Renew Letsencrypt cert fails

Discussion in 'Installation/Configuration' started by Zague, Apr 19, 2022.

  1. Zague

    Zague Member

    Hello,
    I am using ISPConfig 3.2.8p1 with Ubuntu 20.04; I am using the server only as a mail server. It was installed without issues and previously there were no issues renewing the Let's Encrypt cert.
    Today, checking the log, I saw there was an error trying to renew the cert:
    Code:
    Cert is due for renewal, auto-renewing...
    Plugins selected: Authenticator webroot, Installer None
    Renewing an existing certificate
    Performing the following challenges:
    Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.
    Attempting to renew cert (domain.com) from /etc/letsencrypt/renewal/domain.com.conf produced an unexpected error: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.. Skipping.
    All renewal attempts failed. The following certs could not be renewed:
      /etc/letsencrypt/live/domain.com.mx/fullchain.pem (failure)
    and the log is showing:
    Code:
    2022-04-19 14:31:45,672:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/99718720250 HTTP/1.1" 200 386
    2022-04-19 14:31:45,673:DEBUG:acme.client:Received response:
    HTTP 200
    Server: nginx
    Date: Tue, 19 Apr 2022 19:31:45 GMT
    Content-Type: application/json
    Content-Length: 386
    Connection: keep-alive
    Boulder-Requester: 364640610
    Cache-Control: public, max-age=0, no-cache
    Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
    Replay-Nonce: 0101ZZnHd8q5ozVGmbU8ablipGjam-dXnwkHmvyjw4oUIHE
    X-Frame-Options: DENY
    Strict-Transport-Security: max-age=604800
    
    {
      "identifier": {
        "type": "dns",
        "value": "domain.com"
      },
      "status": "pending",
      "expires": "2022-04-26T01:03:47Z",
      "challenges": [
        {
          "type": "dns-01",
          "status": "pending",
          "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/99718720250/SziBVQ",
          "token": "b_tQOzDXjfkqM8OrR1A0vopnwIFwrjMv1psY4iEhENo"
        }
      ],
      "wildcard": true
    }
    2022-04-19 14:31:45,673:DEBUG:acme.client:Storing nonce: 0101ZZnHd8q5ozVGmbU8ablipGjam-dXnwkHmvyjw4oUIHE
    2022-04-19 14:31:45,674:DEBUG:acme.client:JWS payload:
    b''
    2022-04-19 14:31:45,681:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/99718720260:
    {
      "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMzY0NjQwNjEwIiwgIm5vbmNlIjogIjAxMDFaWm5IZDhxNW96VkdtYlU4YWJsaXBHamFtLWRYbndrSG12eWp3NG9VSUhFIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My85OTcxODcyMDI2MCJ9",
      "signature": "P-TCaEOZlzm0GFynY_ykESWC3pSNT3rhpAHdzGdMJQU2ca-qolGIZ0mCW_TR3JHXuoB4Z8QWMHxLKcMjF3dzqjiIwqlBkMJEIj79jTB5iRn27RBJaBIfHmsyDjA_lYOKow8H0w-d8nlYdDxRdTFFaKnQP8mI3m7VhaXeLPHDWSUMkGFko74pGexRP8L8mJKxwaDD65qskPc9MX0t7ZeO0-2fXx2AC21L6jM-MnoZu4MdQfybYOBXzOTjRzowyzjonkTqiuSHjTweGEWrQlG7hOZrASpWHfbf5v24xyaLMCzK0vCjbsYeSXKOTj8KaQeNcxfp0zhZJweCFtCa7rJ56ogLWvpQX4bF572JL-_9uN6hkaSnMPb0z1pKT9S5A2VVzXQ4tG8TTkqLFVr3ErCGGo1perSpQNR18_CcUkxWNndvPHdHudZ9XL_pyG2AxR4qo8TI0Y_QyQObry6k7qgzKufx6_jEthlulljcLmB2VjYVmgLbaaqzNfksjQt3ix1U54kwX7uEtUlT7Iei_5ZDaTpP-AZycYWYJsEqjSCdX3aB8PvkzthTPSGOD1DH1m7VaUxbBOnIsGmW0iff6Wk0eqINuCO1qD6YMQdqCArYH-UvB5FgDo-mk9IWoAnTPqSRJZoJoSxggU9gfScoqF95aBRMViHoGedgqeIrahZjKJo",
      "payload": ""
    }
    2022-04-19 14:31:45,729:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/99718720260 HTTP/1.1" 200 381
    2022-04-19 14:31:45,731:DEBUG:acme.client:Received response:
    HTTP 200
    Server: nginx
    Date: Tue, 19 Apr 2022 19:31:45 GMT
    Content-Type: application/json
    Content-Length: 381
    Connection: keep-alive
    Boulder-Requester: 364640610
    Cache-Control: public, max-age=0, no-cache
    Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
    Replay-Nonce: 0101nhdYr3dRN4ekOGDX2V3lk8ADMmF1DN1Kg60_BJ3O4dM
    X-Frame-Options: DENY
    Strict-Transport-Security: max-age=604800
    
    {
      "identifier": {
        "type": "dns",
        "value": "domain2.com"
      },
      "status": "pending",
      "expires": "2022-04-26T01:03:47Z",
      "challenges": [
        {
          "type": "dns-01",
          "status": "pending",
          "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/99718720260/X-s1pw",
          "token": "uDfw_0e2mQZzoShd6NMLSYUUatxWHjM1_4S7gGYaPeI"
        }
      ],
      "wildcard": true
    }
    2022-04-19 14:31:45,731:DEBUG:acme.client:Storing nonce: 0101nhdYr3dRN4ekOGDX2V3lk8ADMmF1DN1Kg60_BJ3O4dM
    2022-04-19 14:31:45,732:INFO:certbot.auth_handler:Performing the following challenges:
    2022-04-19 14:31:45,732:CRITICAL:certbot.auth_handler:Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.
    2022-04-19 14:31:45,733:WARNING:certbot.renewal:Attempting to renew cert (domain.com) from /etc/letsencrypt/renewal/domain.com.conf produced an unexpected error: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.. Skipping.
    2022-04-19 14:31:45,741:DEBUG:certbot.renewal:Traceback was:
    Traceback (most recent call last):
      File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 462, in handle_renewal_request
        main.renew_cert(lineage_config, plugins, renewal_candidate)
      File "/usr/lib/python3/dist-packages/certbot/main.py", line 1208, in renew_cert
        renewed_lineage = _get_and_save_cert(le_client, config, lineage=lineage)
      File "/usr/lib/python3/dist-packages/certbot/main.py", line 116, in _get_and_save_cert
        renewal.renew_cert(config, domains, le_client, lineage)
      File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 320, in renew_cert
        new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
      File "/usr/lib/python3/dist-packages/certbot/client.py", line 348, in obtain_certificate
        orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
      File "/usr/lib/python3/dist-packages/certbot/client.py", line 396, in _get_order_and_authorizations
        authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
      File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 62, in handle_authorizations
        achalls = self._choose_challenges(authzrs)
      File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 204, in _choose_challenges
        path = gen_challenge_path(
      File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 320, in gen_challenge_path
        return _find_smart_path(challbs, preferences, combinations)
      File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 356, in _find_smart_path
        _report_no_chall_path(challbs)
      File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 395, in _report_no_chall_path
        raise errors.AuthorizationError(msg)
    certbot.errors.AuthorizationError: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.
    
    2022-04-19 14:31:45,743:ERROR:certbot.renewal:All renewal attempts failed. The following certs could not be renewed:
    2022-04-19 14:31:45,743:ERROR:certbot.renewal:  /etc/letsencrypt/live/domain.com/fullchain.pem (failure)
    2022-04-19 14:31:45,744:DEBUG:certbot.log:Exiting abnormally:
    Traceback (most recent call last):
      File "/usr/bin/certbot", line 11, in <module>
        load_entry_point('certbot==0.40.0', 'console_scripts', 'certbot')()
      File "/usr/lib/python3/dist-packages/certbot/main.py", line 1382, in main
        return config.func(config, plugins)
      File "/usr/lib/python3/dist-packages/certbot/main.py", line 1287, in renew
        renewal.handle_renewal_request(config)
      File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 486, in handle_renewal_request
        raise errors.Error("{0} renew failure(s), {1} parse failure(s)".format(
    certbot.errors.Error: 1 renew failure(s), 0 parse failure(s)
    I have read other posts related to Let's Encrypt issues but I was not able to get a clue.

    Any ideas?
    Thank you
     
  2. Zague

    Zague Member

    UPDATE:
    I found this article with a description of the issue. It said that certbot needs to be updated, but I have version 0.40.
    Code:
    certbot --version || /path/to/certbot-auto --version
    certbot 0.40.0
    Also, I have tried removing and reinstalling certbot, with the same results.
    Thank you
     
  3. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

  4. Zague

    Zague Member

    Thank you for the answer ahrasis, I did these steps:
    1.- apt-get remove certbot
    2.- apt autoremove
    3.- snap install core; sudo snap refresh core
    4.- snap install --classic certbot
    5.- ln -s /snap/bin/certbot /usr/bin/certbot
    6.- certbot renew
    I got the same result. Thinking that the certs could be the problem, I removed the folder /etc/letsencrypt/archive/domain.com,
    removed /usr/local/ispconfig/interface/ssl/* and the CF file in /etc/letsencrypt/renewal, and ran ispconfig_update.sh --force to create the SSL cert again.
    The cert was created correctly; however, this is a mail server handling 2 email domains (domain.com and domain2.com), and my previous cert contained references to *.domain.com and *.domain2.com.

    The new cert only has a reference to hostname.domain.com and did not set *.domain.com and *.domain2.com like the previous one.
    When I ran ispconfig_update.sh --force I selected reconfigure services and create SSL cert; all the remaining options were default.

    Any ideas?
    Thank you for your time
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    The ISPConfig installer sets up an SSL cert for the hostname only. If you had more domains in that cert before, then it was not created by the ISPConfig installer and you must set it up manually again in the same way you did before to have more domains in that cert.
     
  6. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    To use a wildcard you have to use the DNS challenge, which is currently unsupported by the ISPConfig installer and its LE web config. You will need to do this manually; I believe @Th0m has written a tutorial about it, but his method does not support wildcards either, although multiple FQDNs will work using his method. I personally use a wildcard for my ISPConfig and I did share the general method to use it in the tips and tricks board.
     
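The error in the first post and the explanation in the post above can be reproduced with a small model of certbot's challenge selection. This is an added example (not certbot's or ISPConfig's code): the authorization objects are constructed to match the two in the debug log, where the CA offers only dns-01 for the wildcard identifiers, and the authenticator-to-challenge mapping is a simplified assumption ("dns-plugin" stands in for any certbot dns-* plugin).

```python
# Challenge types each authenticator can answer. Simplified assumption based on
# certbot's plugins: HTTP-based authenticators only do http-01, dns-* plugins do dns-01.
AUTHENTICATOR_CHALLENGES = {
    "webroot": {"http-01"},
    "dns-plugin": {"dns-01"},          # stands in for any certbot dns-* plugin
    "manual": {"http-01", "dns-01"},
}

# Constructed authorization objects, shaped like the two in the debug log above.
# Let's Encrypt offers only dns-01 for wildcard identifiers; a plain name gets several.
SAMPLE_AUTHZS = [
    {"identifier": {"type": "dns", "value": "domain.com"}, "wildcard": True,
     "challenges": [{"type": "dns-01", "status": "pending"}]},
    {"identifier": {"type": "dns", "value": "domain2.com"}, "wildcard": True,
     "challenges": [{"type": "dns-01", "status": "pending"}]},
    {"identifier": {"type": "dns", "value": "mail.domain.com"}, "wildcard": False,
     "challenges": [{"type": "http-01", "status": "pending"},
                    {"type": "dns-01", "status": "pending"},
                    {"type": "tls-alpn-01", "status": "pending"}]},
]


def authz_name(authz):
    """Render the identifier the way the certificate SAN would show it."""
    value = authz["identifier"]["value"]
    return "*." + value if authz.get("wildcard") else value


def blocked_authorizations(authzs, authenticator):
    """Return {name: offered_challenge_types} for every authorization the authenticator
    cannot answer; certbot raises AuthorizationError as soon as this is non-empty."""
    supported = AUTHENTICATOR_CHALLENGES[authenticator]
    blocked = {}
    for authz in authzs:
        offered = {c["type"] for c in authz["challenges"] if c["status"] == "pending"}
        if not offered & supported:
            blocked[authz_name(authz)] = sorted(offered)
    return blocked


def explain(authzs, authenticator):
    """Human-readable verdict for a renewal log review."""
    blocked = blocked_authorizations(authzs, authenticator)
    if not blocked:
        return "authenticator %r can satisfy all %d authorizations" % (authenticator, len(authzs))
    names = ", ".join("%s (offers %s)" % (n, "/".join(t)) for n, t in sorted(blocked.items()))
    return "authenticator %r cannot satisfy: %s" % (authenticator, names)


if __name__ == "__main__":
    print(explain(SAMPLE_AUTHZS, "webroot"))
```

With the webroot authenticator both wildcard authorizations are reported as blocked, which is the situation certbot summarises as "does not support any combination of challenges that will satisfy the CA".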
  7. tamaga

    tamaga New Member

    Hello, could this also be the problem in my case? After my update to ispconfig 3.2.8p1 with a newly created certificate I have the problem that I can no longer send mails via my domain, which worked before. The strange thing is that after a repeated forced update all domains ran on the server for a short time, but only one domain again reports that the certificate is supposedly not present in the hostname. And the other domains send very slowly or not at all.
    Apart from that there are these errors in mail.log:
    TLS handshaking: SSL_accept() failed: error:1408F10B:SSL routines:ssl3_get_record:wrong version number
    postfix/smtps/smtpd[5978]: warning: TLS library problem: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown
     
  8. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Please communicate in English on this forum, or head over to the forum at https://howtoforge.de
     
  9. Wilt

    Wilt Member HowtoForge Supporter

    I am seeing the same problem. We just upgraded from 3.2.7p1 to 3.2.8p1 (Ubuntu 20.04) and started seeing SSL errors with email accounts and checking the LetsEncrypt logs we found the same errors as above. Everything was working fine before the upgrade (and we used the upgrade tool from the control panel to do the upgrade). Any suggestions as to what could cause this please?
     
  10. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    How did you set up the cert for the mailserver before?
     
  11. Wilt

    Wilt Member HowtoForge Supporter

    Using LetsEncrypt for the domain, and it was working fine before the upgrade.
     
  12. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    I already advised on how to fix the certbot problem earlier, so do read and apply it if you are using certbot too.
     
  13. Wilt

    Wilt Member HowtoForge Supporter

    I don’t want to reinstall certbot until I understand how the upgrade broke it in the first place.
    Also, we have these errors in the logs suggesting some symlinks have been broken by the upgrade?
    postfix-script (total: 5)
    1 symlink leaves directory: /etc/postfix/./smtpd.key-202103271327...
    1 symlink leaves directory: /etc/postfix/./smtpd.cert-20210327132...
    1 symlink leaves directory: /etc/postfix/./makedefs.out
    1 symlink leaves directory: /etc/postfix/./smtpd.cert
    1 symlink leaves directory: /etc/postfix/./smtpd.key
     
    Last edited: May 10, 2022
  14. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Well, certbot's code has a lot of changes from version to version, and installing via snap is the currently recommended way to get certbot installed or upgraded. It has nothing to do with ISPConfig or its upgrade.

    I have been advising this in various ISPConfig threads, so this is not new advice, but all that is up to you, and that is your server. :rolleyes:
     
