Cannot Renew Cert

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: cider123.duckdns.org

I ran this command: certbot renew

It produced this output:

peter@cider123:~$ sudo certbot renew
[sudo] password for peter:
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/cider123.duckdns.org.conf


Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for cider123.duckdns.org
Using the webroot path /usr/share/jitsi-meet for all unmatched domains.
Waiting for verification...
Challenge failed for domain cider123.duckdns.org
http-01 challenge for cider123.duckdns.org
Cleaning up challenges
Attempting to renew cert (cider123.duckdns.org) from /etc/letsencrypt/renewal/cider123.duckdns.org.conf produced an unexpected error: Some challenges have failed.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/cider123.duckdns.org/fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/cider123.duckdns.org/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: cider123.duckdns.org
    Type: connection
    Detail: 78.33.99.154: Fetching http://cider123.duckdns.org/.well-known/acme-challenge/JBEIC1arWWPRXMcYV3vPPZwFhBjjYxVPmcCqoCcGe8U: Timeout during connect (likely firewall problem)

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
peter@cider123:~$

My web server is (include version): nginx

peter@cider123:~$ systemctl status nginx
● nginx.service - A high performance web server and a reverse proxy server
     Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
     Active: active (running) since Fri 2022-04-29 13:07:54 UTC; 4h 57min ago
       Docs: man:nginx(8)
   Main PID: 1124 (nginx)
      Tasks: 5 (limit: 9309)
     Memory: 11.8M
     CGroup: /system.slice/nginx.service
             ├─1124 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
             ├─1125 nginx: worker process
             ├─1126 nginx: worker process
             ├─1127 nginx: worker process
             └─1128 nginx: worker process

Apr 29 13:07:43 cider123.duckdns.org systemd[1]: Starting A high performance web server and a reverse proxy server...
Apr 29 13:07:54 cider123.duckdns.org systemd[1]: Started A high performance web server and a reverse proxy server.
peter@cider123:~$

The operating system my web server runs on is (include version):

Ubuntu 20.04 LTS

My hosting provider, if applicable, is:
N/A, running on a PC occasionally for private Jitsi meetings

I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
Not sure, but the OS was updated two days ago.
I get no errors when trying to open the Jitsi webpage; the browser just remains frozen.
I installed Let's Encrypt via the Jitsi install about 18 months ago and it was working fine.
I changed my ISP 3 months ago and changed the IP on DuckDNS, but did not change any Let's Encrypt config, and I am not sure if the problem started with the ISP change or with a large update about one week ago.
I would be grateful if you can help, as the cert is about to expire (I think).

Thanks

I forgot to mention the firewall is OK for all required ports and the ISP confirmed they had none blocked

Thanks

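A pre-flight check for the situation in this first post, as an added example that is not part of the thread and not Certbot's own code: before running `certbot renew`, drop a throwaway token into the webroot Certbot reported (/usr/share/jitsi-meet) and fetch it over plain HTTP at the public name, exactly the way the CA will. The probe URL, the token body and the local stand-in server used by `selftest()` are assumptions; only the domain and webroot path come from the thread.

```python
"""HTTP-01 pre-flight probe: prove that /.well-known/acme-challenge/<token>
is really served at the public name before asking the CA to check it.

Added example, not code from the thread or from Certbot. Only the webroot
(/usr/share/jitsi-meet) and the domain come from the thread; the probe URL,
token body and the local self-test server are assumptions."""
import functools
import http.server
import os
import secrets
import socket
import sys
import tempfile
import threading
import urllib.error
import urllib.request

CHALLENGE_PATH = ".well-known/acme-challenge"   # the path the CA requests


def make_token() -> str:
    """Random base64url token, same shape as a real ACME challenge token."""
    return secrets.token_urlsafe(32)


def write_challenge(webroot: str, token: str, body: str) -> str:
    """Put the file where certbot's webroot plugin would put it."""
    d = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(d, exist_ok=True)
    path = os.path.join(d, token)
    with open(path, "w") as f:
        f.write(body)
    os.chmod(path, 0o644)          # the nginx worker must be able to read it
    return path


def fetch(url: str, timeout: float = 10.0):
    """Return (http_status, body). Status 0 means the TCP connection itself
    failed, which is the 'Timeout during connect' class seen in the thread."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as r:
            return r.status, r.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, str(e)
    except (urllib.error.URLError, OSError) as e:
        return 0, f"connect failure: {e}"


def probe(webroot: str, base_url: str, timeout: float = 10.0) -> dict:
    """Write a token, fetch it through the web server, clean up, report."""
    token = make_token()
    expected = f"probe-{token}"
    path = write_challenge(webroot, token, expected)
    try:
        status, body = fetch(f"{base_url}/{CHALLENGE_PATH}/{token}", timeout)
    finally:
        os.remove(path)
    ok = status == 200 and body.strip() == expected
    return {"status": status, "ok": ok, "detail": "" if ok else body}


class _Quiet(http.server.SimpleHTTPRequestHandler):
    def log_message(self, *args):   # keep the self-test output clean
        pass


def start_local_server(directory: str):
    """Stand-in for nginx on 127.0.0.1 so the probe can be exercised offline."""
    handler = functools.partial(_Quiet, directory=directory)
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def selftest() -> dict:
    """Three cases: right webroot, wrong webroot (404), nothing listening (0)."""
    good, wrong = tempfile.mkdtemp(), tempfile.mkdtemp()
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    dead_port = s.getsockname()[1]   # a port with nothing listening on it
    s.close()
    srv, base = start_local_server(good)
    try:
        served = probe(good, base)["ok"]
        wrong_webroot = probe(wrong, base)["status"]
        nothing = probe(good, f"http://127.0.0.1:{dead_port}", timeout=3)["status"]
    finally:
        srv.shutdown()
    return {"served": served, "wrong_webroot": wrong_webroot, "nothing": nothing}


if __name__ == "__main__":
    domain = sys.argv[1] if len(sys.argv) > 1 else "cider123.duckdns.org"
    webroot = sys.argv[2] if len(sys.argv) > 2 else "/usr/share/jitsi-meet"
    try:
        ips = sorted({ai[4][0] for ai in socket.getaddrinfo(domain, 80, socket.AF_INET)})
        print("DNS A record(s):", ips)   # compare with the router's WAN address
    except socket.gaierror as e:
        print("DNS lookup failed:", e)
    print(probe(webroot, f"http://{domain}"))
```

Run it from a machine outside your LAN (a phone on mobile data, a VPS) rather than from the server itself: from inside the LAN a hairpin-NAT or /etc/hosts shortcut can make the probe pass while the CA, coming from the public internet, still times out on port 80. A status of 0 points at routing, port forwarding or a firewall; a 404 points at the wrong webroot or wrong nginx server block; a 200 with the right body means the remaining risk is on the CA side only.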

The IP address 78.33.99.154, is that really the IP address of your own connection? Because when I check the IP address with whois, I'm seeing:

inetnum: 78.33.99.0 - 78.33.99.255
netname: ENTANET-ADSL
descr: ADSL endpoints NAT conections only

Bold added by me. And that bold part sounds like you might be behind carrier grade NAT?

Also, I can't connect to that IP address either, not on port 21, 22, 25, 80, 443, 110 or 143 (common ports).


Hi,
I just checked on my router and on the network page it does show 78.33.99.154 but I do not have it running at the moment.
If you want me to put it on for a couple of hours tomorrow I can do it (UK British Summer Time).

I think the name is the company used by my ISP, Aquiss.com.

There's nothing listening on the 1000 most common TCP ports:

% nmap 78.33.99.154
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-02 01:05 CEST
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.09 seconds
% nmap 78.33.99.154 -Pn
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-02 01:06 CEST
Nmap scan report for 78-33-99-154.static.aquiss.com (78.33.99.154)
Host is up.
All 1000 scanned ports on 78-33-99-154.static.aquiss.com (78.33.99.154) are in ignored states.
Not shown: 1000 filtered tcp ports (no-response)

Nmap done: 1 IP address (1 host up) scanned in 201.65 seconds

Is this something that won't generally be left running?
Do you expect the same IP every time it is started?


Yes it is generally not running and I have a static IP address.

I have only used nmap for basic use a few times but will do some reading and do some tests!

I am not sure the time zones of others but will put it on in the next few minutes and leave it for a few hours if anyone else would like to check it.
Thanks


I don't see any open ports.
Do you have any logs that show anything reaching you?


As you say, something has now changed: I cannot ping any port, but I could a couple of days ago!
I may have now done something silly and need to check.
I just checked to see if the webserver was running and it was:
peter@cider123:~$ systemctl status nginx
● nginx.service - A high performance web server and a reverse proxy server
     Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
     Active: active (running) since Mon 2022-05-02 08:11:35 UTC; 1h 10min ago
       Docs: man:nginx(8)
   Main PID: 1135 (nginx)
      Tasks: 5 (limit: 9309)
     Memory: 11.5M
     CGroup: /system.slice/nginx.service
             ├─1135 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
             ├─1136 nginx: worker process
             ├─1137 nginx: worker process
             ├─1138 nginx: worker process
             └─1139 nginx: worker process

May 02 08:11:22 cider123.duckdns.org systemd[1]: Starting A high performance web server and a reverse proxy server...
May 02 08:11:35 cider123.duckdns.org systemd[1]: Started A high performance web server and a reverse proxy server.

I can SSH into it but have always had problems showing logs!
Could you tell me which ones I should be searching and I'll have a go, but ATM nothing is working, so I think it is something very basic now.
I will be a bit busy for the next 2 hours so apologies if I don't get back immediately.
Peter H

root@ip-xxx-xx-xxx-x:/home/bitnami# certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/support.ayscom.com.conf


Renewing an existing certificate for support.ayscom.com
Failed to renew certificate support.ayscom.com with error: Could not bind TCP port 80 because it is already in use by another process on this system (such as a web server). Please stop the program in question and then try again.


All renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/support.ayscom.com/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

@rey439 Please open a new thread instead of posting in someone else's. When you start a new thread, you're presented with a mandatory questionnaire. Please answer all the questions to the best of your knowledge.


I have not had much time to investigate further, but I am still not sure how Ubuntu Server, the Jitsi server and Let's Encrypt work together and would appreciate some help, as I was referred from the Jitsi forum but (to me) it looks like it's a Jitsi problem.

I installed Ubuntu 20.04 LTS and then installed the Jitsi server. Does this mean the server is now Jitsi and I should only be looking at Jitsi if I cannot see the webpage?

I read advice on the Jitsi forum that a complete re-install of both Ubuntu and Jitsi is recommended for problems like mine.

If I do a re-install of just Ubuntu, could I then update the certificate via Let's Encrypt before installing Jitsi, or is the certificate somehow tied into the Jitsi server!?
Thanks
Pete H


Yes, certificates can be obtained in several ways and even well before anything is ready to use them.


OK thanks I will have another look later this week and will do that if I cannot find anything simple (for me)!


Apologies, it was the firewall!
I was just about to re-install everything, found some scripts to check logs easily and found the services were OK, but then realized I had never had Jitsi working since I changed ISP, but forgot I had to change my router, as my old service was full fibre (Virgin Media) and the new one is VDSL!
I configured port forwarding, SSH'd into the server and did a "certbot renew" and it renewed; I then opened a remote browser and can now get the Jitsi page.
I only had the problem because I had to change the router, which I had not touched for years, and forgot how it was set up!
Yet again the clue was in the failure message, suggesting it was likely to be the wrong external IP address of the firewall.
Thanks

Peter H
