Letsencrypt certificate renewal failed


(Gabor) #1

NethServer Version: 7.5.1804 (final)
Module: letsencrypt

Hi Guys,

I have an issue with letsencrypt and certificate renewals.
I have 6 virtual hosts set up, each has its own wordpress installation.
3 months ago I created the certificate for them via the dashboard, and they worked fine.
3 days ago the certificate expired and all the domains show the errors.
Looking at the logs, it complains about 4 domains out of the 6.
They are all accessible from outside, so DNS should be fine.
These are in the logs:

2018-08-13 05:49:23,300:DEBUG:certbot.error_handler:Calling registered functions
2018-08-13 05:49:23,301:INFO:certbot.auth_handler:Cleaning up challenges
2018-08-13 05:49:23,301:DEBUG:certbot.plugins.webroot:Removing /var/www/html/.well-known/acme-challenge/R5suuUvZQcJr1fzrr2hytZMu2h_8yM5yvHCX53YER_0
2018-08-13 05:49:23,302:DEBUG:certbot.plugins.webroot:Removing /var/www/html/.well-known/acme-challenge/ZqXRxcA8bnr3QX8vepq2–MB6AdtqMEwbM-4ewTCD00
2018-08-13 05:49:23,303:DEBUG:certbot.plugins.webroot:Removing /var/www/html/.well-known/acme-challenge/ckMOnMMHb7YY40FuKh8vvrR3lf1AVEDb_QITB6bxTX4
2018-08-13 05:49:23,303:DEBUG:certbot.plugins.webroot:Removing /var/www/html/.well-known/acme-challenge/ebBo6Gd0t_GZQalR2l-wI-sJGsDBMuv6y8gS4dxnUhs
2018-08-13 05:49:23,304:DEBUG:certbot.plugins.webroot:Removing /var/www/html/.well-known/acme-challenge/9BgGSCXx-9Hk9prHtNTD9KCrFYIPV5PjFHLynLZZMLw
2018-08-13 05:49:23,304:DEBUG:certbot.plugins.webroot:Removing /var/www/html/.well-known/acme-challenge/vGqHf79SH2u6-aClEvvcx4FYjbhAbXuLTCz5a7uAFkw
2018-08-13 05:49:23,305:DEBUG:certbot.plugins.webroot:All challenges cleaned up
2018-08-13 05:49:23,305:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 9, in
    load_entry_point('certbot==0.26.1', 'console_scripts', 'certbot')()
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 1364, in main
    return config.func(config, plugins)
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 1254, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 115, in _get_and_save_cert
    renewal.renew_cert(config, domains, le_client, lineage)
  File "/usr/lib/python2.7/site-packages/certbot/renewal.py", line 305, in renew_cert
    new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
  File "/usr/lib/python2.7/site-packages/certbot/client.py", line 334, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python2.7/site-packages/certbot/client.py", line 370, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/usr/lib/python2.7/site-packages/certbot/auth_handler.py", line 82, in handle_authorizations
    self._respond(aauthzrs, resp, best_effort)
  File "/usr/lib/python2.7/site-packages/certbot/auth_handler.py", line 155, in _respond
    self._poll_challenges(aauthzrs, chall_update, best_effort)
  File "/usr/lib/python2.7/site-packages/certbot/auth_handler.py", line 226, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
FailedChallenges: Failed authorization procedure.
domain1.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching https://domain1.com.well-known/acme-challenge/ebBo6Gd0t_GZQalR2l-wI-sJGsDBMuv6y8gS4dxnUhs: Error getting validation data,
domain2.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching https://domain2.com.well-known/acme-challenge/vGqHf79SH2u6-aClEvvcx4FYjbhAbXuLTCz5a7uAFkw: Error getting validation data,
domain3.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching https://domain3.com.well-known/acme-challenge/ckMOnMMHb7YY40FuKh8vvrR3lf1AVEDb_QITB6bxTX4: Error getting validation data,
domain4.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching https://domain4.com.well-known/acme-challenge/9BgGSCXx-9Hk9prHtNTD9KCrFYIPV5PjFHLynLZZMLw: Error getting validation data

I didn't really touch the server in the 3 months, apart from running some updates.
Any help would be appreciated.

(Dan) #2

You’ve got a problem with your HTTPS redirects–they’re missing a trailing slash. This is causing the Let’s Encrypt servers to try to connect to domain1.com.well-known, which (of course) doesn’t exist.
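
The effect Dan describes can be reproduced without a server. The following is an added example, not code from the thread or from NethServer: it assumes the broken virtual host used an Apache `Redirect` directive, which substitutes the matched path prefix with the target URL verbatim, and it checks the resulting Location header the way a renewal pre-flight would (the challenge token is a constructed placeholder).

```python
from urllib.parse import urlsplit

# Constructed sample request path, as certbot's webroot plugin would serve it.
CHALLENGE_PATH = "/.well-known/acme-challenge/TOKEN-constructed"


def apache_redirect_target(rule_path, rule_url, request_path):
    """Simplified model of Apache's `Redirect <path> <url>` (assumption):
    the matched prefix is replaced by the target URL, nothing else is added."""
    if not request_path.startswith(rule_path):
        return None  # rule does not apply to this request
    return rule_url + request_path[len(rule_path):]


def check_redirect(expected_host, request_path, location):
    """Validate a Location header before an ACME http-01 validation.
    Returns (ok, reason). Fails if the host changed or the path was altered."""
    parts = urlsplit(location)
    if parts.scheme not in ("http", "https"):
        return False, "unexpected scheme %r" % parts.scheme
    if parts.hostname != expected_host:
        # This is the symptom from the log: domain1.com.well-known
        return False, "host changed to %r" % parts.hostname
    if parts.path != request_path:
        return False, "path changed to %r" % parts.path
    return True, "ok"


def audit_rule(host, rule_url):
    """Apply `Redirect / <rule_url>` to the challenge path and check the result."""
    location = apache_redirect_target("/", rule_url, CHALLENGE_PATH)
    ok, reason = check_redirect(host, CHALLENGE_PATH, location)
    return location, ok, reason


if __name__ == "__main__":
    for rule in ("https://domain1.com", "https://domain1.com/"):
        location, ok, reason = audit_rule("domain1.com", rule)
        print("Redirect / %-22s -> %s  [%s]" % (rule, location, reason))
```

Running it shows the slash-less rule producing `https://domain1.com.well-known/...`, exactly the URL Let's Encrypt reported it could not fetch, while the rule with a trailing slash keeps the challenge path intact.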

(Gabor) #3

Thanks for the quick response Dan.
You were right, the trailing slash was missing. Adding them solved the issue, and the certificate got renewed, but now I have another issue. None of the sites can be opened (not just the virtual hosts, but Nextcloud or SOGo either).

(Gabor) #4

I tried to change the certificate to the default one, but it threw the error:

(Eddie Atherton) #5

What do the logs show?


(Gabor) #6

[Mon Aug 13 21:32:22.445840 2018] [suexec:notice] [pid 4011] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Mon Aug 13 21:32:22.447654 2018] [ssl:emerg] [pid 4011] AH02238: Unable to configure RSA server private key
[Mon Aug 13 21:32:22.447673 2018] [ssl:emerg] [pid 4011] SSL Library Error: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
[Mon Aug 13 21:32:22.447676 2018] [ssl:emerg] [pid 4011] AH02312: Fatal error initialising mod_ssl, exiting.

(Dan) #7

The private key and certificate it's trying to use don't match, which will be a fatal error for Apache. What's the output of `config show pki`?

(Gabor) #8

Thanks guys, the issue is solved.
I had a lot of key files and for some reason none of them was working.
I removed the letsencrypt certificates along with the keys as described here: Delete Let's Encrypt Certificate
Requested a new letsencrypt cert and adjusted the conf files.