Letsencrypt certificate did not auto renew

letsencrypt

(Wayne Bilger) #1

NethServer Version: 7.3.1611
Module: letsencrypt

My letsencrypt certificate has expired, and did not auto renew. I did receive my email from them that it was about to expire on 05/31, but that was just supposed to be a notification, and I thought it should auto-renew in NS.
I don’t know if I should uninstall and add a new certificate, or if there is a problem I should try to find so it auto-renews next time. Any help would be appreciated.


(Bill ) #2

I recently installed a new nethserver and got a letsencrypt certificate. I know that Port 80 has to be open but that seems like a security hole. I wonder if that Port needs to be open for auto renew? I haven’t gotten to that point yet but I will be watching this thread with interest.


(Wayne Bilger) #3

@happnatious1 Yes, I remember that now. But I did not open port 80; it seems like a security hole to me as well.
My plan, which I forgot, was to open up port 80 to do the update (certbot renew), and then close it again.
So, I did this, and I get the following error:

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/office.mydomain.com.conf

Cert is due for renewal, auto-renewing…
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for office.mydomain.com
Waiting for verification…
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/office.mydomain.com.conf produced an unexpected error: Failed authorization procedure. office.londonrooftruss.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://office.mydomain.com/.well-known/acme-challenge/w3rH1Q5-xCfgrOSPYfVq_aMdYULzlFgontpNz5Ybfg8: "

<meta http-equiv="X-UA-Compatible" content="IE=edge". Skipping.

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/office.mydomain.com/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

Domain: office.mydomain.com
Type: unauthorized
Detail: Invalid response from
http://office.mydomain.com/.well-known/acme-challenge/w3rH1Q5-xCfgrOSPYfVq_aMdYULzlFgontpNz5Ybfg8:
"<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>404 Not Found
</HEAD><BODY>
<H1>Not Found
Th"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address


(Wayne Bilger) #4

Just wanted to update this in case the same happened to someone else. I have a redirect set up in /etc/httpd/conf.d/redirect.conf, so I had to temporarily remove the redirect, restart apache, and then run ‘certbot renew’, and I was able to renew.
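One way to keep an HTTP-to-HTTPS redirect in place without blocking future renewals, as an added example (this is not the poster's redirect.conf, and the server name, document root and file location are assumed): the first vhost is the kind of blanket redirect that also catches the http-01 challenge request, the second exempts /.well-known/acme-challenge/ so certbot's token is still served over port 80 while everything else is redirected.

```apache
# Assumed file: /etc/httpd/conf.d/redirect.conf (constructed example)

# BEFORE: every HTTP request, including the ACME challenge URL that
# Let's Encrypt fetches, is redirected away from port 80.
<VirtualHost *:80>
    ServerName office.mydomain.com
    Redirect permanent / https://office.mydomain.com/
</VirtualHost>

# AFTER: serve the challenge directory over plain HTTP, redirect the rest.
<VirtualHost *:80>
    ServerName office.mydomain.com
    DocumentRoot /var/www/html

    # Challenge tokens are written below the document root; allow plain
    # reads of that one directory and nothing more.
    <Directory /var/www/html/.well-known/acme-challenge/>
        Options None
        AllowOverride None
        Require all granted
    </Directory>

    # Redirect everything EXCEPT the ACME challenge path to HTTPS.
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
</VirtualHost>
```

After changing the file, check the syntax with `apachectl configtest`, restart httpd, and confirm with `certbot renew --dry-run` before the certificate actually expires.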