SSL Certificate renewal after expiration and NPM update #1208

Closed
maxdd opened this issue Jun 27, 2021 · 12 comments

maxdd commented Jun 27, 2021

Hi,
I'm facing issues with certificate renewal after there has been an expiration and after I've updated to the latest NPM docker image. Below is my log:

[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 01_s6-secret-init.sh: executing... 
[cont-init.d] 01_s6-secret-init.sh: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
❯ Enabling IPV6 in hosts: /etc/nginx/conf.d
  ❯ /etc/nginx/conf.d/default.conf
  ❯ /etc/nginx/conf.d/include/block-exploits.conf
  ❯ /etc/nginx/conf.d/include/proxy.conf
  ❯ /etc/nginx/conf.d/include/letsencrypt-acme-challenge.conf
  ❯ /etc/nginx/conf.d/include/assets.conf
  ❯ /etc/nginx/conf.d/include/ip_ranges.conf
  ❯ /etc/nginx/conf.d/include/ssl-ciphers.conf
  ❯ /etc/nginx/conf.d/include/force-ssl.conf
  ❯ /etc/nginx/conf.d/include/resolvers.conf
  ❯ /etc/nginx/conf.d/production.conf
❯ Enabling IPV6 in hosts: /data/nginx
  ❯ /data/nginx/proxy_host/7.conf
  ❯ /data/nginx/default_host/site.conf
[6/27/2021] [2:43:39 PM] [Global   ] › ℹ  info      Generating MySQL db configuration from environment variables
[6/27/2021] [2:43:39 PM] [Global   ] › ℹ  info      Wrote db configuration to config file: ./config/production.json
[6/27/2021] [2:43:40 PM] [Migrate  ] › ℹ  info      Current database version: 20210210154703
[6/27/2021] [2:43:40 PM] [Setup    ] › ℹ  info      Creating a new JWT key pair...
[6/27/2021] [2:43:58 PM] [Setup    ] › ℹ  info      Wrote JWT key pair to config file: /app/config/production.json
[6/27/2021] [2:43:58 PM] [IP Ranges] › ℹ  info      Fetching IP Ranges from online services...
[6/27/2021] [2:43:58 PM] [IP Ranges] › ℹ  info      Fetching https://ip-ranges.amazonaws.com/ip-ranges.json
[6/27/2021] [2:43:59 PM] [IP Ranges] › ℹ  info      Fetching https://www.cloudflare.com/ips-v4
[6/27/2021] [2:43:59 PM] [IP Ranges] › ℹ  info      Fetching https://www.cloudflare.com/ips-v6
[6/27/2021] [2:43:59 PM] [SSL      ] › ℹ  info      Let's Encrypt Renewal Timer initialized
[6/27/2021] [2:43:59 PM] [SSL      ] › ℹ  info      Renewing SSL certs close to expiry...
[6/27/2021] [2:43:59 PM] [IP Ranges] › ℹ  info      IP Ranges Renewal Timer initialized
[6/27/2021] [2:43:59 PM] [Global   ] › ℹ  info      Backend PID 225 listening on port 3000 ...
[6/27/2021] [2:44:00 PM] [Nginx    ] › ℹ  info      Reloading Nginx
[6/27/2021] [2:44:00 PM] [SSL      ] › ℹ  info      Renew Complete
[6/27/2021] [2:44:08 PM] [Express  ] › ⚠  warning   invalid signature
`QueryBuilder#allowEager` method is deprecated. You should use `allowGraph` instead. `allowEager` method will be removed in 3.0
`QueryBuilder#eager` method is deprecated. You should use the `withGraphFetched` method instead. `eager` method will be removed in 3.0
QueryBuilder#omit is deprecated. This method will be removed in version 3.0
Duplicate relation "access_list" in a relation expression. You should use "a.[b, c]" instead of "[a.b, a.c]". This will cause an error in objection 2.0
[6/27/2021] [2:44:36 PM] [Nginx    ] › ℹ  info      Reloading Nginx
[6/27/2021] [2:44:36 PM] [SSL      ] › ℹ  info      Requesting Let'sEncrypt certificates for Cert #6: ***************
[6/27/2021] [2:44:40 PM] [Nginx    ] › ℹ  info      Reloading Nginx
[6/27/2021] [2:44:40 PM] [Express  ] › ⚠  warning   Command failed: certbot certonly --non-interactive --config "/etc/letsencrypt.ini" --cert-name "npm-6" --agree-tos --email "****" --preferred-challenges "dns,http" --domains "*****" 

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Some challenges have failed.

Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

[6/27/2021] [2:45:34 PM] [Nginx    ] › ℹ  info      Reloading Nginx
[6/27/2021] [2:45:34 PM] [SSL      ] › ℹ  info      Requesting Let'sEncrypt certificates for Cert #7: *********
[6/27/2021] [2:45:38 PM] [Nginx    ] › ℹ  info      Reloading Nginx
[6/27/2021] [2:45:38 PM] [Express  ] › ⚠  warning   Command failed: certbot certonly --non-interactive --config "/etc/letsencrypt.ini" --cert-name "npm-7" --agree-tos --email "******" --preferred-challenges "dns,http" --domains "****" 
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Some challenges have failed.

maxdd commented Jun 27, 2021

This is the letsencrypt.log:

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: ************
  Type:   connection
  Detail: Fetching http://************/.well-known/acme-challenge/Cn50XLdix7BY8fgOmEgCnSPptSZY8U8s0-ghdNcJaNY: Error getting validation data

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

2021-06-27 14:45:38,108:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 93, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 181, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2021-06-27 14:45:38,109:DEBUG:certbot._internal.error_handler:Calling registered functions
2021-06-27 14:45:38,109:INFO:certbot._internal.auth_handler:Cleaning up challenges
2021-06-27 14:45:38,109:DEBUG:certbot._internal.plugins.webroot:Removing /data/letsencrypt-acme-challenge/.well-known/acme-challenge/Cn50XLdix7BY8fgOmEgCnSPptSZY8U8s0-ghdNcJaNY
2021-06-27 14:45:38,110:DEBUG:certbot._internal.plugins.webroot:All challenges cleaned up
2021-06-27 14:45:38,111:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/opt/certbot/bin/certbot", line 8, in <module>
    sys.exit(main())
  File "/opt/certbot/lib/python3.7/site-packages/certbot/main.py", line 15, in main
    return internal_main.main(cli_args)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/main.py", line 1552, in main
    return config.func(config, plugins)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/main.py", line 1414, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/main.py", line 128, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/client.py", line 445, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/client.py", line 375, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/client.py", line 425, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 93, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 181, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
2021-06-27 14:45:38,114:ERROR:certbot._internal.log:Some challenges have failed.

It seems like I have an issue providing the following:

http://************/.well-known/acme-challenge/Cn50XLdix7BY8fgOmEgCnSPptSZY8U8s0-ghdNcJaNY

Could it be due to HSTS or something similar?

Haringstad commented

I am seeing the same error here. I've tried a lot of things to fix it on my end, but it won't work.
Maybe it is time for acme.sh to be used?

smachi commented Jun 28, 2021

The same thing is happening to me. All my certificates have expired and NPM has not been able to renew them since a few versions ago.

maxdd commented Jun 28, 2021

Did any of you try a clean installation? I would like to avoid it since I have configured a lot lately.

Haringstad commented Jun 28, 2021 via email

jc21 (Member) commented Jun 29, 2021

On my production host I am not seeing this problem, and I haven't started fresh in about 18 months. Also using the latest image.

Are you able to request a new certificate for a new host?

maxdd commented Jun 29, 2021

No, I'm not.
I would say the first thing we should investigate is:

Fetching http://**************/.well-known/acme-challenge/uzCFoWkEQTkfpP8VQEl3v1CR_VxonuXBssS-Ryy_nX8: Error getting validation data

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

How can we verify this? My ports 80 and 443 are open though.

EDIT: I correct myself: port 80 was needed in order to do the renewal, and I had decided to disable it once I had generated my previous certificates.
Now it works.
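The failure in the thread is the CA's side of the HTTP-01 challenge: it connects to port 80 of the name being validated, requests /.well-known/acme-challenge/<token>, and expects to read back the key authorization certbot dropped into the webroot. The script below is an added example, not code from this issue, from Nginx Proxy Manager or from certbot: it reproduces that exchange locally (a throwaway HTTP server stands in for the CA's target, a constructed RSA JWK and token stand in for the ACME account key and challenge) and classifies the outcomes the way the log does, "connection" when nothing answers on the port and "unauthorized" when the wrong body comes back. The webroot, ports, JWK and token are all constructed for the demo.

```python
"""
Added example (not NPM or certbot code): emulate the CA side of an ACME HTTP-01
challenge against a webroot, and reproduce the 'connection' failure seen when
port 80 is closed. JWK, token, webroot and ports are constructed for the demo.
"""
import base64
import hashlib
import json
import os
import socket
import tempfile
import threading
import urllib.error
import urllib.request
from functools import partial
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer

CHALLENGE_DIR = ".well-known/acme-challenge"


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 8555 / JOSE use it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of an RSA JWK: SHA-256 over {"e","kty","n"}, sorted, no whitespace."""
    required = {k: jwk[k] for k in ("e", "kty", "n")}
    canonical = json.dumps(required, separators=(",", ":"), sort_keys=True).encode()
    return b64url(hashlib.sha256(canonical).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """<token>.<thumbprint>: the exact body the CA expects to read back."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def place_challenge(webroot: str, token: str, jwk: dict) -> str:
    """What certbot's webroot plugin does: write the key authorization into the webroot."""
    challenge_dir = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(challenge_dir, exist_ok=True)
    path = os.path.join(challenge_dir, token)
    with open(path, "w") as fh:
        fh.write(key_authorization(token, jwk))
    return path


def validate_http01(host: str, port: int, token: str, jwk: dict, timeout: float = 3.0) -> dict:
    """CA side: GET the challenge URL over plain HTTP and compare the body.
    A real CA only ever uses port 80; the port is a parameter so the demo can run locally."""
    url = f"http://{host}:{port}/{CHALLENGE_DIR}/{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace").strip()
    except urllib.error.HTTPError as exc:  # reachable, but the path is not served (404, 403, ...)
        return {"status": "invalid", "type": "unauthorized", "detail": f"Fetching {url}: HTTP {exc.code}"}
    except OSError as exc:  # refused, unreachable or timed out: the log's "Error getting validation data"
        return {"status": "invalid", "type": "connection", "detail": f"Fetching {url}: {exc}"}
    if body != key_authorization(token, jwk):
        return {"status": "invalid", "type": "unauthorized", "detail": "key authorization mismatch"}
    return {"status": "valid"}


class _QuietHandler(SimpleHTTPRequestHandler):
    def log_message(self, *args):  # keep the demo output clean
        pass


def serve_webroot(webroot: str):
    """Throwaway HTTP server on 127.0.0.1 serving the webroot; returns (server, port)."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), partial(_QuietHandler, directory=webroot))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def free_port() -> int:
    """A local port with nothing listening, to reproduce the closed-port-80 failure."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo() -> dict:
    """Happy path, wrong body, and closed port against a temporary webroot."""
    webroot = tempfile.mkdtemp(prefix="acme-webroot-")
    jwk = {"kty": "RSA", "e": "AQAB", "n": b64url(os.urandom(256))}  # constructed account key
    token = b64url(os.urandom(32))  # constructed token, same shape as the one in the log
    results = {}
    srv, port = serve_webroot(webroot)
    try:
        place_challenge(webroot, token, jwk)
        results["served"] = validate_http01("127.0.0.1", port, token, jwk)
        # Something else answered on the path (another vhost, a redirect into a web app).
        with open(os.path.join(webroot, CHALLENGE_DIR, token), "w") as fh:
            fh.write("<html>not the key authorization</html>")
        results["wrong_content"] = validate_http01("127.0.0.1", port, token, jwk)
    finally:
        srv.shutdown()
        srv.server_close()
    # Nothing listening at all: exactly the "Type: connection" failure from the thread.
    results["closed_port"] = validate_http01("127.0.0.1", free_port(), token, jwk)
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The local server only demonstrates the protocol; it cannot stand in for the real check, because Let's Encrypt connects from the internet to port 80 of the public name, not to whatever answers locally. For NPM the webroot in the log is /data/letsencrypt-acme-challenge, so the practical test is the same as the thread's conclusion: port 80 must be forwarded to the NPM container while certbot runs, even if 443 is all that is used afterwards.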

@jc21 jc21 added the bug label Jun 30, 2021
@jc21 jc21 self-assigned this Jun 30, 2021
smachi commented Jul 3, 2021

@maxdd Thanks for the hint!

In my case, port 80 wasn't open and that was the cause. I've just opened it and the certificate renewals are working now :)

Haringstad commented Jul 3, 2021 via email

talesam commented Jul 28, 2021

I'm facing the same error myself; I can't renew any certificate. My server has been running for a long time; before, I was able to renew, but now not anymore.

[Screenshot 2021-07-28 12-51-42]

chaptergy (Collaborator) commented

The original author of this issue and others in the thread had not forwarded port 80 in their router and were able to renew the certificate successfully after opening the port. In order to prevent this issue from becoming a graveyard for various different issues which arise for some people, I'm going to close this issue.

@talesam I have moved your comment to a new issue. You can also open a new one if you would like to be the author of the issue.

talesam commented Jul 28, 2021

The original author of this issue and others in the thread had not forwarded port 80 on their router and were able to renew the certificate successfully after opening the port. To prevent this issue from becoming a graveyard for various different problems that arise for some people, I'm going to close this issue.

@talesam I have moved your comment to a new issue. You can also open a new one if you would like to be the author of the issue.

Port 80 is open, that's not it.

[Screenshot 2021-07-28 13-02-50]
