:

http://redirecto.ashfame.com/.well-known/acme-challenge/ogzq3oFSFmmDxhWZY7B238rYqored2cFSoyvhHOhCKM

But you have a redirection in place which redirects http://redirecto.ashfame.com/whatever to https://redirecto.com/whatever so Let’s Encrypt tries to reach this site and it is not possible to reach it:

https://redirecto.com/.well-known/acme-challenge/ogzq3oFSFmmDxhWZY7B238rYqored2cFSoyvhHOhCKM

So you should review your redirection conf.

Good luck,
sahsanu

ashfame · September 28, 2017, 5:51pm

Thank you @sahsanu

I was able to make it accessible via http and got it to renew. Is it possible to change the method the letsencrypt client uses. I would like to make it use https for renew?

ashfame · September 28, 2017, 6:18pm

Reading from http://letsencrypt.readthedocs.io/en/latest/challenges.html tells me that a redirection to https should work too. I guess it has a very small timeout value that it couldn’t renew it.

Other domains on the same server renew fine via http to https redirection. Anyway, I am good, thanks for your help!

sahsanu · September 28, 2017, 6:57pm

Hi @ashfame,

I see that you have found Let's Encrypt follows redirects so no problem to use http-01 challenge, if you redirect http to https Let's Encrypt will follow it.

Good luck.
sahsanu

system · October 28, 2017, 6:57pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.