Renewal of Let's Encrypt certificates fails

Discussion in 'Installation/Configuration' started by Bocki, Jan 4, 2018.

  1. Bocki

    Bocki New Member HowtoForge Supporter

    Hello,
    with my installation the renewal of Let's Encrypt certificates does not work. I find the following logged in /var/log/letsencrypt/*.log* for various domains:
    Code:
    letsencrypt.log.1:2018-01-03 23:45:26,043:WARNING:certbot.renewal:Attempting to renew cert from /etc/letsencrypt/renewal/mydomain.de.conf produced an unexpected error: Failed authorization procedure. mydomain.de (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://mydomain.de/.well-known/acme-challenge/specificauthcode: "<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    letsencrypt.log.1:FailedChallenges: Failed authorization procedure. mydomain.de (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://mydomain.de/.well-known/acme-challenge/specificauthcode: "<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    
    After some waiting the initial issuing of certificates worked well, see here. I did not change anything knowingly since then. Do you have any idea what could be wrong?
    I can reach the domains in question by web browser without problem.
    Thanks!
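
Added example, not part of the thread and not ISPConfig or certbot code: a small parser for the kind of `grep` output quoted in the post above. It collapses the repeated WARNING/FailedChallenges lines into one record per domain and flags responses where HTML came back from the http-01 challenge URL. The sample input is constructed; `example.org` and its error text are assumptions for illustration.

```python
import re

# Constructed sample modelled on the grep output quoted in the first post;
# example.org and its error text are made up for illustration.
SAMPLE_LOG = '''\
letsencrypt.log.1:2018-01-03 23:45:26,043:WARNING:certbot.renewal:Attempting to renew cert from /etc/letsencrypt/renewal/mydomain.de.conf produced an unexpected error: Failed authorization procedure. mydomain.de (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://mydomain.de/.well-known/acme-challenge/specificauthcode: "<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
letsencrypt.log.1:FailedChallenges: Failed authorization procedure. mydomain.de (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://mydomain.de/.well-known/acme-challenge/specificauthcode: "<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
letsencrypt.log.1:2018-01-03 23:45:31,512:WARNING:certbot.renewal:Attempting to renew cert from /etc/letsencrypt/renewal/example.org.conf produced an unexpected error: Failed authorization procedure. example.org (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Could not connect to example.org
letsencrypt.log:2018-01-04 23:45:02,100:INFO:certbot.renewal:Cert not yet due for renewal
'''

FAILURE = re.compile(
    r'Failed authorization procedure\. (?P<domain>\S+) \((?P<challenge>[\w-]+)\): '
    r'(?P<error>urn:acme:error:\w+) :: (?P<summary>.*?) :: (?P<detail>.*)')
RENEWAL_CONF = re.compile(r'renew cert from (\S+\.conf)')
TIMESTAMP = re.compile(r'(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+:')


def failed_renewals(log_text):
    """One record per (domain, challenge, ACME error); repeated lines are counted."""
    records = {}
    for line in log_text.splitlines():
        m = FAILURE.search(line)
        if not m:
            continue
        key = (m['domain'], m['challenge'], m['error'])
        rec = records.setdefault(key, {
            'domain': m['domain'], 'challenge': m['challenge'], 'error': m['error'],
            'summary': m['summary'], 'first_seen': None, 'renewal_conf': None,
            'lines': 0, 'html_response': False})
        rec['lines'] += 1
        ts, conf = TIMESTAMP.search(line), RENEWAL_CONF.search(line)
        if ts and rec['first_seen'] is None:
            rec['first_seen'] = ts.group(1)
        if conf and rec['renewal_conf'] is None:
            rec['renewal_conf'] = conf.group(1)
        # http-01 expects the key authorization as the response body; markup
        # means some other handler answered the challenge URL.
        if re.search(r'<!DOCTYPE|<html', m['detail'], re.IGNORECASE):
            rec['html_response'] = True
    return list(records.values())


if __name__ == '__main__':
    for r in failed_renewals(SAMPLE_LOG):
        hint = ' (HTML served instead of challenge token)' if r['html_response'] else ''
        print(f"{r['first_seen']} {r['domain']} {r['challenge']} {r['error']}{hint}")
```
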
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Do you have the latest ISPConfig version (3.1.10) installed? And which web server is it, Apache or Nginx?
     
  3. Bocki

    Bocki New Member HowtoForge Supporter

    Currently I have 3.1.7p1 - should I update first? It's Apache 2.4.25. The system runs on Debian 9.
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    I would try to update to 3.1.10, then go to the settings of that website, disable the letsencrypt checkbox, press save, then enable the letsencrypt checkbox again. Then wait at least one minute before you check in a web browser if the LE cert is up to date now.
     
  5. Bocki

    Bocki New Member HowtoForge Supporter

    Thanks Till for this hint - it worked. The update to 3.1.10 went smoothly and disabling and reenabling Let's Encrypt brought me two new certificates for the domains I tested it with.
    The rest of the affected domains I did not change up until now for testing purposes. For them unfortunately the regular update process failed in the night, again. I tested it now with another one of these domains: doing it manually (disabling and reenabling) worked there, too.
    Do you have any idea what could cause this? Automatic renewal fails but manually ordering a new cert works...
     
  6. florian030

    florian030 ISPConfig Developer ISPConfig Developer

    Are you sure that you received no new certificate? Sometimes you receive new certs but you must restart apache (force-reload is not working on all systems).
     
  7. Bocki

    Bocki New Member HowtoForge Supporter

    Yes, there are no new certificates. I had a look in the logfiles in /var/log/letsencrypt where I found the corresponding error messages and in /etc/letsencrypt the relevant file dates are much too old, too.
     
  8. Bocki

    Bocki New Member HowtoForge Supporter

    As I got to know now I have this problem with another machine, too. Manual reissuing with deactivating and reactivating the Let's Encrypt option works, but the automatic process fails.
    As the certificates were nearly expired I corrected this by hand for now. But for the future a real solution would be great.
    In the meantime I created a script to check the used certificates for validity: Checking validity of Let's Encrypt certificates in ISPConfig.
     
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    The renewal should work in future after you deactivated and activated it once.
     
  10. Bocki

    Bocki New Member HowtoForge Supporter

    Ok, I'll have an eye on this. For now I manually reactivated all certs.
     
