After several years Let's Encrypt doesn't work

Hello,
after some years I don't get a new certificate from Let's Encrypt:

My Command:
/letsencrypt/letsencrypt-auto -d MYDOMAIN --redirect -m MYEMAIL --agree-tos --renew-by-default

Text:
Your system is not supported by certbot-auto anymore.
certbot-auto and its Certbot installation will no longer receive updates.
You will not receive any bug fixes including those fixing server compatibility
or security problems.
Please visit https://certbot.eff.org/ to check for other alternatives.
/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/cryptography/hazmat/bindings/openssl/binding.py:163: CryptographyDeprecationWarning: OpenSSL version 1.0.1 is no longer supported by the OpenSSL project, please upgrade. The next version of cryptography will drop support for it.
utils.CryptographyDeprecationWarning
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for MYDOMAIN
Waiting for verification...
Challenge failed for domain MYDOMAIN
http-01 challenge for MYDOMAIN
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: MYDOMAIN
    Type: connection
    Detail: Fetching
    http://MYDOMAIN/.well-known/acme-challenge/eE6RcetfDVsw0pkAPGw7Wyq5BN24agFWk_M_RUiSygg:
    Error getting validation data

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you're using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

With this error message, it's only going to be possible to help you if we know your domain name.

This is usually an indication of either a networking error, or some kind of HTTP protocol error.

You can plug your domain into some testing tools like letsdebug.net to see whether that can identify any issues, but otherwise, you will need to post your real domain name if you need help.

4 Likes

No problem:
My domain is wojtacki.selfhost.eu and I get the message below.
The company selfhost said that from their side everything is OK. The error must be on my side :frowning:

ANotWorking

Error

wojtacki.selfhost.eu has an A (IPv4) record (185.44.200.187) but a request to this address over port 80 did not succeed. Your web server must have at least one working IPv4 or IPv6 address.

Get "http://wojtacki.selfhost.eu/.well-known/acme-challenge/letsdebug-test": dial tcp 185.44.200.187:80: connect: no route to host

Trace:
@0ms: Making a request to http://wojtacki.selfhost.eu/.well-known/acme-challenge/letsdebug-test (using initial IP 185.44.200.187)
@0ms: Dialing 185.44.200.187
@92ms: Experienced error: dial tcp 185.44.200.187:80: connect: no route to host

IssueFromLetsEncrypt

Error

A test authorization for wojtacki.selfhost.eu to the Let's Encrypt staging service has revealed issues that may prevent any certificate for this domain being issued.

Fetching http://wojtacki.selfhost.eu/.well-known/acme-challenge/qUhVnSHP_m7BoQY2vMxFkwR4o1iK5M4e-HSclSkGT04: Error getting validation data

RateLimit

Error

wojtacki.selfhost.eu is currently affected by Let's Encrypt-based rate limits (Rate Limits - Let's Encrypt). You may review certificates that have already been issued by visiting crt.sh | %selfhost.eu . Please note that it is not possible to ask for a rate limit to be manually cleared.

The 'Certificates per Registered Domain' limit (50 certificates per week that share the same Registered Domain: selfhost.eu) has been exceeded. There is no way to work around this rate limit. The next non-renewal certificate for this Registered Domain should be issuable after 2022-03-17 10:58:45 +0000 UTC (53m0s from now).

That's the problem there. "No route to host" is a message commonly seen when a firewall disallows access to a port. Sometimes there are other causes.

  1. Check the IP address of your domain is correct.
  2. Check that port 80 is allowed on all firewalls.
  3. Check that your ISP does not block port 80 inbound connections.

I can't access your domain from my laptop's internet connection either, so it's not just a Let's Encrypt issue.

3 Likes

Confirmed. The website just doesn't work: Let's Debug

3 Likes

Thank you, but what can be the reason?
I didn't change anything on the FritzBox 7590 router.
Did my internet provider maybe change something?
Port 80 is open for the Raspberry, which tries to connect to DNS.

1 Like

Maybe, your IPv4 address has changed.

Check if curl -4 ifconfig.co and dig a yourdomain give the same answer.

1 Like
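A script that automates the check suggested in the post above (and the port-80 item of the earlier checklist), as an added example that is not from the thread. The function names `parse_dig_a`, `ip_status`, `describe_status` and `main` are chosen here; it assumes curl and dig (package dnsutils) are installed and that ifconfig.co and 8.8.8.8 are reachable. The hostname from the thread appears only in the usage comment.

```shell
#!/bin/sh
# Added example, not code from the thread. It automates the check proposed
# in the discussion: the public IPv4 address of this machine (curl -4
# ifconfig.co) must equal the A record that public DNS returns for the
# hostname, and port 80 must accept connections from outside for the
# http-01 challenge to succeed.
# Assumptions: curl and dig (package dnsutils) are installed; ifconfig.co
# and 8.8.8.8 are reachable.

# Print the IPv4 addresses found in dig output read from stdin. Handles both
# the full answer-section format ("name TTL IN A ip") and `dig +short` lines.
parse_dig_a() {
    awk 'NF == 1 && $1 ~ /^[0-9.]+$/ { print $1; next }
         $3 == "IN" && $4 == "A"     { print $5 }'
}

# Exit status: 0 = public IP is among the DNS answers, 1 = DNS is stale,
# 2 = one of the values is missing (a lookup failed).
ip_status() {
    public_ip="$1"
    dns_ips="$2"
    [ -n "$public_ip" ] && [ -n "$dns_ips" ] || return 2
    for ip in $dns_ips; do
        [ "$ip" = "$public_ip" ] && return 0
    done
    return 1
}

# One-line verdict for the comparison; used by main and callable on its own.
describe_status() {
    rc=0
    ip_status "$1" "$2" || rc=$?
    case $rc in
        0) echo "OK: DNS A record matches public IP $1" ;;
        1) echo "STALE: DNS answers '$2' but public IP is $1 (dynamic DNS updater not running?)" ;;
        *) echo "UNKNOWN: could not determine public IP or DNS answer" ;;
    esac
}

# Live check: resolve, compare, then probe port 80 from this machine's side.
main() {
    host="$1"
    public_ip="$(curl -4 -s ifconfig.co)"
    dns_ips="$(dig +short a "$host" @8.8.8.8 | parse_dig_a | tr '\n' ' ')"
    dns_ips="${dns_ips% }"
    describe_status "$public_ip" "$dns_ips"
    # Without -f, curl returns 0 for any HTTP answer (a 404 is fine); a
    # "no route to host" or refused connection is the same exit 7 seen in
    # the thread and means the validation server cannot reach you either.
    if curl -4 -s -m 10 -o /dev/null "http://$host/.well-known/acme-challenge/probe-does-not-exist"; then
        echo "port 80 on $host is reachable (HTTP answered)"
    else
        echo "port 80 on $host is NOT reachable from here"
    fi
}

# Run the live check only when a hostname is given:
#   sh check_dns.sh wojtacki.selfhost.eu
if [ $# -gt 0 ]; then
    main "$1"
fi
```

Running it from cron a few minutes after the dynamic DNS updater is due gives an early warning when the A record stops following the public address; the renewal itself should then be a separate `certbot renew` job, not the issuance command.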

pi@raspberrypi:/var/www/html $ curl -4 ifconfig.co
185.119.35.149
pi@raspberrypi:/var/www/html $ curl -4 wojtacki.selfhost.eu
curl: (7) Failed to connect to wojtacki.selfhost.eu port 80: Keine Route zum Zielrechner

But port 80 is open on the FritzBox.

dig, not curl.


; <<>> DiG 9.16.11 <<>> a wojtacki.selfhost.eu
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2408
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;wojtacki.selfhost.eu.          IN      A

;; ANSWER SECTION:
wojtacki.selfhost.eu.   60      IN      A       185.44.200.187

;; Query time: 83 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Mar 17 12:24:10 CET 2022
;; MSG SIZE  rcvd: 65


They're different IP addresses.

2 Likes

pi@raspberrypi:/var/www/html $ dig a wojtacki.selfhost.eu
-bash: dig: Kommando nicht gefunden.

This is the real IP from my internet provider, read from the FritzBox:
185.119.35.149

Then you should edit your A record to use it. You probably need a dynamic DNS provider.

It works if I connect to it (and your current certificate is good, no need to renew).

~ $ openssl s_client -connect 185.119.35.149:443 -servername wojtacki.selfhost.eu -verify 5
verify depth is 5
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = wojtacki.selfhost.eu
verify return:1
---
Certificate chain
 0 s:CN = wojtacki.selfhost.eu
   i:C = US, O = Let's Encrypt, CN = R3
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Mar  1 23:00:23 2022 GMT; NotAfter: May 30 23:00:22 2022 GMT
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep  4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jan 20 19:14:03 2021 GMT; NotAfter: Sep 30 18:14:03 2024 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=CN = wojtacki.selfhost.eu
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 4729 bytes and written 452 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 598A4DF4C323D7EB07DE8E52049383B3A39EAE0525B912873417CCE960CA33C0
    Session-ID-ctx:
    Master-Key: 2E911960A34463E645A359429979297B541006A04E77DC21BAF4CDB465CED5CBC8272166D8D380BC9A591F1A08A69FDE
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 7f 16 b6 f2 ef c8 65 f5-9b b9 f2 aa f3 cc 76 b2   ......e.......v.
    0010 - a2 f0 81 21 b1 38 e4 37-3d 21 39 3f e4 45 3e 4d   ...!.8.7=!9?.E>M
    0020 - 09 51 c9 d4 a2 72 d1 a2-57 b9 78 bd 05 29 6f fd   .Q...r..W.x..)o.
    0030 - 8f cb e5 16 1c 44 0f 96-7a 4c 77 6c 6c 55 65 17   .....D..zLwllUe.
    0040 - 30 3d 34 c7 2e a7 8b 80-c2 fa 83 33 49 bc 76 bb   0=4........3I.v.
    0050 - 5e e6 0c c6 d1 83 7e 15-85 17 7e a2 ab 4c b1 d7   ^.....~...~..L..
    0060 - 05 41 cc 48 aa cb 06 67-e7 7c da 3e d3 3e 7a af   .A.H...g.|.>.>z.
    0070 - 0f 9d 4e 7c 6e 50 3f 2b-b2 e1 f1 dd ae f6 98 bb   ..N|nP?+........
    0080 - 41 25 76 94 6c db 0a 81-e9 26 ce 4d 93 07 0d 4c   A%v.l....&.M...L
    0090 - 7a 44 a5 55 65 a2 7c 8f-4c 26 d3 06 e9 e7 04 8c   zD.Ue.|.L&......
    00a0 - 2a 0d a4 32 4e a8 d6 2e-26 6b c3 ef f3 df ea bc   *..2N...&k......
    00b0 - 41 6f 0e 86 a7 09 64 b7-43 ed 78 a6 a9 33 3b 57   Ao....d.C.x..3;W
    00c0 - e6 e8 71 4f 22 e9 cf ff-24 26 ff fb b5 43 90 5b   ..qO"...$&...C.[

    Start Time: 1647516531
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---
DONE
~ $
3 Likes

I installed dnsutils on the Raspberry with:
sudo apt-get install dnsutils

And this is the answer from dig a wojtacki.selfhost.eu
The IP is not the same, so what can I do?

; <<>> DiG 9.10.3-P4-Raspbian <<>> a wojtacki.selfhost.eu
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10795
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;wojtacki.selfhost.eu. IN A

;; ANSWER SECTION:
wojtacki.selfhost.eu. 6 IN A 185.44.200.187

;; Query time: 40 msec
;; SERVER: 192.168.178.1#53(192.168.178.1)
;; WHEN: Thu Mar 17 12:32:09 CET 2022
;; MSG SIZE rcvd: 65

Login to wherever you set the DNS records for your domain, and replace the old IP with the new one.

NB: if your IP changes regularly, you really need a dynamic DNS provider. (Isn't selfhosted.eu one of them? Check their api, you probably have to add a crontab line to curl them every 5 minutes.)

1 Like

wojtacki.selfhost.eu is a dynamic DNS and I have a crontab on the Raspberry to get updates.
This is the command:
/letsencrypt/letsencrypt-auto -d wojtacki.selfhost.eu --redirect -m MYEMAIL --agree-tos --renew-by-default

No idea where I can check the wrong IP address; it worked for many years.

Log in to the dynamic DNS panel. For some reason it has stopped updating.

That command is not good for a crontab. You will get ratelimited. Just use certbot renew twice a day.

1 Like

My DNS provider has an old IP address, that's right. But I can't set the new one.
I think this must come from the Raspberry, but it doesn't work :frowning:

It can probably come from wherever you want. Try setting it up from scratch and maybe check any logs you can find.

1 Like

I checked the logs at the DNS provider: nothing found.
Let's Debug also doesn't work.
What do you mean by 'scratch'?

I mean set up your dynamic DNS client from the beginning: generate a new token and configure the updater on the Pi.

1 Like