Can't Renew Certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.kdatest.com

I ran this command: certbot certonly --webroot

It produced this output:
022-06-10 07:42:25,306:DEBUG:acme.client:Storing nonce: 0002g6ddwtCtDrKIICdld8BAukYo424VQpAapUIwXFzAxcc
2022-06-10 07:42:25,306:WARNING:certbot._internal.auth_handler:Challenge failed for domain kdatest.com
2022-06-10 07:42:25,306:INFO:certbot._internal.auth_handler:http-01 challenge for kdatest.com
2022-06-10 07:42:25,306:DEBUG:certbot._internal.reporter:Reporting to user: The following errors were reported by the server:

Domain: kdatest.com
Type: connection
Detail: 162.114.8.73: Fetching http://kdatest.com/.well-known/acme-challenge/aXHJh7govlJsS7zA5nUHOw8l2PjhYQ4EhZaW2QmU9wI: Timeout after connect (your server may be slow or overloaded)

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you're using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.

My web server is (include version): IIS 10

The operating system my web server runs on is (include version): Windows Server 2014

My hosting provider, if applicable, is: Self-hosted

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.5.0

I have attempted multiple times to verify my domain, i am using the HTTP challenge to perform my validation and I can confirm from a PC inside my network and outside my network can download the file necessary for the challenge. Whenever I use certbot I get an error about timeout after connect, and receive the status is pending. Any help would definitely be appreciated.

Welcome to the community @taldorblackfire

It looks like you have a firewall that is blocking requests with the Let's Encrypt user-agent string. Examples:

curl -I www.kdatest.com/.well-known/acme-challenge/ForumTest
(404 is expected since ForumTest does not exist on your server)
HTTP/1.1 404 Not Found
Content-Length: 1245
Content-Type: text/html
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Date: Sun, 12 Jun 2022 15:16:31 GMT

curl -I -m10 www.kdatest.com/.well-known/acme-challenge/ForumTest -A "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
(requests from the Let's Encrypt server have a user-agent like in -A)
curl: (28) Operation timed out after 10000 milliseconds with 0 bytes received

You can test this using the Let's Debug test site which mimics the actual Let's Encrypt servers. Let's Debug also times out.

7 Likes

thanks for the quick reply! i appreciate the info. so, how do i make an exception to the firewall for this user-agent string?

1 Like

I don't know. You need to identify the firewall and review its settings. Are you really self-hosted (like at your home)? Or are you behind some other network gear? In that case you should discuss with those network admins. For example, this problem recently happened to someone at a university (see here).

5 Likes

Well, it is self-hosted in that we use Microsoft IIS but the server could be behind an additional firewall. I will have to do some investigation and report back. I appreciate your help.

3 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.