Can't renew certificate, problem with connecting to acme-staging

Hello all,

I have used Let's Encrypt for a long time, but suddenly my certificate expired; however, I did configure auto renewal and I know 99% sure that it worked before.
Now I wanted to renew my certificate, but when I try I can't get past this stage:
Cert is due for renewal, auto-renewing…
Starting new HTTPS connection (1): acme-staging.api.letsencrypt.org

There seems to be a problem setting up a connection, what can be the problem?

Thank you for your help

How are you trying to renew your certificate? Using what client? acme-staging.api.letsencrypt.org is the staging (or sandbox) environment, intended for developers to test their code; it's not for production. To renew a real certificate, your client should've used acme-v01.api.letsencrypt.org. I'm guessing it means that your client is still developing the renewal option, and you cannot use it now. You might want to use another client.

If you are trying to develop a client and trying to build a renewal function, then I can't help you :confounded:

I am using Certbot. I am running CentOS 7.
I tried certbot renew --dry-run
As well as certbot --apache

Nothing seems to work. I hope you can help :slight_smile:

edit: the --dry-run command is for testing only, that explains why it used that URL, my bad. However, when trying the --apache command, nothing actually happens when I press enter. It seems to stay there forever doing nothing.

edit2: Running the command certbot renew shows me that it now tries to connect to acme-v01.api.letsencrypt.org
But nothing happens from there… it seems like it cannot establish a connection somehow…

Can you use the --verbose option, and then paste the log in pastebin.com or somewhere it can be read?

Here is the output by using certbot renew --verbose

http://pastebin.com/GTf6A54r

I deleted domain names for security reasons.
As you can see the whole process stops at Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org

Thank you for your help

Does it time out? Or what happens after the

Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org line?

As a note - all domain names are publicly listed as soon as certificates are obtained, so there is no "security" benefit of removing the domain name.

It doesn't time out, it seems. I have let it run overnight and it's still in the same spot.
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org is the last line…

Can you ping acme-v01.api.letsencrypt.org? What’s the output for traceroute acme-v01.api.letsencrypt.org?

Here is the output for ping and traceroute, looks normal to me?

http://pastebin.com/qWM2mcZd

Yep, that looks fine. From your previous run with --verbose (or a new one, if those logs are gone), can you check if the logs in /var/log/letsencrypt contain anything else other than the “Starting new HTTPS connection …” message?

Does curl -v https://acme-v01.api.letsencrypt.org/directory succeed?
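The checks suggested in this thread (ping, traceroute, curl to the directory URL, and reading /var/log/letsencrypt) can be bundled into one small diagnostic. The script below is an added example, not code from the thread or from Certbot: it puts a hard deadline on the curl request so a silent firewall drop shows up as a timeout instead of a hang, translates curl's exit status into a likely cause, and scans a Certbot log to tell whether the last "Starting new HTTPS connection" line was ever followed by an HTTP response. The default host is the one used in this thread; the function names and the log-line pattern are assumptions of this example.

```shell
#!/bin/sh
# Added diagnostic helper for a client that hangs at "Starting new HTTPS connection".
# Not part of the thread or of Certbot; function names are this example's own.

# Map a curl exit status to a likely cause. The codes are curl's documented values:
# 0 success, 6 could not resolve host, 7 failed to connect, 28 timed out, 35 TLS failure.
classify_curl_exit() {
  case "$1" in
    0)  echo "ok: HTTPS request completed" ;;
    6)  echo "dns: could not resolve host (check /etc/resolv.conf)" ;;
    7)  echo "refused: TCP connect failed (port closed or reset)" ;;
    28) echo "timeout: no reply before the deadline (typical of a firewall silently dropping 443)" ;;
    35) echo "tls: handshake failed (intercepting proxy or broken TLS stack)" ;;
    *)  echo "other: curl exit status $1" ;;
  esac
}

# Read Certbot log text on stdin and report whether the last
# "Starting new HTTPS connection" was followed by an HTTP request/response line
# (the urllib3-style '"GET /directory HTTP/1.1" 200 ...' entry).
# Prints "none" (never started), "completed" or "hung".
acme_log_state() {
  awk '
    /Starting new HTTPS connection/          { started = 1; done = 0; next }
    started && /"(GET|POST|HEAD) [^"]* HTTP\/1/ { done = 1 }
    END {
      if (!started) print "none"
      else if (done) print "completed"
      else print "hung"
    }
  '
}

# Live probe with a deadline, so it cannot sit forever like the client did.
# Usage: acme_probe [host] [timeout_seconds]
acme_probe() {
  host="${1:-acme-v01.api.letsencrypt.org}"   # endpoint from the thread; substitute your CA's directory host
  deadline="${2:-15}"
  printf 'resolving %s: ' "$host"
  getent hosts "$host" || { echo "FAILED"; return 6; }
  curl -sS -o /dev/null --max-time "$deadline" "https://$host/directory"
  rc=$?
  echo "curl exit $rc -> $(classify_curl_exit "$rc")"
  return "$rc"
}

# Only touch the network when explicitly asked: ./acme_diag.sh --probe [host] [timeout]
if [ "${1:-}" = "--probe" ]; then
  acme_probe "${2:-}" "${3:-}"
fi
```

To check an existing log without the network, feed it in: `acme_log_state < /var/log/letsencrypt/letsencrypt.log`. A "hung" result combined with a curl exit of 28 from `acme_probe` points at something between the host and the CA dropping port 443 outbound, which is exactly the firewall case the original poster eventually found.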

curl seems to succeed:
[root@srvwb-mid-001 ~]# curl -v https://acme-v01.api.letsencrypt.org/directory

The log files don't go any further than the Starting new HTTPS connection message, hmm, this does not get easier!

EDIT: I got a little further, it seemed that the Cisco firewall was blocking the connection… I am going to open the firewall and try to renew the cert after. I will post the outcome…

My certificate is successfully renewed. In the end it was just a Cisco firewall problem on my side, thank you all for your help! :slight_smile:
