Certbot always fails


#1

Hello,
The certbot renew command always worked for me in the past for 2 machines running CentOS. When I try to renew my certs now, I always get the same error on both machines. I usually forwarded port 443 (for verification) to one machine, renewed the cert and later I changed port 443 to direct to the other machine so I could renew that certificate. Now this doesn’t seem to work anymore … Since my old certificate has not expired yet, everything still works but not for long if I can’t renew the certificate. When I try accessing the webpage from the public site on port 443, the webserver is displayed, so my port 443 is open to this machine… Any ideas?

Regards,
Jonas

certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/mydomain.com.conf


Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for mydomain.com
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (mydomain.com) from /etc/letsencrypt/renewal/mydomain.com.conf produced an unexpected error: Failed authorization procedure. mydomain.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://mydomain.com/.well-known/acme-challenge/jVmEY5Js3LOdyAa5kr9D4DXrJc_Sg3uEVn7_cChwuz0: Timeout during connect (likely firewall problem). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/mydomain.com/fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/mydomain.com/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: mydomain.com
    Type: connection
    Detail: Fetching
    http://mydomain.com/.well-known/acme-challenge/jVmEY5Js3LOdyAa5kr9D4DXrJc_Sg3uEVn7_cChwuz0:
    Timeout during connect (likely firewall problem)

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.


#2

Hi Jonas,

There was a change that took effect last month that requires the use of port 80 instead of port 443 for validation. You should have received an e-mail notification from Let’s Encrypt following your most recent renewal about this issue; I’m sorry if that didn’t come to the right place or if you didn’t notice it. The current validation options are described at

The Certbot-specific implications of this are described in

as well as a number of other places on this forum.

The basic summary related to your situation is that you’ll probably now need to forward port 80 in addition to port 443 for the validation to continue working.
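
The failure mode in this thread (TCP connect to port 80 times out, so the CA never reaches the challenge file) is cheap to check before running certbot. The script below is an added example, not part of the thread or of certbot: it fetches the HTTP-01 URL the way the CA would and classifies the result into "DNS", "timeout (firewall/port forward)", "refused (nothing listening)", "wrong file (webroot/path)" and "ok". The token, the file content and the throwaway local web server are constructed for the demo; a real ACME challenge file contains the key authorization (`<token>.<JWK thumbprint>`), which is why the expected body is a parameter. Note that Let's Encrypt validates from several external vantage points, so run the probe against the real hostname from a machine outside the LAN, not from the server itself.

```python
"""Pre-flight check for ACME HTTP-01: is http://<host>/.well-known/acme-challenge/<token>
reachable on port 80 before certbot is run?  Added example with hypothetical names."""
import http.client
import os
import socket
import tempfile
import threading
from functools import partial
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer

# Hypothetical token. A real challenge file holds the key authorization
# ("<token>.<JWK thumbprint>"); the probe compares against whatever `expected` is.
TOKEN = "preflight-token"


def probe_http01(host, port=80, token=TOKEN, expected=TOKEN, timeout=5.0):
    """Fetch the challenge URL like the CA would and classify the outcome.

    Returns (status, detail), status being one of:
      'dns'        name does not resolve
      'timeout'    TCP connect/read timed out  -> certbot's "likely firewall problem"
      'refused'    TCP connect refused         -> nothing listening / forwarded to wrong host
      'wrong-file' HTTP answered, but not 200 with the expected body -> webroot/path problem
      'ok'         challenge path served the expected content
    """
    path = f"/.well-known/acme-challenge/{token}"
    try:
        socket.getaddrinfo(host, port)
    except socket.gaierror as exc:
        return "dns", str(exc)
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host, "User-Agent": "http01-preflight"})
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", errors="replace").strip()
    except socket.timeout:
        return "timeout", "connect/read timed out (likely firewall or port-forward problem)"
    except ConnectionRefusedError as exc:
        return "refused", str(exc)
    except OSError as exc:
        return "error", str(exc)
    finally:
        conn.close()
    if resp.status == 200 and body == expected:
        return "ok", body
    return "wrong-file", f"HTTP {resp.status}: {body[:80]!r}"


class QuietHandler(SimpleHTTPRequestHandler):
    """Static file handler that does not log every request to stderr."""
    def log_message(self, *args):
        pass


def serve_webroot(token=TOKEN, content=TOKEN):
    """Start a throwaway local HTTP server whose webroot carries the challenge file.
    Stands in for the real web server on port 80; returns (server, port)."""
    root = tempfile.mkdtemp(prefix="webroot-")
    chal_dir = os.path.join(root, ".well-known", "acme-challenge")
    os.makedirs(chal_dir)
    with open(os.path.join(chal_dir, token), "w", encoding="utf-8") as fh:
        fh.write(content)
    server = ThreadingHTTPServer(("127.0.0.1", 0), partial(QuietHandler, directory=root))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def unused_port():
    """A local port nothing listens on, to show what an unforwarded port looks like."""
    with socket.socket() as sock:
        sock.bind(("127.0.0.1", 0))
        return sock.getsockname()[1]


if __name__ == "__main__":
    server, port = serve_webroot()
    print("reachable webroot:", probe_http01("127.0.0.1", port))
    print("wrong path:       ", probe_http01("127.0.0.1", port, token="no-such-token"))
    server.shutdown()
    server.server_close()
    print("nothing on port:  ", probe_http01("127.0.0.1", unused_port()))
    # Against the real host, from outside the LAN: probe_http01("mydomain.com")
```

The "timeout" branch is the one that corresponds to the error quoted above; "refused" usually means the port forward points at a host with nothing listening on 80, and "wrong-file" means the request arrived but the web server is not serving the `.well-known/acme-challenge` directory certbot wrote to.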


#3

Thanks, that solved the problem. Port 80 was obviously closed…
Regards,
Jonas