Unable to renew


#1

My domain is: jtcaron.ddns.net

I ran this command: letsencrypt renew

It produced this output:
Processing /etc/letsencrypt/renewal/jtcunifi.ddns.net.conf
2019-02-07 16:38:05,197:WARNING:letsencrypt.cli:Attempting to renew cert from /etc/letsencrypt/renewal/jtcunifi.ddns.net.conf produced an unexpected error: Failed authorization procedure. jtcunifi.ddns.net (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 88e0e5b31bed1413e8717a40d9b2c866.23d4f062129481699e3ea9edb1d3e283.acme.invalid from 35.227.18.103:443. Received 1 certificate(s), first certificate had names “jtcunifi.ddns.net”. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/jtcunifi.ddns.net/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:

  • The following errors were reported by the server:
    Domain: jtcunifi.ddns.net
    Type: unauthorized
    Detail: Incorrect validation certificate for tls-sni-01 challenge.
    Requested 88e0e5b31bed1413e8717a40d9b2c866.23d4f062129481699e3ea9ed
    b1d3e283.acme.invalid from 35.227.18.103:443. Received 1
    certificate(s), first certificate had names “jtcunifi.ddns.net
    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address.

My web server is (include version): I don’t know, Apache with mongodb I think; it’s a Unifi Controller

The operating system my web server runs on is (include version): Ubuntu 16.04.5

My hosting provider, if applicable, is: Google Cloud

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): letsencrypt 0.4.1


#2

Hi @jtip

tls-sni-01 - validation is deprecated, support ends 2019-02-13 and 2019-03-13.

So you have to switch to another validation method.

Checking your domain ( https://check-your-website.server-daten.de/?q=jtcaron.ddns.net):

Domainname Http-Status redirect Sec. G
http://jtcaron.ddns.net/
76.64.186.132 -14 10.023 T
Timeout - The operation has timed out
https://jtcaron.ddns.net/
76.64.186.132 -14 10.027 T
Timeout - The operation has timed out
http://jtcaron.ddns.net/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
76.64.186.132 -14 10.027 T
Timeout - The operation has timed out

To use http-01 - validation, you need an open port 80 and a running webserver.

Or you switch to dns-01 - validation.

Or you use tls-alpn-01 - validation. But this isn’t supported by Certbot. acme.sh supports that.


#3

Hi, I simply wrote the wrong domain, my bad, it’s jtcunifi.ddns.net.
Is there a simple way to change the renew challenge? I tried --preferred-challenges http but, with no success. Thank you!


#4

Then more information is required.

Rechecked your domain ( https://check-your-website.server-daten.de/?q=jtcunifi.ddns.net ):

Domainname Http-Status redirect Sec. G
http://jtcunifi.ddns.net/
35.227.18.103 302 http://jtcunifi.ddns.net/manage 0.224 D
http://jtcunifi.ddns.net/manage 302 https://jtcunifi.ddns.net:8443/manage 0.217 A
https://jtcunifi.ddns.net/
35.227.18.103 302 https://jtcunifi.ddns.net/manage 3.327 N
Certificate error: RemoteCertificateChainErrors
https://jtcunifi.ddns.net/manage 302 https://jtcunifi.ddns.net/manage/account/login?redirect=%2Fmanage 2.083 N
Certificate error: RemoteCertificateChainErrors
https://jtcunifi.ddns.net:8443/manage 302 https://jtcunifi.ddns.net/manage/account/login?redirect=%2Fmanage 2.120 N
Certificate error: RemoteCertificateChainErrors
https://jtcunifi.ddns.net/manage/account/login?redirect=%2Fmanage 200 2.130 N
Certificate error: RemoteCertificateChainErrors
http://jtcunifi.ddns.net/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
35.227.18.103 404 0.226 A

This looks good. You have a redirect http -> https, but not if the path starts with /.well-known/acme-challenge.

Checking a non-existent file there gives the (good) answer http status 404 - Not Found.

But: What webserver is there? There is no header information. Unifi SDN?

That may be a problem. Is there a running Apache or nginx? If yes, try to find your DocumentRoot / root. Then use

certbot run -a webroot -i apacheOrnginx -w yourDocumentRoot -d jtcunifi.ddns.net

#5

The --apache mode didn’t support anything other than TLS-SNI-01 for a long time after Certbot 0.4.1, which is now almost three years old. You could upgrade to a newer version by using the PPA

or try @JuergenAuer’s advice to switch to --webroot if you don’t want to upgrade your Certbot.


#6

Yes, it’s a Unifi SDN.
The error is as follows: letsencrypt: error: unrecognized arguments: --preferred-challenges http
Otherwise, I’m really unable to say if it’s apache or nginx, I’m pretty sure it’s apache as I don’t have nginx installed. I only had to install a package to get it running.


#7

Do I need to revoke my certificate first and re-obtain it with the new version as it doesn’t have the same name? My version is simply called letsencrypt. Thanks!


#8

Oh, then your certbot is really too old.

No, don’t revoke a certificate if your private key is ok.

Letsencrypt = certbot = certbot-auto - it’s the same.


#9

I updated Certbot and here’s what I get when I try dns and http:

Attempting to renew cert (jtcunifi.ddns.net) from /etc/letsencrypt/renewal/jtcunifi.ddns.net.conf produced an unexpected error: None of the preferred challenges are supported by the selected plugin. Skipping. All renewal attempts failed. The following certs could not be renewed: /etc/letsencrypt/live/jtcunifi.ddns.net/fullchain.pem (failure)


#10

Please share your complete command and the output of

/var/log/letsencrypt/letsencrypt.log

Use certbot, not letsencrypt as command. And add -vvv to see more information.


#11

Alright guys! I figured it out!
So, when I updated certbot and installed python-certbot-apache, it also installed apache2 on my server.

I had redirections on my server from port 80 to 8080 hiding the apache2 instance running without my knowledge. So, I removed the redirection and stopped the apache2 service. After that, I simply did:

letsencrypt renew --preferred-challenges http

Everything worked out from there.

Thank you for the help!


#12

Also, I created a cron job to get my certificate automatically, do you think it will work?
0 */12 * * * root letsencrypt renew --preferred-challenges http --deploy-hook "/usr/local/bin/unifi_ssl_import.sh"
The bash script is simply to import it to my service afterward. Thank you!


#13

You should not need to force this in the cron job.
Who knows, that may cause problems in the future.
letsencrypt will use the latest setting found in the renewal.conf file.


#14

There are two problems with that:

The Certbot package also installed a systemd timer to renew your certificates, and it doesn’t include your --deploy-hook option. So the hook may or may not be used depending on which cron job happens to run first and if it’s saved elsewhere in your configuration.

In addition, it’s problematic to run the renew command at a fixed time of day. (The package’s timer runs twice a day at random times.)

Your deploy hook might be saved in the /etc/letsencrypt/renewal/ configuration files for your certificate(s). If that’s the case, it will keep working (but you’ll also have to specify it when manually issuing new certificates, so Certbot doesn’t forget about it).

(There are other places you could have saved it, like /etc/letsencrypt/cli.ini, but that’s uncommon.)

You can copy/symlink the script in /etc/letsencrypt/renewal-hooks/deploy/ to have Certbot automatically run it without having to edit any cron jobs or timers.
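As an added illustration of the renewal-hooks/deploy/ approach (this is example code, not from the thread or from Certbot): a hook placed in that directory runs for every lineage Certbot renews, so the script below uses the RENEWED_LINEAGE and RENEWED_DOMAINS variables Certbot exports to deploy hooks to act only for the controller's certificate and only when the key material is actually present. The domain and the import script path are the thread's; the helper names and the "only for this lineage" check are this example's own.

```shell
#!/bin/sh
# Added example: a Certbot deploy hook meant to live in
# /etc/letsencrypt/renewal-hooks/deploy/ (mode 0755). Certbot sets
# RENEWED_LINEAGE (the /etc/letsencrypt/live/<name> directory) and
# RENEWED_DOMAINS (space-separated names) in the hook's environment.
set -eu

TARGET_DOMAIN="jtcunifi.ddns.net"                  # from the thread
IMPORT_SCRIPT="/usr/local/bin/unifi_ssl_import.sh"  # from the thread

# domain_in_list NAME "a b c": succeed (0) only if NAME is one of the words.
domain_in_list() {
    needle=$1
    for d in $2; do
        [ "$d" = "$needle" ] && return 0
    done
    return 1
}

# lineage_ready DIR: the files an import script relies on must be readable,
# otherwise we fail loudly instead of importing half a certificate.
lineage_ready() {
    [ -r "$1/fullchain.pem" ] && [ -r "$1/privkey.pem" ]
}

# Only act when Certbot invoked us for the controller's certificate;
# other lineages on the same host are left alone. When run outside
# Certbot (no RENEWED_LINEAGE) the script does nothing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    if domain_in_list "$TARGET_DOMAIN" "${RENEWED_DOMAINS:-}"; then
        lineage_ready "$RENEWED_LINEAGE" || {
            echo "missing key material in $RENEWED_LINEAGE" >&2
            exit 1
        }
        exec "$IMPORT_SCRIPT"
    fi
fi
```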


#15

Thank you for the feedback! When you say save it, do you mean that I have to add these parameters in the jtcunifi.ddns.net.conf file? Like so: --pre-hook "ufw allow http&&service apache2 stop" --deploy-hook "/usr/local/bin/unifi_ssl_import.sh" --post-hook "ufw deny http"
Also, to get the package runtime running twice a day, is there a configuration to do, and, how do I ensure it does run?
Thanks!


#16

Alright, so, I did a bit of research and found that I actually have to add the arguments to the cli.ini file and that by default it will take the config from this file. So, I added these lines:

# /etc/letsencrypt/cli.ini: key = value, one option per line, straight quotes only
pre-hook = ufw allow http && service apache2 stop
deploy-hook = /usr/local/bin/unifi_ssl_import.sh
post-hook = ufw deny http

For the automatic renewal that you mention, I couldn’t find anything, though.


#17

You might want to include:
service apache2 start

Or not stop it at all.
[unless you are running in --standalone mode]
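An added example (not from the thread or from Certbot) of the pre/post hook pair that follows this advice, assuming the standalone authenticator is in use so that apache2 really must be off during the challenge: one script symlinked into both /etc/letsencrypt/renewal-hooks/pre/ and /etc/letsencrypt/renewal-hooks/post/ works out its phase from its own path, stops apache2 only if it was running, and starts it again afterwards. The ufw and apache2 commands mirror the thread; STATE_FILE and the function names are this example's own.

```shell
#!/bin/sh
# Added example: symlink this file as
#   /etc/letsencrypt/renewal-hooks/pre/apache-toggle.sh  and
#   /etc/letsencrypt/renewal-hooks/post/apache-toggle.sh
# Certbot runs the pre/ directory before and post/ after each renewal.
set -eu

STATE_FILE="/run/certbot-apache2-was-running"   # example's own choice

# phase_from_path PATH: print "pre" or "post" from the hook directory name,
# "unknown" when run from anywhere else (then the script does nothing).
phase_from_path() {
    case "$1" in
        */renewal-hooks/pre/*)  echo pre ;;
        */renewal-hooks/post/*) echo post ;;
        *)                      echo unknown ;;
    esac
}

# Pre phase: open port 80 for http-01, remember whether apache2 was
# running, and stop it so the standalone authenticator can bind the port.
pre_phase() {
    ufw allow http
    if systemctl is-active --quiet apache2; then
        : > "$STATE_FILE"
        systemctl stop apache2
    else
        rm -f "$STATE_FILE"
    fi
}

# Post phase: close port 80 again and restart apache2 only if we stopped it,
# so a service that was deliberately off stays off.
post_phase() {
    ufw deny http
    if [ -e "$STATE_FILE" ]; then
        systemctl start apache2
        rm -f "$STATE_FILE"
    fi
}

case "$(phase_from_path "$0")" in
    pre)  pre_phase ;;
    post) post_phase ;;
esac
```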