Let's Encrypt certificate expired, did not autorenew and not possible to re-obtain

Problem Description
Let's Encrypt certificate expired but did not autorenew and cannot be re-obtained. Same problem as [SOLVED] Letsencrypt certificate expired, did not autorenew and not possible to re-obtain, but with a slightly different error message, and the solution does not work for me. I’m opening a new thread so as not to contaminate a solved problem.

Steps to Reproduce

  1. Login to FreedomBox as Admin.
  2. Go to System / Let’s Encrypt application page.
  3. Two domains listed: mydomain.org with certificate status Valid; app1.mydomain.org with certificate status Expired.
  4. Select ‘Re-obtain’ on expired certificate.

Expected Results
I expected to see a message confirming that the certificate was re-obtained and showing a new expiry date.

Actual results
I get an error with the following message:

Failed to obtain certificate for domain app1.mydomain.org:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for app1.mydomain.org
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. app1.mydomain.org (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://app1.mydomain.org/.well-known/acme-challenge/5nCF...xyz [xx.xxx.xx.xx]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

Information

  • FreedomBox version: Debian GNU/Linux 10 (buster) and FreedomBox version 21.1
  • Hardware: Raspberry Pi 3

Other notes
The FreedomBox is accessible from the Internet. My router is set via DMZ to route traffic to the FreedomBox. All other FreedomBox apps are working fine. It’s just this Let’s Encrypt certificate that’s a problem.

Additionally, I cannot see the debug log or any files in /var/log/letsencrypt because Permission denied, despite having administrator privileges.

Thanks.


Thanks, @NickA. I’ve seen that post, and similar ones, but I am not getting a No valid IP address error so think I have a different problem. Mine seems to be permission-related, or at least that’s my suspicion and as noted in a new question. (This thread was getting no attention after six days so I refined it and reposted.)

I’ve not changed anything about the FreedomBox configuration, or my network, and up until the certificate expiration, everything has been working fine.

Did you try the diagnostics?
Did you close port 80 (http)? IIRC it needs to be open for renewal.

Port 80 is open but Diagnostics does show an error in the Networks app:

Using DNSSEC on IPv4 failed

Using DNSSEC on IPv6 failed

I do not know what this means or how to fix it.

Sorry, don’t know what more could be related here. Someone else?

Make sure that your router firewall port 80 is forwarded to your FreedomBox, if your FreedomBox is behind a router. If your FreedomBox is on the DMZ, you should not have to do this, as FreedomBox has a built-in firewall that you can look at in the System menu.
Hope this helps!

FreedomBox is on the DMZ and is accessible from outside the network. I can get to mydomain.org (certificate still valid) but cannot get to app1.mydomain.org because the certificate has expired.

I have Pi-hole running on the network too, and even disabled it in case it was interfering with the certificate renewal process. This made no difference and I’m still stuck.

The initial Let’s Encrypt certification process was a very easy out-of-the-box experience, but certificate renewal has been the opposite.

I think my next option will be to rebuild the FreedomBox from scratch, obtain new certificates and hope the same thing does not happen at certificate renewal time.

Just a few thoughts: did you originally have it set to auto-renew certs in the settings for Let’s Encrypt? Let’s Encrypt now provides up to 20 cert renewals a week, up from the original 5, which could be a real PITA if you had to set up a fresh install more than a couple of times due to other technical issues.

When you say app1.mydomain.org, are you referring to PageKite? I remember the first time I had ever installed FreedomBox on my network, I had to set up and use PageKite to get the certs from Let’s Encrypt in the first place, because of my ISP’s CGNAT blocking port 80. Also, from my own use of FreedomBox, I noticed that Matrix does not need to have a separate subdomain set to be able to use it; it can be served from your TLD with the appropriate ports forwarded, or open in this case, since you have your FreedomBox on the DMZ.

Which reminds me, if you have a subdomain within your TLD, i.e. app1.mydomain.org, you may have to change your DNS settings at your registrar’s control panel to reflect that the subdomain is handled by the same server (IP address) as your TLD server, i.e. mydomain.org.

From what I read of your log in your first post about this, it looks as though the Let’s Encrypt servers cannot reach your FreedomBox to verify that it actually exists in the first place. I don’t know if, or think that, starting over with a fresh install would help resolve this issue, but I could be wrong…

I sincerely hope that something I have stated here helps with your problem…

Thanks for your reply, @mtinman. I’ll do my best to answer the questions while I think some more about the points you have raised.

I honestly cannot remember, but probably Yes.

I don’t use PageKite. The app1 application is Shaarli, a bookmark app that I’ve run concurrently with FreedomBox on the same hardware. It has never interfered with FB functions, but I now find that it’s a problem because I cannot renew the certificate.

Most of the posted solutions to “Cannot renew” errors point towards blocked port 80 as the culprit, but mine is definitely open.

If I find a solution, I’ll update this post. Thanks again for your thoughtful reply.
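A check that follows from the log in the first post, as an added example and not code from this thread or from FreedomBox: certbot reported writing the challenge token under the webroot /var/www/html, and the validator got an Apache 404 back for /.well-known/acme-challenge/... after being redirected to https://app1.mydomain.org. If app1.mydomain.org is answered by a separate Apache virtual host (the Shaarli site) whose DocumentRoot is a different directory, the token certbot writes is never served for that hostname, which gives exactly a 404 while port 80 is open and the default site (mydomain.org) still renews fine. The script below reads the DocumentRoot of the vhost that matches a hostname and compares it with the webroot certbot uses, and includes a live probe that places a token and fetches it over plain HTTP the way the validator does. The vhost config, the /var/www/shaarli path, the hostnames and the port handling are constructed for the example; on a real box point it at the files under /etc/apache2/sites-enabled/.

```shell
#!/bin/sh
# Added example, not code from this thread or from FreedomBox. Checks the
# http-01 failure mode seen in the log above: Apache answered 404 for
# /.well-known/acme-challenge/<token> although certbot wrote the token under
# the webroot /var/www/html. If the vhost that serves the hostname uses a
# different DocumentRoot, the token is simply never served for that host.
# All paths, hostnames and the sample vhost config are assumptions.

set -u

# Print the DocumentRoot of the first <VirtualHost> block in config file $1
# whose ServerName or ServerAlias equals hostname $2. Optional $3 restricts
# the match to blocks listening on that port (e.g. 443, since the 404 in the
# log came back over https after a redirect). Prints nothing if no block
# matches.
vhost_docroot() {
    conf=$1; host=$2; port=${3:-}
    awk -v host="$host" -v port="$port" '
        /^[[:space:]]*<VirtualHost/ {
            inblock = (port == "" || index($0, ":" port ">") > 0)
            hit = 0; docroot = ""
            next
        }
        inblock && ($1 == "ServerName" || $1 == "ServerAlias") {
            for (i = 2; i <= NF; i++) if ($i == host) hit = 1
            next
        }
        inblock && $1 == "DocumentRoot" { docroot = $2; next }
        /^[[:space:]]*<\/VirtualHost>/ {
            if (inblock && hit) { print docroot; exit }
            inblock = 0
        }
    ' "$conf"
}

# Exit 0 when the vhost for $2 serves certbot webroot $3, 1 when it serves a
# different directory (the challenge file would 404), 2 when no vhost matches
# (Apache would fall through to its default site instead).
webroot_matches() {
    conf=$1; host=$2; webroot=$3; port=${4:-}
    docroot=$(vhost_docroot "$conf" "$host" "$port")
    [ -z "$docroot" ] && return 2
    [ "$docroot" = "$webroot" ] && return 0
    return 1
}

# Live probe (needs the real host and network, so not part of the offline
# test): write a random token under the webroot and fetch it over plain HTTP
# the way the ACME validator does, following an HTTP->HTTPS redirect (-L) and
# not failing on the expired certificate (-k), which the validation in the
# log evidently did too since it got a body back over https. Returns 0 only
# if the body that comes back is the token.
live_http01_check() {
    host=$1; webroot=${2:-/var/www/html}
    dir="$webroot/.well-known/acme-challenge"
    token=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
    mkdir -p "$dir" && printf '%s' "$token" > "$dir/$token" || return 1
    got=$(curl -fsSLk --max-time 10 "http://$host/.well-known/acme-challenge/$token")
    rc=$?
    rm -f "$dir/$token"
    [ "$rc" -eq 0 ] && [ "$got" = "$token" ]
}

# Constructed sample config: the default site serves /var/www/html, while
# app1.mydomain.org is a separate vhost (the bookmark app) with its own
# DocumentRoot on both :80 and :443.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
<VirtualHost *:80>
    ServerName mydomain.org
    DocumentRoot /var/www/html
</VirtualHost>
<VirtualHost *:80>
    ServerName app1.mydomain.org
    DocumentRoot /var/www/shaarli
</VirtualHost>
<VirtualHost *:443>
    ServerName app1.mydomain.org
    DocumentRoot /var/www/shaarli
    SSLEngine on
</VirtualHost>
EOF

for host in mydomain.org app1.mydomain.org; do
    if webroot_matches "$SAMPLE_CONF" "$host" /var/www/html; then
        echo "$host: vhost serves /var/www/html, the challenge file would be found"
    else
        echo "$host: vhost DocumentRoot is '$(vhost_docroot "$SAMPLE_CONF" "$host")', not /var/www/html; expect a 404 on the challenge"
    fi
done
```

If the offline comparison reports a mismatch, the fix on the Apache side is either to serve /.well-known/acme-challenge from the certbot webroot inside the subdomain's vhost (an Alias to that directory) or to run the renewal with the webroot that vhost actually uses; the live probe then confirms the token is reachable before retrying Re-obtain. A port restriction of 443 matters because the log shows the validator was redirected to https, so the :443 vhost is the one that produced the 404.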

Glad to help!

It might be unrelated, but I had a similar issue. I had set up Apache to require a password on my default site, which I believe was causing errors / bad interaction with the Let’s Encrypt certificate renewal. I disabled the password requirement for 10 min, renewed the certificate, and reinstated the password. More of a quick fix than a workable solution.

Good suggestion … Unfortunately, I am not using a password on Apache.

I didn’t solve the problem but have side-stepped it by removing the Shaarli bookmark app from the FreedomBox and deleting the subdomain that it required. I now have only a single Let’s Encrypt certificate, which is due for renewal in a few months. I’m hoping that that renewal is trouble-free; otherwise I’ll be back here to re-activate this question!

The score is currently Certificate Renewal Bug: 1; Me: 0.

Thanks to everyone who suggested a solution.