Hey guys, I’m having an issue with my let’s encrypt CA renewal and, web development really isn’t my jam. My setup is quite simple, I run a Ubiquiti Unifi Controller On Ubuntu 16.04. I use a DDNS and registered it’s address to the cert. It’s been almost 3 months and everything runned well until the renewal time arrived. Here’s the error I get:
2019-02-07 15:37:12,409:WARNING:letsencrypt.cli:Attempting to renew cert from /etc/letsencrypt/renewal/jtcunifi.d
dns.net.conf produced an unexpected error: Failed authorization procedure. jtcunifi.ddns.net (tls-sni-01): urn:ac
me:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sn
i-01 challenge. Requested xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.acme.invalid from 35.
227.18.103:443. Received 1 certificate(s), first certificate had names “jtcunifi.ddns.net”. Skipping.
All renewal attempts failed. The following certs could not be renewed:
1 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES: - The following errors were reported by the server: Domain: jtcunifi.ddns.net Type: unauthorized Detail: Incorrect validation certificate for tls-sni-01 challenge. Requested xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.invalid from 18.104.22.168:443. Received 1 certificate(s), first certificate had names “jtcunifi.ddns.net” To fix these errors, please make sure that your domain name was entered correctly and the DNS A record(s) for that domain contain(s) the right IP address.
Anyone could help with that?
You cannot run lets encrypt on a subdomain like that unless you own the root FQDN (that I know of).
Although I’m not 100% sure. I’m not sure because I don’t know if NoIP is doing anything to the request headers. If they’re mangling them beforehand then there’s not much we can do besides actually buy a FQDN,
I was able to get a certificate running using it in the first place, so, I can’t say. But, I have the same issue with a Proper FQDN for a production server: https://net.negotel.com
The error message is telling you what is wrong:
Since you don’t have a static IP, you probably initially requested the certificate from an address other than 22.214.171.124. Just request a new certificate instead of trying to renew the expiring one.
Also, It looks like you are using tls-sni-01 as your validation method. Let’s Encrypt is currently disabling that validation method: https://community.letsencrypt.org/t/march-13-2019-end-of-life-for-all-tls-sni-01-validation-support/74209
You’re right. But, I’m having the same issue with my production server which has a static ip and an actual fqdn.
How old is your certbot version?
Read somewhere a while ago that the letsencrypt script has been discontinued, and that certbot has to be used directly.
I recently setup a few ubuntu servers using certbot, and all I had to do was.
sudo apt install certbot python-certbot-apache
Something was also implemented recently, where it’s possible to get one certificate for primary domain and all subdomains. Maybe there’s a parameter to enable or disable this functionality.
Hi just updated it and still have the same issue. But, yeah, it was 3 years old. 0.4.1. I now have 0.28.0 but still can’t renew it. It still says:
Attempting to renew cert (jtcunifi.ddns.net) from /etc/letsencrypt/renewal/jtcunifi.ddns.net.conf produced an unexpected error: Failed authorization procedure. jtcunifi.ddns.net (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 8d28395f04e820bfe1efa7c2e0ca5dbf.6df11ab5008f046ab2f5ab9d2e3c1670.acme.invalid from 126.96.36.199:443. Received 1 certificate(s), first certificate had names “jtcunifi.ddns.net”. Skipping. All renewal attempts failed. The following certs could not be renewed: /etc/letsencrypt/live/jtcunifi.ddns.net/fullchain.pem (failure)
I installed the python-certbot-apache package and when I force --preffered-challenges http it now says:
Attempting to renew cert (jtcunifi.ddns.net) from /etc/letsencrypt/renewal/jtcunifi.ddns.net.conf produced an unexpected error: Problem binding to port 80: Could not bind to IPv4 or IPv6… Skipping. All renewal attempts failed. The following certs could not be renewed: /etc/letsencrypt/live/jtcunifi.ddns.net/fullchain.pem (failure)
The bind error sounds like you either didn’t run as root so didn’t have permission to bind to port 80 or you didn’t stop your web server before running certbot.
Why don’t you try a different authentication method?
I’m logged in as root, but, yes, I also simply tried in sudo.
Well, the next thing I’d do, would be to go back to zero. Remove everything that has to do with the certificate, remove certbot, letsencrypt, python-certbot-apache, certificates. Edit the conf files for the websites and remove everything that has to do with certificates.
Then I’d install certbot and python-certbot-apache and try to get the certs a new.
Alright guys! I figured out the last issue!
So, I updated my certbot with a new ppa as suggested and the error changed to being unable to get to port 80, as if the web service was still running.
Then, I updated it and installed python-certbot-apache which also installed apache2 on my server.
I had redirections on my server from port 80 to 8080 hiding the apache2 instance running without my knowledge. So, I removed the redirection and stopped the apache2 service. After that, I simply did:
letsencrypt renew --preferred-challenges http
Everything worked out from there.
Thank you for the help! You saved my but!