LetsEncrypt failing to renew

My certificate failed to renew the last couple of days, so I checked the modules and updated Certificate Manager from 13.0.34 to 13.0.34.4. No change.

There was an error updating the certificate: Verification ended with error: {"identifier":{"type":"dns","value":"fpbx.domain.com"},"status":"invalid","expires":"2016-12-23T16:43:50Z","challenges":[{"type":"dns-01","status":"pending","uri":"https:\/\/acme-v01.api.letsencrypt.org\/acme\/challenge\/<snippysnip>\/NNNNNNNN","token":"<snip>"},{"type":"tls-sni-01","status":"invalid","error":{"type":"urn:acme:error:unauthorized","detail":"Incorrect validation certificate for TLS-SNI-01 challenge. Requested <snip>.acme.invalid from XXX.XXX.XXX.XXX:443. Received certificate containing 'fpbx.domain.com'","status":403},"uri":"https:\/\/acme-v01.api.letsencrypt.org\/acme\/challenge\/<snippysnip>\/NNNNNNNN","token":"<snip>","keyAuthorization":"<snip>","validationRecord":[{"hostname":"fpbx.domain.com","port":"443","addressesResolved":["XXX.XXX.XXX.XXX"],"addressUsed":"XXX.XXX.XXX.XXX"}]},{"type":"http-01","status":"pending","uri":"https:\/\/acme-v01.api.letsencrypt.org\/acme\/challenge\/<snippysnip>\/NNNNNNNN","token":"<snip>"}],"combinations":[[0],[2],[1]]}
3 Likes

My certificate has a couple weeks left, I would prefer to refrain from using edge modules on a business production system.

Just realized what you linked. I am not using any non-standard ports. My system is stock port 443.

The only changes in Sysadmin edge are to fix this specific problem.

Did not resolve the problem.

Did you see this part?

Then all you need to do is go into Port management and click ‘Save’, which will generate a fixed httpd.conf!

2 Likes

We also can’t see the full error because you truncated it.

1 Like

I truncated because it was the same.

No, because the thread title did not look like it applied to my case. I am not using any special ports.

I have now done so and receive the same error.

Have you verified manually? The other thread suggests that it works correctly from two users.

Is there a reference for that? This was only ever setup from the GUI. Is it using Certbot behind the scenes? I know how to use that. If it is some other ACME client, which one?

It’s not using certbot, but it tells you the URL in the error string. You can try to hit that manually.

The URL in the error only loads the status. It does not attempt a reauthentication.

But if you read the error, it is saying that the TLS failed to verify. It says it requested something from >hex string<.acme.invalid and received my fpbx.domain.com instead and thus failed.

I changed the update to use HTTP and not HTTPS and it successfully updated.

This is an error in your code. It should have successfully updated with HTTPS.

 "detail": "Incorrect validation certificate for TLS-SNI-01 challenge. Requested 059ccc1db1ba951d5ac8a10be503259d.80caebfc00326120e2ebb436dfa2091a.acme.invalid from 107.XXX.XXX.135:443. Received certificate containing 'fpbx.domain.com'",
"status": 403

I disagree. This is not an error in our code as is evident from other people successfully renewing with TLS in the other thread.

You didn’t do as I asked. But it’s too late now. Specifically you’d go to the https address and use the .well-known prefix that is “blocked” then you’d see if the token is in that folder and if you can hit it.

This is saying that you have not gone to ports and clicked save, as it’s still giving you a 403 error.

Lorne told you to do this.

But I did.

No, you said the URL was in the error string. I went to each of them. They were result messages.

If you wanted me to do something with .well-known, then you should give clear instructions.

That means that when letsencrypt tried to reach that URL, your server returned 403, which means permission denied. There is a URL in the error. You can copy and paste that into a browser, and see what the problem is.

The problem will be a 403 permission denied. That 403 permission denied was due to a typo in /etc/httpd/conf.d/ssl.conf that did NOT allow .well-known. That is fixed as of sysadmin 14.0.5.3.

This is what it should look like

<VirtualHost _default_:443>
  ServerName sng7.xrobau.com:443
  LogLevel warn
  SSLEngine on
  SSLCertificateFile /etc/httpd/pki/webserver.crt
  SSLCertificateKeyFile /etc/httpd/pki/webserver.key
  SSLCertificateChainFile /etc/httpd/pki/ca-bundle.crt
  DocumentRoot /var/www/html/ucp/
  SetEnvIf User-Agent '.*MSIE.*' nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
  Alias /.well-known /var/www/html/.well-known
  Alias /.freepbx-known /var/www/html/.freepbx-known
  RewriteEngine on
  RewriteRule ^/\.(well-known|freepbx-known)/ - [H=text/plain,L]
  RewriteRule (^\.|/\.) - [F]
</VirtualHost>

If you want to run the update manually, you can take a copy of /etc/httpd/conf.d/ssl.conf and then run the sysadmin hook (as root):

/var/www/html/admin/modules/sysadmin/hooks/update-ports

That will update BOTH http and https. If you just want to do SSL, you can run update-ssl (which is called by update-ports).

2 Likes
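A worked example, added here and not part of the thread or of FreePBX’s sysadmin module: the first function triages an ACME authorization object of the shape quoted above (which challenge the CA marked invalid, the 403 detail it reported, and the address it actually connected to), and the second fetches the HTTP-01 challenge path over plain HTTP or HTTPS the way the CA would, so a 403 from a vhost that blocks /.well-known shows up before the renewal is attempted. The hostname fpbx.example.com, the 192.0.2.10 address, the tokens and the challenge URIs in the sample are constructed placeholders, not values from the thread.

```python
"""Added example (not FreePBX/sysadmin code): triage an ACME authorization
result like the one quoted in the thread, then probe the HTTP-01 challenge
path over HTTP and HTTPS to see whether the web server answers 403
(the symptom of an ssl.conf that blocks /.well-known)."""
import json
import ssl
import urllib.error
import urllib.request

# Constructed sample shaped like the Let's Encrypt v1 authorization object
# quoted in the thread; host, address, tokens and URIs are placeholders.
SAMPLE_AUTHZ = json.dumps({
    "identifier": {"type": "dns", "value": "fpbx.example.com"},
    "status": "invalid",
    "challenges": [
        {"type": "dns-01", "status": "pending",
         "uri": "https://acme.example/challenge/AAAA/1", "token": "tok-dns"},
        {"type": "tls-sni-01", "status": "invalid",
         "error": {"type": "urn:acme:error:unauthorized",
                   "detail": "Incorrect validation certificate for TLS-SNI-01 challenge.",
                   "status": 403},
         "validationRecord": [{"hostname": "fpbx.example.com", "port": "443",
                               "addressesResolved": ["192.0.2.10"],
                               "addressUsed": "192.0.2.10"}]},
        {"type": "http-01", "status": "pending",
         "uri": "https://acme.example/challenge/AAAA/3", "token": "tok-http"},
    ],
})


def summarize_authz(authz_json):
    """Return one dict per challenge: type, status, the CA's error detail
    (if any) and the address the CA actually connected to."""
    authz = json.loads(authz_json)
    rows = []
    for ch in authz.get("challenges", []):
        err = ch.get("error") or {}
        records = ch.get("validationRecord") or []
        rows.append({
            "type": ch.get("type"),
            "status": ch.get("status"),
            "error_status": err.get("status"),
            "detail": err.get("detail"),
            "address_used": records[0].get("addressUsed") if records else None,
            "token": ch.get("token"),
        })
    return rows


def failed_challenges(authz_json):
    """Types of the challenges the CA marked invalid; an empty list means the
    failure lies elsewhere (for example an expired authorization)."""
    return [r["type"] for r in summarize_authz(authz_json) if r["status"] == "invalid"]


def challenge_url(host, token, scheme="http"):
    """The path an HTTP-01 validator fetches; the vhost in the thread serves it
    through the Alias + RewriteRule pair instead of answering 403."""
    return f"{scheme}://{host}/.well-known/acme-challenge/{token}"


def probe_challenge_path(host, token, scheme="http", timeout=5):
    """Fetch the challenge URL as the CA would and return (http_status, body).
    403 reproduces the thread's symptom; 404 means the path is reachable but no
    token file is in place. Certificate verification is disabled on purpose:
    the certificate being renewed may already be expired."""
    url = challenge_url(host, token, scheme)
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(url, headers={"User-Agent": "acme-preflight/0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.status, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode(errors="replace")


if __name__ == "__main__":
    for row in summarize_authz(SAMPLE_AUTHZ):
        print(row)
    print("invalid:", failed_challenges(SAMPLE_AUTHZ))
    # Live probe (assumed host and token): drop a file named after the token
    # into /var/www/html/.well-known/acme-challenge/ on the PBX first, then:
    # print(probe_challenge_path("fpbx.example.com", "probe-token", "https"))
```

Run the live probe over both schemes: with the corrected ssl.conf, HTTPS should return 200 for a token file that exists, the same as HTTP; a 403 on HTTPS only is exactly the ssl.conf problem described above.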