Can't renew expiring certificate (was working before)


My domains are:

I ran this command: letsencrypt-auto renew

It produced this output:

My web server is (include version): nginx/1.6.2

The operating system my web server runs on is (include version): Debian GNU/Linux 8.11 (jessie)

My hosting provider, if applicable, is: none, self-hosted at home

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

Issue Description: I have been using Let’s Encrypt with these 3 domains for 2-3 years, and renewal was always just working. But now it fails. I spent hours yesterday debugging and came to the conclusion that the problem lies in the Let’s Encrypt infrastructure: for some unknown reason it can’t reach my domains anymore (which is super weird). I checked the firewall and I checked the web server multiple times, and it’s all good. My conclusion is based on the fact that I see NO requests coming to my nginx instance (I switched to the webroot approach yesterday; until that moment it was working with the standalone approach).


cert = /etc/letsencrypt/live/
privkey = /etc/letsencrypt/live/
chain = /etc/letsencrypt/live/
fullchain = /etc/letsencrypt/live/
version = 0.27.1
archive_dir = /etc/letsencrypt/archive/

# Options and defaults used in the renewal process
# authenticator = standalone
account = <>
server =
# Uncomment to use the webroot authenticator. Replace webroot-path with the
# path to the public_html / webroot folder being served by your web server.
authenticator = webroot
[[webroot_map]] = /var/www/HTML = /var/www/HTML = /var/www/HTML

If something else is needed to debug the issue - just let me know!


Your server appears to either not be listening on port 80, or the port is filtered (by a firewall).


Of course I verified it!

nmap -p 80

Starting Nmap 7.01 ( ) at 2018-12-29 13:04 EET
Nmap scan report for (
Host is up (0.0019s latency).
rDNS record for
80/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 0.40 seconds

I ran this command from another server I have (it is connected to a different ISP).


Not according to , or two other locations that I tested from.


Oh… Connected to a remote machine in Vietnam and it turns out my ISP suddenly started blocking port 80 for Internet (Intranet is OK). Thank you for pointing me to these useful websites!
--preferred-challenges tls-sni did the trick for now, though I see it will get deprecated soon, which means I must get port 80 open :-\


Hi @fliker09

or you use dns-01 - validation.

Or - very new - you use which supports now tls-alpn, then only port 443 is required.


Wow, is impressive! Will switch to it when the time comes. As for dns-01 - Freenom DNS is not supported, so only manual update is possible using this method :-\
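The failure diagnosed in this thread (port 80 answering from one network while being filtered from the wider Internet) can be checked before a renewal with a small probe like the one below. It is an added example, not part of the original posts and not Let's Encrypt or certbot code; the function names and the probe token are hypothetical, and it only tells you something useful when run from a host outside your own ISP's network.

```python
import http.client
import socket
import sys
import urllib.error
import urllib.request

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"  # HTTP-01 path (RFC 8555)
# Ignore proxy environment variables so the probe connects directly.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))

def port_state(host, port=80, timeout=5.0):
    """Return 'open', 'closed' (refused), 'filtered' or 'unresolvable'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.gaierror:
        return "unresolvable"
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # timeout or ICMP unreachable: typical of a filter
        return "filtered"

def fetch_token(host, token, port=80, timeout=5.0):
    """GET the probe file as an HTTP-01 validator would; None on any failure."""
    url = f"http://{host}:{port}{CHALLENGE_PREFIX}{token}"
    try:
        with _OPENER.open(url, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace").strip()
    except (urllib.error.URLError, http.client.HTTPException, OSError):
        return None

def preflight(host, token, expected, port=80, timeout=5.0):
    """Summarise whether `host` could pass an HTTP-01 style fetch from here."""
    state = port_state(host, port, timeout)
    if state != "open":
        return f"port {port} {state}"
    body = fetch_token(host, token, port, timeout)
    if body is None:
        return "port open, challenge path not served"
    if body != expected:
        return "port open, unexpected content"
    return "ok"

if __name__ == "__main__":
    # Usage: preflight.py HOST TOKEN EXPECTED (TOKEN is a probe file you placed in the webroot)
    host, token, expected = sys.argv[1:4]
    print(preflight(host, token, expected))
```

A result of "filtered" from an outside host while the same probe returns "ok" from inside your own network points to upstream filtering rather than a web server or local firewall problem.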
