Permanently Deleted

  • Tabitha ☢️[she/her] · 9 months ago
    uname -a
    
    curl -v letsencrypt.org
    
    traceroute letsencrypt.org
    
    sudo certbot renew --dry-run
    

    Share the output from these and recent log entries from /var/log/letsencrypt/.

    • TankieTanuki [he/him] · 9 months ago (edited)
      $ uname -a
      Linux [redacted] 6.7.1-arch1-1 #1 SMP PREEMPT_DYNAMIC Sun, 21 Jan 2024 22:14:10 +0000 x86_64 GNU/Linux
      
      $ curl -v letsencrypt.org
      * Host letsencrypt.org:80 was resolved.
      * IPv6: 2a05:d014:275:cb02::c8, 2a05:d014:275:cb00::c8
      * IPv4: 3.72.140.173, 3.70.101.28
      *   Trying 3.72.140.173:80...
      * Connected to letsencrypt.org (3.72.140.173) port 80
      > GET / HTTP/1.1
      > Host: letsencrypt.org
      > User-Agent: curl/8.5.0
      > Accept: */*
      > 
      < HTTP/1.1 301 Moved Permanently
      < Content-Type: text/plain; charset=utf-8
      < Date: Sun, 03 Mar 2024 14:25:33 GMT
      < Location: https://letsencrypt.org/
      < Server: Netlify
      < X-Nf-Request-Id: 01HR2B9B0D8VKSFR5K5ES23ZKA
      < Content-Length: 39
      < 
      * Connection #0 to host letsencrypt.org left intact
      Redirecting to https://letsencrypt.org/
      
      $ traceroute letsencrypt.org
      traceroute to letsencrypt.org (3.70.101.28), 30 hops max, 60 byte packets
       1  * * *
       2  * * *
       3  ae0.984-2.edge01.egh.as49581.net (80.91.223.29)  0.650 ms  0.614 ms  0.578 ms
       4  ae0.1176-2.edge01.egh.as49581.net (80.91.223.27)  1.064 ms  0.936 ms  0.888 ms
       5  92.223.127.44 (92.223.127.44)  3.430 ms *  3.374 ms
       6  be3458.ccr42.ams03.atlas.cogentco.com (154.54.39.185)  4.126 ms ae-8.a01.amstnl07.nl.bb.gin.ntt.net (157.238.227.144)  3.699 ms *
       7  amsix02-ams1.amazon.com (80.249.210.217)  3.831 ms ae-3.r21.amstnl07.nl.bb.gin.ntt.net (129.250.7.88)  4.405 ms ae-3.r20.amstnl07.nl.bb.gin.ntt.net (129.250.7.86)  4.925 ms
       8  ae-1.a00.amstnl07.nl.bb.gin.ntt.net (129.250.7.71)  4.192 ms 54.239.114.46 (54.239.114.46)  4.851 ms 52.93.112.12 (52.93.112.12)  4.443 ms
       9  ae-0.amazon.amstnl07.nl.bb.gin.ntt.net (129.250.207.114)  4.707 ms 54.239.114.101 (54.239.114.101)  24.337 ms ae-0.amazon.amstnl07.nl.bb.gin.ntt.net (129.250.207.114)  4.386 ms
      10  52.93.112.161 (52.93.112.161)  5.052 ms 52.93.112.153 (52.93.112.153)  4.747 ms *
      11  54.239.114.105 (54.239.114.105)  3.949 ms * 54.239.114.31 (54.239.114.31)  7.732 ms
      12  * * *
      13  * * *
      14  * * *
      15  * * *
      16  * * *
      17  * * *
      18  * * *
      19  * * *
      20  * * *
      21  * * *
      22  * * *
      23  * * *
      24  * * *
      25  * * *
      26  * * *
      27  * * *
      28  * * *
      29  * * *
      30  * * *
      
      
      $ sudo certbot renew --dry-run
      Saving debug log to /var/log/letsencrypt/letsencrypt.log
      
      - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Processing /etc/letsencrypt/renewal/tankietanuki.com.conf
      - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Account registered.
      Simulating renewal of an existing certificate for tankietanuki.com and 12 more domains
      
      Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
        Domain: files.tankietanuki.com
        Type:   dns
        Detail: DNS problem: NXDOMAIN looking up A for files.tankietanuki.com - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for files.tankietanuki.com - check that a DNS record exists for this domain
      
        Domain: matrix.tankietanuki.com
        Type:   dns
        Detail: DNS problem: NXDOMAIN looking up A for matrix.tankietanuki.com - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for matrix.tankietanuki.com - check that a DNS record exists for this domain
      
        Domain: toot.tankietanuki.com
        Type:   dns
        Detail: DNS problem: NXDOMAIN looking up A for toot.tankietanuki.com - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for toot.tankietanuki.com - check that a DNS record exists for this domain
      
        Domain: ttk.sh
        Type:   unauthorized
        Detail: 2606:4700:3035::ac43:85e2: Invalid response from http://ttk.sh/.well-known/acme-challenge/f8CpDtPROuez3hIMxEa4moZYGGVERGrASN2tdMFRO-E: 409
      
        Domain: www.ttk.sh
        Type:   unauthorized
        Detail: 2606:4700:3035::ac43:85e2: Invalid response from http://www.ttk.sh/.well-known/acme-challenge/2ScBqEvqE6r_FJcHEtJ0WSZZmeFOV3-iTidV1inRL9I: 409
      
      Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.
      
      Failed to renew certificate tankietanuki.com with error: Some challenges have failed.
      
      - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      All simulated renewals failed. The following certificates could not be renewed:
        /etc/letsencrypt/live/tankietanuki.com/fullchain.pem (failure)
      - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      1 renew failure(s), 0 parse failure(s)
      Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
      
      

      When I transferred the DNS nameservers to Cloudflare, I chose to enable a couple of HTTPS-only settings that it recommended but didn't fully understand.

      I'll edit this to add the logs soon.

      • TheCaconym [any] · 9 months ago (edited)

        Two options:

        • Disable the Cloudflare shit entirely - you can let it host your DNS but that's it (what I'd suggest). It'll be an instant fix.
        • Update all your vhosts to make them match the fact that Cloudflare is now between your visitors and your webserver. This also means you'll have to deploy Cloudflare's certs, not Let's Encrypt ones.

        I'd also remove this entire post, by the way; I haven't checked but it likely gives too much info about you. I'll happily help you with either of those two options in DM, or Matrix, if you want.
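The dry-run output above mixes two different failures: three names that no longer resolve at all (NXDOMAIN), and two names whose HTTP-01 challenge was answered with a 409 by an address in Cloudflare's range rather than by the nginx that certbot had edited. The script below is an added example for this thread, not code from the thread or from certbot. It parses the `Domain: / Type: / Detail:` blocks certbot prints, sorts each failing name into an actionable bucket, and builds the re-issue command for dropping the dead names. It assumes certbot's output format as shown above, Cloudflare's published IPv6 range 2606:4700::/32 (https://www.cloudflare.com/ips/), certbot's documented `certonly --cert-name` way of changing a lineage's domain set, and the `--nginx` authenticator reported in the output; the sample report is a constructed, abridged copy of the thread's output, and the full domain list passed to `reissue_command` is hypothetical.

```python
"""Triage a failed `certbot renew --dry-run` from the CA's error report.

Added example for this thread, not code from the thread or from certbot.
Assumes the "Domain: / Type: / Detail:" block format certbot printed above
and Cloudflare's published IPv6 proxy range 2606:4700::/32
(https://www.cloudflare.com/ips/); add its IPv4 ranges the same way if needed.
"""
import ipaddress
import re
from collections import defaultdict

# Cloudflare's published IPv6 range. A challenge answered from here was
# answered by Cloudflare's proxy, not by the origin nginx that certbot edits.
CLOUDFLARE_NETS = [ipaddress.ip_network("2606:4700::/32")]

# Constructed sample, abridged from the dry-run output in the thread.
SAMPLE_REPORT = """\
Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Domain: files.tankietanuki.com
  Type:   dns
  Detail: DNS problem: NXDOMAIN looking up A for files.tankietanuki.com - check that a DNS record exists for this domain

  Domain: matrix.tankietanuki.com
  Type:   dns
  Detail: DNS problem: NXDOMAIN looking up A for matrix.tankietanuki.com - check that a DNS record exists for this domain

  Domain: toot.tankietanuki.com
  Type:   dns
  Detail: DNS problem: NXDOMAIN looking up A for toot.tankietanuki.com - check that a DNS record exists for this domain

  Domain: ttk.sh
  Type:   unauthorized
  Detail: 2606:4700:3035::ac43:85e2: Invalid response from http://ttk.sh/.well-known/acme-challenge/f8CpDtPROuez3hIMxEa4moZYGGVERGrASN2tdMFRO-E: 409

  Domain: www.ttk.sh
  Type:   unauthorized
  Detail: 2606:4700:3035::ac43:85e2: Invalid response from http://www.ttk.sh/.well-known/acme-challenge/2ScBqEvqE6r_FJcHEtJ0WSZZmeFOV3-iTidV1inRL9I: 409
"""

FIELD_RE = re.compile(r"^\s*(Domain|Type|Detail):\s*(.*?)\s*$")
# "<responding ip>: Invalid response from <url>: <status>"
RESPONSE_RE = re.compile(
    r"^(?P<ip>[0-9A-Fa-f:.]+): Invalid response from (?P<url>\S+): (?P<status>\d{3})$")


def parse_report(text):
    """Return (domain, type, detail) for each problem block in certbot's report."""
    findings, current = [], {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        current[key] = value
        if key == "detail":  # Detail is the last field of a block
            findings.append((current["domain"], current["type"], current["detail"]))
            current = {}
    return findings


def is_cloudflare(ip):
    """True if the address that answered the challenge lies in Cloudflare's range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_NETS)


def classify(typ, detail):
    """Map one CA problem to an actionable category."""
    if typ == "dns" and "NXDOMAIN" in detail:
        return "no-dns-record"  # name is gone: drop it from the cert or re-add the record
    m = RESPONSE_RE.match(detail)
    if m and is_cloudflare(m.group("ip")):
        return "cloudflare-proxied"  # proxy answered, not this nginx: DNS-only or DNS-01
    if m:
        return f"http-{m.group('status')}"  # origin reachable but served the wrong answer
    return "other"


def triage(text):
    """Group failing domains by category, each list sorted."""
    groups = defaultdict(list)
    for domain, typ, detail in parse_report(text):
        groups[classify(typ, detail)].append(domain)
    return {k: sorted(v) for k, v in groups.items()}


def reissue_command(cert_name, all_domains, dropped):
    """Build the certbot command that re-issues the lineage without the dead names.

    certbot changes a lineage's domain set when `certonly --cert-name` is run
    with the new -d list; the --nginx authenticator is an assumption from the
    "authenticator: nginx" line in the report.
    """
    keep = [d for d in all_domains if d not in set(dropped)]
    return "certbot certonly --nginx --cert-name {} {}".format(
        cert_name, " ".join(f"-d {d}" for d in keep))


if __name__ == "__main__":
    groups = triage(SAMPLE_REPORT)
    for category, domains in sorted(groups.items()):
        print(f"{category}: {', '.join(domains)}")
    # Hypothetical full domain list; the real one is in the renewal conf.
    print(reissue_command("tankietanuki.com",
                          ["tankietanuki.com", "files.tankietanuki.com", "ttk.sh"],
                          groups.get("no-dns-record", [])))
```

Feed `triage()` the text of the dry-run output (or the matching section of /var/log/letsencrypt/letsencrypt.log). Names in `no-dns-record` either get their records back or get dropped with the printed `certonly --cert-name` command. Names in `cloudflare-proxied` match the two options in the reply above: turn the proxy off for those records so the challenge reaches nginx directly, or keep the proxy and stop expecting the origin to pass HTTP-01 for them (a DNS-01 challenge through certbot's dns-cloudflare plugin is a third route for that case, assumed here, not discussed in the thread).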