LetsEncrypt failing to renew


(Jared Busch) #1

My certificate failed to renew the last couple of days, so I checked the modules and updated Certificate Manager from 13.0.34 to 13.0.34.4. No change.

There was an error updating the certificate: Verification ended with error: {"identifier":{"type":"dns","value":"fpbx.domain.com"},"status":"invalid","expires":"2016-12-23T16:43:50Z","challenges":[{"type":"dns-01","status":"pending","uri":"https:\/\/acme-v01.api.letsencrypt.org\/acme\/challenge\/<snippysnip>\/NNNNNNNN","token":"<snip>"},{"type":"tls-sni-01","status":"invalid","error":{"type":"urn:acme:error:unauthorized","detail":"Incorrect validation certificate for TLS-SNI-01 challenge. Requested <snip>.acme.invalid from XXX.XXX.XXX.XXX:443. Received certificate containing 'fpbx.domain.com'","status":403},"uri":"https:\/\/acme-v01.api.letsencrypt.org\/acme\/challenge\/<snippysnip>\/NNNNNNNN","token":"<snip>","keyAuthorization":"<snip>","validationRecord":[{"hostname":"fpbx.domain.com","port":"443","addressesResolved":["XXX.XXX.XXX.XXX"],"addressUsed":"XXX.XXX.XXX.XXX"}]},{"type":"http-01","status":"pending","uri":"https:\/\/acme-v01.api.letsencrypt.org\/acme\/challenge\/<snippysnip>\/NNNNNNNN","token":"<snip>"}],"combinations":[[0],[2],[1]]}

(Lorne Gaetz) #2

(Jared Busch) #3

My certificate has a couple weeks left, I would prefer to refrain from using edge modules on a business production system.


(Jared Busch) #4

Just realized what you linked. I am not using any non-standard ports. My system is stock port 443.


(Rob Thomas) #5

The only changes in Sysadmin edge are to fix this specific problem.


(Jared Busch) #6

Did not resolve the problem.


(Lorne Gaetz) #7

Did you see this part?

Then all you need to do is go into Port management and click ‘Save’, which will generate a fixed httpd.conf!


(Andrew Nagy) #9

We also can’t see the full error because you truncated it.


(Jared Busch) #10

I truncated because it was the same.


(Jared Busch) #11

No, because the thread title did not look like it applied to my case. I am not using any special ports.

I have now done so and receive the same error.


(Andrew Nagy) #12

Have you verified manually? The other thread suggests that it works correctly from two users.


(Jared Busch) #13

Is there a reference for that? This was only ever set up from the GUI. Is it using Certbot behind the scenes? I know how to use that. If it is some other ACME client, which one?


(Andrew Nagy) #14

It’s not using certbot but it tells you the url in the error string. You can try to hit that manually.


(Jared Busch) #15

The URL in the error only loads the status. It does not attempt a reauthentication.

But if you read the error, it is saying that the TLS failed to verify. It says it requested something from >hex string<.acme.invalid and received my fpbx.domain.com instead and thus failed.

I changed the update to use HTTP and not HTTPS and it successfully updated.

This is an error in your code. It should have successfully updated with HTTPS.

 "detail": "Incorrect validation certificate for TLS-SNI-01 challenge. Requested 059ccc1db1ba951d5ac8a10be503259d.80caebfc00326120e2ebb436dfa2091a.acme.invalid from 107.XXX.XXX.135:443. Received certificate containing 'fpbx.domain.com'",
"status": 403

(Andrew Nagy) #16

I disagree. This is not an error in our code as is evident from other people successfully renewing with TLS in the other thread.

You didn’t do as I asked. But it’s too late now. Specifically you’d go to the https address and use the .well-known prefix that is “blocked” then you’d see if the token is in that folder and if you can hit it.


(Rob Thomas) #17

This is saying that you have not gone to ports and clicked save, as it’s still giving you a 403 error.

Lorne told you to do this.


(Jared Busch) #18

But I did.


(Jared Busch) #19

No, you said the URL was in the error string. I went to each of them. They were result messages.

If you wanted me to do something with .well-known, then you should give clear instructions.


(Rob Thomas) #20

That means that when letsencrypt tried to reach that URL, your server returned 403, which means permission denied. There is a URL in the error. You can copy and paste that into a browser, and see what the problem is.

The problem will be a 403 permission denied. That 403 permission denied was due to a typo in /etc/httpd/conf.d/ssl.conf that did NOT allow .well-known. That is fixed as of sysadmin 14.0.5.3.

This is what it should look like

<VirtualHost _default_:443>
  ServerName sng7.xrobau.com:443
  LogLevel warn
  SSLEngine on
  SSLCertificateFile /etc/httpd/pki/webserver.crt
  SSLCertificateKeyFile /etc/httpd/pki/webserver.key
  SSLCertificateChainFile /etc/httpd/pki/ca-bundle.crt
  DocumentRoot /var/www/html/ucp/
  SetEnvIf User-Agent '.*MSIE.*' nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
  # Map the ACME challenge directory (and the FreePBX equivalent) outside the UCP DocumentRoot
  Alias /.well-known /var/www/html/.well-known
  Alias /.freepbx-known /var/www/html/.freepbx-known
  RewriteEngine on
  # Let these two dot-directories through first ([L] stops rule processing) ...
  RewriteRule ^/\.(well-known|freepbx-known)/ - [H=text/plain,L]
  # ... then forbid (403) every other dot-file or dot-directory
  RewriteRule (^\.|/\.) - [F]
</VirtualHost>

If you want to run the update manually, you can take a copy of /etc/httpd/conf.d/ssl.conf and then run the sysadmin hook (as root):

/var/www/html/admin/modules/sysadmin/hooks/update-ports

That will update BOTH http and https. If you just want to do SSL, you can run update-ssl (which is called by update ports)
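As an added illustration (not code from the thread or from the sysadmin module), this models how Apache walks the two RewriteRule lines in the ssl.conf excerpt above, so you can see why the pass-through rule has to come before the catch-all dot-path ban, and what happens to the ACME challenge path when it is missing. The token value and the "broken" rule set are constructed assumptions for the demonstration.

```python
import re

# Rewrite rules copied from the ssl.conf excerpt, in the order Apache
# evaluates them. Each entry is (pattern, flags): "L" stops processing,
# "F" answers 403 Forbidden. RewriteRule patterns are unanchored, so
# re.search mirrors Apache's matching.
FIXED_RULES = [
    (r"^/\.(well-known|freepbx-known)/", {"L"}),  # let ACME / FreePBX tokens through
    (r"(^\.|/\.)", {"F"}),                       # forbid every other dot-path
]

# Constructed "broken" variant: the pass-through rule is absent, so the
# catch-all forbids the challenge directory as well.
BROKEN_RULES = [
    (r"(^\.|/\.)", {"F"}),
]


def dispatch(path: str, rules) -> int:
    """HTTP status Apache settles on for `path`: 403 if a rule carrying [F]
    matches first, 200 once an [L] rule matches or no rule matches."""
    for pattern, flags in rules:
        if re.search(pattern, path):
            if "F" in flags:
                return 403
            if "L" in flags:
                return 200
    return 200


def challenge_path(token: str) -> str:
    """URL path the ACME http-01 validator fetches for a given token."""
    return f"/.well-known/acme-challenge/{token}"


if __name__ == "__main__":
    token = "EXAMPLE_TOKEN"  # constructed placeholder, not a real token
    probes = (challenge_path(token), "/.freepbx-known/x", "/.htaccess",
              "/admin/.git/config", "/admin/index.php")
    for name, rules in (("fixed", FIXED_RULES), ("broken", BROKEN_RULES)):
        for p in probes:
            print(f"{name:6} {p:45} -> {dispatch(p, rules)}")
```

With the fixed rules the challenge path answers 200 while other dot-paths still get 403; with the pass-through rule missing the challenge path itself is forbidden.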