Cannot renew cert, http-01 challenge is failing

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: directory.eastern.edu

I ran this command: A bunch of them. sudo certbot renew, sudo certbot --apache renew, sudo certbot renew --force-renewal, sudo certbot renew --cert-name example.com --preferred-challenges dns (this last one fails because a plugin is missing)

It produced this output: Some challenges failed . . . (might be a firewall issue)

My web server is (include version): Apache 2.4

The operating system my web server runs on is (include version): CentOS 7

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.11.0

The CentOS web server is a VM. My network team swears up and down there is nothing wrong with the f/w. Apache config file is configured to forward from http to https. directory.eastern.edu is a CNAME pointed at the web server's A record in DNS. Also set up Certbot with 'Snap', but Snap doesn't know what Certbot means.

1 Like

Your port 80 is closed and an HTTP challenge must start there. I can reach your server on port 443 (HTTPS) but not port 80 (HTTP). Here is what Let's Encrypt has to say about port 80. If you cannot use HTTP challenge you could use DNS instead although it is often more difficult.

As an aside, using --force-renewal does not ignore problems and often causes problems with Rate Limits. You should avoid using it. A certbot renew --dry-run is a good testing mechanism once you have a cert issued.

5 Likes
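The reply above comes down to one check: can an outside client complete a TCP handshake to the host on port 80, which is where an HTTP-01 validation starts. Below is an added pre-flight script that performs that probe and maps the result to the advice in the thread; it is not code from the thread or from Certbot. The host name is the one from the original post; the function names, verdict strings and the local self-test listener are constructed for this example. Run it from a machine outside the firewall, since a probe from the web server itself can succeed even when the perimeter rule is wrong.

```python
"""Pre-flight probe for an HTTP-01 renewal: is the host reachable on TCP/80?

Added example, not part of the thread. Only the host name comes from the
original post; everything else here is constructed for illustration.
"""
import socket

HTTP_PORT = 80
HTTPS_PORT = 443
DOMAIN = "directory.eastern.edu"  # from the thread


def tcp_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP handshake to host:port completes within timeout.

    DNS failures raise socket.gaierror, a subclass of OSError, so an
    unresolvable name is reported as 'closed' rather than crashing.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def diagnose(http_open: bool, https_open: bool) -> str:
    """Map the two probe results to the situations discussed in the thread."""
    if http_open:
        return "port 80 reachable: HTTP-01 can proceed; test with 'certbot renew --dry-run'"
    if https_open:
        # The case in the thread: 443 answered, 80 did not, so the HTTP
        # firewall rule is missing or forwards to the wrong TCP port.
        return ("port 80 closed but 443 open: the firewall/NAT rule for HTTP is "
                "missing or points at the wrong port; HTTP-01 cannot succeed")
    return "neither 80 nor 443 reachable: host, DNS or firewall problem"


def preflight(host: str = DOMAIN) -> str:
    """Probe both ports from this vantage point and return the verdict."""
    return diagnose(tcp_open(host, HTTP_PORT), tcp_open(host, HTTPS_PORT))


def self_test_open_port() -> bool:
    """Probe a throwaway listener on 127.0.0.1; a listening socket completes
    the handshake even before accept(), so this must report True."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        port = srv.getsockname()[1]
        return tcp_open("127.0.0.1", port, timeout=1.0)
    finally:
        srv.close()


def self_test_closed_port() -> bool:
    """Reserve an ephemeral port, release it, then probe it: must report False."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    port = srv.getsockname()[1]
    srv.close()
    return tcp_open("127.0.0.1", port, timeout=1.0)


if __name__ == "__main__":
    # Offline sanity checks of the probe, then the real verdict for the domain.
    print("self-test open  :", self_test_open_port())
    print("self-test closed:", self_test_closed_port())
    print(preflight())
```

A True/False pair from the two probes is only meaningful from outside the network: Let's Encrypt's validators connect from the public Internet, so that is the vantage point the firewall rule has to satisfy. An HTTP-to-HTTPS redirect on port 80 is fine for HTTP-01 as long as port 80 actually answers; the validation request has to reach the server on 80 before any redirect can be followed.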

Thank you for the speedy response. As you said, our Port 80 was closed. Furthermore, the f/w rule for HTTP was mis-configured -- pointed at the wrong TCP port. Fixed the HTTP rule on our firewall, and now our web server is available on port 80, and Certbot works correctly. Thank you very much for your assistance!

5 Likes