Renewal Certificate Nitrokey Nextbox

Hi,

My Nextbox is not able to renew the TLS certificates. I had a look at the logs, and there are repeated errors, both in letsencrypt.log and nextbox.log, e.g.

2022-01-27 00:24:48,960:INFO:certbot.hooks:Output from nextbox-desec-hook.sh:
Deleting challenge XXXX ...
e[32mToken deleted. Returning to certbot.e[0m

2022-01-27 00:24:48,961:ERROR:certbot.hooks:Error output from nextbox-desec-hook.sh:
curl: (22) The requested URL returned error: 401 
curl: (22) The requested URL returned error: 401 
curl: (22) The requested URL returned error: 401 

2022-01-27 00:24:48,964:WARNING:certbot.renewal:Attempting to renew cert (AAA.dedyn.io) from /srv/letsencrypt/renewal/AAA.dedyn.io.conf produced an unexpected error: Failed authorization procedure. AAA.dedyn.io (dns-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.AAA.dedyn.io - check that a DNS record exists for this domain. Skipping.
2022-01-27 00:24:48,980:DEBUG:certbot.renewal:Traceback was:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 465, in handle_renewal_request
    main.renew_cert(lineage_config, plugins, renewal_candidate)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1193, in renew_cert
    renewed_lineage = _get_and_save_cert(le_client, config, lineage=lineage)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 116, in _get_and_save_cert
    renewal.renew_cert(config, domains, le_client, lineage)
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 323, in renew_cert
    new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 353, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 389, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 82, in handle_authorizations
    self._respond(aauthzrs, resp, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 168, in _respond
    self._poll_challenges(aauthzrs, chall_update, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 239, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. AAA.dedyn.io (dns-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.AAA.dedyn.io - check that a DNS record exists for this domain

2022-01-27 00:24:48,981:ERROR:certbot.renewal:All renewal attempts failed. The following certs could not be renewed:
2022-01-27 00:24:48,982:ERROR:certbot.renewal:  /srv/letsencrypt/live/AAA.dedyn.io/fullchain.pem (failure)
2022-01-27 00:24:48,983:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.31.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1365, in main
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1272, in renew
    renewal.handle_renewal_request(config)
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 490, in handle_renewal_request
    len(renew_failures), len(parse_failures)))
certbot.errors.Error: 1 renew failure(s), 0 parse failure(s)
2022-01-27 03:22:32,526:DEBUG:certbot.main:certbot version: 0.31.0

How do I get it to be renewed?

Thanks for any hints!

Hey @ffo,

this is weird, HTTP error 401 means unauthorized, which I would assume means you cannot be authorized by deSEC to create your DNS entry there. So I would first recommend renewing these:

  • log in to your deSEC account (make sure this is the account which has your subdomain registered), go to “tokens” and create a new one, and note down the auth token you receive
  • disable tls
  • in guided dns also disable it
  • then you should see your last domain + e-mail; verify that this is the e-mail which has the domain registered at deSEC
  • then go to step two directly without registering (button on the right side: “Next (without register)”)
  • insert the deSEC auth token you received earlier
  • enable dns
  • enable tls

hope this helps
best
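
A small triage helper for the failure pattern quoted in the first post: it maps the hook's 401 responses and the NXDOMAIN on the _acme-challenge TXT record to the root cause described above. This is an added example, not part of the thread or of the Nextbox tooling; the sample log lines are constructed from the quoted excerpt.

```python
import re
from collections import Counter

# Constructed sample, modelled on the letsencrypt.log excerpt in the thread (not a real capture).
SAMPLE_LOG = """\
2022-01-27 00:24:48,961:ERROR:certbot.hooks:Error output from nextbox-desec-hook.sh:
curl: (22) The requested URL returned error: 401
curl: (22) The requested URL returned error: 401
2022-01-27 00:24:48,964:WARNING:certbot.renewal:Attempting to renew cert (AAA.dedyn.io) from /srv/letsencrypt/renewal/AAA.dedyn.io.conf produced an unexpected error: Failed authorization procedure. AAA.dedyn.io (dns-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.AAA.dedyn.io - check that a DNS record exists for this domain. Skipping.
2022-01-27 00:24:48,981:ERROR:certbot.renewal:All renewal attempts failed. The following certs could not be renewed:
"""

HOOK_HTTP_RE = re.compile(r"curl: \(22\) The requested URL returned error: (\d{3})")
NXDOMAIN_RE = re.compile(r"NXDOMAIN looking up TXT for (_acme-challenge\.[\w.-]+)")
RENEW_RE = re.compile(r"Attempting to renew cert \(([\w.-]+)\)")


def triage(log_text):
    """Classify a failed dns-01 renewal from certbot log lines.

    Returns the domains certbot tried, the HTTP statuses the auth hook got
    back from the DNS provider API, the challenge names that resolved
    NXDOMAIN, and a verdict naming the most likely root cause.
    """
    domains = sorted(set(RENEW_RE.findall(log_text)))
    hook_statuses = Counter(HOOK_HTTP_RE.findall(log_text))
    missing_txt = sorted(set(NXDOMAIN_RE.findall(log_text)))

    if hook_statuses.get("401") or hook_statuses.get("403"):
        # The hook never managed to write the TXT record, so the NXDOMAIN that
        # follows is only a symptom: the provider rejected the API token.
        verdict = "hook_auth_failure"
    elif missing_txt:
        # Token accepted, but the record is still absent when the CA looks:
        # wrong zone or subname, or the record not yet published.
        verdict = "challenge_record_missing"
    elif hook_statuses:
        verdict = "hook_http_error"
    else:
        verdict = "no_known_signal"

    return {
        "domains": domains,
        "hook_statuses": dict(hook_statuses),
        "missing_txt": missing_txt,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A verdict of hook_auth_failure is the case in this thread: regenerate the deSEC token before looking any further at DNS.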

Hi @daringer ,

Thanks for the help. I went through all steps, and that seemed to work fine, until I went to the page where the certificate information is shown. It turns out the certificate was not renewed, and is still expiring on 3 Feb. So, unfortunately, the problem is not solved yet. Was the certificate not removed?

Hey @ffo,

yes, this is expected, as enabling TLS with a (locally) existing certificate will re-use this certificate. Now please wait 24h so certbot can try to renew it; hopefully the expiry date will then be back at 90 days again. If not, please recheck the logs.

best

The certificate renewal has worked now. Thanks!
