Can't renew certificate, get a "Timeout during connect (likely firewall problem)" error


#1

Hi,

I tried to renew my certificate as I have done several times before (without any problem). The first time I tried to do it, I accidentally killed the process during the run.
I retried several times afterwards, and now I always get the same error: “Timeout during connect (likely firewall problem)”.

My domain is:
data.motocoach.fr

I ran this command:
sudo ./certbot-auto

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: data.motocoach.fr
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for data.motocoach.fr
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. data.motocoach.fr (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://data.motocoach.fr/.well-known/acme-challenge/qnPKd2a36vDe3YwEBUkh4DxKGCOyIehtbEI7iGY0nc0: Timeout during connect (likely firewall problem)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: data.motocoach.fr
   Type:   connection
   Detail: Fetching
   http://data.motocoach.fr/.well-known/acme-challenge/qnPKd2a36vDe3YwEBUkh4DxKGCOyIehtbEI7iGY0nc0:
   Timeout during connect (likely firewall problem)

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

My web server is (include version): Apache/2.4.7

The operating system my web server runs on is (include version): Ubuntu 14.04.5 LTS

Does anyone have an idea of what I can do?


#2

Your server isn’t accepting connections on port 80 from anywhere (but it is accepting connections on port 443 … but for plaintext HTTP instead of HTTPS).

Are you using some kind of firewall? ufw?

sudo ss -tlnp | grep -E "(apache|httpd)"

ufw status

grep -R Listen /etc/apache2/{httpd.conf,conf}

#3

Hi,
Here is the result for the first command:

sudo ss -tlnp | grep -E "(apache|httpd)"
LISTEN     0      128                      :::80                      :::*      users:(("apache2",10629,4),("apache2",8454,4),("apache2",8453,4),("apache2",8452,4),("apache2",8451,4),("apache2",8450,4),("apache2",2771,4))
LISTEN     0      128                      :::443                     :::*      users:(("apache2",10629,6),("apache2",8454,6),("apache2",8453,6),("apache2",8452,6),("apache2",8451,6),("apache2",8450,6),("apache2",2771,6))

now the 2nd :

sudo ufw status
Status: inactive

and the last :

sudo grep -R Listen /etc/apache2/{httpd.conf,*.conf}
grep: /etc/apache2/httpd.conf: No such file or directory
/etc/apache2/ports.conf:Listen 80
/etc/apache2/ports.conf:        Listen 443
/etc/apache2/ports.conf:        Listen 443

I must say I tried to modify some of my vhosts conf, such as redirecting to https when http is used, changing the default port for the http virtualhost from 443 to 80, and disabling the le-ssl site.


#4

The output from those commands looks correct.

Yeah, I think you might have done the wrong thing here. It would explain your current issue.

You will want to restore it back to the way it was, which is:

For the HTTP (insecure) virtualhost to start with:

<VirtualHost *:80>
  ServerName data.motocoach.fr
  # then the rest of the config
</VirtualHost>

and for the HTTPS one (with the SSLCertificateFile directives etc):

<VirtualHost *:443>
  ServerName data.motocoach.fr
  # then the rest of the config
</VirtualHost>

#5

I just canceled my last modifications on the vhosts file and tried to renew again; I still get the same error.
My letsencrypt.log:

...
2018-12-13 10:15:40,144:DEBUG:certbot.plugins.selection:Single candidate plugin: * apache
Description: Apache Web Server plugin
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache.entrypoint:ENTRYPOINT
Initialized: <certbot_apache.override_debian.DebianConfigurator object at 0x7f4342435c10>
Prep: True
2018-12-13 10:15:40,144:DEBUG:certbot.plugins.selection:Selected authenticator <certbot_apache.override_debian.DebianConfigurator object at 0x7f4342435c10> and installer <certbot_apache.override_debian.DebianConfigurator object at 0x7f4342435c10>
2018-12-13 10:15:40,144:INFO:certbot.plugins.selection:Plugins selected: Authenticator apache, Installer apache
2018-12-13 10:15:40,151:DEBUG:certbot.main:Picked account: <Account(RegistrationResource(body=Registration(status=None, terms_of_service_agreed=None, agreement=u'https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf', only_return_existing=None, contact=(u'mailto:digital@april-moto.com',), key=JWKRSA(key=<ComparableRSAKey(<cryptography.hazmat.backends.openssl.rsa._RSAPublicKey object at 0x7f4344f03dd0>)>), external_account_binding=None), uri=u'https://acme-v01.api.letsencrypt.org/acme/reg/25063030', new_authzr_uri=u'https://acme-v01.api.letsencrypt.org/acme/new-authz', terms_of_service=u'https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf'), acb6b575b3909d8736a50b85a8d6e713, Meta(creation_host=u'vps412697.ovh.net', creation_dt=datetime.datetime(2017, 11, 29, 16, 19, 41, tzinfo=<UTC>)))>
2018-12-13 10:15:40,152:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2018-12-13 10:15:40,155:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
2018-12-13 10:15:40,425:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 658
2018-12-13 10:15:40,427:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 658
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Thu, 13 Dec 2018 09:14:56 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 13 Dec 2018 09:14:56 GMT
Connection: keep-alive

{
  "bcyRith3JkY": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}
2018-12-13 10:15:42,524:DEBUG:certbot.storage:Should renew, less than 30 days before certificate expiry 2018-12-12 15:01:18 UTC.
2018-12-13 10:15:42,524:INFO:certbot.renewal:Cert is due for renewal, auto-renewing...
2018-12-13 10:15:42,524:INFO:certbot.main:Renewing an existing certificate
2018-12-13 10:15:42,580:DEBUG:certbot.crypto_util:Generating key (2048 bits): /etc/letsencrypt/keys/0022_key-certbot.pem
2018-12-13 10:15:42,583:DEBUG:certbot.crypto_util:Creating CSR: /etc/letsencrypt/csr/0022_csr-certbot.pem
2018-12-13 10:15:42,584:DEBUG:acme.client:Requesting fresh nonce
2018-12-13 10:15:42,584:DEBUG:acme.client:Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce.
2018-12-13 10:15:42,767:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 204 0
2018-12-13 10:15:42,768:DEBUG:acme.client:Received response:
HTTP 204
Server: nginx
Replay-Nonce: knh5SPa1euwJHRDiTD1GpFEo9YNExL-LsdhCm3afLzk
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Thu, 13 Dec 2018 09:14:59 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 13 Dec 2018 09:14:59 GMT
Connection: keep-alive


2018-12-13 10:15:42,768:DEBUG:acme.client:Storing nonce: knh5SPa1euwJHRDiTD1GpFEo9YNExL-LsdhCm3afLzk
2018-12-13 10:15:42,769:DEBUG:acme.client:JWS payload:
{
  "identifiers": [
    {
      "type": "dns",
      "value": "data.motocoach.fr"
    }
  ]
}
2018-12-13 10:15:42,772:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/new-order:
2018-12-13 10:15:42,987:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 376
2018-12-13 10:15:42,988:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Content-Type: application/json
Content-Length: 376
Boulder-Requester: 25063030
Location: https://acme-v02.api.letsencrypt.org/acme/order/25063030/218805085
Replay-Nonce: 9YTrMIw6-UeZqYo70HJwUJmxQdWCZHGnbu7zbPYuIW0
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Thu, 13 Dec 2018 09:14:59 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 13 Dec 2018 09:14:59 GMT
Connection: keep-alive

{
  "status": "pending",
  "expires": "2018-12-20T09:14:59.280303339Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "data.motocoach.fr"
    }
  ],
  "authorizations": [
    "https://acme-v02.api.letsencrypt.org/acme/authz/fch0jUwBv28vOLnXSWxK0dYpn_556UtWUcc734kzcmg"
  ],
  "finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/25063030/218805085"
}
2018-12-13 10:15:42,989:DEBUG:acme.client:Storing nonce: 9YTrMIw6-UeZqYo70HJwUJmxQdWCZHGnbu7zbPYuIW0
2018-12-13 10:15:42,989:DEBUG:acme.client:JWS payload:

2018-12-13 10:15:42,993:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz/fch0jUwBv28vOLnXSWxK0dYpn_556UtWUcc734kzcmg:
2018-12-13 10:15:43,183:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz/fch0jUwBv28vOLnXSWxK0dYpn_556UtWUcc734kzcmg HTTP/1.1" 200 1165
2018-12-13 10:15:43,184:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 1165
Boulder-Requester: 25063030
Replay-Nonce: 3g4E3OtHhuWUER54S0tYmRUYFdtB2ryS2e_MO6gwA3Y
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Thu, 13 Dec 2018 09:14:59 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 13 Dec 2018 09:14:59 GMT
Connection: keep-alive

{
  "identifier": {
    "type": "dns",
    "value": "data.motocoach.fr"
  },
  "status": "pending",
  "expires": "2018-12-20T09:14:59Z",
  "challenges": [
    {
      "type": "tls-sni-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/fch0jUwBv28vOLnXSWxK0dYpn_556UtWUcc734kzcmg/10281538491",
      "token": "R0FlhZsWp5nM7kA3EDYT4kZWWS_KrY1T4nbQ1QbBzMY"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/fch0jUwBv28vOLnXSWxK0dYpn_556UtWUcc734kzcmg/10281538492",
      "token": "_2Fc_vEZsfXG85z6oDTga0YfefovbepaTWTxyAYrTzQ"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/fch0jUwBv28vOLnXSWxK0dYpn_556UtWUcc734kzcmg/10281538493",
      "token": "KzZfGjYhSOCuNEty7USVcO6Ol3nqL706Q3aAGuWcDOs"
    },
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/fch0jUwBv28vOLnXSWxK0dYpn_556UtWUcc734kzcmg/10281538494",
      "token": "zX94zDbCJvrGUzZ3MjV1bbZgRNKyneuXKgcYqXZcgc0"
    }
  ]
}
2018-12-13 10:15:43,184:DEBUG:acme.client:Storing nonce: 3g4E3OtHhuWUER54S0tYmRUYFdtB2ryS2e_MO6gwA3Y
2018-12-13 10:15:43,186:INFO:certbot.auth_handler:Performing the following challenges:
2018-12-13 10:15:43,186:INFO:certbot.auth_handler:http-01 challenge for data.motocoach.fr
2018-12-13 10:15:43,277:DEBUG:certbot_apache.http_01:Adding a temporary challenge validation Include for name: data.motocoach.fr in: /etc/apache2/sites-enabled/001-dq2amo.conf
2018-12-13 10:15:43,278:DEBUG:certbot_apache.http_01:writing a pre config file with text:
         RewriteEngine on
        RewriteRule ^/\.well-known/acme-challenge/([A-Za-z0-9-_=]+)$ /var/lib/letsencrypt/http_challenges/$1 [END]

2018-12-13 10:15:43,278:DEBUG:certbot_apache.http_01:writing a post config file with text:
         <Directory /var/lib/letsencrypt/http_challenges>
            Require all granted
        </Directory>
        <Location /.well-known/acme-challenge>
            Require all granted
        </Location>

2018-12-13 10:15:43,294:DEBUG:certbot.reverter:Creating backup of /etc/apache2/sites-enabled/001-dq2amo.conf
2018-12-13 10:15:46,448:INFO:certbot.auth_handler:Waiting for verification...
2018-12-13 10:15:46,448:DEBUG:acme.client:JWS payload:
{
  "keyAuthorization": "zX94zDbCJvrGUzZ3MjV1bbZgRNKyneuXKgcYqXZcgc0.t5utZ2PFXoyX1rTaP1znLK8VljEmU0K2hhr_JeKDpoA",
  "type": "http-01",
  "resource": "challenge"
}
2018-12-13 10:15:46,450:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/challenge/fch0jUwBv28vOLnXSWxK0dYpn_556UtWUcc734kzcmg/10281538494:
2018-12-13 10:15:46,639:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/challenge/fch0jUwBv28vOLnXSWxK0dYpn_556UtWUcc734kzcmg/10281538494 HTTP/1.1" 200 224
2018-12-13 10:15:46,640:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 224
Boulder-Requester: 25063030
Link: <https://acme-v02.api.letsencrypt.org/acme/authz/fch0jUwBv28vOLnXSWxK0dYpn_556UtWUcc734kzcmg>;rel="up"
Location: https://acme-v02.api.letsencrypt.org/acme/challenge/fch0jUwBv28vOLnXSWxK0dYpn_556UtWUcc734kzcmg/10281538494
Replay-Nonce: pXBybr6UcLxBXloN4AO55SyV9KOi3rCkiDqfNHgZBXY
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Thu, 13 Dec 2018 09:15:03 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 13 Dec 2018 09:15:03 GMT
Connection: keep-alive

{
  "type": "http-01",
  "status": "pending",
  "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/fch0jUwBv28vOLnXSWxK0dYpn_556UtWUcc734kzcmg/10281538494",
  "token": "zX94zDbCJvrGUzZ3MjV1bbZgRNKyneuXKgcYqXZcgc0"
}
2018-12-13 10:15:46,640:DEBUG:acme.client:Storing nonce: pXBybr6UcLxBXloN4AO55SyV9KOi3rCkiDqfNHgZBXY
2018-12-13 10:15:49,644:DEBUG:acme.client:JWS payload:

2018-12-13 10:15:49,648:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz/fch0jUwBv28vOLnXSWxK0dYpn_556UtWUcc734kzcmg:
2018-12-13 10:15:49,845:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz/fch0jUwBv28vOLnXSWxK0dYpn_556UtWUcc734kzcmg HTTP/1.1" 200 1165
2018-12-13 10:15:49,848:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 1165
Boulder-Requester: 25063030
Replay-Nonce: 1C0bUwvgbNrWb4r0RTGc53O0vQL1DgQY45YhU_poZx0
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Thu, 13 Dec 2018 09:15:06 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 13 Dec 2018 09:15:06 GMT
Connection: keep-alive

{
  "identifier": {
    "type": "dns",
    "value": "data.motocoach.fr"
  },
  "status": "pending",
  "expires": "2018-12-20T09:14:59Z",
  "challenges": [
    {
      "type": "tls-sni-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/fch0jUwBv28vOLnXSWxK0dYpn_556UtWUcc734kzcmg/10281538491",
      "token": "R0FlhZsWp5nM7kA3EDYT4kZWWS_KrY1T4nbQ1QbBzMY"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/fch0jUwBv28vOLnXSWxK0dYpn_556UtWUcc734kzcmg/10281538492",
      "token": "_2Fc_vEZsfXG85z6oDTga0YfefovbepaTWTxyAYrTzQ"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/fch0jUwBv28vOLnXSWxK0dYpn_556UtWUcc734kzcmg/10281538493",
      "token": "KzZfGjYhSOCuNEty7USVcO6Ol3nqL706Q3aAGuWcDOs"
    },
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/fch0jUwBv28vOLnXSWxK0dYpn_556UtWUcc734kzcmg/10281538494",
      "token": "zX94zDbCJvrGUzZ3MjV1bbZgRNKyneuXKgcYqXZcgc0"
    }
  ]
}
2018-12-13 10:15:49,849:DEBUG:acme.client:Storing nonce: 1C0bUwvgbNrWb4r0RTGc53O0vQL1DgQY45YhU_poZx0
2018-12-13 10:15:52,853:DEBUG:acme.client:JWS payload:

2018-12-13 10:15:52,857:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz/fch0jUwBv28vOLnXSWxK0dYpn_556UtWUcc734kzcmg:
2018-12-13 10:15:53,042:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz/fch0jUwBv28vOLnXSWxK0dYpn_556UtWUcc734kzcmg HTTP/1.1" 200 1165
2018-12-13 10:15:53,043:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 1165
Boulder-Requester: 25063030
Replay-Nonce: Oped2zTRn1LJAjDWQVbRMcv1RmbyJEmjICzqJVMoCKE
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Thu, 13 Dec 2018 09:15:09 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 13 Dec 2018 09:15:09 GMT
Connection: keep-alive

{
  "identifier": {
    "type": "dns",
    "value": "data.motocoach.fr"
  },
  "status": "pending",
  "expires": "2018-12-20T09:14:59Z",
  "challenges": [
    {
      "type": "tls-sni-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/fch0jUwBv28vOLnXSWxK0dYpn_556UtWUcc734kzcmg/10281538491",
      "token": "R0FlhZsWp5nM7kA3EDYT4kZWWS_KrY1T4nbQ1QbBzMY"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/fch0jUwBv28vOLnXSWxK0dYpn_556UtWUcc734kzcmg/10281538492",
      "token": "_2Fc_vEZsfXG85z6oDTga0YfefovbepaTWTxyAYrTzQ"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/fch0jUwBv28vOLnXSWxK0dYpn_556UtWUcc734kzcmg/10281538493",
      "token": "KzZfGjYhSOCuNEty7USVcO6Ol3nqL706Q3aAGuWcDOs"
    },
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/fch0jUwBv28vOLnXSWxK0dYpn_556UtWUcc734kzcmg/10281538494",
      "token": "zX94zDbCJvrGUzZ3MjV1bbZgRNKyneuXKgcYqXZcgc0"
    }
  ]
}
2018-12-13 10:15:53,044:DEBUG:acme.client:Storing nonce: Oped2zTRn1LJAjDWQVbRMcv1RmbyJEmjICzqJVMoCKE
2018-12-13 10:15:56,048:DEBUG:acme.client:JWS payload:

2018-12-13 10:15:56,052:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz/fch0jUwBv28vOLnXSWxK0dYpn_556UtWUcc734kzcmg:
2018-12-13 10:15:56,250:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz/fch0jUwBv28vOLnXSWxK0dYpn_556UtWUcc734kzcmg HTTP/1.1" 200 1165
2018-12-13 10:15:56,252:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 1165
Boulder-Requester: 25063030
Replay-Nonce: 7y7PlsocKMlgYK8GkhBOek958Ad97F77hGVOkf1TtMQ
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Thu, 13 Dec 2018 09:15:12 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 13 Dec 2018 09:15:12 GMT
Connection: keep-alive

{
  "identifier": {
    "type": "dns",
    "value": "data.motocoach.fr"
  },
  "status": "pending",
  "expires": "2018-12-20T09:14:59Z",
  "challenges": [
    {
      "type": "tls-sni-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/fch0jUwBv28vOLnXSWxK0dYpn_556UtWUcc734kzcmg/10281538491",
      "token": "R0FlhZsWp5nM7kA3EDYT4kZWWS_KrY1T4nbQ1QbBzMY"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/fch0jUwBv28vOLnXSWxK0dYpn_556UtWUcc734kzcmg/10281538492",
      "token": "_2Fc_vEZsfXG85z6oDTga0YfefovbepaTWTxyAYrTzQ"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/fch0jUwBv28vOLnXSWxK0dYpn_556UtWUcc734kzcmg/10281538493",
      "token": "KzZfGjYhSOCuNEty7USVcO6Ol3nqL706Q3aAGuWcDOs"
    },
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/fch0jUwBv28vOLnXSWxK0dYpn_556UtWUcc734kzcmg/10281538494",
      "token": "zX94zDbCJvrGUzZ3MjV1bbZgRNKyneuXKgcYqXZcgc0"
    }
  ]
}
2018-12-13 10:15:56,252:DEBUG:acme.client:Storing nonce: 7y7PlsocKMlgYK8GkhBOek958Ad97F77hGVOkf1TtMQ
2018-12-13 10:15:59,257:DEBUG:acme.client:JWS payload:

2018-12-13 10:15:59,260:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz/fch0jUwBv28vOLnXSWxK0dYpn_556UtWUcc734kzcmg:
2018-12-13 10:15:59,442:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz/fch0jUwBv28vOLnXSWxK0dYpn_556UtWUcc734kzcmg HTTP/1.1" 200 1803
2018-12-13 10:15:59,443:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 1803
Boulder-Requester: 25063030
Replay-Nonce: 89PCAgEoKjFigphYmmbVlPeeqsbyPHLab6Fvkvwn-f0
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Thu, 13 Dec 2018 09:15:15 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 13 Dec 2018 09:15:15 GMT
Connection: keep-alive

{
  "identifier": {
    "type": "dns",
    "value": "data.motocoach.fr"
  },
  "status": "invalid",
  "expires": "2018-12-20T09:14:59Z",
  "challenges": [
    {
      "type": "tls-sni-01",
      "status": "invalid",
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/fch0jUwBv28vOLnXSWxK0dYpn_556UtWUcc734kzcmg/10281538491",
      "token": "R0FlhZsWp5nM7kA3EDYT4kZWWS_KrY1T4nbQ1QbBzMY"
    },
    {
      "type": "tls-alpn-01",
      "status": "invalid",
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/fch0jUwBv28vOLnXSWxK0dYpn_556UtWUcc734kzcmg/10281538492",
      "token": "_2Fc_vEZsfXG85z6oDTga0YfefovbepaTWTxyAYrTzQ"
    },
    {
      "type": "dns-01",
      "status": "invalid",
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/fch0jUwBv28vOLnXSWxK0dYpn_556UtWUcc734kzcmg/10281538493",
      "token": "KzZfGjYhSOCuNEty7USVcO6Ol3nqL706Q3aAGuWcDOs"
    },
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:connection",
        "detail": "Fetching http://data.motocoach.fr/.well-known/acme-challenge/zX94zDbCJvrGUzZ3MjV1bbZgRNKyneuXKgcYqXZcgc0: Timeout during connect (likely firewall problem)",
        "status": 400
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/fch0jUwBv28vOLnXSWxK0dYpn_556UtWUcc734kzcmg/10281538494",
      "token": "zX94zDbCJvrGUzZ3MjV1bbZgRNKyneuXKgcYqXZcgc0",
      "validationRecord": [
        {
          "url": "http://data.motocoach.fr/.well-known/acme-challenge/zX94zDbCJvrGUzZ3MjV1bbZgRNKyneuXKgcYqXZcgc0",
          "hostname": "data.motocoach.fr",
          "port": "80",
          "addressesResolved": [
            "137.74.194.229"
          ],
          "addressUsed": "137.74.194.229"
        }
      ]
    }
  ]
}
2018-12-13 10:15:59,444:DEBUG:acme.client:Storing nonce: 89PCAgEoKjFigphYmmbVlPeeqsbyPHLab6Fvkvwn-f0
2018-12-13 10:15:59,446:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:

Domain: data.motocoach.fr
Type:   connection
Detail: Fetching http://data.motocoach.fr/.well-known/acme-challenge/zX94zDbCJvrGUzZ3MjV1bbZgRNKyneuXKgcYqXZcgc0: Timeout during connect (likely firewall problem)

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you're using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.
2018-12-13 10:15:59,447:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 82, in handle_authorizations
    self._respond(aauthzrs, resp, best_effort)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 161, in _respond
    self._poll_challenges(aauthzrs, chall_update, best_effort)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 232, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
FailedChallenges: Failed authorization procedure. data.motocoach.fr (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://data.motocoach.fr/.well-known/acme-challenge/zX94zDbCJvrGUzZ3MjV1bbZgRNKyneuXKgcYqXZcgc0: Timeout during connect (likely firewall problem)

2018-12-13 10:15:59,447:DEBUG:certbot.error_handler:Calling registered functions
2018-12-13 10:15:59,447:INFO:certbot.auth_handler:Cleaning up challenges
2018-12-13 10:15:59,737:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 11, in <module>
    sys.exit(main())
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 1352, in main
    return config.func(config, plugins)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 1096, in run
    certname, lineage)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 118, in _get_and_save_cert
    renewal.renew_cert(config, domains, le_client, lineage)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/renewal.py", line 307, in renew_cert
    new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/client.py", line 353, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/client.py", line 389, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 82, in handle_authorizations
    self._respond(aauthzrs, resp, best_effort)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 161, in _respond
    self._poll_challenges(aauthzrs, chall_update, best_effort)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 232, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
FailedChallenges: Failed authorization procedure. data.motocoach.fr (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://data.motocoach.fr/.well-known/acme-challenge/zX94zDbCJvrGUzZ3MjV1bbZgRNKyneuXKgcYqXZcgc0: Timeout during connect (likely firewall problem)

#6

I do not think you properly reverted your changes. Your server still does not accept connections on port 80.

What’s this show:

apachectl -t -D DUMP_VHOSTS

Edit: actually, I still think this is a firewall problem. Are you sure you’re not using OVH’s firewall or something like that?

iptables -L -n | grep -E ":(443|80)"

#7

You were right, I forgot the OVH firewall! Deactivating it during the certification process solved the problem!
But I wonder why I didn't have the problem the last times I renewed…

However, Thanks for your help ! :smiley:
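
Added example, not written by any poster in this thread: the elimination steps used above (ACME validation record, `ss -tlnp` listeners, host firewall status) combined into one triage function. The sample authorization JSON and `ss` output are constructed; the hostname, tokens, addresses and the category names returned by `triage` are assumptions made for illustration.

```python
import json

# Constructed sample input, shaped like the "invalid" authorization object in
# the debug log above; hostname, tokens and address are placeholders.
AUTHZ_JSON = """
{
  "identifier": {"type": "dns", "value": "www.example.test"},
  "status": "invalid",
  "challenges": [
    {"type": "dns-01", "status": "invalid", "token": "PLACEHOLDER-1"},
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:connection",
        "detail": "Fetching http://www.example.test/.well-known/acme-challenge/PLACEHOLDER-2: Timeout during connect (likely firewall problem)",
        "status": 400
      },
      "token": "PLACEHOLDER-2",
      "validationRecord": [
        {"hostname": "www.example.test", "port": "80",
         "addressesResolved": ["203.0.113.10"], "addressUsed": "203.0.113.10"}
      ]
    }
  ]
}
"""

# Constructed sample of `ss -tlnp` output, same column layout as in the thread.
SS_OUTPUT = """\
LISTEN     0      128      :::80       :::*      users:(("apache2",1234,4))
LISTEN     0      128      :::443      :::*      users:(("apache2",1234,6))
"""


def failed_validation(authz):
    """Return the first challenge that carries an error, flattened to a dict."""
    for chall in authz.get("challenges", []):
        err = chall.get("error")
        if not err:
            continue
        # The last validation record is the connection the CA actually attempted.
        record = (chall.get("validationRecord") or [{}])[-1]
        return {
            "challenge": chall.get("type", ""),
            "error_type": err.get("type", ""),
            "detail": err.get("detail", ""),
            "port": int(record.get("port") or 0),
            "address": record.get("addressUsed", ""),
        }
    return None


def listening_ports(ss_text):
    """Extract local TCP ports in LISTEN state from `ss -tlnp` output."""
    ports = set()
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == "LISTEN":
            # The local address is the 4th column, e.g. ":::80" or "0.0.0.0:80".
            port = fields[3].rsplit(":", 1)[-1]
            if port.isdigit():
                ports.add(int(port))
    return ports


def triage(authz, ss_text, host_firewall_active, expected_ips):
    """Classify a connect timeout by ruling out causes closest to the host first.

    expected_ips: the public addresses this server should be reached on.
    host_firewall_active: whether ufw/iptables on the host filters traffic.
    """
    failure = failed_validation(authz)
    if failure is None:
        return "no-failure"
    is_timeout = (failure["error_type"].endswith(":connection")
                  and "Timeout during connect" in failure["detail"])
    if not is_timeout:
        return "other"
    if failure["address"] not in expected_ips:
        return "dns-mismatch"      # the CA connected to a different machine
    if failure["port"] not in listening_ports(ss_text):
        return "no-listener"       # web server is not bound to the port
    if host_firewall_active:
        return "host-firewall"     # inspect local rules for the port first
    # Listener present and no host filtering: the packets are being dropped
    # before they reach the host (provider or network firewall, as here).
    return "upstream-filter"


AUTHZ = json.loads(AUTHZ_JSON)

if __name__ == "__main__":
    print(triage(AUTHZ, SS_OUTPUT, False, {"203.0.113.10"}))
```
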


#8

The last renewals may have been over https - which is still allowed for renewals.
But http authentication is now the choice for new certs - which this now looked like a new one.

