Let’s Encrypt unable to renew SSL certificate (SH v5.5.8)

We are having issues renewing the Let’s Encrypt SSL certificate on our server. This is the first time we have had issues; last month we upgraded from 5.4.4 to the latest version.

Any ideas on what could be the issue here?

This is the current log output:

07/02 08:12:12.309: M649-07 13:12:12.309 (+ 5541) [ProxyServer] Keystore certificate will expire on 1741150859000 (25 days)
07/02 08:12:12.434: M649-07 13:12:12.434 (+ 125) [SimpleHelpLEUtil] https://letsencrypt.org/documents/LE-SA-v1.4-April-3-2024.pdf
07/02 08:12:12.631: M649-07 13:12:12.631 (+ 197) [SimpleHelpLEUtil] Registered a new user, URL: https://acme-v02.api.letsencrypt.org/acme/acct/1********7
07/02 08:12:12.989: M649-07 13:12:12.989 (+ 358) [SimpleHelpLEUtil] Authorization for domain our-domain
07/02 08:12:12.990: M649-07 13:12:12.990 (+ 1) [LetsEncryptUtil] Creating HTTP challenge response for our-domain
07/02 08:12:12.991: M649-07 13:12:12.991 (+ 1) [LetsEncryptUtil] Writing challenge response (xxna{code}8A.bkM7{code}WaO8)
07/02 08:12:13.145: M649-07 13:12:13.145 (+ 154) [WebDownloadServer][ACME-Challenge] From (xxna{code}8A) retrieved (xxna{code}8A)
07/02 08:12:13.146: M649-07 13:12:13.146 (+ 1) [WebDownloadServer] Insecure request for /opt/SimpleHelp/configuration/sslconfig/challenges/xxna{code}8A
07/02 08:12:13.321: M649-07 13:12:13.321 (+ 175) [Peer] No peer servers configured
07/02 08:12:13.768: M649-07 13:12:13.768 (+ 447) [SecureMessengerDB] secmsg SG_-2657961746942368577 is not yet ready
07/02 08:12:13.768: M649-07 13:12:13.768 (+ 0) [Monitoring] Unable to proxy messages to remote machines x1 - SG_-2657961746942368577
07/02 08:12:16.091: M649-07 13:12:16.090 (+ 2322) [SimpleHelpLetsEncrypt] Challenge failed: server-ip: Invalid response from http://our-domain/.well-known/acme-challenge/xxna*****************************************8A: 403
07/02 08:12:16.091: M649-07 13:12:16.090 (+ 0) {“type”:“urn:ietf:params:acme:error:unauthorized”,“detail”:“server-ip: Invalid response from http://our-domain/.well-known/acme-challenge/xxna{code}8A: 403”,“status”:403}
07/02 08:12:16.091: M649-07 13:12:16.090 (+ 0) [LetsEncryptUtil] Challenged failed for server-url: null (server-ip: Invalid response from http://our-domain/.well-known/acme-challenge/xxna{code}8A: 403)
07/02 08:12:16.091: M649-07 13:12:16.090 (+ 0) org.shredzone.acme4j.exception.AcmeException: Challenge failed… Giving up.
07/02 08:12:16.091: M649-07 13:12:16.091 (+ 1) at utils.letsencrypt.SimpleHelpLetsEncryptUtil.checkChallenge(SimpleHelpLetsEncryptUtil.java:317)
07/02 08:12:16.091: M649-07 13:12:16.091 (+ 0) at utils.letsencrypt.SimpleHelpLetsEncryptUtil.checkChallenges(SimpleHelpLetsEncryptUtil.java:125)
07/02 08:12:16.091: M649-07 13:12:16.091 (+ 0) at com.aem.shelp.proxy.LetsEncryptUtil.proceedWithCertificate(LetsEncryptUtil.java:74)
07/02 08:12:16.091: M649-07 13:12:16.091 (+ 0) at com.aem.shelp.proxy.LetsEncryptUtil.requestCertificate(LetsEncryptUtil.java:136)
07/02 08:12:16.091: M649-07 13:12:16.091 (+ 0) at com.aem.shelp.proxy.tasks.LERequestTask.run(LERequestTask.java:58)
07/02 08:12:16.091: M649-07 13:12:16.091 (+ 0) at java.base/java.lang.Thread.run(Thread.java:840)

There might be some filtering on my side but it doesn’t work for me either.

Assuming it is a Linux box… use certbot to generate the files and then upload all three of them through the SimpleHelpAdmin interface.

I’ll give more details if it helps you out.

I was getting the failure message in the logs and in the Technician console under Notifications.

Going back into the Administration Settings > Network Settings > HTTPS/ SSL

I attempted to use the renew button and triggered the same failure.

I hit the “Set a SSL Certificate” button and then “Create” Let’s Encrypt Certificate.

I used Automated on Port 443 with the same domain and email as before, and the certificate renewal was successful and shows “Certificate Expires in 89 days.”

I’m not sure if it’s a program issue or something changed with Let’s Encrypt, but I’ll keep an eye on the next automated renewal.


The HTTP challenge is being blocked by the v5.5.8 changes, but as @meisnick mentioned using TLS validation (port 443) should allow the challenge to succeed.

Yes, it is a Linux box. I temporarily disabled security measures that could interfere with this, but it is still not working.

I would appreciate it if you could share details on how you did it with certbot.

Thanks.

This worked! Thanks.

I’m curious why Simple Help hasn’t implemented a DNS Challenge to obtain Let’s Encrypt certificates like we see with Nginx?

We ran into this too. SH support responded pretty quickly for them, saying to create rather than renew, and it worked.

Must be a known issue. However no issues after creating a new one.

I just wanted to add that I had the same exact issue. Creating a new cert with the same details and enabling the TLS vs port 443 renewal fixed it.
Also, I have a GeoIP filter on both inbound and outbound traffic for my SH server. This makes the renewal fail, since Let’s Encrypt started using servers across the globe a year or two ago. I just quickly remove the GeoIP filter, manually renew from within the SH Technician Admin tab, then reapply the GeoIP filtering on my firewall.

I’ve been doing it manually with the following steps. A bit of a chore, but it works.

sudo apt install certbot
sudo certbot certonly --key-type rsa --manual --preferred-challenges=dns -d yourserver.com

Download privkeyX.pem, certX.pem, and chainX.pem from /etc/letsencrypt/archive/yourserver.com/. Note that the trailing X starts at 1 and then increments every time the certificate is renewed.

Use the SimpleHelpAdmin account to upload those 3 files.
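As an added example (not from this thread or from SimpleHelp), a POSIX shell helper that selects the newest complete privkeyX.pem / certX.pem / chainX.pem set from the certbot archive directory described above, so a stale or half-written serial is not uploaded; the archive directory is passed as an assumed parameter.

```shell
#!/bin/sh
# Added example: find the highest serial X for which privkeyX.pem, certX.pem
# and chainX.pem all exist in a certbot archive directory, and print the three
# paths (one per line) ready for upload. Assumes the archive layout described
# in the post above; the directory is an argument.

latest_le_bundle() {
    dir="$1"
    best=0
    for key in "$dir"/privkey*.pem; do
        [ -e "$key" ] || continue            # glob did not match anything
        n=${key##*/privkey}                   # "3.pem"
        n=${n%.pem}                           # "3"
        case "$n" in *[!0-9]*|'') continue ;; esac   # skip non-numeric names
        # Only count a serial whose cert and chain are also present
        if [ -f "$dir/cert$n.pem" ] && [ -f "$dir/chain$n.pem" ]; then
            if [ "$n" -gt "$best" ]; then best=$n; fi
        fi
    done
    [ "$best" -gt 0 ] || return 1            # no complete bundle found
    # Defensive check: the private key should not be world-readable
    if find "$dir/privkey$best.pem" -perm -004 | grep -q .; then
        echo "warning: $dir/privkey$best.pem is world-readable" >&2
    fi
    printf '%s\n' "$dir/privkey$best.pem" "$dir/cert$best.pem" "$dir/chain$best.pem"
}

# Usage: latest_le_bundle /etc/letsencrypt/archive/yourserver.com
```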

Thanks. It worked with the other suggestions, but I will consider this if it fails next time. However, doing it this way, don’t you have to update the DNS record because the TXT entry changes?

Ya, you have to change the TXT record for the DNS challenge. I’ve had the automated system work before, but it hasn’t been reliable. I always try it first though. Glad you are up and running.

@meisnick - Thanks, that was an easy workaround. I will just do that when I get the 5-day warning that it couldn’t renew.

Confirmed this as the fix. No need for a workaround as others suggest.