Let's Encrypt certificates stopped renewing for some reason?

open4biz

Hi All,

About two months ago I noticed that the Let's Encrypt certificates stopped renewing on my server's URL. Here's the error I'm seeing:

2024/08/28 00:53:56 info executing task task=action=ssl&force=true&value=server_acme exec ["/usr/local/bin/lego" "--accept-tos" "[email protected]" "--key-type=ec256" "--server=https://acme-v02.api.letsencrypt.org/directory" "--path=/usr/local/directadmin/data/.lego" "--http" "--http.webroot=/var/www/html" "--domains=subdomain.mydomains.com" "run" "--no-bundle" "--preferred-chain=ISRG Root X1"]
2024/08/28 00:53:56 [INFO] [subdomain.mydomains.com] acme: Obtaining SAN certificate
2024/08/28 00:53:56 [INFO] [subdomain.mydomains.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/396135859856
2024/08/28 00:53:56 [INFO] [subdomain.mydomains.com] acme: Could not find solver for: tls-alpn-01
2024/08/28 00:53:56 [INFO] [subdomain.mydomains.com] acme: use http-01 solver
2024/08/28 00:53:56 [INFO] [subdomain.mydomains.com] acme: Trying to solve HTTP-01
2024/08/28 00:54:02 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/396135859856
2024/08/28 00:54:02 Could not obtain certificates:
error: one or more domains had a problem:
[subdomain.mydomains.com] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: During secondary validation: 2606:4700:3032::ac43:8c67: Invalid response from http://subdomain.mydomains.com/.well-known/acme-challenge/juBXA111k_utFEwy3111z0d7802mgFv111JyIlnl111: 403
2024/08/28 00:54:02 info finished task duration=6.47753499s task=action=ssl&force=true&value=server_acme
exit status 1
Failed to issue new certificate

When I go to the /var/www/html/.well-known/acme-challenge/ directory I don't see any files except for the test.txt file created while running through the Troubleshooting Let's Encrypt Errors help doc.

Since the error seems to be related to permissions, here's the owner I see when I ls -la /var/www/html:

drwxr-xr-x 3 root root 4096 Aug 28 01:12 .well-known

And the same for /var/www/html/.well-known:

drwxr-xr-x 2 root root 4096 Aug 28 00:54 acme-challenge
-rw-r--r-- 1 root root 163 Jan 18 2023 .htaccess

Should the owner be root and do the permissions look right?

I should note that the domain is sitting behind Cloudflare's WAF, and I don't know if it's screwing things up, but it used to work, so something seems to have changed?

Any nudge in the right direction would be appreciated.

Cheers
When I curled the auth URL (https://acme-v02.api.letsencrypt.org/acme/authz-v3/396135859856) I noticed at the bottom that it seems to be choosing Cloudflare's IP instead of my server's - is that normal?

"addressesResolved": [
"172.67.140.103",
"104.21.54.165",
"2606:4700:3032::ac43:8c67",
"2606:4700:3030::6815:36a5"
],
"addressUsed": "2606:4700:3032::ac43:8c67"

I'm still trying to figure out why lego isn't writing anything to the .well-known/acme-challenge challenge directory... I'm not sure if it did before because I never needed to look.
 
Did you read this?
 
Did you read this?
Thank you, that helped.

I logged into my host's control panel and verified that I do not have an IPv6 IP attached to the server, then disabled IP on the server. I rebooted and tried again - no change.

Then I revisited my Cloudflare WAF rules and disabled two of them and it worked. I'm pretty sure it's this one, because I disabled the other one last week and it didn't make any difference:

(not ip.geoip.country in {"US" "CA"}) >> JavaScript Challenge

Which means the Let's Encrypt servers are probably located outside the US or Canada.

So thank you, that helped me dig into it again and find the root cause.

Cheers
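The thread's root cause is that the Let's Encrypt validators never reached the origin: DNS resolves to Cloudflare's edge (the addressesResolved list above), and the geo-based JavaScript Challenge answered the /.well-known/acme-challenge/ request with a 403 before the webroot file was ever consulted. The following script is an added example, not something posted in this thread or part of lego/DirectAdmin: it writes a throwaway token into the webroot, fetches it the way an HTTP-01 validator would from every resolved address, and reports whether each answer came from the origin or was blocked at the proxy. The Cloudflare prefix list is a small subset assumed for illustration; the domain and webroot are placeholders you supply.

```python
"""Probe an HTTP-01 challenge path like an ACME validator and classify the answer."""
import ipaddress
import pathlib
import secrets
import socket
import urllib.error
import urllib.request

# Assumed subset of Cloudflare's published edge ranges (see cloudflare.com/ips).
# A 403 from one of these means a proxy rule answered, not the origin webroot.
CLOUDFLARE_NETS = [ipaddress.ip_network(n) for n in (
    "104.16.0.0/13", "104.24.0.0/14", "172.64.0.0/13", "2606:4700::/32")]


def is_edge_addr(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in CLOUDFLARE_NETS)


def classify(status: int, body: str, token: str, addr: str) -> str:
    """Turn one probe result into a short diagnosis."""
    if status == 200 and body.strip() == token:
        return "ok"                 # origin served the token: validation would pass
    if is_edge_addr(addr) and status in (403, 503):
        return "blocked-at-edge"    # WAF / geo / JS-challenge rule fired before the origin
    if status == 404:
        return "not-served"         # webroot path or .htaccess problem on the origin itself
    return "unexpected"


def resolve(host: str) -> list:
    """All A/AAAA answers, since LE's secondary validation may pick any of them."""
    return sorted({i[4][0] for i in socket.getaddrinfo(host, 80, proto=socket.IPPROTO_TCP)})


def probe(domain: str, webroot: str, timeout: float = 10) -> dict:
    token = secrets.token_urlsafe(32)
    path = pathlib.Path(webroot) / ".well-known" / "acme-challenge" / token
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(token)
    results = {}
    try:
        for addr in resolve(domain):
            host = f"[{addr}]" if ":" in addr else addr
            url = f"http://{host}/.well-known/acme-challenge/{token}"
            req = urllib.request.Request(url, headers={"Host": domain})
            try:
                with urllib.request.urlopen(req, timeout=timeout) as r:
                    status, body = r.getcode(), r.read().decode(errors="replace")
            except urllib.error.HTTPError as e:
                status, body = e.code, ""
            except OSError as e:
                status, body = 0, str(e)
            results[addr] = classify(status, body, token, addr)
    finally:
        path.unlink(missing_ok=True)   # never leave stray challenge files behind
    return results
```

A "blocked-at-edge" result for every address is the pattern seen in this thread; the proxy-side fix is to exempt the challenge path from the rule, for example by appending `and not starts_with(http.request.uri.path, "/.well-known/acme-challenge/")` to the geo expression rather than disabling the rule entirely.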