Hostname letsencrypt renew

Discussion in 'ISPConfig 3 Priority Support' started by Stelios, Dec 17, 2020.

  1. Stelios

    Stelios Active Member HowtoForge Supporter

    I've noticed that on one of my email servers the Letsencrypt certificate expired today, and when I tried to run it manually so I can see what was causing the problem I get:
    [email protected]:~# certbot -q renew
    Attempting to renew cert ( from /etc/letsencrypt/renewal/ produced an unexpected error: Failed authorization procedure. (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching Timeout during connect (likely firewall problem). Skipping.
    All renewal attempts failed. The following certs could not be renewed:
      /etc/letsencrypt/live/ (failure)
    How can I pass the renew script an option to not look for a domain, so that it works as the server has only email, not Apache at all?

  2. till

    till Super Moderator Staff Member ISPConfig Developer

    How did you create that LE cert? Renewal uses the same method that was used to originally create it. There are several ways that LE uses, e.g. an installed Apache or nginx server, or LE can start a standalone server if standalone mode has been used. In any case, you must allow port 80 access to the server to be able to renew the cert in the same way it was possible during LE cert creation.
  3. Stelios

    Stelios Active Member HowtoForge Supporter

    I ran certbot -q renew --standalone and it worked, but I had to open port 443. This is why it was failing to renew.
    One question please. How can I check that the certificate is indeed renewed and is working?

    I tried:
    echo | openssl s_client -connect myhostname:443 2>/dev/null | openssl x509 -noout -dates

    but it returns:
    unable to load certificate
    139840759460992:error:0909006C:PEM routines:get_name:no start line:../crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICATE
  5. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    You can check it with openssl as well, but your command connected to port 443, and you said this is a mail server, not a web server - you need to connect to 25, 465, 587, 110, 143, 993 and 995 (with appropriate -starttls options for 25, 587, 110 and 143).
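    As an added example (not from the thread), a small POSIX shell script that picks the right -starttls option for each of the mail ports listed above, prints the certificate dates, and checks with openssl's -checkend whether the cert is still good for a given number of seconds. It assumes openssl is installed and that the mail hostname is passed as the first argument.

```shell
#!/bin/sh
# Map a mail port to the openssl s_client option it needs.
# 25/587 (SMTP), 110 (POP3) and 143 (IMAP) start in plaintext and
# upgrade via STARTTLS; 465, 993 and 995 are TLS from the first byte.
starttls_opt() {
  case "$1" in
    25|587)      printf '%s\n' "-starttls smtp" ;;
    110)         printf '%s\n' "-starttls pop3" ;;
    143)         printf '%s\n' "-starttls imap" ;;
    465|993|995) printf '%s\n' "" ;;
    *)           return 1 ;;
  esac
}

# Print notBefore/notAfter of the certificate presented on host:port.
# 'echo |' closes stdin so s_client exits right after the handshake;
# -servername sends SNI in case the server selects certs by name.
cert_dates() {
  host=$1; port=$2
  opt=$(starttls_opt "$port") || { echo "unsupported port $port" >&2; return 1; }
  # $opt is intentionally unquoted so "-starttls smtp" splits into two words
  echo | openssl s_client -connect "$host:$port" -servername "$host" $opt 2>/dev/null \
    | openssl x509 -noout -dates
}

# Extract the notAfter value from `openssl x509 -noout -dates` output.
not_after() {
  printf '%s\n' "$1" | sed -n 's/^notAfter=//p'
}

# Return 0 if the cert on host:port is still valid for at least $3 seconds.
# -checkend exits non-zero when the cert expires within that window.
cert_valid_for() {
  host=$1; port=$2; secs=$3
  opt=$(starttls_opt "$port") || return 1
  echo | openssl s_client -connect "$host:$port" -servername "$host" $opt 2>/dev/null \
    | openssl x509 -noout -checkend "$secs" >/dev/null
}

# Walk every mail port and report dates plus a 30-day expiry warning.
check_all() {
  for p in 25 465 587 110 143 993 995; do
    echo "== $1:$p"
    dates=$(cert_dates "$1" "$p") || { echo "   no certificate (port closed or not TLS?)"; continue; }
    echo "   expires: $(not_after "$dates")"
    cert_valid_for "$1" "$p" 2592000 || echo "   WARNING: expires within 30 days"
  done
}

if [ $# -ge 1 ]; then check_all "$1"; fi
```

    The "unable to load certificate ... no start line" error in the earlier post is what you get when s_client receives no certificate at all (nothing speaking TLS on that port), so a closed or non-TLS port shows up as the "no certificate" line here rather than as a bogus date.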