Can't renew all my domains


I have a problem when I try to renew all my domains :

My domain is:

I ran this command: /opt/letsencrypt/letsencrypt-auto renew or /opt/letsencrypt/letsencrypt-auto --apache --renew-by-default -d

It produced this output: Failed authorization procedure. (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Timeout

My web server is (include version): Apache/2.4.10 (Debian)

The operating system my web server runs on is (include version): Debian GNU/Linux 8

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

Thanks you !

Do you have any sort of firewall that could be limiting inbound connections from some parts of the Internet?

redirects permanently (301) to https.
returns: {“error”:true}
as also shown by all major browsers:

@schoen :

I have Fail2ban, but when I watch the ban list, I don’t have IP address :-/

After, I have the default Firewall ( I believe IPtable ) ^^

@rg305 :

Yes it’s normal ^^

You could try putting a test.txt file at:

1 Like

Hmm, why do you want me to do this?

To test if it can be reached form the Internet correctly.

1 Like

I have this path if you want ^^

It would be good to use the exact path that @rg305 suggested because /.well-known/acme-challenge/ has a special meaning to the certificate authority.

1 Like

Ho, ok sorry, I have created this path :

Edit : Just for information, I have this problem in all my domains :wink:

@cpu, could you perhaps try this and see if there’s something strange about the routing or a netblock-specific firewall?

Have you made any special coding for /.well-known or /.well-known/acme-challenge requests?

I will ask our operations team to look into this. It’s not something I can check myself unfortunately.

I have been able to access your website on ports 80/443 from different network vantage points. If you have programmatic access to install a DNS TXT record, could you try using the DNS-01 challenge?

If you use certbot standalone , what result do you get?

Out of curiosity, can you post your webserver vhost configuration please?

@rg305 No, but I do not think that’s the problem ^^

For information, the problem was not the 3 ~ 4 months ago, it is only recently that it is there :-/


1 - What is “DNS-01 challenge” ?
2 - Will not that break the configuration of my server ?
3 - The global server configuration or just for a specific domain ?

Here the log after trying to launch command ( I deleted some info that seemed to me private ) :

The DNS-01 challenge type involves creating a TXT record on your domain with the challenge response as its value.

No, this will not break your domain.

Depends on what you’re issuing certificates for. For example, if you issue for, you would need to create a TXT record for If you wanted to generate a certificate for, say,, you would need to create a TXT record for

Oops, sorry for the delay …

1 - Um, ok, I’m not sure I understand ( I’m not an expert in the field ^^)
2 - Ok ok
3 - Ha okay, but why do we have to do this now that it worked properly before ? :-/

Edit : What should I enter in the entrance ?

Edit 2 : I was thinking, maybe the problem comes from an Apache module or a configuration, what do you think ?

I know that during the installation of the server, I had installed one / modules, but I do not remember which ( And I also changed some things about the operation of the server ) :-/

Here my list of Pache2 modules loaded :

Ok, new update, I tried this command :

  • /opt/letsencrypt/letsencrypt-auto renew --force-renewal

This domains successful renew :

  /etc/letsencrypt/live/ (success)
  /etc/letsencrypt/live/ (success)
  /etc/letsencrypt/live/ (success)
  /etc/letsencrypt/live/ (success)
  /etc/letsencrypt/live/ (success)
  /etc/letsencrypt/live/ (success)
  /etc/letsencrypt/live/ (success)
  /etc/letsencrypt/live/ (success)
  /etc/letsencrypt/live/ (success)

And other random domain did not work :-/

Attempting to renew cert ( from /etc/letsencrypt/renewal/ produced an unexpected error: Failed authorization procedure. (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Timeout. Skipping.
The following certs could not be renewed:
  /etc/letsencrypt/live/ (failure)
  /etc/letsencrypt/live/ (failure)
  /etc/letsencrypt/live/ (failure)
  /etc/letsencrypt/live/ (failure)
  /etc/letsencrypt/live/ (failure)
  /etc/letsencrypt/live/ (failure)

Other information, all domains listed changed from VPS 3 ~ 4 months ago :wink:

Here it is, if it helps ^^


Ok, so I really do not understand this problem …

I just reassured this morning, and there, all the certificates have been renewed !

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.