Certbot domain not auto renewing


#1

One of my domains (and only one at the moment) is not updating through the cron script that I’ve written -

When I run this domain from the command line, I get:

Cleaning up challenges
Failed authorization procedure. tgmgroup.net (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://tgmgroup.net/.well-known/acme-challenge/8Ach_UliRll0vqcWUX70zkEf-y4UxmVf-wEkphsd-Zw: Timeout after connect (your server may be slow or overloaded)

IMPORTANT NOTES:

This domain is working and serving traffic as we would expect. We also redirect from www.tgmgroup.net to tgmgroup.net and that domain also has the failed authorization problem.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: tgmgroup.net

I ran this command: certbot-auto certonly --no-self-upgrade --dry-run -d tgmgroup.net

It produced this output:
see above
My web server is (include version):
Server version: Apache/2.4.7 (Ubuntu)
Server built: Jul 15 2016 15:34:04
The operating system my web server runs on is (include version):
Ubuntu 14.04
My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No


#2

If I run the command, but change the authentication to ‘Place files in webroot directory’ and provide the webroot directory, then it works on the dry-run. Is there a way to build that into the script for cron, or will certbot remember that I used that method?


#3

You can check what it “remembers” in the conf file for each cert (normally located at /etc/letsencrypt/renewal/)

As for tgmgroup.net not being able to renew…
The only thing I found so far that might be of concern is:
The domain forwards http to https - and although LE will follow the forwarding, the challenge request handling might not be handled correctly within the https block. Can’t be sure without seeing your vhost configs though.

For testing, please place a test.txt file in the challenge folder so we can see if it is accessible from the Internet via:
http://tgmgroup.net/.well-known/acme-challenge/test.txt
and
http://www.tgmgroup.net/.well-known/acme-challenge/test.txt
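
The check described in post #3, as an added example that is not part of the original thread: a shell script that reads every file in a renewal directory and prints the authenticator and webroot mappings certbot has stored for that certificate. The function names and the `example.test` sample file are constructed for illustration; `authenticator` and `[[webroot_map]]` are the entries certbot writes to these files.

```shell
#!/bin/sh
# Print the authenticator stored under [renewalparams] in one renewal file.
renewal_authenticator() {
    awk -F' *= *' '
        /^\[renewalparams\]/ { in_params = 1; next }
        in_params && $1 == "authenticator" { print $2; exit }
    ' "$1"
}

# Print "domain<TAB>webroot" for each entry of the [[webroot_map]] subsection.
renewal_webroots() {
    awk -F' *= *' '
        /^\[\[webroot_map\]\]/ { in_map = 1; next }
        /^\[/                  { in_map = 0 }
        in_map && NF == 2      { print $1 "\t" $2 }
    ' "$1"
}

# Summarise every lineage found in the directory given as $1.
audit_renewals() {
    for conf in "$1"/*.conf; do
        [ -f "$conf" ] || continue
        echo "$(basename "$conf" .conf): authenticator=$(renewal_authenticator "$conf")"
        renewal_webroots "$conf" | sed 's/^/  webroot: /'
    done
}

# Constructed sample in the layout certbot uses (hypothetical domain and paths).
write_sample() {
    cat > "$1/example.test.conf" <<'EOF'
cert = /etc/letsencrypt/live/example.test/cert.pem
[renewalparams]
authenticator = webroot
installer = None
[[webroot_map]]
example.test = /var/www/html
www.example.test = /var/www/html
EOF
}

# Demo on the constructed sample; on a real host, as root:
#   audit_renewals /etc/letsencrypt/renewal
demo=$(mktemp -d)
write_sample "$demo"
audit_renewals "$demo"
rm -rf "$demo"
```

A lineage that reports `webroot` here will be renewed with that method by a plain `certbot renew` from cron, with no extra flags in the script.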


#4

Thanks for the reply - it seems that my dry-run has fixed it - the cert was renewed by the cron job last night. I’m guessing that my switching verification method has stuck.

