Certbot failed to authenticate domain, renew

My domain is: rosds.ddns.net

I ran this command: certbot --apache

It produced this output:

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: rosds.ddns.net
Type: connection
Detail: 109.173.125.183: Fetching http://rosds.ddns.net/.well-known/acme-challenge/6Ic-RySt-nZ4vKjgtAm-TUuPtgVCKsXzBHCYmt4uBNw: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

My web server is (include version): Apache/2.4.52 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 22.04.3 LTS

My hosting provider, if applicable, is: self-hosted server

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.6.0

But the site is available under the domain name. But for the IP, no.

Your firewall doesn't like robots. Tell your firewall robots are ok.

ufw is disabled.

The router is a TP-Link AX1500 Wi-Fi 6 Router. The SPI firewall is off now, but now it says "too many failed authorizations recently":

Seems I need to wait...

Please use the staging environment for testing.

Did you portmap ports 80 and 443 to the server?

Your website is live, I can see it.

But, I can only see it with a "human" browser. If I try with something more programmatic, I get a timeout just like Let's Encrypt. Some kind of software is doing that, either on your part, or your ISP.

Ok, you did turn it off.

❯ curl -IL http://rosds.ddns.net/.well-known/acme-challenge/6Ic-RySt-nZ4vKjgtAm-TUuPtgVCKsXzBHCYmt4uBNw
HTTP/1.1 301 Moved Permanently
Date: Wed, 06 Sep 2023 13:16:03 GMT
Server: Apache
Location: https://rosds.ddns.net/.well-known/acme-challenge/6Ic-RySt-nZ4vKjgtAm-TUuPtgVCKsXzBHCYmt4uBNw
Content-Type: text/html; charset=iso-8859-1

HTTP/1.1 404 Not Found
Date: Wed, 06 Sep 2023 13:16:04 GMT
Server: Apache
X-Content-Type-Options: nosniff
Set-Cookie: d23dc1a29125d8a133ceb8812b573280=3fb8gkpbrpbt7s4p3f1a1oltqd; path=/; secure; HttpOnly
x-frame-options: ALLOW-FROM https://nc.rosds.ru/
referrer-policy: strict-origin-when-cross-origin
cross-origin-opener-policy: same-origin
Expires: Wed, 17 Aug 2005 00:00:00 GMT
Last-Modified: Wed, 06 Sep 2023 13:16:04 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
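The check described in the reply above, as an added example that is not part of this thread: a small Python probe that fetches the challenge URL the way an ACME validator would (plain HTTP on port 80, a short connect timeout, a non-browser User-Agent) and classifies what comes back, so a connect timeout (port 80 not forwarded or filtered upstream) can be told apart from the 301-then-404 in the curl output, which Let's Encrypt accepts as long as the redirect target on port 443 also answers. The hostname, token, User-Agent strings and the sample responses are assumptions made for illustration.

```python
"""Probe an ACME HTTP-01 challenge URL the way a validation server would.

Added example for the thread, not certbot's or Let's Encrypt's code.
Host, token and User-Agent strings are assumptions for illustration.
"""
import socket
import ssl
from urllib.parse import urlsplit

CONNECT_TIMEOUT = 10  # seconds; a hang here is certbot's "Timeout during connect"

# Assumed User-Agents: one browser-like, one that looks like an automated client.
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/117.0"
ACME_UA = "Mozilla/5.0 (compatible; ACME-probe/1.0; +http://example.invalid)"


def parse_response(raw):
    """Parse an HTTP/1.x status line and headers from raw bytes.
    Returns (status_code, {lower-cased header name: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def classify(status, headers, host, path):
    """What a response to the challenge URL means for HTTP-01.
    Let's Encrypt follows redirects, so a 301 to the same path over https
    is fine if 443 is also reachable; 404 means no token is being served,
    which is expected whenever certbot is not in the middle of a challenge."""
    if status in (301, 302, 307, 308):
        loc = urlsplit(headers.get("location", ""))
        if loc.scheme == "https" and loc.hostname == host and loc.path == path:
            return "redirect-to-https"
        return "redirect-elsewhere"
    if status == 200:
        return "token-served"
    if status == 404:
        return "no-token"
    return "unexpected-%d" % status


def fetch(host, path, user_agent, port=80, use_tls=False, timeout=CONNECT_TIMEOUT):
    """Send one raw GET and return (status, headers), or a short error label.
    A timeout on connect or on the first read is reported the same way,
    since both look like a firewall drop from the validator's side."""
    req = ("GET %s HTTP/1.1\r\nHost: %s\r\nUser-Agent: %s\r\n"
           "Connection: close\r\n\r\n" % (path, host, user_agent)).encode()
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
        if use_tls:
            sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
        with sock:
            sock.sendall(req)
            raw = b""
            while b"\r\n\r\n" not in raw:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                raw += chunk
        return parse_response(raw)
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError as exc:  # DNS failure, TLS handshake failure, reset, ...
        return "error:%s" % exc.__class__.__name__


def probe(host, token):
    """Fetch the challenge path with both User-Agents and return a verdict
    per agent. A browser that works while the ACME-style agent times out
    points at an agent-filtering middlebox; both timing out points at port
    80 not being forwarded. A redirect to https is followed once on 443."""
    path = "/.well-known/acme-challenge/%s" % token
    results = {}
    for label, ua in (("browser", BROWSER_UA), ("acme", ACME_UA)):
        r = fetch(host, path, ua)
        if isinstance(r, str):
            results[label] = r
            continue
        verdict = classify(r[0], r[1], host, path)
        if verdict == "redirect-to-https":
            r2 = fetch(host, path, ua, port=443, use_tls=True)
            verdict += "/" + (r2 if isinstance(r2, str) else classify(r2[0], r2[1], host, path))
        results[label] = verdict
    return results


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "rosds.ddns.net"  # assumed default
    print(probe(host, sys.argv[2] if len(sys.argv) > 2 else "probe-token"))
```

Run it from a machine outside the home network, since validation comes from the public internet; from the LAN the router's forwarding rules and SPI firewall are not exercised. A result such as `{'browser': 'redirect-to-https/no-token', 'acme': 'timeout'}` is the pattern the reply above describes.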

No, only 443 was forwarded. Added 80. How soon can I try to renew the certificate again?

The error message should tell you. I think one hour, but find out in the documentation.

Yes, I read it, sorry.

well, I'll wait

Now Let's Debug says this:

IssueFromLetsEncrypt

WARNING

A test authorization for rosds.ddns.net to the Let's Encrypt staging service has revealed issues that may prevent any certificate for this domain being issued.

There may be internal issues on the staging service: Error retrieving account "https://acme-staging-v02.api.letsencrypt.org/acme/acct/5751349"

It doesn't anymore :smiling_imp:

You should test it using the staging environment. If that succeeds, you need to wait until the rate limit has been lifted, which you can find in the error message.

Successfully renewed! Thanks to all!

Please post the solution or choose a post that contains the solution.

The solution is:
turn off the SPI firewall on the router while renewing;
route port 80 on the router to the server.

That doesn't sound necessary.

Now that does.