I have been renewing my certificate with letsencrypt for some time without a problem on my ubuntu 10.04 server on a consumer internet connection using dynamic dns. I have renewed the certificate 4 or 5 times with no problem. All of a sudden it is failing with the following message.
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
This all works because I can get to my web site when I am away from home.
If you’re using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
This is running on a consumer internet connection where port 80 is blocked. I have been using it for decades. Try https://stevesullam.com or, if you insist, use https://22.214.171.124. It works from the Tor browser for me.
Thank you for this last reply, which was informative. It sounds like letsencrypt just made this change, because the method I was using had worked as recently as August.
Is there any chance you would be able to direct me to a link for people who are trying to solve my problem? Thanks!
Unfortunately, the list of ACME clients which support tls-alpn-01 is rather limited at the moment (in particular, certbot does not yet support it), and configuring the web server to respond to a tls-alpn-01 challenge may require server software changes or upgrades.
I found the solution, which was really simple and just worked. It was just a matter of updating and discontinuing use of the certbot-auto script.
apt install python-certbot-apache
This worked on Ubuntu 10.04 32-bit for whoever else is running it on that.
I just ran it with the --dry-run option, since it is already up to date, and it ran with the tls-sni-01 option, which is supposed to stop working?
The tls-sni-01 challenge was deprecated since January, but only recently Certbot started preferring the http-01 challenge for renewals instead of tls-sni-01. By installing from the repo for 10.04 rather than certbot-auto, you probably got an old version that hadn’t made that change yet (note that Ubuntu 10.04 has reached its end of life and no longer receives updates). You could alternatively have forced certbot-auto to use tls-sni-01 using the --preferred-challenges option. But either way, that’s only a temporary solution - you will still need to switch to one of the other challenges before 13 February 2019, as the CA will stop supporting tls-sni-01 entirely at that point. You should really also consider updating to a supported version of Ubuntu.
If you can’t open port 80, you have two options: switch to a client that supports tls-alpn-01 as @sigprof suggested, or use DNS validation.
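One practical check that follows from the advice above (an added example, not from any poster in this thread): walk Certbot's renewal configs and flag any whose recorded challenge preference is still tls-sni-01, so you can see which renewals will break once the CA stops supporting it. It assumes Certbot's usual layout, /etc/letsencrypt/renewal/NAME.conf with a `pref_challs` key written as a comma-separated list such as "tls-sni-01,"; the sample configs at the bottom are constructed so the script runs offline.

```shell
#!/bin/sh
# Report the preferred ACME challenge recorded in each Certbot renewal config.
# Prints "NAME CHALLENGES STATUS"; STATUS is "deprecated" when tls-sni-01 is
# listed, "ok" for http-01 / dns-01 / tls-alpn-01, and "default" when no
# preference is recorded (the installed Certbot then decides at renewal time).
# Returns 1 when the config still relies on tls-sni-01.
check_renewal_conf() {
    conf="$1"
    name=$(basename "$conf" .conf)
    # Value after "pref_challs =", without spaces or the trailing comma
    # (assumed format, as Certbot writes it in [renewalparams]).
    challs=$(sed -n 's/^pref_challs *= *//p' "$conf" | tr -d ' ' | sed 's/,$//')
    if [ -z "$challs" ]; then
        echo "$name (none) default"
        return 0
    fi
    status=ok
    case ",$challs," in
        *,tls-sni-01,*) status=deprecated ;;
    esac
    echo "$name $challs $status"
    [ "$status" != deprecated ]
}

# Check every *.conf in a renewal directory (default: Certbot's own);
# exit status 1 if any renewal still prefers tls-sni-01.
check_renewal_dir() {
    dir="${1:-/etc/letsencrypt/renewal}"
    rc=0
    for f in "$dir"/*.conf; do
        [ -e "$f" ] || continue
        check_renewal_conf "$f" || rc=1
    done
    return $rc
}

# Constructed sample configs so the check can be tried without a real install.
demo() {
    tmp=$(mktemp -d)
    printf '[renewalparams]\nauthenticator = apache\npref_challs = tls-sni-01,\n' > "$tmp/old.example.conf"
    printf '[renewalparams]\nauthenticator = manual\npref_challs = dns-01,\n' > "$tmp/new.example.conf"
    check_renewal_dir "$tmp" || echo "some renewals still rely on tls-sni-01"
    rm -rf "$tmp"
}

demo
```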
TBH, this is a test home server. I virtualized it and tried upgrading it twice, and everything broke, and I don’t have the time and energy to work out all the problems in order to upgrade it. In addition to that, it is running on a 32-bit system, which Ubuntu will be discontinuing support for in future distributions.
I tested it using the manual option with DNS validation, and that also seemed to work.
I am kind of liking this forum. My ability to edit the last post must have expired, because I meant to edit it rather than reply to it like this. I meant to say that I tested out updating the cert manually using DNS validation, and that worked too for now. I suppose that won’t work after February. I wonder what other options I will have besides upgrading the server to update the cert.