Can't renew certificate

My domain is: nipaelearning.nipa.ac.zm

I ran this command: certbot renew --dry-run

It produced this output: The following errors were reported by the server:

Domain: nipaelearning.nipa.ac.zm
Type: connection
Detail: 41.X.X.X: Fetching
http://nipaelearning.nipa.ac.zm/.well-known/acme-challenge/h5CITBOqdX1xWuqwx5rLTg6Nm6zgNfomcJ9KJ5Nt6sc:
Timeout during connect (likely firewall problem)

My web server is (include version): Apache/2.4.6 (CentOS)

The operating system my web server runs on is (include version): CentOS 7

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.11.0

Port 80 needs to be open for the http-01 challenge. I can't connect to your site using HTTP either. Please see Best Practice - Keep Port 80 Open - Let's Encrypt

Also note that it doesn't make much sense to redact an IP address with the entire hostname next to it: the hostname resolves to the same IP address, so is public knowledge.

5 Likes

Port 80 is already open:
The result I get with the command: netstat -tulpn | grep --color :80
tcp 0 0 127.0.0.1:80 0.0.0.0:* LISTEN 1974/httpd

Result of firewall-cmd --zone=public --list-all:
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: dhcpv6-client, http https mysql ssh
ports: 5404/tcp 5405/tcp 2224/tcp 7788/tcp 80/tcp 443/tcp 7799/tcp 7789/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

I have checked other posts with the same issue and most of them are suggesting opening port 80 but it is already open.

That shows 127.0.0.1
How is that being reached by anyone on the Internet?

4 Likes
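The diagnosis in the reply above (httpd bound to 127.0.0.1:80 only, so no external validator can reach it) can be turned into a pre-renewal check. The script below is an added example, not from this thread or from Certbot: it parses netstat -tulpn and firewall-cmd --list-all style output and reports whether port 80 is bound to a reachable address and allowed through firewalld. The sample outputs are constructed to mirror what was posted in the thread.

```shell
#!/bin/sh
# Pre-flight check for the http-01 challenge (added example, not project code).
# Constructed sample modelled on the thread's netstat output: httpd on loopback only.
SAMPLE_NETSTAT='tcp 0 0 127.0.0.1:80 0.0.0.0:* LISTEN 1974/httpd
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 1974/httpd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 812/sshd'
# Constructed sample modelled on the thread's firewalld zone listing.
SAMPLE_FIREWALL='services: dhcpv6-client, http https mysql ssh
ports: 5404/tcp 5405/tcp 2224/tcp 7788/tcp 80/tcp 443/tcp 7799/tcp 7789/tcp'

# port_bind_status PORT  (netstat -tulpn output on stdin)
# Prints: none | loopback-only | reachable
port_bind_status() {
  port="$1"; status=none
  while read -r proto rq sq local foreign state prog; do
    [ "$proto" = tcp ] || [ "$proto" = tcp6 ] || continue   # skip udp/header lines
    [ "$state" = LISTEN ] || continue
    addr="${local%:*}"; p="${local##*:}"                    # split "addr:port"
    [ "$p" = "$port" ] || continue
    case "$addr" in
      127.*|::1) [ "$status" = reachable ] || status=loopback-only ;;
      *)         status=reachable ;;   # 0.0.0.0, :: or a specific interface address
    esac
  done
  echo "$status"
}

# firewall_allows_http  (firewall-cmd --zone=ZONE --list-all output on stdin)
# Returns 0 if the zone permits the http service or 80/tcp explicitly.
firewall_allows_http() {
  while read -r key rest; do
    case "$key" in
      services:) case " $rest " in *" http "*) return 0 ;; esac ;;
      ports:)    case " $rest " in *" 80/tcp "*) return 0 ;; esac ;;
    esac
  done
  return 1
}

# http01_preflight NETSTAT_OUTPUT FIREWALL_OUTPUT -> one-line verdict.
# A loopback-only bind fails validation regardless of the firewall rules.
http01_preflight() {
  bind=$(printf '%s\n' "$1" | port_bind_status 80)
  if printf '%s\n' "$2" | firewall_allows_http; then fw=open; else fw=closed; fi
  echo "bind=$bind firewall=$fw"
}

http01_preflight "$SAMPLE_NETSTAT" "$SAMPLE_FIREWALL"
```

On a live host, feed it `netstat -tulpn` and `firewall-cmd --zone=public --list-all` instead of the samples; an upstream firewall (the thread's actual cause of the timeout) is outside what a local check can see.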

Still, I suspect a firewall (somewhere!) blocking port 80, because usually a non-bound port would result in an immediate "Connection closed" or something like that and not a timeout.

Timeouts are usually the result of a blocking firewall, dropping all packets, routing issues or incorrect IP address.

5 Likes

Something may have changed:

curl -Ii nipaelearning.nipa.ac.zm
HTTP/1.1 301 Moved Permanently
Date: Wed, 13 Jul 2022 14:43:28 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.3.33
Location: https://nipaelearning.nipa.ac.zm/
Content-Type: text/html; charset=iso-8859-1

4 Likes

That's a good thing :slight_smile:

I don't see a renewal for now, not yet anyway.

4 Likes

Finally managed to renew. It was a firewall issue: only 443 was allowed, and then I had to comment out the 'Listen 80' line in serverstatus.conf and uncomment the same line in httpd.conf. Silly mistake.

5 Likes
