Letsencrypt certificate renewal failed

NethServer Version: 7.5.1804 (final)
Module: letsencrypt

Hi Guys,

I have an issue with letsencrypt and certificate renewals.
I have 6 virtual hosts set up, each with its own WordPress installation.
3 months ago I created the certificates for them via the dashboard, and they worked fine.
3 days ago the certificates expired and all the domains show errors.
Looking at the logs, it complains about 4 domains out of the 6.
They are all accessible from outside, so DNS should be fine.
These are in the logs:

2018-08-13 05:49:23,300:DEBUG:certbot.error_handler:Calling registered functions
2018-08-13 05:49:23,301:INFO:certbot.auth_handler:Cleaning up challenges
2018-08-13 05:49:23,301:DEBUG:certbot.plugins.webroot:Removing /var/www/html/.well-known/acme-challenge/R5suuUvZQcJr1fzrr2hytZMu2h_8yM5yvHCX53YER_0
2018-08-13 05:49:23,302:DEBUG:certbot.plugins.webroot:Removing /var/www/html/.well-known/acme-challenge/ZqXRxcA8bnr3QX8vepq2--MB6AdtqMEwbM-4ewTCD00
2018-08-13 05:49:23,303:DEBUG:certbot.plugins.webroot:Removing /var/www/html/.well-known/acme-challenge/ckMOnMMHb7YY40FuKh8vvrR3lf1AVEDb_QITB6bxTX4
2018-08-13 05:49:23,303:DEBUG:certbot.plugins.webroot:Removing /var/www/html/.well-known/acme-challenge/ebBo6Gd0t_GZQalR2l-wI-sJGsDBMuv6y8gS4dxnUhs
2018-08-13 05:49:23,304:DEBUG:certbot.plugins.webroot:Removing /var/www/html/.well-known/acme-challenge/9BgGSCXx-9Hk9prHtNTD9KCrFYIPV5PjFHLynLZZMLw
2018-08-13 05:49:23,304:DEBUG:certbot.plugins.webroot:Removing /var/www/html/.well-known/acme-challenge/vGqHf79SH2u6-aClEvvcx4FYjbhAbXuLTCz5a7uAFkw
2018-08-13 05:49:23,305:DEBUG:certbot.plugins.webroot:All challenges cleaned up
2018-08-13 05:49:23,305:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 9, in <module>
    load_entry_point('certbot==0.26.1', 'console_scripts', 'certbot')()
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 1364, in main
    return config.func(config, plugins)
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 1254, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 115, in _get_and_save_cert
    renewal.renew_cert(config, domains, le_client, lineage)
  File "/usr/lib/python2.7/site-packages/certbot/renewal.py", line 305, in renew_cert
    new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
  File "/usr/lib/python2.7/site-packages/certbot/client.py", line 334, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python2.7/site-packages/certbot/client.py", line 370, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/usr/lib/python2.7/site-packages/certbot/auth_handler.py", line 82, in handle_authorizations
    self._respond(aauthzrs, resp, best_effort)
  File "/usr/lib/python2.7/site-packages/certbot/auth_handler.py", line 155, in _respond
    self._poll_challenges(aauthzrs, chall_update, best_effort)
  File "/usr/lib/python2.7/site-packages/certbot/auth_handler.py", line 226, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
FailedChallenges: Failed authorization procedure.
domain1.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching https://domain1.com.well-known/acme-challenge/ebBo6Gd0t_GZQalR2l-wI-sJGsDBMuv6y8gS4dxnUhs: Error getting validation data,
domain2.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching https://domain2.com.well-known/acme-challenge/vGqHf79SH2u6-aClEvvcx4FYjbhAbXuLTCz5a7uAFkw: Error getting validation data,
domain3.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching https://domain3.com.well-known/acme-challenge/ckMOnMMHb7YY40FuKh8vvrR3lf1AVEDb_QITB6bxTX4: Error getting validation data,
domain4.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching https://domain4.com.well-known/acme-challenge/9BgGSCXx-9Hk9prHtNTD9KCrFYIPV5PjFHLynLZZMLw: Error getting validation data

I didn't really touch the server in the 3 months, apart from running some updates.
Any help would be appreciated.

You've got a problem with your HTTPS redirects: they're missing a trailing slash. This is causing the Let's Encrypt servers to try to connect to domain1.com.well-known, which (of course) doesn't exist.
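To see why the missing slash produces a hostname like domain1.com.well-known, here is an added example (not from the thread) that builds the Location header the way an Apache prefix redirect does and checks which host the ACME server would end up resolving. Hostnames and the TOKEN value are placeholders.

```shell
#!/bin/sh
# Added example: an Apache "Redirect / https://example.com" (no trailing slash)
# appends the part of the request path beyond the matched prefix "/" directly
# to the target, so /.well-known/acme-challenge/TOKEN is redirected to
# https://example.com.well-known/acme-challenge/TOKEN. Hostnames are placeholders.

# Build the Location header a prefix redirect produces: drop the matched "/"
# from the request path and glue the remainder onto the redirect target.
redirect_location() {
    target="$1"        # e.g. https://example.com  or  https://example.com/
    request_path="$2"  # e.g. /.well-known/acme-challenge/TOKEN
    printf '%s%s' "$target" "${request_path#/}"
}

# Extract the host component of a URL: strip the scheme, then everything
# from the first "/" onwards. This is the name the ACME validator resolves.
url_host() {
    rest="${1#*://}"
    printf '%s' "${rest%%/*}"
}

# Print "ok" when the redirect keeps the challenge path under the expected
# host, otherwise "broken:" followed by the malformed Location value.
check_redirect() {
    expected_host="$1"
    target="$2"
    loc=$(redirect_location "$target" "/.well-known/acme-challenge/TOKEN")
    if [ "$(url_host "$loc")" = "$expected_host" ]; then
        echo ok
    else
        echo "broken: $loc"
    fi
}

check_redirect example.com "https://example.com"   # broken: https://example.com.well-known/acme-challenge/TOKEN
check_redirect example.com "https://example.com/"  # ok
```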


Thanks for the quick response Dan.
You were right, the trailing slash was missing. Adding them solved the issue, and the certificate got renewed, but now I have another issue. None of the sites can be opened (not just the virtual hosts, but Nextcloud and SOGo can't be opened either).

I tried to change the certificate to the default one, but it threw this error:

What do the logs show?


[Mon Aug 13 21:32:22.445840 2018] [suexec:notice] [pid 4011] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Mon Aug 13 21:32:22.447654 2018] [ssl:emerg] [pid 4011] AH02238: Unable to configure RSA server private key
[Mon Aug 13 21:32:22.447673 2018] [ssl:emerg] [pid 4011] SSL Library Error: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
[Mon Aug 13 21:32:22.447676 2018] [ssl:emerg] [pid 4011] AH02312: Fatal error initialising mod_ssl, exiting.

The private key and certificate it's trying to use don't match, which will be a fatal error for Apache. What's the output of config show pki?
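The mismatch can be confirmed without restarting Apache by comparing the public key inside the certificate with the one derived from the private key, which is the same comparison X509_check_private_key makes. The following added example (not from the thread, needs the openssl CLI) generates a throwaway certificate plus a matching and a non-matching key in a temporary directory and checks both pairs.

```shell
#!/bin/sh
# Added example: reproduce and detect the "X509_check_private_key:key values
# mismatch" condition. Requires the openssl command. All files are generated
# here in a temporary directory; no key or certificate from the server is used.
set -u
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# A self-signed certificate with its own key, plus an unrelated second key
# standing in for a stale key file left over from an earlier issuance.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=example.test' \
    -keyout "$work/right.key" -out "$work/cert.pem" >/dev/null 2>&1
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$work/wrong.key" >/dev/null 2>&1

# Print "match" when the certificate's public key equals the public key
# derived from the private key, "mismatch" otherwise (including when either
# file cannot be parsed, which mod_ssl would also refuse to start on).
check_pair() {
    cert="$1"
    key="$2"
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; then
        echo match
    else
        echo mismatch
    fi
}

check_pair "$work/cert.pem" "$work/right.key"  # match
check_pair "$work/cert.pem" "$work/wrong.key"  # mismatch
```

Run check_pair against each candidate key file to find the one that belongs to the installed certificate.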

Thanks guys, the issue is solved.
I had a lot of key files and for some reason none of them were working.
I removed the letsencrypt certificates along with the keys as described here: Delete Let's Encrypt Certificate
Requested a new letsencrypt cert and adjusted the conf files.
