Can't renew certificate

Pancho · November 14, 2023, 1:36pm

Hi everyone.

This is the first time that i'm having issues with let's encrypt.

I've used this to tutorial to install moodle and certbot.

That went down great and I was actually able to retrieve the first certificate correctly.

Now I can't.

I ran this command: certbot certonly -v -d lms.kairosmining.com

It produced this output: root@SSVMLMS01:~# certbot certonly -v -d lms.kairosmining.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?

1: Nginx Web Server plugin (nginx)
2: Runs an HTTP server locally which serves the necessary validation files under
the /.well-known/acme-challenge/ request path. Suitable if there is no HTTP
server already running. HTTP challenge only (wildcards not supported).
(standalone)
3: Saves the necessary validation files to a .well-known/acme-challenge/
directory within the nominated webroot path. A seperate HTTP server must be
running and serving files from the webroot path. HTTP challenge only (wildcards
not supported). (webroot)

Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 1
Plugins selected: Authenticator nginx, Installer nginx
Certificate is due for renewal, auto-renewing...
Renewing an existing certificate for lms.kairosmining.com
Performing the following challenges:
http-01 challenge for lms.kairosmining.com
Waiting for verification...
Challenge failed for domain lms.kairosmining.com
http-01 challenge for lms.kairosmining.com

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: lms.kairosmining.com
Type: connection
Detail: 200.75.4.214: Fetching http://lms.kairosmining.com/.well-known/acme-challenge/HNW7SfwOEyo-7oInnhMN_mjt9Fg8Faiuhg016a_jlIo: Error getting validation data

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Cleaning up challenges
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): nginx/1.24.0

The operating system my web server runs on is (include version): Ubuntu 22.04.3 LTS

My hosting provider, if applicable, is: selfhosted

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.7.4

Any help would be great.

Thanks.

rg305 · November 14, 2023, 2:40pm

Hi @Pancho, and welcome to the LE community forum

Your website isn't working:

curl -Ii http://lms.kairosmining.com/
curl: (56) Recv failure: Connection reset by peer

Lms.kairosmining.com - Is Lms Down Right Now? (isitdownrightnow.com)

Bruce5051 · November 15, 2023, 3:26am

Ports 80 & 443 are being filtered, do you have a firewall?

$ nmap -Pn -p80,443 lms.kairosmining.com
Starting Nmap 7.80 ( https://nmap.org ) at 2023-11-15 03:19 UTC
Nmap scan report for lms.kairosmining.com (200.75.4.214)
Host is up.
rDNS record for 200.75.4.214: static.200.75.4.214.gtdinternet.com

PORT    STATE    SERVICE
80/tcp  filtered http
443/tcp filtered https

Nmap done: 1 IP address (1 host up) scanned in 3.99 seconds

Using the online tool Let's Debug yields these results https://letsdebug.net/lms.kairosmining.com/1676021
See the second ERROR below @3153ms: Experienced error: dial tcp 200.75.4.214:80: connect: no route to host

ANotWorking
ERROR
lms.kairosmining.com has an A (IPv4) record (200.75.4.214) but a request to this address over port 80 did not succeed. Your web server must have at least one working IPv4 or IPv6 address.
Get "http://lms.kairosmining.com/.well-known/acme-challenge/letsdebug-test": dial tcp 200.75.4.214:80: connect: no route to host

Trace:
@0ms: Making a request to http://lms.kairosmining.com/.well-known/acme-challenge/letsdebug-test (using initial IP 200.75.4.214)
@0ms: Dialing 200.75.4.214
@3153ms: Experienced error: dial tcp 200.75.4.214:80: connect: no route to host

IssueFromLetsEncrypt
ERROR
A test authorization for lms.kairosmining.com to the Let's Encrypt staging service has revealed issues that may prevent any certificate for this domain being issued.
200.75.4.214: Fetching http://lms.kairosmining.com/.well-known/acme-challenge/3WDJR0F85sdpw9IUNVbL_RJCFzrOpRQOLN-Yevs3cAk: Error getting validation data

Pancho · November 15, 2023, 3:20pm

Hi everyone.

You were absolutely right!.

There were missing some NAT rules on the firewall.

Now I can refresh the certificate with no problem.

Thanks again!