Certbot renewal failed on Ubuntu 18

October 14, 2019
Let's Encrypt

I have converted my Apache2 webserver running on an Ubuntu 18 LTS server in my home to use SSL through Certbot and a certificate from Let's Encrypt. This was done back in August/Sept, I believe.
Today I got a message from Let's Encrypt with this content:

“Your certificate (or certificates) for the names listed below will expire in 19 days (on 03 Nov 19 17:35 +0000). Please make sure to renew your certificate before then, or visitors to your website will encounter errors.

We recommend renewing certificates automatically when they have a third of their
total lifetime left. For Let’s Encrypt’s current 90-day certificates, that means
renewing 30 days before expiration.”

I thought that renewal would be done automatically by certbot, but that seems not to be the case. So I tried to do it manually on the Ubuntu command line:

sudo certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/svn.xxxxxxxx.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for xxxxx.xxxxxxxx.com
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (svn.xxxxxxxxx.com) from /etc/letsencrypt/renewal/svn.xxxxxxxx.com.conf produced an unexpected error: Failed authorization procedure. video.xxxxxxxx.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching https://192.168.119.216/.well-known/acme-challenge/A6D3gPG0WaepHg0ynv6AW8xdRU78ta96HSwoug0iTME: Invalid host in redirect target "192.168.119.216". Only domain names are supported, not IP addresses. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/svn.xxxxxxxxxxx.com/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/svn.xxxxxxxxxxx.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

So what can I do in order to fix this?

The certificate I created is valid for three sites I run on the server (svn, video and home) all with a dynamic domain name pointing to the same external address for my fiber router.
All of the sites are user/password protected (Apache htpasswd).
I have opened the router with a port forward into the Ubuntu server.

1 Answer

Hello,

The renewal is failing because for some reason certbot can’t find the domain name/s:

The server could not connect to the client to verify the domain. Invalid host in redirect target “192.168.119.216”. Only domain names are supported, not IP addresses.

Can you please let me know what happens when you test the renewal with this command:

sudo certbot renew --dry-run

Also, can you please check that the DNS is working fine as well?
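
The log in the question shows the validation request being redirected to https://192.168.119.216/..., which Let's Encrypt rejects because the redirect target is an IP address. The following pre-check is an added example, not part of the original thread and not Certbot code: it follows redirects from the HTTP-01 challenge path one hop at a time and reports the first target whose host is an IP literal. The function names, the `test` token and the `svn.example.com` hostname are assumptions made for illustration.

```python
import http.client
import ipaddress
from urllib.parse import urljoin, urlsplit

def redirect_problem(target_url):
    """Return why an HTTP-01 validator would refuse this redirect target, or None."""
    parts = urlsplit(target_url)
    if parts.scheme not in ("http", "https"):  # Let's Encrypt only follows http/https
        return f"unsupported scheme {parts.scheme!r}"
    host = parts.hostname or ""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None  # host is a domain name, which is what the CA requires
    kind = "private" if addr.is_private else "public"
    return f"redirect target {host!r} is a {kind} IP address, not a domain name"

def get_location(url):
    """Issue one GET without following redirects; return the Location header or None."""
    parts = urlsplit(url)
    https = parts.scheme == "https"
    cls = http.client.HTTPSConnection if https else http.client.HTTPConnection
    conn = cls(parts.netloc, timeout=10)
    try:
        conn.request("GET", parts.path or "/")
        resp = conn.getresponse()
        return resp.getheader("Location") if 300 <= resp.status < 400 else None
    finally:
        conn.close()

def trace_challenge(domain, fetch=get_location, max_hops=10):
    """Follow redirects from the challenge path; return (hops, problem_or_None)."""
    url = f"http://{domain}/.well-known/acme-challenge/test"  # constructed token
    hops = [url]
    for _ in range(max_hops):
        location = fetch(url)
        if location is None:
            return hops, None  # chain ended without a rejected redirect
        url = urljoin(url, location)  # Location may be relative
        hops.append(url)
        problem = redirect_problem(url)
        if problem:
            return hops, problem  # stop before contacting the rejected target
    return hops, "too many redirects"

if __name__ == "__main__":
    # Constructed sample: a vhost that redirects HTTP to HTTPS by LAN address.
    fake = {"http://svn.example.com/.well-known/acme-challenge/test":
            "https://192.168.119.216/.well-known/acme-challenge/test"}
    print(trace_challenge("svn.example.com", fetch=fake.get))
```

Run `trace_challenge` once per name on the certificate, from outside the LAN, since each name is validated separately and the result depends on what the public address returns.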
