
Letsencrypt Suddenly Let's encrypt doesn't autorenew

Discussion in 'Domains, DNS, Email & SSL Certificates' started by Kintaro, May 23, 2019.

  1. Kintaro (Member)

    Hello,

    I have a server with two vhosts and one of them suddenly is not renewing Let's Encrypt. Other than basic cmupdate (centmin) updates, I didn't change anything in it.

    The problem seems to be accessing the .well-known directory.

    This is the part of the log about the error:

    Code:
    [Thu May 23 00:18:08 CEST 2019] response='{"type":"http-01","status":"invalid","error":{"type":"urn:acme:error:connection","detail":"Fetching https://domain.com/.well-known/acme-challenge/T_brlhFnHJylgCe8tG6iC2r94E3B5cTwwQHXs7oNc0Q: Connection refused","status": 400},"uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/XH9vVGzGFFnlxjPaJv5FzH4yCOozDjI38Qasy0zYzic/16167131915","token":"T_brlhFnHJylgCe8tG6iC2r94E3B5cTwwQHXs7oNc0Q","validationRecord":[{"url":"http://domain.com/.well-known/acme-challenge/T_brlhFnHJylgCe8tG6iC2r94E3B5cTwwQHXs7oNc0Q","hostname":"domain.com","port":"80","addressesResolved":["xxx.xxx.xxx.xxx","xxxx:xxxx::xxxx:xxxx:xxxx:xxxx"],"addressUsed":"2a01:7e01::f03c:91ff:fef0:21dd"},{"url":"http://domain.com/.well-known/acme-challenge/T_brlhFnHJylgCe8tG6iC2r94E3B5cTwwQHXs7oNc0Q","hostname":"domain.com","port":"80","addressesResolved":["xxx.xxx.xxx.xxx","xxxx:xxxx::xxxx:xxxx:xxxx:xxxx"],"addressUsed":"xxx.xxx.xxx.xxx"},{"url":"https://domain.com/.well-known/acme-challenge/T_brlhFnHJylgCe8tG6iC2r94E3B5cTwwQHXs7oNc0Q","hostname":"domain.com","port":"443","addressesResolved":["xxx.xxx.xxx.xxx","xxxx:xxxx::xxxx:xxxx:xxxx:xxxx"],"addressUsed":"2a01:7e01::f03c:91ff:fef0:21dd"}]}'
    [Thu May 23 00:18:08 CEST 2019] error='"error":{"type":"urn:acme:error:connection","detail":"Fetching https://domain.com/.well-known/acme-challenge/T_brlhFnHJylgCe8tG6iC2r94E3B5cTwwQHXs7oNc0Q: Connection refused","status": 400'
    [Thu May 23 00:18:08 CEST 2019] errordetail='Fetching https://domain.com/.well-known/acme-challenge/T_brlhFnHJylgCe8tG6iC2r94E3B5cTwwQHXs7oNc0Q: Connection refused'
    [Thu May 23 00:18:08 CEST 2019] domain.com:Verify error:Fetching https://domain.com/.well-known/acme-challenge/T_brlhFnHJylgCe8tG6iC2r94E3B5cTwwQHXs7oNc0Q: Connection refused
    [Thu May 23 00:18:08 CEST 2019] pid
    [Thu May 23 00:18:08 CEST 2019] No need to restore nginx, skip.
    [Thu May 23 00:18:08 CEST 2019] _clearupdns
    [Thu May 23 00:18:08 CEST 2019] skip dns.
    [Thu May 23 00:18:08 CEST 2019] _on_issue_err
    [Thu May 23 00:18:08 CEST 2019] Please check log file for more details: /root/centminlogs/acmetool.sh-debug-log-151118-135512.log
    
    The strange thing is that the other domain renewed without any problem.

    Code:
    # HTTPS-DEFAULT
     server {
    
       server_name domain.it www.domain.it;
       return 302 https://domain.it$request_uri;
       include /usr/local/nginx/conf/staticfiles.conf;
     }
    
    #       listen   80;
    #       server_name domain.it www.domain.it;
    #       return 302 https://$server_name$request_uri;
    
    server {
      listen 443 ssl http2 reuseport;
      server_name domain.it www.domain.it;
    
      include /usr/local/nginx/conf/ssl/domain.it/domain.it.crt.key.conf;
      include /usr/local/nginx/conf/ssl_include.conf;
    
      # cloudflare authenticated origin pull cert community.centminmod.com/threads/13847/
      #ssl_client_certificate /usr/local/nginx/conf/ssl/cloudflare/domain.it/origin.crt;
      #ssl_verify_client on;
      http2_max_field_size 16k;
      http2_max_header_size 32k;
      # mozilla recommended
      ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
      ssl_prefer_server_ciphers   on;
      #add_header Alternate-Protocol  443:npn-spdy/3;
    
      # before enabling HSTS line below read centminmod.com/nginx_domain_dns_setup.html#hsts
      #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      #add_header X-Frame-Options SAMEORIGIN;
      add_header X-Xss-Protection "1; mode=block" always;
      add_header X-Content-Type-Options "nosniff" always;
      #add_header Referrer-Policy "strict-origin-when-cross-origin";
      #spdy_headers_comp 5;
      ssl_buffer_size 1369;
      ssl_session_tickets on;
    
      # enable ocsp stapling
      resolver 8.8.8.8 8.8.4.4 valid=10m;
      resolver_timeout 10s;
      ssl_stapling on;
      ssl_stapling_verify on;
    
    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
      # limit_conn limit_per_ip 16;
      # ssi  on;
    
      access_log /home/nginx/domains/domain.it/log/access.log combined buffer=256k flush=5m;
      error_log /home/nginx/domains/domain.it/log/error.log;
    
      include /usr/local/nginx/conf/autoprotect/domain.it/autoprotect-domain.it.conf;
      root /home/nginx/domains/domain.it/public;
      # uncomment cloudflare.conf include if using cloudflare for
      # server and/or vhost site
      #include /usr/local/nginx/conf/cloudflare.conf;
      include /usr/local/nginx/conf/503include-main.conf;
    
      location / {
      include /usr/local/nginx/conf/503include-only.conf;
    
      # location to make invoiceninja work
      location /fatture/public {
        root /home/domain/public_html/fatture/public;
        index index.html index.htm index.php;
        try_files $uri $uri/ /fatture/public/index.php?$query_string;
      }
    
      # location to make invoiceplane work
      location /invoiceplane {
        index index.php;
        try_files $uri $uri/ /invoiceplane/index.php?q=$uri;
      }
    
      # location for the google script of xxxxx
      location /ebay {
               autoindex on;
        }
    
    # block common exploits, sql injections etc
    #include /usr/local/nginx/conf/block.conf;
    
      # Enables directory listings when index file not found
      #autoindex  on;
    
      # Shows file listing times as local time
      #autoindex_localtime on;
    
      # Wordpress Permalinks example
      #try_files $uri $uri/ /index.php?q=$uri&$args;
    
      }
    
      include /usr/local/nginx/conf/pre-staticfiles-local-domain.it.conf;
      include /usr/local/nginx/conf/pre-staticfiles-global.conf;
      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/php.conf;
    
      include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    
    }
    
    As you can see, staticfiles.conf is there (both http and https).
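The validationRecord in the log above already tells the story: Let's Encrypt fetched port 80 over IPv6, retried over IPv4 (it retries the initial fetch over IPv4 when IPv6 fails), followed the 302 to HTTPS, and was refused over IPv6 on port 443 with no IPv4 retry for the redirect target. The script below is an added example, not code from the thread, from acme.sh or from Centmin Mod. It parses the `response='{...}'` lines acme.sh writes to its debug log and reports, per attempt, the address family and port used, so a "Connection refused" is tied to a missing IPv6 listener rather than to a missing challenge file. The sample log line is constructed with the same shape as the one above, with a shortened token and documentation addresses in place of the poster's.

```python
"""Explain an acme.sh http-01 failure from the validationRecord in its log.

Added example, not code from the thread, from acme.sh or from Centmin Mod.
It parses the ``response='{...}'`` lines acme.sh writes to its debug log and
reports which address family and port each Let's Encrypt attempt used, so a
"Connection refused" can be tied to a missing IPv6 listener rather than to a
missing challenge file.
"""
import ipaddress
import json
import re
from typing import Dict, List, Optional

# Constructed sample shaped like the log line in the thread; token shortened,
# addresses replaced with documentation ranges (not the poster's).
SAMPLE_LOG = r"""[Thu May 23 00:18:08 CEST 2019] response='{"type":"http-01","status":"invalid","error":{"type":"urn:acme:error:connection","detail":"Fetching https://domain.com/.well-known/acme-challenge/TOKEN: Connection refused","status": 400},"uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/CHALLENGE/1","token":"TOKEN","validationRecord":[{"url":"http://domain.com/.well-known/acme-challenge/TOKEN","hostname":"domain.com","port":"80","addressesResolved":["198.51.100.10","2001:db8::10"],"addressUsed":"2001:db8::10"},{"url":"http://domain.com/.well-known/acme-challenge/TOKEN","hostname":"domain.com","port":"80","addressesResolved":["198.51.100.10","2001:db8::10"],"addressUsed":"198.51.100.10"},{"url":"https://domain.com/.well-known/acme-challenge/TOKEN","hostname":"domain.com","port":"443","addressesResolved":["198.51.100.10","2001:db8::10"],"addressUsed":"2001:db8::10"}]}'
[Thu May 23 00:18:08 CEST 2019] domain.com:Verify error:Fetching https://domain.com/.well-known/acme-challenge/TOKEN: Connection refused
"""

RESPONSE_RE = re.compile(r"response='(\{.*\})'")


def parse_responses(log_text: str) -> List[dict]:
    """Decode the JSON of every response='{...}' line; other lines are ignored."""
    return [json.loads(m.group(1)) for m in RESPONSE_RE.finditer(log_text)]


def classify_attempts(record: List[dict]) -> List[dict]:
    """Tag each validation attempt with the address family Let's Encrypt used."""
    attempts = []
    for entry in record:
        addr = ipaddress.ip_address(entry["addressUsed"])
        attempts.append({"url": entry["url"], "port": int(entry["port"]),
                         "family": f"IPv{addr.version}", "address": str(addr)})
    return attempts


def diagnose(response: dict) -> Dict[str, object]:
    """Summarise one challenge response.

    Let's Encrypt retries the initial URL over IPv4 when the IPv6 attempt
    fails, so an IPv6 attempt followed by an IPv4 attempt at the same URL is
    that retry. A redirect target gets no such retry, which is how a 302 to
    HTTPS can fail over IPv6 alone while IPv4 would have worked.
    """
    record = response.get("validationRecord", [])
    attempts = classify_attempts(record)
    detail = response.get("error", {}).get("detail", "")
    last: Optional[dict] = attempts[-1] if attempts else None
    final_url_tried_over_ipv4 = last is not None and any(
        a["url"] == last["url"] and a["family"] == "IPv4" for a in attempts)

    if response.get("status") == "valid":
        verdict = "ok"
    elif last is not None and "Connection refused" in detail:
        verdict = (f"{last['family']} listener missing on port {last['port']} "
                   f"({last['address']} refused the connection)")
        if last["family"] == "IPv6" and not final_url_tried_over_ipv4:
            verdict += "; the IPv4 address was never tried for this URL"
    else:
        verdict = f"challenge {response.get('status')}: {detail or 'no detail'}"

    return {
        "status": response.get("status"),
        "has_aaaa": any(ipaddress.ip_address(a).version == 6
                        for e in record for a in e.get("addressesResolved", [])),
        "redirected": len({a["port"] for a in attempts}) > 1,
        "v4_fallback_seen": any(
            a["url"] == b["url"] and a["family"] == "IPv6" and b["family"] == "IPv4"
            for a, b in zip(attempts, attempts[1:])),
        "final_url_tried_over_ipv4": final_url_tried_over_ipv4,
        "failed_family": last["family"] if last else None,
        "failed_port": last["port"] if last else None,
        "attempts": attempts,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for resp in parse_responses(SAMPLE_LOG):
        summary = diagnose(resp)
        for a in summary["attempts"]:
            print(f"{a['family']} :{a['port']} {a['url']} via {a['address']}")
        print("verdict:", summary["verdict"])
```

Point `parse_responses()` at the contents of the acmetool.sh debug log named in the output above. A verdict naming an IPv6 listener on port 443 with no IPv4 retry is the signature of a vhost that redirects to HTTPS but only has `listen 443` without `listen [::]:443`; a refusal on an IPv4 address instead points at the A record or the port 80 vhost.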
     
  2. eva2000 (Administrator, Staff Member)

    I see IPv6 addresses referenced. Do the domains you have Let's Encrypt SSL certs for have DNS AAAA IPv6 records, and do they have additional nginx vhost IPv6 listeners associated with them, so that when Let's Encrypt validates your domain over IPv6 it hits your nginx vhost on your server? If you have IPv6 but Let's Encrypt can't validate, it could be that your server's IPv6 network connectivity is messed up.
     
  3. Kintaro (Member)

    The only nginx configuration for the vhost is the one I reported here, so I think that is the problem.

    So I need to disable IPv6 or add it to the nginx configuration.

    The strange thing is that it is happening now; the configuration hasn't changed in 6 months. Maybe something changed on the Let's Encrypt side?

    Edit:
    I solved it by adding this to the 443 server directive:
    listen [::]:443 ssl http2;

    Code (Text):
    server {
      listen 443 ssl http2 reuseport;
      listen [::]:443 ssl http2;
      server_name domain.it www.domain.it;
    


    Now... in case of an nginx upgrade (I am a little behind), that configuration will be overwritten, right?
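The fix above adds an IPv6 listener only to the 443 block. The validationRecord in the first post shows port 80 being tried over IPv6 first and then retried over IPv4 (Let's Encrypt retries the initial fetch over IPv4 when IPv6 fails), so the redirect block, which as posted has no listen directive and therefore binds only *:80, keeps working by that retry alone. The checker below is an added example, not the thread's or Centmin Mod's code: it parses nginx server blocks and lists every port that has an IPv4 listener without a matching `[::]` listener. The three configs are constructed from the vhost in the thread (as posted, with the thread's fix, and with `[::]:80` added as well); treating a block without `listen` as `*:80` is nginx's documented default for a root-run nginx and is an assumption about this vhost.

```python
"""Flag nginx server blocks that listen on a port over IPv4 but not over IPv6.

Added example; not code from the thread or from Centmin Mod. Let's Encrypt
reaches a domain with an AAAA record over IPv6, so every port the http-01
check can hit (80, and 443 when 80 redirects there) needs `listen [::]:PORT`
beside its IPv4 listener. Assumption (nginx's documented default): a server
block with no listen directive binds *:80, IPv4 only, when nginx runs as root.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed from the vhost in the thread: redirect block with no listen,
# HTTPS block with an IPv4-only listener, one nested location.
BROKEN_VHOST = """
server {
  server_name domain.it www.domain.it;
  return 302 https://domain.it$request_uri;
}
server {
  listen 443 ssl http2 reuseport;
  server_name domain.it www.domain.it;
  location / {
    location /ebay { autoindex on; }  # nested braces must not confuse the parser
  }
}
"""
# The thread's fix: IPv6 listener on the 443 block only.
THREAD_FIX_VHOST = BROKEN_VHOST.replace(
    "listen 443 ssl http2 reuseport;",
    "listen 443 ssl http2 reuseport;\n  listen [::]:443 ssl http2;")
# Both ports on both families.
FULL_FIX_VHOST = THREAD_FIX_VHOST.replace(
    "server {\n  server_name", "server {\n  listen 80;\n  listen [::]:80;\n  server_name", 1)


def extract_server_blocks(conf: str) -> List[str]:
    """Return the body of every `server { ... }` block, outer braces excluded."""
    conf = re.sub(r"#[^\n]*", "", conf)  # drop comments first
    bodies = []
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        bodies.append(conf[m.end():i - 1])
    return bodies


def top_level_directives(body: str) -> List[List[str]]:
    """Split a block body into [name, arg, ...] lists, skipping nested blocks."""
    directives, depth, buf = [], 0, ""
    for ch in body:
        if ch in "{}":
            depth += 1 if ch == "{" else -1
            buf = ""
        elif ch == ";":
            if depth == 0 and buf.strip():
                directives.append(buf.split())
            buf = ""
        else:
            buf += ch
    return directives


def parse_listen(args: List[str]) -> Tuple[Set[str], int]:
    """listen arguments -> (families served, port). Handles `80`, `*:80`,
    `1.2.3.4[:80]`, `[::]:443`, `ipv6only=off` (dual-stack) and unix: sockets."""
    spec = args[0]
    if spec.startswith("unix:"):
        return set(), 0
    if spec.startswith("["):
        families = {"ipv6"} | ({"ipv4"} if "ipv6only=off" in args[1:] else set())
        return families, int(spec.rpartition(":")[2])
    if ":" in spec:
        return {"ipv4"}, int(spec.rsplit(":", 1)[1])
    return {"ipv4"}, int(spec) if spec.isdigit() else 80  # bare address: port 80


def find_ipv4_only_ports(conf: str) -> List[Tuple[str, int]]:
    """(server_name, port) for every port reachable over IPv4 but not IPv6."""
    findings = []
    for body in extract_server_blocks(conf):
        directives = top_level_directives(body)
        name = next((" ".join(d[1:]) for d in directives if d[0] == "server_name"),
                    "<no server_name>")
        per_port: Dict[int, Set[str]] = {}
        for d in directives:
            if d[0] == "listen":
                families, port = parse_listen(d[1:])
                per_port.setdefault(port, set()).update(families)
        if not per_port:
            per_port = {80: {"ipv4"}}  # assumed nginx default: no listen -> *:80
        for port, families in sorted(per_port.items()):
            if "ipv4" in families and "ipv6" not in families:
                findings.append((name, port))
    return findings


if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_VHOST), ("thread fix", THREAD_FIX_VHOST),
                        ("full fix", FULL_FIX_VHOST)):
        print(f"{label}: {find_ipv4_only_ports(conf) or 'ok'}")
```

Run as a script it reports two findings for the posted vhost (ports 80 and 443), one for the thread's fix (port 80 only) and none for the full fix; feed `find_ipv4_only_ports()` the text of a real vhost file to get the same check. Every (server_name, port) it returns is a port a dual-stack client such as the Let's Encrypt validator can be sent to over IPv6 and be refused on, and the port 80 finding is what the log's IPv6-then-IPv4 pair of attempts looks like in config form.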
     
  4. eva2000 (Administrator, Staff Member)

    Nope, nginx upgrades usually do not touch existing nginx vhost config files unless it's a security or SSL config security/cipher update, so it's safe for stuff like listeners etc. :)

    The only thing I can think of is that when you first got Let's Encrypt you didn't have a DNS AAAA record, so Let's Encrypt validated your domain on the IPv4 DNS A record instead.
     
  5. RichardWilliams (New Member)

    Execute the commands:

    Code:
    v-add-letsencrypt-user admin
    v-add-letsencrypt-domain admin site.com

    Certificates can only be renewed this way.
     
  6. eva2000 (Administrator, Staff Member)

    Centmin Mod doesn't have such commands; you might be thinking of a different LEMP stack.