Letsencrypt not renewing

Discussion in 'ISPConfig 3 Priority Support' started by HenrysCat, Jun 24, 2020.

  1. HenrysCat

    HenrysCat Member

    I have searched the forum over the last few days and tried many tips, including https://www.howtoforge.com/community/threads/lets-encrypt-error-faq.74179/ to no avail.
    I have 9 domians on a VPS all working fine for over 6 months, last time round all certs updated every 60 days, but now they are nearing expiry, between 2 and 10 days on 6 domains, 3 renewed successfully.
    So I have updated certbot to v1.5.0, restarted the server and waited 24 hours and no updates.
    I ran sudo 'certbot-auto renew --dry-run' and the result for all 6 is
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Processing /etc/letsencrypt/renewal/mydomain.com.conf
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Cert is due for renewal, auto-renewing...
    Plugins selected: Authenticator webroot, Installer None
    Renewing an existing certificate
    Performing the following challenges:
    http-01 challenge for www.mydomain.com
    http-01 challenge for mydomain.com
    Waiting for verification...
    Challenge failed for domain www.mydomain.com
    http-01 challenge for www.mydomain.com
    Cleaning up challenges
    Attempting to renew cert (mydomain.com) from /etc/letsencrypt/renewal/mydomain.com.conf produced an unexpected error: Some challenges have failed.. Skipping.
    The following certs could not be renewed:
      /etc/letsencrypt/live/mydomain.com/fullchain.pem (failure)
     - The following errors were reported by the server:
       Domain: mydomain.com
       Type:   connection
       Detail: Fetching
       Connection refused
       To fix these errors, please make sure that your domain name was
       entered correctly and the DNS A/AAAA record(s) for that domain
       contain(s) the right IP address. Additionally, please check that
       your computer has a publicly routable IP address and that no
       firewalls are preventing the server from communicating with the
       client. If you're using the webroot plugin, you should also verify
       that you are serving files from the webroot path you provided.
    If I run 'curl http://serverip/' it returns a load of html, which I assume means its working.
    So the last part says DNS problems, but everything works, all sites load, all email works etc
    I have also tried https://letsdebug.net. result is Green All OK!
    All out of ideas now, any pointers?
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    You wrote you followed LE FAQ to no avail. What results did you get? Following the FAQ should find out why LE fails.
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    Connecting to the server IP is not specific enough for a test in this case. To simulate the LE verification, use this:

    1) Create a test token:

    touch /usr/local/ispconfig/interface/acme/.well-known/acme-challenge/test.txt

    2) Now you must be able to retrieve that token with a web browser over the internet:

  4. HenrysCat

    HenrysCat Member

    till, yes I can access that file if I create it.
    I tried the debugging method from https://www.faqforge.com/linux/debugging-ispconfig-3-server-actions-in-case-of-a-failure/
    25.06.2020-17:00 - DEBUG - Calling function 'check_phpini_changes' from plugin 'webserver_plugin' raised by action 'server_plugins_loaded'.
    25.06.2020-17:00 - DEBUG - Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock
    Taleman, I found this in the log
      "detail": "DNS problem: NXDOMAIN looking up A for www.mydomain.co.uk - check that a DNS record exists for this domain",
    None of my sites can be access by www.mydomain.com only mydomain.com, will this make a difference?
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    Yes, if you don't have DNS records for www, then auto subdomain must be set to 'none' in the website settings. Otherwise, let's encrypt will try to create a cert for the nonexisting www subdomain and must fail.
    HenrysCat likes this.
  6. HenrysCat

    HenrysCat Member

    Thanks, I'll add the DNS records and wait :)
    Such a simple thing, yet easily overlooked, by me anyway lol
  7. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    You can choose to add the www records, or disable the subdomain in the website settings.

Share This Page