Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Cannot renew my cert #2615

Closed
kierancassel opened this issue Mar 6, 2016 · 16 comments
Closed

Cannot renew my cert #2615

kierancassel opened this issue Mar 6, 2016 · 16 comments

Comments

@kierancassel
Copy link

@kierancassel kierancassel commented Mar 6, 2016

Okay so I got an email today about my certificate needing renewal soon so I tried:

./letsencrypt-auto renew

I cloned the latest version before doing this.

Result:


root@muadness:~/letsencrypt# sudo ./letsencrypt-auto renew
Checking for new version...
Requesting root privileges to run letsencrypt...
   /root/.local/share/letsencrypt/bin/letsencrypt renew
Processing /etc/letsencrypt/renewal/muadness.com.conf

Nothing ever seems to happen, so I ctrl-c'd in SSH and got this output:

root@muadness:~/letsencrypt# sudo ./letsencrypt-auto renew
Checking for new version...
Requesting root privileges to run letsencrypt...
   /root/.local/share/letsencrypt/bin/letsencrypt renew
Processing /etc/letsencrypt/renewal/muadness.com.conf
^CTraceback (most recent call last):
  File "/root/.local/share/letsencrypt/bin/letsencrypt", line 11, in <module>
    sys.exit(main())
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/cli.py", line 1993, in main
    return config.func(config, plugins)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/cli.py", line 1024, in renew
    obtain_cert(lineage_config, plugins, renewal_candidate)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/cli.py", line 690, in obtain_cert
    le_client = _init_le_client(config, authenticator, installer)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/cli.py", line 214, in _init_le_client
    return client.Client(config, acc, authenticator, installer, acme=acme)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/client.py", line 183, in __init__
    acme = acme_from_config_key(config, self.account.key)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/client.py", line 41, in acme_from_config_key
    return acme_client.Client(config.server, key=key, net=net)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/acme/client.py", line 63, in __init__
    self.net.get(directory).json())
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/acme/client.py", line 627, in get
    self._send_request('GET', url, **kwargs), content_type=content_type)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/acme/client.py", line 609, in _send_request
    response = requests.request(method, url, *args, **kwargs)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/requests/api.py", line 53, in request
    return session.request(method=method, url=url, **kwargs)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/requests/sessions.py", line 468, in request
    resp = self.send(prep, **send_kwargs)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/requests/sessions.py", line 576, in send
    r = adapter.send(request, **kwargs)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/requests/adapters.py", line 376, in send
    timeout=timeout
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py", line 559, in urlopen
    body=body, headers=headers)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py", line 345, in _make_request
    self._validate_conn(conn)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py", line 784, in _validate_conn
    conn.connect()
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/requests/packages/urllib3/connection.py", line 217, in connect
    conn = self._new_conn()
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/requests/packages/urllib3/connection.py", line 137, in _new_conn
    (self.host, self.port), self.timeout, **extra_kw)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/requests/packages/urllib3/util/connection.py", line 81, in create_connection
    sock.connect(sa)
  File "/usr/lib/python2.7/socket.py", line 224, in meth
    return getattr(self._sock,name)(*args)
KeyboardInterrupt

Any advice? Python version is reporting as 2.7.6

@bmw

This comment has been minimized.

Copy link
Member

@bmw bmw commented Mar 7, 2016

@kierancassel, when you run the script to completion, do you see something like this near the bottom?

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/domain/fullchain.pem (skipped)

renew only renews certificates when they are less than 30 days from expiration, allowing you to run it in something like cron and only renew the cert when necessary.

@kierancassel

This comment has been minimized.

Copy link
Author

@kierancassel kierancassel commented Mar 7, 2016

The script never runs to completion, it hangs at processing forever and has
to be manually interrupted.
On Mon, 7 Mar 2016 at 9:59 p.m., bmw notifications@github.com wrote:

@kierancassel https://github.com/kierancassel, when you run the script
to completion, do you see something like this near the bottom?

The following certs are not due for renewal yet:
/etc/letsencrypt/live/domain/fullchain.pem (skipped)

renew only renews certificates when they are less than 30 days from
expiration, allowing you to run it in something like cron and only renew
the cert when necessary.


Reply to this email directly or view it on GitHub
#2615 (comment)
.

@bmw

This comment has been minimized.

Copy link
Member

@bmw bmw commented Mar 7, 2016

Oh! Does this happen on every run?

Looking at the traceback, I can tell you the Let's Encrypt client is trying to talk to the server for the first time.

@schoen

This comment has been minimized.

Copy link
Contributor

@schoen schoen commented Mar 7, 2016

It looks to me like it's timing out trying to connect from your machine to the CA. This could be due to something like a firewall that's blocking this outbound connection somehow.

Can you run

curl https://acme-v01.api.letsencrypt.org/directory

on that same server? It should immediately show you some JSON data if it's able to connect.

@kierancassel

This comment has been minimized.

Copy link
Author

@kierancassel kierancassel commented Mar 7, 2016

So I have just now tried again and now it processes with the error:

2016-03-07 17:20:58,217:WARNING:letsencrypt.cli:Attempting to renew cert from /etc/letsencrypt/renewal/muadness.com.conf produced an unexpected error: Failed authorization procedure. muadness.com (tls-sni-01): urn:acme:error:tls :: The server experienced a TLS error during domain verification :: Failed to connect to host for DVSNI challenge. Skipping.

The curl command seems to work correctly

@kierancassel

This comment has been minimized.

Copy link
Author

@kierancassel kierancassel commented Mar 9, 2016

Yeah so the whole issue seems to be something to do with connecting to a host for DVSNI challenge. I'm not quite sure what host it is trying to connect to, any guidance?

@WillTemeraire

This comment has been minimized.

