Cant renew cert http-01 challenge error

hi all,

im trying to renew my cert via certbot but i get this error, i dont know why as i have done a port forward to my server (443) and i can connect to my apache welcome page externally ie not in my company ie https://blah.com

certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org

Which names would you like to activate HTTPS for?

1: hftp.hackenbacker.com

Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter ‘c’ to cancel): 1
Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for hftp.hackenbacker.com
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. hftp.hackenbacker.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to v erify the domain :: Fetching http://hftp.hackenbacker.com/.well-known/acme-challenge/OqduhAT2VW2BdnJ3f0_lrdiOq0l_UHoIfZDub0HzoWA: Timeout during connect (likely firewall problem)

IMPORTANT NOTES:

• The following errors were reported by the server:

  Domain: hftp.hackenbacker.com
  Type: connection
  Detail: Fetching
  http://hftp.hackenbacker.com/.well-known/acme-challenge/OqduhAT2VW2BdnJ3f0_lrdiOq0l_UHoIfZDub0HzoWA:
  Timeout during connect (likely firewall problem)

  To fix these errors, please make sure that your domain name was
  entered correctly and the DNS A/AAAA record(s) for that domain
  contain(s) the right IP address. Additionally, please check that
  your computer has a publicly routable IP address and that no
  firewalls are preventing the server from communicating with the
  client. If you’re using the webroot plugin, you should also verify
  that you are serving files from the webroot path you provided.

this error seems to me its trying to renew my cert via 80?

cheers,
rob

Hi @robertkwild

you have two different ip addresses (non-www and www):

But your non-www doesn't answer (checked with https://check-your-website.server-daten.de/?q=hftp.hackenbacker.com ):

Letsencrypt checks a file in /.well-known/acme-challenge, but the 217.* - ip address doesn't answer.

So first step: Check your configuration so http + non-www answers.

The www version answers correct with a http status 404 - not found.

mmm… thats wierd as when you go on the website it does answer as i get the apache welcome page -

https://hftp.hackenbacker.com

the www doesnt answer atall

https://www.hftp.hackenbacker.com

we host the non www one but not the www one, an external company manages the www one for us

do you think i should change the public DNS a name for 217.138.11.250 to ftp.hackenbacker.co, will that work as that ip points to our firewall/router

That's the https version, not the http version. If you want to use http-01 validation, an open port 80 is required. That port may redirect to https.

yes, i want to validate or renew the https one (hftp.hackenbacker.com) the non-www via port 443 and NOT port 80 as i havnt got that open on my firewall/router, the only nat i have open or done is the port 443 with the address 217.138.11.250

so how do i get certbot to renew the https one please

so the only option is to port forward port 80 and then the renew process will work?

That's not possible if you want to use http-01 - validation. First request - port 80.

Is this a home server? Letsencrypt connects your domain via port 80, that must be possible. Then you can send a http redirect to port 443.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.