Can't renew cert

Hi, As title suggests, I can't renew my cert. It was renewing automatically, now doesn't work manually. I have an openproject instance running on apache2, the domain is from noip.com. This site is up and reachable. I can also browse the web from the server it's running on. I've looked at several other seemingly related questions, but either the answers are not a solution or I don't understand well enough.

check-your-website.server-daten.de shows DNS-problem with authoritative nameserver, so this is probably the problem, but after much googling I don't know how to fix this error. Did something change with the rules of certbot? Why did it work fine until now?

How can I best diagnose / fix?

My domain is: robertborges-mgmt.sytes.net

I ran this command: # certbot renew, # certbot run -a webroot -i apache -w path/to/webroot -d robertborges-mgmt.sytes.net

It produced this output: Challenge failed for domain robertborges-mgmt.sytes.net
http-01 challenge

under IMPORTANT NOTES
connection refused

Timeout during connect

My web server is (include version): apache2.4.41

The operating system my web server runs on is (include version): Ubuntu Server 20.04

My hosting provider, if applicable, is: noip

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 0.40.0

These two things are entirely different. Please copy/paste the entire output of certbot.

That said, I too find that your port 80 isn't open. Please read:

Hi, Thanks.

I did close port 80 in the spring – I didn't realize it should be open – but I opened it this morning while troubleshooting before the post. It's open now as far as I can tell.

Please copy/paste the entire output of certbot.

Sorry was working direct on the server with no GUI. Here is the whole output from another try:

robertborges@robertborges:~$ certbot renew
The following error was encountered:
[Errno 13] Permission denied: '/var/log/letsencrypt/.certbot.lock'
Either run as root, or set --config-dir, --work-dir, and --logs-dir to writeable paths.
robertborges@robertborges:~$ fvck
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/robertborges-mgmt.sytes.net.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for robertborges-mgmt.sytes.net
Waiting for verification...
Challenge failed for domain robertborges-mgmt.sytes.net
http-01 challenge for robertborges-mgmt.sytes.net
Cleaning up challenges
Attempting to renew cert (robertborges-mgmt.sytes.net) from /etc/letsencrypt/renewal/robertborges-mgmt.sytes.net.conf produced an unexpected error: Some challenges have failed.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/robertborges-mgmt.sytes.net/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/robertborges-mgmt.sytes.net/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: robertborges-mgmt.sytes.net
   Type:   connection
   Detail: Fetching
   http://robertborges-mgmt.sytes.net/.well-known/acme-challenge/kaQk-OdWcwbk65UYwup5suUXlwcSvJRjLdgIhpJrEik:
   Connection refused

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

For some reason there isn't any application running on port 80. Did you somehow configure Apache to only listen on port 443? Maybe the output of sudo apache -S may tell us more.

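One way to see what the CA's validator sees before running certbot again, as an added example that is not from this thread or from certbot itself: it drops a random token under the webroot's .well-known/acme-challenge directory, fetches it through the public hostname and port 80, and classifies the result so that "connection refused" (nothing listening, or the router rejecting) is told apart from a timeout (traffic silently filtered) and from a different server answering. The webroot path, hostname and the local demo server are assumptions for illustration.

```python
import functools, http.server, os, secrets, socket, tempfile, threading
import urllib.error, urllib.request

ACME_DIR = os.path.join(".well-known", "acme-challenge")

def fetch_status(url, timeout=5.0):
    """Fetch url and classify the outcome the way certbot's IMPORTANT NOTES do."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as r:
            return "ok", r.read().decode(errors="replace")
    except urllib.error.HTTPError as e:          # a server answered, but not 200
        return "http_%d" % e.code, str(e.reason)
    except urllib.error.URLError as e:           # no HTTP answer at all
        if isinstance(e.reason, ConnectionRefusedError):
            return "connection_refused", str(e.reason)  # nothing listening on the port
        if isinstance(e.reason, (socket.timeout, TimeoutError)):
            return "timeout", str(e.reason)             # silently filtered (firewall/router)
        return "unreachable", str(e.reason)
    except (socket.timeout, TimeoutError) as e:
        return "timeout", str(e)

def preflight_http01(webroot, host, port=80, timeout=5.0):
    """Serve a throwaway token from webroot and fetch it via host:port,
    i.e. the same path the CA's http-01 validator takes."""
    token = secrets.token_urlsafe(32)
    os.makedirs(os.path.join(webroot, ACME_DIR), exist_ok=True)
    path = os.path.join(webroot, ACME_DIR, token)
    with open(path, "w") as f:
        f.write(token)
    try:
        status, detail = fetch_status(
            f"http://{host}:{port}/.well-known/acme-challenge/{token}", timeout)
    finally:
        os.remove(path)
    if status == "ok" and detail.strip() != token:
        return "wrong_content", "port answered, but not from this webroot"
    return status, detail

def local_demo():
    """Run the check against a temporary local server, then against the closed port."""
    webroot = tempfile.mkdtemp()   # constructed stand-in for /var/www or the OpenProject docroot
    handler = functools.partial(http.server.SimpleHTTPRequestHandler, directory=webroot)
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    served = preflight_http01(webroot, "127.0.0.1", srv.server_port)
    srv.shutdown(); srv.server_close()
    closed = preflight_http01(webroot, "127.0.0.1", srv.server_port)  # reproduces "Connection refused"
    return {"served": served, "closed": closed}

if __name__ == "__main__":
    print(local_demo())
```

For the real check, call preflight_http01 with Apache's DocumentRoot and the public hostname; a "connection_refused" or "timeout" result points at the port-80 listener or the router/firewall rather than at certbot.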

sudo apache2 -S


[Tue Aug 17 23:04:10.174659 2021] [core:warn] [pid 1214911] AH00111: Config variable ${APACHE_RUN_DIR} is not defined
apache2: Syntax error on line 80 of /etc/apache2/apache2.conf: DefaultRuntimeDir must be a valid directory, absolute or relative to ServerRoot

I have troubleshot this before but understood that, because I start with systemctl, it's not an issue I need to worry about, but maybe it is...
Apache starts fine with systemctl and is running. sudo systemctl status apache2


● apache2.service - The Apache HTTP Server
     Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
     Active: active (running) since Tue 2021-08-17 12:45:26 CEST; 10h ago
       Docs: https://httpd.apache.org/docs/2.4/
    Process: 1199928 ExecStart=/usr/sbin/apachectl start (code=exited, status=0/SUCCESS)
   Main PID: 1199947 (/usr/sbin/apach)
      Tasks: 81 (limit: 57789)
     Memory: 96.2M
     CGroup: /system.slice/apache2.service
             ├─1199947 /usr/sbin/apache2 -k start
             ├─1212050 /usr/sbin/apache2 -k start
             ├─1212051 /usr/sbin/apache2 -k start
             ├─1212052 /usr/sbin/apache2 -k start
             ├─1212053 /usr/sbin/apache2 -k start
             ├─1212054 /usr/sbin/apache2 -k start
             ├─1212055 /usr/sbin/apache2 -k start
             ├─1212076 /usr/sbin/apache2 -k start
             └─1212077 /usr/sbin/apache2 -k start

Aug 17 12:45:25 robertborges.sytes.net systemd[1]: Starting The Apache HTTP Server...
Aug 17 12:45:25 robertborges.sytes.net apachectl[1199940]: [Tue Aug 17 12:45:25.871231 2021] [so:warn] [pid 1199940] AH01574: module dav_module is already loaded, skipping
Aug 17 12:45:26 robertborges.sytes.net systemd[1]: Started The Apache HTTP Server.

Port 80 seems to be open. Since explicitly opening it, I get a https redirect when I go to the domain (before it was a not found error in the browser).

All relevant apache config files show that I'm listening on port 80.

nmap shows 80 is closed – I'll check the routers tomorrow :confused:

Did you get this problem resolved?

Yes, I ran it as root. I included that so you could see the command I actually ran. I have a bash alias: alias fvck='sudo $(history -p !!)'
80 isn't open for some reason – I have to check the routers in the morning.

So, I relaxed the firewall a little on one of the routers, which allowed traffic on port 80. But subsequent nmap runs from outside the network revealed that 443 was closed, then 80 also closed. My site (obv) became unreachable. I'm not sure what the hcll was going on, but I rebooted all routers and the server and after that nmap from outside returns open 443 and open 80, site is reachable, and certbot renew was successful. :man_shrugging:

I guess there's some wisdom to the cliche tech-support question "Did you switch it off and back on again?"

Thanks for the troubleshooting advice, nevertheless!

