Cert renewal with dry-run succeeds, but fails on actual renewal

My cert renewal succeeds wth the --dry-run option

** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:

However when I run the renewal script command: sudo ./letsencrypt-auto renew

…it fails, producing this output:
Attempting to renew cert from /etc/letsencrypt/renewal/<my-domain.com>.conf produced an unexpected error: Failed authorization procedure. […] :acme:error:connection :: The server could not connect to the client to verify the domain :: […]

An apparent timeout error…

I have verified that the LetsEncrypt IP ( is whitelisted for TCP (port 80)/HTTP requests to my server, which is not publicly web accessible. Do I need to whitelist some additional IP(s)…?

My web server is: Apache 2.4; I believe it is properly configured; the operating system my web server runs on is RedHat Linux 7. And I am able to run the script as root. Any help would be greatly appreciated!

Yes, the staging server and the production server may contact you from different IP addresses. What's more, whitelisting verification server IP addresses is not a use case supported by Let's Encrypt.

Let's Encrypt is actively pursuing making validation IP addresses more unpredictable:

If you don't want to allow connections to your server from arbitrary addresses during the validation process, you should use the DNS-01 challenge method and prove your control of the domain name by creating a specified DNS record.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.