Letsencrypt not renewing any SSL certificates

Discussion in 'Installation/Configuration' started by manuuu777, Jan 26, 2017.

  1. manuuu777

    manuuu777 New Member

    I recently noticed that the letsencrypt certificates don't get renewed automatically. I vaguely remember that - when using it without ISPconfig - it does so about 30 days before the certificate becomes invalid. So anyhow I waited for one of the sites to reach the date of expiration in the hope that it would renew then, but it didn't. So right now I see that one website after the other expires and I don't really know where to start looking to fix this. Could some of you wise people let me know where I should look at to figure out what the problem could be? I can't make much of the letsencrypt logfile but maybe some of you can. I'd also like to note that I secured the ISPconfig backend with a letsencrypt certificate as well. I remember that installing it was different to what had to be done for the websites. Any help is very much appreciated. Thanks.


    2017-01-26 02:00:21,229:DEBUG:certbot.main:Root logging level set at 20
    2017-01-26 02:00:21,230:INFO:certbot.main:Saving debug log to /var/log/letsencrypt/letsencrypt.log
    2017-01-26 02:00:21,230:WARNING:certbot.cli:You are running with an old copy of letsencrypt-auto that does not receive updates, and is less reliable than more recent versions. We recommend upgrading to the latest certbot-auto script, or using native OS packages.
    2017-01-26 02:00:21,230:DEBUG:certbot.cli:Deprecation warning circumstances: /root/.local/share/letsencrypt/bin/letsencrypt / {'MAILTO': 'myemailadress', 'LANG': 'de_DE.UTF-8', 'SHELL': '/bin/sh', 'SHLVL': '3', 'PWD': '/usr/local/ispconfig/server', 'LOGNAME': 'root', 'HOME': '/root', 'PATH': '/sbin:/usr/sbin:/bin:/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/X11R6/bin', '_': '/root/.local/share/letsencrypt/bin/letsencrypt'}
    2017-01-26 02:00:21,230:DEBUG:certbot.main:certbot version: 0.9.3
    2017-01-26 02:00:21,230:DEBUG:certbot.main:Arguments: ['-n']
    2017-01-26 02:00:21,230:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#standalone,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#webroot,PluginEntryPoint#apache,PluginEntryPoint#null)
    2017-01-26 02:00:21,236:INFO:certbot.renewal:Cert not yet due for renewal
    2017-01-26 02:00:21,237:WARNING:certbot.renewal:renewal config file {} is missing a required file reference
    2017-01-26 02:00:21,237:WARNING:certbot.renewal:Renewal configuration file /etc/letsencrypt/renewal/www.domain.de.conf is broken. Skipping.
    2017-01-26 02:00:21,238:DEBUG:certbot.renewal:Traceback was:
    Traceback (most recent call last):
    File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/renewal.py", line 62, in _reconstitute
    full_path, configuration.RenewerConfiguration(config))
    File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/storage.py", line 242, in __init__
    "file reference".format(self.configfile))
    CertStorageError: renewal config file {} is missing a required file reference

    2017-01-26 02:00:21,239:INFO:certbot.renewal:Cert not yet due for renewal
    2017-01-26 02:00:21,241:INFO:certbot.renewal:Cert not yet due for renewal
    2017-01-26 02:00:21,243:INFO:certbot.renewal:Cert not yet due for renewal
    2017-01-26 02:00:21,244:INFO:certbot.renewal:Cert not yet due for renewal
    2017-01-26 02:00:21,245:DEBUG:certbot.main:Exiting abnormally:
    Traceback (most recent call last):
    File "/root/.local/share/letsencrypt/bin/letsencrypt", line 11, in <module>
    sys.exit(main())
    File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/main.py", line 776, in main
    return config.func(config, plugins)
    File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/main.py", line 592, in renew
    renewal.renew_all_lineages(config)
    File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/renewal.py", line 365, in renew_all_lineages
    len(renew_failures), len(parse_failures)))
    Error: 0 renew failure(s), 1 parse failure(s)
     
  2. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    looks like that's the relevant error. see what's in that file, I suppose. did you happen to change letsencrypt/certbot installations at some point? maybe pick one of your websites, turn letsencrypt off for it (wait a minute), then remove all the config for it in /etc/letsencrypt/ (live, archive, renewal and anywhere else) then enable letsencrypt again and see if you still get that error; if not, compare the .conf contents before and after doing that and you might see what you could fix manually in the other domains.
     
  3. zenny

    zenny Member

    In my case, all domains were working fine with LE certificates a while ago, but failed to renew all of sudden for all domains. The relevant portion of the letsencrypt.log could be:

