Can't renew expiring certificate (was working before)

My domains are: fliker09.tk www.fliker09.tk mail.fliker09.tk

I ran this command: letsencrypt-auto renew

It produced this output: https://pastebin.com/eq47hDw5

My web server is (include version): nginx/1.6.2

The operating system my web server runs on is (include version): Debian GNU/Linux 8.11 (jessie)

My hosting provider, if applicable, is: none, self-hosted at home

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

Issue Description: I have been using Let’s Encrypt with these 3 domains for 2-3 years, and renewal always just worked. But now it fails. I spent hours yesterday debugging and came to the conclusion that the problem lies in the Let’s Encrypt infrastructure: for some unknown reason it can’t reach my domains anymore (which is super-weird). I checked the firewall and the web server multiple times and it’s all good. My conclusion is based on the fact that I see NO requests coming to my nginx instance (I switched to the webroot approach yesterday; until then it was working with the standalone approach).

Configuration:

cert = /etc/letsencrypt/live/fliker09.tk/cert.pem
privkey = /etc/letsencrypt/live/fliker09.tk/privkey.pem
chain = /etc/letsencrypt/live/fliker09.tk/chain.pem
fullchain = /etc/letsencrypt/live/fliker09.tk/fullchain.pem
version = 0.27.1
archive_dir = /etc/letsencrypt/archive/fliker09.tk

# Options and defaults used in the renewal process
[renewalparams]
# authenticator = standalone
account = <>
server = https://acme-v02.api.letsencrypt.org/directory
# Uncomment to use the webroot authenticator. Replace webroot-path with the
# path to the public_html / webroot folder being served by your web server.
authenticator = webroot
[[webroot_map]]
fliker09.tk = /var/www/HTML
mail.fliker09.tk = /var/www/HTML
www.fliker09.tk = /var/www/HTML

If something else is needed to debug the issue - just let me know!

Your server appears to either not be listening on port 80, or the port is filtered (by a firewall).

Of course I verified it!

nmap -p 80 fliker09.tk

Starting Nmap 7.01 ( https://nmap.org ) at 2018-12-29 13:04 EET
Nmap scan report for fliker09.tk (217.26.169.66)
Host is up (0.0019s latency).
rDNS record for 217.26.169.66: dsl66.araxinfo.com
PORT STATE SERVICE
80/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 0.40 seconds

I run this command from another server I have (it is connected to a different ISP).

Not according to https://letsdebug.net/fliker09.tk/13743 , https://downforeveryoneorjustme.com/fliker09.tk or two other locations that I tested from.


Oh… I connected to a remote machine in Vietnam, and it turns out my ISP suddenly started blocking port 80 from the Internet (intranet is OK). Thank you for pointing me to these useful websites!
--preferred-challenges tls-sni did the trick for now, though I see it will be deprecated soon, which means I must get port 80 open :-\
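The thread's lesson is that a webroot that serves the challenge file correctly from inside the network tells you nothing about whether the CA can reach it: the decisive test is the one made from outside the ISP. As an added example (not code from anyone in this thread or from certbot), the script below parses the `[[webroot_map]]` section of a renewal config like the one posted above, writes a throwaway token under `.well-known/acme-challenge/` the way an http-01 validation expects, fetches it back over HTTP, and then turns the local and external results into a diagnosis. To run offline it serves the webroot from a loopback `http.server` standing in for nginx; the directory layout under a temp dir, the `diagnose` function and the sample config text are constructed for this example.

```python
"""Webroot (http-01) self-check: does the configured webroot serve a token,
and does the answer differ between a local and an external view?"""
import http.server
import os
import secrets
import tempfile
import threading
import urllib.request
from functools import partial

# Constructed sample: the relevant part of the renewal config posted above.
SAMPLE_RENEWAL_CONF = """\
[renewalparams]
# authenticator = standalone
authenticator = webroot
[[webroot_map]]
fliker09.tk = /var/www/HTML
mail.fliker09.tk = /var/www/HTML
www.fliker09.tk = /var/www/HTML
"""


def parse_webroot_map(text):
    """Return {domain: webroot_path} from a certbot renewal config.

    certbot writes the map as a configobj '[[webroot_map]]' subsection, which
    configparser cannot read, so the lines are walked by hand.
    """
    mapping = {}
    in_map = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_map = line == "[[webroot_map]]"
            continue
        if in_map and "=" in line:
            domain, path = (part.strip() for part in line.split("=", 1))
            mapping[domain] = path
    return mapping


class _QuietHandler(http.server.SimpleHTTPRequestHandler):
    def log_message(self, *args):  # keep the self-test output clean
        pass


def serve_webroot(webroot):
    """Loopback HTTP server rooted at webroot (stands in for nginx here)."""
    handler = partial(_QuietHandler, directory=webroot)
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def check_challenge_served(webroot, base_url):
    """Write a random token into the challenge dir and fetch it via base_url.

    base_url is whatever listener you want to verify: a loopback server in
    this example, the public hostname when run from outside the ISP.
    """
    chal_dir = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(chal_dir, exist_ok=True)
    token = secrets.token_urlsafe(16)
    path = os.path.join(chal_dir, token)
    with open(path, "w") as f:
        f.write(token)
    try:
        url = f"{base_url}/.well-known/acme-challenge/{token}"
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.status == 200 and resp.read().decode() == token
    except (OSError, ValueError):
        return False
    finally:
        os.remove(path)


def self_test(conf_text):
    """Run the served-file check once per distinct configured webroot.

    The configured paths are recreated under a temp dir so this runs offline;
    returns {configured_webroot: bool}.
    """
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for mapped in parse_webroot_map(conf_text).values():
            if mapped in results:
                continue
            webroot = os.path.join(tmp, mapped.lstrip("/"))
            os.makedirs(webroot, exist_ok=True)
            srv, port = serve_webroot(webroot)
            try:
                results[mapped] = check_challenge_served(
                    webroot, f"http://127.0.0.1:{port}")
            finally:
                srv.shutdown()
                srv.server_close()
    return results


def diagnose(local_ok, external_ok):
    """Combine the inside and outside views into the thread's three outcomes."""
    if local_ok and external_ok:
        return "ok"
    if local_ok and not external_ok:
        return "port 80 blocked upstream"
    return "webroot misconfigured"


if __name__ == "__main__":
    local = self_test(SAMPLE_RENEWAL_CONF)
    print("local self-test:", local)
    # An external probe (e.g. from a host on another ISP) supplies the second
    # value; here it is set to False to reproduce the situation in the thread.
    print(diagnose(all(local.values()), False))
```

The `port 80 blocked upstream` branch is exactly the case the original poster hit: the nmap run from inside the same ISP's network reported the port open and the webroot was fine, yet external checkers could not connect, so the blocking point was between the Internet and the ISP, not on the server.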

Hi @fliker09

Or you use dns-01 validation.

Or, very new, you use acme.sh, which now supports tls-alpn; then only port 443 is required.


Wow, acme.sh is impressive! Will switch to it when the time comes. As for dns-01: Freenom DNS is not supported, so only a manual update is possible using this method :-\
