Cannot renew certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: haphuongle.com

I ran this command: sudo letsencrypt certonly -a manual --rsa-key-size 4096 --email "my email" -d haphuongle.comy

It produced this output:
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. haphuongle.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://haphuongle.com/.well-known/acme-challenge/MP-4GcSlYdYqjtrlRqg1_WNHG9g_1yxHj8lGpROgtT8: Timeout during connect (likely firewall problem)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: haphuongle.com
    Type: connection
    Detail: Fetching
    http://haphuongle.com/.well-known/acme-challenge/MP-4GcSlYdYqjtrlRqg1_WNHG9g_1yxHj8lGpROgtT8:
    Timeout during connect (likely firewall problem)

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you're using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

My web server is (include version): nginx/1.14.2

The operating system my web server runs on is (include version):
PRETTY_NAME="Raspbian GNU/Linux 10 (buster)"
NAME="Raspbian GNU/Linux"

My hosting provider, if applicable, is: Linux version 5.4.51-v7l+

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.31.0

I'm super new to web development and stuff so please be patient if I ask too much. Thank you

2 Likes

The problem is that it's not possible to connect to your domain on port 80.

Some of the causes for this problem are:

  1. Your ISP (Verizon) blocking port 80 for your internet connection, in which case you should ask them about it.
  2. You not having forwarded port 80 on your modem/router to your Raspberry Pi.
  3. You not having opened port 80 on your Raspberry Pi's firewall.
5 Likes

I forwarded port 80 to my Raspberry Pi and allowed it on the firewall using sudo ufw allow 80, but I have this error:
Failed authorization procedure. haphuongle.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://haphuongle.com/.well-known/acme-challenge/KNaey8BZ_NgB7CBWs2Ju95WBOkoOBFFsnVvax-29e4A [100.36.181.217]: "\r\n404 Not Found\r\n<body bgcolor="white">\r\n404 Not Found\r\n"

IMPORTANT NOTES:

Progress :clap:!

What authenticator are you using? Still -a manual?

Have you tried --nginx instead?

1 Like

When I use --nginx instead of -a manual, it shows:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Could not choose appropriate plugin: The requested nginx plugin does not appear to be installed.

But I think nginx has been installed already

For your Raspbian installation, I believe you can install the nginx plugin using:

sudo apt install python-certbot-nginx

and then the previous command should work.

1 Like

It says congratulations but when I go to my website, the certificate is not updated yet. Am I supposed to wait a few hours or days for the update?

Try running the command without certonly.

certonly means "obtain the certificate but don't install it, I'll do that myself".

By omitting it, Certbot will also install your certificate and reload your webserver for you. It will also do so automatically in future.

2 Likes

It works. Thank you so so much! I have a question tho. If I use certonly in the command, what should I do next to reload the cert to my website?

By using certonly, the main thing that is missing is the reload of your nginx server, which needs to be performed after every renewal:

sudo service nginx reload
1 Like
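
The reload above matters because nginx keeps serving the certificate it loaded at start-up until it is reloaded. As an added example (not part of the original replies), these shell functions compare the certificate nginx is serving with the renewed file on disk and reload only when they differ. The path /etc/letsencrypt/live/<domain>/cert.pem (certbot's default), the check against 127.0.0.1:443 and all function names are assumptions.

```shell
#!/bin/sh
# Added example: detect an nginx that still serves the old certificate after
# a `certonly` renewal, and reload only in that case.
# Assumptions: certbot's default live directory and the standard openssl CLI.

LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"

# Reduce openssl's "SHA256 Fingerprint=AA:BB:..." line to bare lowercase hex.
normalize_fp() {
    printf '%s\n' "$1" | sed -e 's/^.*=//' -e 's/://g' | tr 'A-F' 'a-f'
}

# Fingerprint of the renewed certificate on disk.
disk_fp() {
    openssl x509 -in "$LIVE_DIR/$1/cert.pem" -noout -fingerprint -sha256
}

# Fingerprint of the certificate nginx hands out on port 443 of this host.
served_fp() {
    openssl s_client -connect "127.0.0.1:443" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256
}

# Print "current" when both fingerprints match, "stale" when they differ,
# "unknown" when either one is empty (no listener, missing file).
cert_state() {
    served=$(normalize_fp "$1")
    disk=$(normalize_fp "$2")
    if [ -z "$served" ] || [ -z "$disk" ]; then
        echo unknown
    elif [ "$served" = "$disk" ]; then
        echo current
    else
        echo stale
    fi
}

# Reload nginx only when it is serving something other than the file on disk.
reload_if_stale() {
    state=$(cert_state "$(served_fp "$1")" "$(disk_fp "$1")")
    echo "$1: $state"
    if [ "$state" = stale ]; then
        nginx -t && service nginx reload
    fi
}

# Usage (as root): reload_if_stale haphuongle.com
```

An "unknown" result means nothing answered on port 443 or the certificate file was not found, so check those before reloading.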

Thank you so much for your help! Really appreciate!!
