All simulated renewals failed. The following certificates could not be renewed: /etc/letsencrypt/live/jeedom.kuchta.fr/fullchain.pem (failure)

Hello!

I am unable to renew my certificate.
I have read a lot of things about access to the challenge and about Certbot not being able to access it, so it cannot renew.

But I really don't understand what I have to do to solve this problem. I think it is about an alias... But where and how...?

My domain is:
jeedom.kuchta.fr

I ran this command:
sudo certbot run -a webroot -i apache -w /var/www/html -d jeedom.kuchta.fr --debug-challenges

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewing an existing certificate for jeedom.kuchta.fr

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Challenges loaded. Press continue to submit to CA.
Pass "-v" for more info about challenges.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: jeedom.kuchta.fr
  Type:   connection
  Detail: 90.89.196.72: Fetching http://jeedom.kuchta.fr/.well-known/acme-challenge/srXDq9SOh1D8CPDYPWKtbvL8Z3mJvvU2XsAeVV2TdRQ: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):

Server version: Apache/2.4.38 (Debian)
Server built:   2021-12-21T16:50:43

The operating system my web server runs on is (include version):

PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=debian
  Operating System: Debian GNU/Linux 10 (buster)
            Kernel: Linux 5.10.103-v8+
      Architecture: arm64

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.27.0

Thank you very much!!!

Fabrice

You are using http validation but your firewall is blocking tcp port 80 (http) or Apache is not listening for http (port 80). Let's Encrypt can't check your domain if you block/disable TCP port 80.
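The "Type/Detail" block in the question is what the CA reports back through Certbot, and the timeout there is the whole diagnosis. As an added example (not from the original thread or from the Certbot project), this small triage script parses that failure report and maps each reported problem to the next check an admin should make; the only sample input is the output quoted in the question, and the extra categories beyond "Timeout during connect" are assumptions about other common Certbot failure messages.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: the failure report copied from the post above.
SAMPLE_OUTPUT = """\
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: jeedom.kuchta.fr
  Type:   connection
  Detail: 90.89.196.72: Fetching http://jeedom.kuchta.fr/.well-known/acme-challenge/srXDq9SOh1D8CPDYPWKtbvL8Z3mJvvU2XsAeVV2TdRQ: Timeout during connect (likely firewall problem)
"""


@dataclass
class AuthFailure:
    domain: str
    kind: str    # the "Type:" field (connection, unauthorized, dns, ...)
    detail: str  # the "Detail:" field, as reported by the CA


def parse_failures(output: str) -> List[AuthFailure]:
    """Extract every Domain/Type/Detail triple from Certbot's failure report."""
    failures: List[AuthFailure] = []
    current: Dict[str, str] = {}
    for line in output.splitlines():
        m = re.match(r"\s+(Domain|Type|Detail):\s*(.*)$", line)
        if not m:
            continue
        current[m.group(1).lower()] = m.group(2).strip()
        if "detail" in current:  # "Detail:" closes one problem block
            failures.append(AuthFailure(current["domain"], current["type"], current["detail"]))
            current = {}
    return failures


def diagnose(f: AuthFailure) -> str:
    """Map a reported problem to the thing to check next. The message patterns other
    than the connect timeout are assumptions about typical Certbot output."""
    d = f.detail.lower()
    if f.kind == "connection" and "timeout during connect" in d:
        # This thread's case: the validator outside the LAN never reaches TCP/80.
        # Test from outside (e.g. mobile data), not from the server itself.
        return "port-80-unreachable-from-internet"
    if f.kind == "connection" and "connection refused" in d:
        return "nothing-listening-on-port-80"
    if f.kind == "unauthorized" and "invalid response" in d:
        return "challenge-file-not-served-from-webroot"
    if f.kind == "dns":
        return "dns-lookup-failed"
    return "unknown"


def triage(output: str) -> Dict[str, str]:
    """Return {domain: diagnosis} for every failure in a Certbot report."""
    return {f.domain: diagnose(f) for f in parse_failures(output)}
```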


Hey!

I thank you for this answer.
I have to check this, you're right.
I have not changed anything on the router in years, but something must have crashed on it and is blocking HTTP.
I'll see to that as soon as possible.
Thank you again, I really did not even think of this...!!

Fabrice


No problem, for info this is the result I get from Australia if trying to use curl:

curl http://jeedom.kuchta.fr
curl: (28) Failed to connect to jeedom.kuchta.fr port 80: Connection timed out

You're completely right, I did it as soon as I saw your previous message...
Sometimes, the simple way is the best way...


But I still have a doubt, in fact.
From the system on which I run certbot, I can access it:
curl http://jeedom.kuchta.fr/

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="https://jeedom.kuchta.fr/">here</a>.</p>
</body></html>

or:
curl -I http://jeedom.kuchta.fr/

HTTP/1.1 302 Found
Date: Mon, 23 May 2022 09:25:09 GMT
Server: Apache/2.4.38 (Debian) OpenSSL/1.1.1n
Location: https://jeedom.kuchta.fr/
Content-Type: text/html; charset=iso-8859-1

Is HTTP access necessary from an external source?

It is blocked from all external sources only.

Yes, Let's Encrypt are external to your organisation and can only see your public website. You can access this site because you are behind your own firewall. If you try the same from your phone using mobile data (not wifi) you will find that you also cannot connect.

If you do need to block port 80 at the firewall then you would have to change to use either DNS validation or tls-alpn-01, which is more complicated.


You obviously changed something.
HTTP authentication requires HTTP access.


Yes, thanks! I'll modify my router to accept external HTTP access (but I do not remember changing it... I'll see this night, I'm not at home and cannot access the router from outside).
Can you please explain how to do DNS validation with certbot? Or point me to a webpage which explains it, please?

I really don't know. I changed the router (in fact, the operator did it) but all the configuration has been recovered. Obviously, they certainly changed something. I'll see to it this night (not at home and cannot access the router from outside).
Thank you!


FYI, trying this webpage with a TXT DNS record:

This webpage worked perfectly to set the challenge via DNS, and it is very nice to get a certificate and set up the auto-renew.

(worked nicely on basic Debian too)


There are a few issues with that community how-to:


Okay, thank you!
