Can't renew certificates


My domain is:

  1. bazioware.ddns.net (Apache server for Nextcloud, Drupal etc.)
  2. lege.ddns.net (Prosody XMPP server)
  3. sendme.ddns.net (serves files for XMPP)

I ran this command: letsencrypt renew

It produced this output:
Same for all 3 domains (here for the first one)

2024-06-04 09:14:46,481:DEBUG:acme.client:Storing nonce: Df5PeVqQJb4Yq0pvD3iHaDYdpWOXuJkfpxA6-T8Q4wHT42GhcTI
2024-06-04 09:14:46,486:INFO:certbot._internal.auth_handler:Challenge failed for domain bazioware.ddns.net
2024-06-04 09:14:46,487:INFO:certbot._internal.auth_handler:http-01 challenge for bazioware.ddns.net
2024-06-04 09:14:46,490:DEBUG:certbot._internal.display.obj:Notifying user: 
Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
  Domain: bazioware.ddns.net
  Type:   connection
  Detail: 188.117.250.161: Fetching http://bazioware.ddns.net/.well-known/acme-challenge/OW9OyC8G84G1YpSASKceipB6hJHO_C8v-eUhTzoEj8o: Timeout after connect (your server may be slow or overloaded)

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

2024-06-04 09:14:46,511:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python3.9/site-packages/certbot/_internal/auth_handler.py", line 108, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
  File "/usr/lib/python3.9/site-packages/certbot/_internal/auth_handler.py", line 212, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2024-06-04 09:14:46,517:DEBUG:certbot._internal.error_handler:Calling registered functions
2024-06-04 09:14:46,519:INFO:certbot._internal.auth_handler:Cleaning up challenges
2024-06-04 09:14:50,002:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/letsencrypt", line 33, in <module>
    sys.exit(load_entry_point('certbot==2.6.0', 'console_scripts', 'certbot')())
  File "/usr/lib/python3.9/site-packages/certbot/main.py", line 19, in main
    return internal_main.main(cli_args)
  File "/usr/lib/python3.9/site-packages/certbot/_internal/main.py", line 1864, in main
    return config.func(config, plugins)
  File "/usr/lib/python3.9/site-packages/certbot/_internal/main.py", line 1597, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/usr/lib/python3.9/site-packages/certbot/_internal/main.py", line 129, in _get_and_save_cert
    renewal.renew_cert(config, domains, le_client, lineage)
  File "/usr/lib/python3.9/site-packages/certbot/_internal/renewal.py", line 395, in renew_cert
    new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
  File "/usr/lib/python3.9/site-packages/certbot/_internal/client.py", line 428, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python3.9/site-packages/certbot/_internal/client.py", line 496, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
  File "/usr/lib/python3.9/site-packages/certbot/_internal/auth_handler.py", line 108, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
  File "/usr/lib/python3.9/site-packages/certbot/_internal/auth_handler.py", line 212, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
2024-06-04 09:14:50,021:ERROR:certbot._internal.log:Some challenges have failed.

My web server is (include version): Apache 2.4.59

The operating system my web server runs on is (include version): Slackware 15 Linux

My hosting provider, if applicable, is: Home server

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.6.0

More info
Certificate renewal has worked fine for the last 4-5 years using a cron job. Only 2 or 3 times did I have to renew them manually from the command line.
Last month I got the above message for all three of them.
Is this the problem described here:
"Unexpected renewal failures since April 2024? Please read this!"
or does it have to do with my server?
Is it a Python 3 problem (version 3.9.19) in combination with Certbot?
I didn't change anything in any config file.
I get domain names from no-ip.com and I can't use the "TXT records" solution for the DNS-01 challenge (free package).
Stopping services, stopping the firewall and rebooting didn't help. Nothing special about an "overloaded server".
This is not a professional server, it's just my hobby.
Thanks in advance!

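A small triage helper for the failure block above, added here as an example (it is not part of the post or of Certbot): it pulls the Domain/Type/Detail block out of a certbot log and maps the CA's problem type to the first thing to check, so that a "connection" failure with "Timeout after connect" is recognised as a reachability problem rather than a client or Python problem. The sample log is constructed from the lines quoted in the post.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the "problems" block certbot printed in the post above.
SAMPLE_LOG = """\
2024-06-04 09:14:46,486:INFO:certbot._internal.auth_handler:Challenge failed for domain bazioware.ddns.net
Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
  Domain: bazioware.ddns.net
  Type:   connection
  Detail: 188.117.250.161: Fetching http://bazioware.ddns.net/.well-known/acme-challenge/OW9OyC8G84G1YpSASKceipB6hJHO_C8v-eUhTzoEj8o: Timeout after connect (your server may be slow or overloaded)
"""

@dataclass
class ChallengeProblem:
    domain: str
    ctype: str                   # certbot's "Type:" field: connection, unauthorized, dns, ...
    detail: str
    validator_ip: Optional[str]  # address the CA reports it fetched from, if present
    url: Optional[str]           # challenge URL the CA tried, if present
    diagnosis: str

# One Domain/Type/Detail triple as certbot prints it; Detail is taken as a single line.
_PROBLEM_RE = re.compile(
    r"Domain:\s*(?P<domain>\S+)\s+Type:\s*(?P<type>\S+)\s+Detail:[ \t]*(?P<detail>[^\n]+)")
_IP_RE = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}|[0-9a-fA-F:]+):\s")
_URL_RE = re.compile(r"https?://\S+?/\.well-known/acme-challenge/[A-Za-z0-9_-]+")

def diagnose(ctype: str, detail: str) -> str:
    """Map the CA's problem type/detail to the first thing a server admin should check."""
    d = detail.lower()
    if ctype == "connection" and "timeout after connect" in d:
        return ("TCP connect succeeded but no HTTP reply arrived in time: check for an "
                "upstream firewall, ISP filtering or rate limiting, and confirm port 80 "
                "answers from several vantage points, not only from your own network")
    if ctype == "connection":
        return "port 80 not reachable from the CA: check DNS, NAT/port forwarding and firewall"
    if ctype == "unauthorized":
        return "server reachable but served the wrong challenge content: check vhosts and redirects"
    if ctype == "dns":
        return "the CA could not resolve the name: check the DNS records"
    return "unrecognised problem type; read the Detail line"

def parse_certbot_problems(log: str) -> List[ChallengeProblem]:
    """Extract every problem block certbot reported and attach a diagnosis to each."""
    problems = []
    for m in _PROBLEM_RE.finditer(log):
        detail = m.group("detail").strip()
        ip, url = _IP_RE.match(detail), _URL_RE.search(detail)
        problems.append(ChallengeProblem(
            domain=m.group("domain"), ctype=m.group("type"), detail=detail,
            validator_ip=ip.group("ip") if ip else None,
            url=url.group(0) if url else None,
            diagnosis=diagnose(m.group("type"), detail)))
    return problems
```

Run it over the full `/var/log/letsencrypt/letsencrypt.log` to get one entry per failed domain; the `validator_ip` is the CA-side address that could not complete the fetch, which is useful when asking an ISP about filtering.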

Yes, your server is only accessible from some locations, not all, at least according to the online tool I tried:

In order to use the HTTP-01 challenge, Let's Encrypt requires that it can connect to your server from multiple locations around the world. If it's not a firewall on your system, perhaps it's one further upstream of you used by your router or Internet provider.

A FAQ with some more information on checking from multiple locations is also available:


Thanks for your response!
I'll check router settings again and contact my internet provider.
I've already used acme.sh with no luck and I suppose dehydrated will produce the same errors.
Is there any tutorial to manually (or somehow) get certs? Or any other ideas?


It sounds like your client end is fine, you should just use whichever one you're most comfortable with. But Let's Encrypt can't connect to your server from at least some of its locations, so it can't validate that you in fact control the domain name.

You may be able to work around it for now by using another CA (like passing --server https://acme.zerossl.com/v2/DV90 to certbot to try out ZeroSSL, or --server https://api.buypass.com/acme/directory to try BuyPass Go). But eventually all CAs will be checking from multiple locations, and you probably want to understand where your site is and isn't currently accessible from.


Finally, ZeroSSL did the trick!!!
I have to thank you once more.


I'm glad that worked for you, but as I said, be aware that it may just be a temporary workaround, as all CAs will eventually be checking from multiple locations.

