After several years Let's Encrypt doesn't work

After some years I don't get a new certificate from Let's Encrypt:

My Command:
/letsencrypt/letsencrypt-auto -d MYDOMAIN --redirect -m MYEMAIL --agree-tos --renew-by-default

Your system is not supported by certbot-auto anymore.
certbot-auto and its Certbot installation will no longer receive updates.
You will not receive any bug fixes including those fixing server compatibility
or security problems.
Please visit to check for other alternatives.
/opt/ CryptographyDeprecationWarning: OpenSSL version 1.0.1 is no longer supported by the OpenSSL project, please upgrade. The next version of cryptography will drop support for it.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for MYDOMAIN
Waiting for verification...
Challenge failed for domain MYDOMAIN
http-01 challenge for MYDOMAIN
Cleaning up challenges
Some challenges have failed.


  • The following errors were reported by the server:

    Domain: MYDOMAIN
    Type: connection
    Detail: Fetching
    Error getting validation data

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you're using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

With this error message, it's only going to be possible to help you if we know your domain name.

This is usually an indication of either a networking error, or some kind of HTTP protocol error.

You can plug your domain into some testing tools like to see whether that can identify any issues, but otherwise, you will need to post your real domain name if you need help.


No problem:
My domain is: and I get the message below.
The company selfhost said that from their side everything is OK. The error must be on my side :(


Error has an A (IPv4) record ( but a request to this address over port 80 did not succeed. Your web server must have at least one working IPv4 or IPv6 address.

Get "": dial tcp connect: no route to host

@0ms: Making a request to (using initial IP
@0ms: Dialing
@92ms: Experienced error: dial tcp connect: no route to host



A test authorization for to the Let's Encrypt staging service has revealed issues that may prevent any certificate for this domain being issued.

Fetching Error getting validation data


Error is currently affected by Let's Encrypt-based rate limits (Rate Limits - Let's Encrypt). You may review certificates that have already been issued by visiting | . Please note that it is not possible to ask for a rate limit to be manually cleared.

The 'Certificates per Registered Domain' limit (50 certificates per week that share the same Registered Domain: has been exceeded. There is no way to work around this rate limit. The next non-renewal certificate for this Registered Domain should be issuable after 2022-03-17 10:58:45 +0000 UTC (53m0s from now).

That's the problem there. "No route to host" is a message commonly seen when a firewall disallows access to a port. Sometimes there are other causes.

  1. Check the IP address of your domain is correct.
  2. Check that port 80 is allowed on all firewalls.
  3. Check that your ISP does not block port 80 inbound connections.

I can't access your domain from my laptop's internet connection either, so it's not just a Let's Encrypt issue.


Confirmed. The website just doesn't work: Let's Debug


Thank you, but what can be the reason?
I didn't change anything on the FritzBox 7590 router.
Did my internet provider maybe change something?
Port 80 is open for the Raspberry, which tries to connect to the DNS.


Maybe your IPv4 address has changed.

Check if curl -4 and dig a yourdomain give the same answer.


pi@raspberrypi:/var/www/html $ curl -4
pi@raspberrypi:/var/www/html $ curl -4
curl: (7) Failed to connect to port 80: Keine Route zum Zielrechner

But Port 80 is open on FritzBox

dig, not curl.

; <<>> DiG 9.16.11 <<>> a
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2408
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

; EDNS: version: 0, flags:; udp: 512
;          IN      A

;; ANSWER SECTION:   60      IN      A

;; Query time: 83 msec
;; WHEN: Thu Mar 17 12:24:10 CET 2022
;; MSG SIZE  rcvd: 65


They're different IP addresses.


pi@raspberrypi:/var/www/html $ dig a
-bash: dig: Kommando nicht gefunden.

This is the real IP from my internet provider, read on FritzBox:

Then you should edit your A record to use it. You probably need a dynamic DNS provider.

It works if I connect to it (and your current certificate is good, don't need to renew).

~ $ openssl s_client -connect -servername -verify 5
verify depth is 5
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN =
verify return:1
Certificate chain
 0 s:CN =
   i:C = US, O = Let's Encrypt, CN = R3
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Mar  1 23:00:23 2022 GMT; NotAfter: May 30 23:00:22 2022 GMT
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep  4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jan 20 19:14:03 2021 GMT; NotAfter: Sep 30 18:14:03 2024 GMT
Server certificate
subject=CN =
issuer=C = US, O = Let's Encrypt, CN = R3
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, prime256v1, 256 bits
SSL handshake has read 4729 bytes and written 452 bytes
Verification: OK
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 598A4DF4C323D7EB07DE8E52049383B3A39EAE0525B912873417CCE960CA33C0
    Master-Key: 2E911960A34463E645A359429979297B541006A04E77DC21BAF4CDB465CED5CBC8272166D8D380BC9A591F1A08A69FDE
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:

    Start Time: 1647516531
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
~ $

I installed the DNS utils on the Raspberry with:
sudo apt-get install dnsutils

And this is the answer from dig a
The IP is not the same, so what can I do?

; <<>> DiG 9.10.3-P4-Raspbian <<>> a
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10795
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

; EDNS: version: 0, flags:; udp: 1232
; IN A


;; Query time: 40 msec
;; WHEN: Thu Mar 17 12:32:09 CET 2022
;; MSG SIZE rcvd: 65

Log in to wherever you set the DNS records for your domain, and replace the old IP with the new one.

NB: if your IP changes regularly, you really need a dynamic DNS provider. (Isn't one of them? Check their api, you probably have to add a crontab line to curl them every 5 minutes.)

is a dynamic DNS and I have a crontab on Raspberry to get update.
This is the command:
/letsencrypt/letsencrypt-auto -d --redirect -m MYEMAIL --agree-tos --renew-by-default

No idea where I can check the wrong IP address, it worked for many years.

Log in to the dynamic DNS panel. For some reason it has stopped updating.

That command is not good for a crontab. You will get rate limited. Just use certbot renew twice a day.


My DNS provider has an old IP address, that's right. But I can't set the new one.
I think this must come from the Raspberry, but it doesn't work :(

It can probably come from wherever you want. Try setting it up from scratch and maybe check any logs you can find.


I checked the logs at the DNS provider: nothing found.
Let's Debug also doesn't work.
What do you mean by scratch?

I mean set up your dynamic DNS client from the beginning: generate a new token and configure the updater on the Pi.

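
The check suggested earlier in the thread (does the domain's A record still match the host's current public IPv4 address?), written as a pre-flight script. This is an added example, not part of any post in the thread; `IP_ECHO_URL`, the function names and the sample addresses (documentation ranges) are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight check for the http-01 challenge.
# Assumptions: IP_ECHO_URL is a service of your choice that returns your public
# IPv4 address as plain text; the addresses below are constructed documentation IPs.

# Constructed sample of `dig +noall +answer A example.org` (a stale record).
SAMPLE_ANSWER='example.org.        60      IN      A       203.0.113.10'

# Print every IPv4 address found in A records on stdin (CNAME lines are skipped).
extract_a_records() {
    awk '$3 == "IN" && $4 == "A" { print $5 }'
}

# Exit 0 if the address in $1 is one of the A records read from stdin.
a_record_matches() {
    extract_a_records | grep -Fxq -- "$1"
}

# Live check: compare the current public IPv4 with the domain's A record.
# Returns 0 when they match, 1 when the record is stale, 2 when the IP lookup fails.
preflight() {
    domain=$1
    public_ip=$(curl -4 -fsS --max-time 10 "${IP_ECHO_URL:?set IP_ECHO_URL first}") || return 2
    if dig +noall +answer A "$domain" | a_record_matches "$public_ip"; then
        echo "OK: $domain resolves to $public_ip"
    else
        echo "STALE: $domain does not resolve to $public_ip; update dynamic DNS" >&2
        return 1
    fi
}

# Offline demonstration with the constructed sample: the provider has moved the
# connection to 198.51.100.7 while DNS still holds 203.0.113.10.
demo() {
    if printf '%s\n' "$SAMPLE_ANSWER" | a_record_matches 198.51.100.7; then
        echo "match"
    else
        echo "stale"
    fi
}
demo
```

Calling `preflight yourdomain` in the cron job ahead of `certbot renew` makes a stale record show up in the job's output instead of as a failed challenge.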