Copy link

@WillTemeraire WillTemeraire commented Jul 12, 2016

I've got the very same problem. I have to terminate certbot and got the same errors. A verbose curl gives me this:
root@host:/opt/certbot# sudo curl -v https://acme-v01.api.letsencrypt.org/directory
* Hostname was NOT found in DNS cache
* Trying 2a02:26f0:10:28d::3d5...
* Connected to acme-v01.api.letsencrypt.org (2a02:26f0:10:28d::3d5) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* Unknown SSL protocol error in connection to acme-v01.api.letsencrypt.org:443
* Closing connection 0
curl: (35) Unknown SSL protocol error in connection to acme-v01.api.letsencrypt.org:443

@Der4NDR3

This comment has been minimized.

Copy link

@Der4NDR3 Der4NDR3 commented Jul 19, 2016

Hi,
I've got the same problem and have exactly the same verbose curl output as @WillTemeraire
Certbot don't give me a error or something. It just stuck...
Has anybody a solution or workaround for this ?

@WillTemeraire

This comment has been minimized.

Copy link

@WillTemeraire WillTemeraire commented Jul 19, 2016

The problem's apparently the IPv6 network interface.
with sudo curl -v -4 https://acme-v01.api.letsencrypt.org/directory
the output appears quite normal to me:

* Hostname was NOT found in DNS cache
*   Trying 23.0.33.82...
* Connected to acme-v01.api.letsencrypt.org (23.0.33.82) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using ECDHE-RSA-AES256-GCM-SHA384
* Server certificate:
*        subject: CN=*.api.letsencrypt.org; O=INTERNET SECURITY RESEARCH GROUP;                                    L=Mountain View; ST=California; C=US
*        start date: 2015-06-26 17:05:45 GMT
*        expire date: 2018-06-25 17:05:45 GMT
*        subjectAltName: acme-v01.api.letsencrypt.org matched
*        issuer: C=US; O=IdenTrust; OU=TrustID Server; CN=TrustID Server CA A52
*        SSL certificate verify ok.
> GET /directory HTTP/1.1
> User-Agent: curl/7.35.0
> Host: acme-v01.api.letsencrypt.org
> Accept: */*
>
< HTTP/1.1 200 OK
* Server nginx is not blacklisted
< Server: nginx
< Content-Type: application/json
< Content-Length: 280
< Boulder-Request-Id: DtR_dWdAimq7NP4Kppw6beNPRu6vfNbplKb-o1_M2bs
< Replay-Nonce: HT8EzQuvnEcqfPJYTuDQJnDkt4hpewKj0ziD5kYcZLc
< X-Frame-Options: DENY
< Strict-Transport-Security: max-age=604800
< Expires: Tue, 19 Jul 2016 10:33:23 GMT
< Cache-Control: max-age=0, no-cache, no-store
< Pragma: no-cache
< Date: Tue, 19 Jul 2016 10:33:23 GMT
< Connection: keep-alive
<
{
  "new-authz": "https://acme-v01.api.letsencrypt.org/acme/new-authz",
  "new-cert": "https://acme-v01.api.letsencrypt.org/acme/new-cert",
  "new-reg": "https://acme-v01.api.letsencrypt.org/acme/new-reg",
  "revoke-cert": "https://acme-v01.api.letsencrypt.org/acme/revoke-cert"
* Connection #0 to host acme-v01.api.letsencrypt.org left intact

`

@Der4NDR3

This comment has been minimized.

Copy link

@Der4NDR3 Der4NDR3 commented Jul 19, 2016

With IPv4 I get the same output 👍
Strange think: For a few weeks everything is works fine with LE/Certbot on the same server.
So what happend and how can we teach Certbot or the os to use only the IPv4 address ?
I'm on a VPS and can't switch between IPv6 and IPv4...

@WillTemeraire

This comment has been minimized.

Copy link

@WillTemeraire WillTemeraire commented Jul 19, 2016

I'm on a VPS too and you can simply deactivate the IPv6-Stack.
For example (Ubuntu 14.04 LTS):
open /etc/sysctl.conf with your favourite text editor and add the following lines at the end of the file!

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

Then check the contents with sudo sysctl -p. It should show you the newly added lines of code.
To make sure everything works, you can add a
cat /proc/sys/net/ipv6/conf/all/disable_ipv6 which will report a 1
After that, try certbot renew again :)

It worked for me! :)

@Der4NDR3

This comment has been minimized.

Copy link

@Der4NDR3 Der4NDR3 commented Jul 19, 2016

Perfect ! Thank you # @WillTemeraire
With these workaround I can renew and request new certs over Certbot :)

@WillTemeraire

This comment has been minimized.

Copy link

@WillTemeraire WillTemeraire commented Jul 19, 2016

Gern geschehen ;)

@Der4NDR3

This comment has been minimized.

Copy link

@Der4NDR3 Der4NDR3 commented Jul 29, 2016

Danke Will :)

Note: LE is now supporting IPv6 !
https://letsencrypt.org/2016/07/26/full-ipv6-support.html

So I reactivate the IPv6 option in the network stack, try to renew my cert and it works 😁
If someone else get in future the same error, it should be another reasons as the missing IPv6 support.

@palxex

This comment has been minimized.

Copy link

@palxex palxex commented Jul 29, 2016

Cannot renew my ipv6-only cert, still. I notice that it still bind to ipv4 only interface 0.0.0.0.

@ohemorange

This comment has been minimized.

Copy link
Contributor

@ohemorange ohemorange commented Nov 7, 2018

IPv6 support should be working now, feel free to reopen if that's not the case.

@ohemorange ohemorange closed this Nov 7, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
7 participants
You can’t perform that action at this time.