Checked forum, but still can't fix LetsEncrypt not working...

Discussion in 'ISPConfig 3 Priority Support' started by peterpetr, Sep 29, 2020.

  1. peterpetr

    peterpetr Member HowtoForge Supporter

    Hello,
    I checked https://www.howtoforge.com/community/threads/lets-encrypt-error-faq.74179/ and still don't understand why my working SSL cert did not renew after expiring today.

    Below, I'm pasting the last section of my letsencrypt.log (I've change the domain name and ip address for security reasons, but can make that info available privately upon request).

    2020-09-29 12:13:05,265:DEBUG:certbot.error_handler:Calling registered functions
    2020-09-29 12:13:05,265:INFO:certbot.auth_handler:Cleaning up challenges
    2020-09-29 12:13:05,266:DEBUG:certbot.plugins.webroot:Removing /usr/local/ispconfig/interface/acme/.well-known/acme-challenge/_GvGuW4nCfjlRxPSvPGeDq8FnqTBNZoBua7sUCIF8Pw
    2020-09-29 12:13:05,266:DEBUG:certbot.plugins.webroot:All challenges cleaned up
    2020-09-29 12:13:05,266:WARNING:certbot.renewal:Attempting to renew cert (mysubdomain.mydomain.com) from /etc/letsencrypt/renewal/mysubdomain.mydomain.com.conf produced an unexpected error: Failed authorization procedure. mysubdomain.mydomain.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://mysubdomain.mydomain.com/.we...e/_GvGuW4nCfjlRxPSvPGeDq8FnqTBNZoBua7sUCIF8Pw [199.99.99.99]: "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 3.2 Final//EN\">\r\n<html dir=ltr>\r\n\r\n<head>\r\n<style>\r\na:link\t\t\t{font:8pt/11pt verdana; col". Skipping.
    2020-09-29 12:13:05,274:DEBUG:certbot.renewal:Traceback was:
    Traceback (most recent call last):
    File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 430, in handle_renewal_request
    main.renew_cert(lineage_config, plugins, renewal_candidate)
    File "/usr/lib/python3/dist-packages/certbot/main.py", line 1197, in renew_cert
    renewed_lineage = _get_and_save_cert(le_client, config, lineage=lineage)
    File "/usr/lib/python3/dist-packages/certbot/main.py", line 115, in _get_and_save_cert
    renewal.renew_cert(config, domains, le_client, lineage)
    File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 305, in renew_cert
    new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
    File "/usr/lib/python3/dist-packages/certbot/client.py", line 334, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
    File "/usr/lib/python3/dist-packages/certbot/client.py", line 370, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
    File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 82, in handle_authorizations
    self._respond(aauthzrs, resp, best_effort)
    File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 155, in _respond
    self._poll_challenges(aauthzrs, chall_update, best_effort)
    File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 226, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
    certbot.errors.FailedChallenges: Failed authorization procedure. mysubdomain.mydomain.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://mysubdomain.mydomain..com/.w...e/_GvGuW4nCfjlRxPSvPGeDq8FnqTBNZoBua7sUCIF8Pw [199.99.99.99]: "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 3.2 Final//EN\">\r\n<html dir=ltr>\r\n\r\n<head>\r\n<style>\r\na:link\t\t\t{font:8pt/11pt verdana; col"

    2020-09-29 12:13:05,276:ERROR:certbot.renewal:All renewal attempts failed. The following certs could not be renewed:
    2020-09-29 12:13:05,280:ERROR:certbot.renewal: /etc/letsencrypt/live/mysubdomain.mydomain..com/fullchain.pem (failure)
    2020-09-29 12:13:05,281:DEBUG:certbot.log:Exiting abnormally:
    Traceback (most recent call last):
    File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.27.0', 'console_scripts', 'certbot')()
    File "/usr/lib/python3/dist-packages/certbot/main.py", line 1364, in main
    return config.func(config, plugins)
    File "/usr/lib/python3/dist-packages/certbot/main.py", line 1276, in renew
    renewal.handle_renewal_request(config)
    File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 455, in handle_renewal_request
    len(renew_failures), len(parse_failures)))
    certbot.errors.Error: 1 renew failure(s), 0 parse failure(s)

    I'm hoping the above provides sufficient info for you to reply with a suggested solution or further diagnostics to perform. Thank you.
     
  2. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    That's the error, your subdomain failed authorization. There are numerous reasons that can happen, many in the faq you linked to. What version of ISPConfig are you using?
    That sounds old, you might try updating certbot (though I don't remember exactly what version is required).
     
  3. peterpetr

    peterpetr Member HowtoForge Supporter

    This is a 3 month old VPS (Server running Ubuntu 18.04 with NGINX).

    I used the automated script referenced at HowToForge.com ( https://www.howtoforge.com/tutorial/ubuntu-ispconfig-automated-install-script/ )to install MariaDb, Nginx, PHP... and the then current ISPconfig. So this server is running the latest non-beta version of ISPconfig.

    So, I expect the "certbot" is correct, as long as the install script is correct.

    I'm checking into the other possible reasons in the FAQ, but I'm stumped.
     
  4. peterpetr

    peterpetr Member HowtoForge Supporter

    At /var/www/clients/client1/web1/ssl/
    There are three files: mysubdomain.mydomain.com-le.bundle, mysubdomain.mydomain.com-le.crt, and mysubdomain.mydomain.com-le.key
    All three files have a lastModified data of 2020-06-30. The cert is expired as of September 28, 2020. I thought SSL certificates were supposed to last 1 year. Anyway, it's failing to renew the cert.

    In ISPconfig, under Website in the domain tab, this domain mysubdomain.mydomain.com had the "WWW" selected in the drop-list just above the SSL and LetsEncrypt checkboxes. I added an A Record in my DNS (at Godaddy) as follows: Type: A, Name: www.mysubdomain, Value: 199.99.99.99 TT: 600 seconds.

    Eventually, I removed the "WWW" in the ISPconfig drop-list.

    I need only mysubdomain.mydomain.com to function. And, this A Record is also set for 600 seconds. It's been more than 4 hours since these DNS changes. I'm not using Bind in the VPS so the Godaddy DNS records should be valid.

    This is a live eCommerce site that's down so really need to fix this as my top priority. Any further suggestions leading to a fix would be appreciated. Thank you.
     
  5. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Let's Encrypt certificates are valid for 90 days, and are renewed 30 days before they expire. So, your current site is set up under "Websites" as subdomain.example.com? What do you have selected for subdomain on that site?

    If you sent me a PM with the hostname I can check the DNS records.
     
  6. peterpetr

    peterpetr Member HowtoForge Supporter

    Hi Th0m
    I just sent you a private message using Conversations on this website.
    Thanks.
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    These are symlinks, the symlink do not change when you renew an SSL cert, only the cert itself changes.

    Try disabling the Let#s encrypt checkbox of the website, press save, edit the site settings again and re-enable let's encrypt. if you still get no new SSL cert, then check letsencrypt.log again as the error with the non-existing subdomain should be fixed now after you turned off the www subdomain.
     

Share This Page