Can't renew a cert with certbot: Timeout during connect (likely firewall problem)

My domain is: app.senyxwh.com

I ran this command: certbot-auto renew --standalone

It produced this output:
$ certbot-auto renew --standalone
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/app.senyxwh.com.conf


Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for app.senyxwh.com
Waiting for verification…
Challenge failed for domain app.senyxwh.com
http-01 challenge for app.senyxwh.com
Cleaning up challenges
Attempting to renew cert (app.senyxwh.com) from /etc/letsencrypt/renewal/app.senyxwh.com.conf produced an unexpected error: Some challenges have failed… Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/app.senyxwh.com/fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/app.senyxwh.com/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: app.senyxwh.com
    Type: connection
    Detail: Fetching
    http://app.senyxwh.com/.well-known/acme-challenge/9NRlgCyMzP5fHXTO9KaXYZrC1aNtQJzTsn6W2Cr0GYs:
    Timeout during connect (likely firewall problem)

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

My web server is (include version): Apache 2.4

The operating system my web server runs on is (include version): Ubuntu 16.04.6 LTS (GNU/Linux 4.4.0-1112-aws x86_64)

My hosting provider, if applicable, is: AWS Lightsail

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): Certbot 1.7.0

In order to renew the certificate, I need to stop the apache 2. Otherwise, I get this error.

Attempting to renew cert (app.senyxwh.com) from /etc/letsencrypt/renewal/app.senyxwh.com.conf produced an unexpected error: Problem binding to port 80: Could not bind to IPv4 or IPv6… Skipping.

I’ve checked post that has a similar situation as me on the forum, but I couldn`t figure out the solution. Could anyone help me to fix this?

2 Likes

Hi @dhdhxk

that’s only correct if you use --standalone.

Use --apache or --webroot to use your running webserver.

Check

5 Likes

Hi, @JuergenAuer. Thank you for your answer.

I`m using Lightsail and it use bitnami Apache2. I tried this.

$ certbot-auto --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
The apache plugin is not working; there may be problems with your existing configuration.
The error was: NoInstallationError(‘Cannot find Apache executable apache2ctl’,)

and it does not find the apache2.

1 Like

Please. If you use Bitnami, there are own rules and own scripts to create a certificate.

Check the Bitnami documentation to find a solution. Then it’s expected that the standard Certbot will not work.

3 Likes

Thank you! JuergenAuer.

I’ve realized I use the Certbot wrong way. I`ll research it! Thank you.

2 Likes