    To fix these errors, please make sure that your domain name was entered correctly and the DNS A record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP
    address and that no firewalls are preventing the server from communicating with the client. If you're using the webroot plugin, you should also verify that you are serving files from the webroot path you provided. 2017-02-26
    02:01:20,082:INFO:certbot.auth_handler:Cleaning up challenges 2017-02-26 02:01:20,083:DEBUG:certbot.plugins.webroot:Removing
    /var/www/clients/client2/web38/web/.well-known/acme-challenge/4acLIjwDIZJunix4s3W4TUymls0cPpaPSozCu_G45zw 2017-02-26 02:01:20,084:DEBUG:certbot.plugins.webroot:Removing
    /var/www/clients/client2/web38/web/.well-known/acme-challenge/qXQi_yMnBeg_cO01OBDci17eAsOHLgaHH5RF2Pn5XSU 2017-02-26 02:01:20,086:DEBUG:certbot.plugins.webroot:All challenges cleaned up, removing
    /var/www/clients/client2/web38/web/.well-known/acme-challenge 2017-02-26 02:01:20,086:WARNING:certbot.renewal:Attempting to renew cert from /etc/letsencrypt/renewal/DOMAIN.TLD.conf produced an unexpected error: Failed
    authorization procedure. DOMAIN.TLD (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Could not connect to www.DOMAIN.TLD. Skipping. 2017-02-26
    There were hardly any change made except php7.1 was compiled in between (Ref. https://www.howtoforge.com/tutorial/how-to-install-php-7-on-debian/). All DNS entries are pointing where they should!!!
     
  4. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    I don't know if 'could not connect to the client' means a tcp connection problem (ie. can't connect to port 80 on your webserver) or that it can't find the verification file. Try:
    Code:
    echo 'Here I am.' > /usr/local/ispconfig/interface/acme/.well-known/acme-challenge/test.txt
    
    Then see if you can access http://www.DOMAIN.TLD/.well-known/acme-challenge/test.txt from the internet.
     
  5. zenny

    zenny Member

    @Jesse Norell: Thanks for replying. But I am getting 404 error whereas the sites are rendering alright in browser.

    1. One site gives this:
    2. Another site gives to the same location in the same ISPConfig installation:
    3. And with another domain which was working with several alias tld pointing to the same site, it gives an error with an alias domain (ALIAS.DOMAIN)

    Isnät this a really random response in the same ISPConfig 3.1.2 server!?
     
    Last edited: Mar 6, 2017
  6. sjau

    sjau Local Meanie Moderator

    Check that site if there's a .htaccess anywhere.
     
  7. zenny

    zenny Member

    @sjau

    Thanks, but nope as mine is nginx variant of ISPConfig, fyi.
     
  8. sjau

    sjau Local Meanie Moderator

    no idea then.
     
  9. iNet Specialists

    iNet Specialists New Member

    This is most likely a side effect of a known "feature" in Certbot.
    Certbot does not support conf files that have more than one VirtualHost container.
    ISPConfig 3 creates conf files that have more than one VirtualHost container for sites that use SSL certificates.
    see: ( I would link to the issue, but the forum won't let me) github.com/certbot/certbot/issues/1042
    The only current workaround if you wish to automate renewal is to split the two VirtualHost containers into different conf files.
     
  10. zenny

    zenny Member

    @iNet Specialists and @sjau: Thanks for replying.

    1. Can you elaborate more about splitting the conf files? I am using nginx, fyi.

    2. Checked [github.com/certbot/certbot/issues/1042], and tried to get certs manually without luck. Fyi, I have four domains pointing to the same site. All others except FIRST-DOMAIN.ORG are aliases. I tried to obtain certificate manually, yet one of the alias domain fails as of below:
     
    Last edited: Mar 6, 2017
  11. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    This bug is in the apache plugin for certbot, it has nothing whatsoever to do with ISPConfig. If you want ISPConfig to manage the letsencrypt certificate configuration and renewals, do not use certbot's apache plugin.
     
  12. iNet Specialists

    iNet Specialists New Member

    @zenny
    My post was directed at the OP and the domain is broken error. I cannot speak to whether nginx is affected by the same problem because it uses a different plugin to Certbot.
    However, the errors that you get point to a different problem.
    SCRATCH that: was incorrect, I confused the webroot option with the standalone option.
    Check to make sure that the domains have correct DNS A records that point to the correct IP.
    Check to make sure that the server is listening on both port 80 and port 443 for those domains on the correct IP.
     
    Last edited: Mar 6, 2017
  13. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    @zenny, I'm not familiar with the nginx config. In apache, the mapping to .well-known/acme-challenge is global for all vhosts, and I would expect that nginx would do that as well, but I don't know for sure.

    Compare the vhost config from this site to the second one, which is working. If the above mapping is global, I would expect that test.txt file to be accessible on all vhosts; as it is on some, but not all, maybe that .well-known/acme-challenge/ location is setup per-vhost, and this first site isn't updating for some reason (syntax error, leaving a .vhost.err file ?). Someone with an nginx setup will probably have to help if you don't find anything from comparing those files / looking at nginx config.
     
  14. zenny

    zenny Member

    @iNet Specialists, the problem persisted whether the nginx server is running or not while manually pulling the LE certs with the command earlier.
    @Jesse Norell I have not install any other plugin related to apache, yet cannot renew the LE certs! I checked .vhost files as well as .vhost.err files without any issues, fyi.
    Thanks to both of you for your time.

    Update: @Jesse Norell, I restarted the nginx server. Thereafter,
    Code:
    http://www.FIRSTDOMAIN.ORG/.well-known/acme-challenge/test.txt
    returned 'Here I am'.

    Yet the LE certificates fails to get issued/renewed with an error that read:

    But after a while, the same link gives an Error 404 without making any changes to any configs!!! :confused::rolleyes:
     
    Last edited: Mar 6, 2017

Share This Page