Cannot renew certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

tickets.peterhofmuseum.ru

I ran this command:

certbot renew

It produced this output:

Fetching http://tickets.peterhofmuseum.ru/.well-known/acme-challenge/XGdkCHr-CTibHexZpeA2lyT19tdPu19zxoX1cFyVctI: Timeout during connect (likely firewall problem)

My web server is (include version):

nginx 1.14

The operating system my web server runs on is (include version):

CentOS 7

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

certbot 1.23.0

Hello!

I get a timeout error while renewing my certificate.
I use webroot validation and I can manually download files from the .well-known/acme-challenge directory from anywhere.
While attempting to renew the cert I can see 1 successful connection to my server:
54.93.175.185 - - [23/Jun/2022:11:15:52 +0300] "GET /.well-known/acme-challenge/Eph_8QjgwGMsBnCi6Q8sxqtgujRoZKKYoOSHUDsfVkU HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"

I would appreciate any help. Thank you.

You should see 4 connections. Here is a sample from an attempt I tried on a personal server just now:

34.222.116.28 - - [23/Jun/2022:20:34:51 +1000] "GET /.well-known/acme-challenge/ccxkwW23MVmUW5NU1bVpv6zQeF4--FNmqN8VxgahcKs HTTP/1.1" 404 118 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "-"
18.118.100.51 - - [23/Jun/2022:20:34:51 +1000] "GET /.well-known/acme-challenge/ccxkwW23MVmUW5NU1bVpv6zQeF4--FNmqN8VxgahcKs HTTP/1.1" 404 118 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "-"
66.133.109.36 - - [23/Jun/2022:20:34:52 +1000] "GET /.well-known/acme-challenge/ccxkwW23MVmUW5NU1bVpv6zQeF4--FNmqN8VxgahcKs HTTP/1.1" 404 118 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "-"
54.93.126.79 - - [23/Jun/2022:20:34:52 +1000] "GET /.well-known/acme-challenge/ccxkwW23MVmUW5NU1bVpv6zQeF4--FNmqN8VxgahcKs HTTP/1.1" 404 118 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "-"

Perhaps you can try dropping any firewall-based blocking rules temporarily to see whether it helps.

4 Likes

Thanks for the reply.
I will try, but I'm quite sure that it shouldn't be a firewall problem (since I get one connection from LE and I can access this directory manually from the Internet).
My web server is behind a firewall which translates the needed ports.

1 Like

Well, I can't connect to your server from where I am on the Internet, and most of Let's Encrypt's servers clearly can't either. So there must be something blocking connections in front of your system. Perhaps a region-based firewall, or routing from parts of the Internet that isn't working right. It may be something upstream from your Internet provider, perhaps even a company intentionally choosing (or required by their government) to block traffic to Russia.

$ curl -v http://tickets.peterhofmuseum.ru/.well-known/acme-challenge/XGdkCHr-CTibHexZpeA2lyT19tdPu19zxoX1cFyVctI:
*   Trying 82.140.115.156:80...
* connect to 82.140.115.156 port 80 failed: Connection timed out
* Failed to connect to tickets.peterhofmuseum.ru port 80 after 130318 ms: Connection timed out
* Closing connection 0
curl: (28) Failed to connect to tickets.peterhofmuseum.ru port 80 after 130318 ms: Connection timed out

In order to validate that you actually own the name as seen by everyone on the Internet, Let's Encrypt needs to be able to connect to your system from multiple places, to confirm that nobody is trying to reroute their packets to get them to issue a certificate incorrectly. So the first step is to make sure that your system is accessible from everywhere on the Internet.

If your system isn't going to be publicly accessible, then the only way to get a certificate is to use the DNS-01 challenge. Though, that requires being able to automate updating your DNS records (or manually doing it every couple months, which is pretty error-prone), and still requires the DNS server itself to be publicly accessible worldwide. (I don't think it's actually related to the problem you're having, but it looks like your DNS servers have some weird issues where the glue records and authoritative answer flags aren't being set correctly.)

6 Likes
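As an added illustration of the two answers above (this is not code from the thread, from Certbot or from Let's Encrypt), the script below parses nginx access-log lines and counts, per challenge token, how many distinct Let's Encrypt validation IPs fetched it, so a single-vantage-point fetch like the original poster's shows up as incomplete. The sample log is constructed from the lines quoted in this thread plus an invented manual curl request from 203.0.113.7, which is deliberately ignored; the threshold of 4 follows the first answer.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the nginx access-log lines quoted in this thread.
# The Let's Encrypt source IPs and tokens come from the posts above; the curl line
# from 203.0.113.7 is an invented manual check and must NOT count as a validation.
SAMPLE_LOG = """\
54.93.175.185 - - [23/Jun/2022:11:15:52 +0300] "GET /.well-known/acme-challenge/Eph_8QjgwGMsBnCi6Q8sxqtgujRoZKKYoOSHUDsfVkU HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
203.0.113.7 - - [23/Jun/2022:11:20:00 +0300] "GET /.well-known/acme-challenge/Eph_8QjgwGMsBnCi6Q8sxqtgujRoZKKYoOSHUDsfVkU HTTP/1.1" 200 87 "-" "curl/7.79.1"
34.222.116.28 - - [23/Jun/2022:20:34:51 +1000] "GET /.well-known/acme-challenge/ccxkwW23MVmUW5NU1bVpv6zQeF4--FNmqN8VxgahcKs HTTP/1.1" 404 118 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "-"
18.118.100.51 - - [23/Jun/2022:20:34:51 +1000] "GET /.well-known/acme-challenge/ccxkwW23MVmUW5NU1bVpv6zQeF4--FNmqN8VxgahcKs HTTP/1.1" 404 118 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "-"
66.133.109.36 - - [23/Jun/2022:20:34:52 +1000] "GET /.well-known/acme-challenge/ccxkwW23MVmUW5NU1bVpv6zQeF4--FNmqN8VxgahcKs HTTP/1.1" 404 118 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "-"
54.93.126.79 - - [23/Jun/2022:20:34:52 +1000] "GET /.well-known/acme-challenge/ccxkwW23MVmUW5NU1bVpv6zQeF4--FNmqN8VxgahcKs HTTP/1.1" 404 118 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "-"
"""

# nginx "combined" format: ip - user [time] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \d+ "[^"]*" "(?P<ua>[^"]*)"'
)
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
LE_UA_MARKER = "Let's Encrypt validation server"
# Per the first answer in the thread, a full HTTP-01 validation shows 4 fetches
# from different Let's Encrypt vantage points; treat that as the expected count.
EXPECTED_VANTAGE_POINTS = 4


def summarize_acme_validations(log_text):
    """Group Let's Encrypt challenge fetches by token: distinct source IPs and statuses."""
    per_token = defaultdict(lambda: {"ips": set(), "statuses": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m["path"].startswith(CHALLENGE_PREFIX):
            continue
        if LE_UA_MARKER not in m["ua"]:
            continue  # a manual curl/browser check proves nothing about LE's reachability
        token = m["path"][len(CHALLENGE_PREFIX):]
        per_token[token]["ips"].add(m["ip"])
        per_token[token]["statuses"].add(int(m["status"]))
    return {
        tok: {"distinct_ips": len(v["ips"]), "ips": sorted(v["ips"]), "statuses": sorted(v["statuses"])}
        for tok, v in per_token.items()
    }


def incomplete_validations(log_text, expected=EXPECTED_VANTAGE_POINTS):
    """Tokens fetched from fewer than `expected` vantage points: a symptom of partial blocking."""
    summary = summarize_acme_validations(log_text)
    return sorted(tok for tok, v in summary.items() if v["distinct_ips"] < expected)
```

Run it against a real access log with `incomplete_validations(open("/var/log/nginx/access.log").read())`; a token listed there was only reached from some of Let's Encrypt's vantage points, which is exactly the pattern the original poster saw.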

Thank you very much.
I launched your command from different places in Russia and immediately got a 404 answer.
Unfortunately I can't test the connection from other countries, but now I see the problem.
I will try DNS challenge.

2 Likes

I succeeded with the DNS challenge.
Thanks again for the support and the great service you provide.

3 Likes