Cert renewal with dry-run succeeds, but fails on actual renewal


#1

My cert renewal succeeds with the --dry-run option

[…]
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
[…]

However when I run the renewal script command: sudo ./letsencrypt-auto renew

…it fails, producing this output:
Attempting to renew cert from /etc/letsencrypt/renewal/<my-domain.com>.conf produced an unexpected error: Failed authorization procedure. […] :acme:error:connection :: The server could not connect to the client to verify the domain :: […]

An apparent timeout error…

I have verified that the LetsEncrypt IP (66.133.109.36) is whitelisted for TCP (port 80)/HTTP requests to my server, which is not publicly web accessible. Do I need to whitelist some additional IP(s)…?

My web server is: Apache 2.4; I believe it is properly configured; the operating system my web server runs on is RedHat Linux 7. And I am able to run the script as root. Any help would be greatly appreciated!


#2

Yes, the staging server and the production server may contact you from different IP addresses. What’s more, whitelisting verification server IP addresses is not a use case supported by Let’s Encrypt.

Let’s Encrypt is actively pursuing making validation IP addresses more unpredictable:

If you don’t want to allow connections to your server from arbitrary addresses during the validation process, you should use the DNS-01 challenge method and prove your control of the domain name by creating a specified DNS record.
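To make the DNS-01 advice above concrete, here is an added worked example (my own code, not anything from this thread or from certbot) of what the challenge actually requires the client to publish and what the CA checks. It follows RFC 8555 (ACME) and RFC 7638 (JWK thumbprint): the CA hands the client a token, the client publishes base64url(SHA-256(token + "." + thumbprint)) as a TXT record at `_acme-challenge.<domain>`, and the CA reads that record over DNS. No inbound connection from any validation IP reaches the web server, which is why the whitelisting question goes away. The token and the JWK values in the block are constructed placeholders, not a real key.

```python
# Added example: DNS-01 record construction and the CA-side check.
# Not code from the thread or from certbot; RFC 8555 / RFC 7638 semantics.
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as used throughout ACME."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over canonical JSON of the required members only."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """token.thumbprint, binding the challenge to the account key."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_txt_value(token: str, jwk: dict) -> str:
    """The exact string the client must publish in the TXT record."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return b64url(digest)


def dns01_record(domain: str, token: str, jwk: dict) -> tuple:
    """(record name, record value) the client creates; the name is fixed by the spec."""
    return f"_acme-challenge.{domain}", dns01_txt_value(token, jwk)


def ca_validates(published_txt: list, token: str, jwk: dict) -> bool:
    """CA side: fetch the TXT RRset and accept if any RR matches the expected value."""
    expected = dns01_txt_value(token, jwk)
    return any(rr == expected for rr in published_txt)


# Constructed sample inputs (placeholder values, not a real account key or token).
SAMPLE_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "placeholder-modulus-base64url-value",
    "alg": "RS256",  # not part of the thumbprint; shows that extra members are ignored
}
SAMPLE_TOKEN = "constructed-token-from-the-CA"


def demo() -> dict:
    """Build the record for example.com and show the CA accepting it and rejecting a stale one."""
    name, value = dns01_record("example.com", SAMPLE_TOKEN, SAMPLE_JWK)
    # A zone that still carries an old record plus the fresh one.
    zone_txt = ["stale-value-from-a-previous-renewal", value]
    return {
        "record_name": name,
        "record_value": value,
        "accepted": ca_validates(zone_txt, SAMPLE_TOKEN, SAMPLE_JWK),
        "rejected_wrong_token": ca_validates(zone_txt, "some-other-token", SAMPLE_JWK),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice certbot's DNS plugins, or `certbot --manual --preferred-challenges dns`, compute and place this record for you; the example only makes visible what they put in the zone and why a firewall rule on port 80 plays no part in it.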

