Certbot failed to authenticate some domains

My domain is: www.brosz.works

I ran this command: certbot --nginx -d www.brosz.works -d emby.brosz.works

It produced this output:

Renewing an existing certificate for www.brosz.works and emby.brosz.works

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: emby.brosz.works
Type: connection
Detail: During secondary validation: 71.211.92.240: Fetching http://emby.brosz.works/.well-known/acme-challenge/jzDmj6IWEpztIeTyTFOIIhMoHgE1uzPu0Rnzx_nxVfU: Timeout during connect (likely firewall problem)

Domain: www.brosz.works
Type: connection
Detail: During secondary validation: 71.211.92.240: Fetching http://www.brosz.works/.well-known/acme-challenge/7jzH_vrf-GxURjHCen3b4Pcq4ovdsFjVqJK8Vp-10ZA: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Some challenges have failed.

My web server is (include version): Nginx 1.18

The operating system my web server runs on is (include version): Ubuntu 22.04

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Originally on the Ubuntu version (1.21?). Removed that version and installed the snap version to test if that fixed the issue, and I get the same errors on 2.10

I haven't found anything super useful in the logs. I can reach the challenge file from the internet, so I am stumped. I tried disabling my Geoblocking and my snort rules to see if it made a difference, and it seems the CA still can't reach my stuff. This has worked for a few years, so not quite sure what broke. My certs still have a few weeks left, but I can't seem to figure out why the CAs can't reach me.

1 Like

Hi @FuzzyWonderer, and welcome to the LE community forum :slight_smile:

That first line implies that the primary validation worked.
The second line implies that you may have some Geofencing/Geolocation blocking in place.

Have a look at:

6 Likes
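The distinction drawn in the reply above (primary validation succeeded, only the CA's remote "secondary" validation points timed out) can be read straight off certbot's error block. The following is an added example, not code from the thread or from Certbot: it parses the `Domain:` / `Type:` / `Detail:` lines that certbot prints and classifies each failure as a secondary-only connection failure (which points at geo/IP allow-listing on the firewall) or a primary failure (nothing on port 80 is reachable at all). The sample output, domains, IP and tokens are constructed for the example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample modelled on the error block certbot prints when the CA
# rejects challenges. Domains, the 192.0.2.10 address and tokens are placeholders.
SAMPLE_OUTPUT = """\
Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Domain: emby.example.test
  Type:   connection
  Detail: During secondary validation: 192.0.2.10: Fetching http://emby.example.test/.well-known/acme-challenge/TOKEN1: Timeout during connect (likely firewall problem)

  Domain: www.example.test
  Type:   connection
  Detail: 192.0.2.10: Fetching http://www.example.test/.well-known/acme-challenge/TOKEN2: Connection refused

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot.
"""


@dataclass
class ChallengeFailure:
    domain: str
    kind: str      # certbot's "Type:" field, e.g. "connection", "dns", "unauthorized"
    detail: str    # certbot's "Detail:" field, verbatim

    @property
    def secondary_only(self) -> bool:
        # Certbot prefixes the detail with this marker when the CA's primary
        # validation succeeded and only the remote vantage points failed.
        return self.detail.startswith("During secondary validation:")


def parse_failures(text: str) -> list[ChallengeFailure]:
    """Extract one ChallengeFailure per Domain/Type/Detail triple in certbot output."""
    failures: list[ChallengeFailure] = []
    current: dict[str, str] = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(Domain|Type|Detail):\s*(.*)$", line)
        if not m:
            continue
        key, value = m.groups()
        current[key] = value.strip()
        if key == "Detail":  # Detail closes a record
            failures.append(
                ChallengeFailure(current.get("Domain", ""), current.get("Type", ""), value.strip())
            )
            current = {}
    return failures


def diagnose(failure: ChallengeFailure) -> str:
    """Map a failure to the class of misconfiguration a defender should look at first."""
    if failure.kind == "connection" and failure.secondary_only:
        return ("secondary-only: the CA's primary validator reached you; its remote "
                "validation points did not (check geo/IP allow lists and reputation blocklists)")
    if failure.kind == "connection":
        return "primary: port 80 not reachable from the internet (DNS, port forwarding, firewall)"
    return f"other ({failure.kind}): see Detail line"


def summarize(text: str) -> dict[str, str]:
    """Return {domain: diagnosis} for every failure in a certbot error block."""
    return {f.domain: diagnose(f) for f in parse_failures(text)}


if __name__ == "__main__":
    for domain, verdict in summarize(SAMPLE_OUTPUT).items():
        print(f"{domain}: {verdict}")
```

Feed it `certbot` output (or the relevant portion of `/var/log/letsencrypt/letsencrypt.log`) on stdin or as a string; a run where every failing domain reports "secondary-only" is the signature of the geoblocking situation in this thread, since the local challenge file is reachable from some places but not from the CA's other vantage points.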

Docker won't fix secondary validation issues.

6 Likes

In troubleshooting I did disable my geofencing policies, which is just an allow list on my firewall. I changed the firewall to allow all IPs on 80 and 443. Did not seem to make a difference. I am looking to see if I have geoip blocking set up elsewhere.

It does not seem like the DNS setup with namecheap will work.

3 Likes

Further investigating with a VPN/external machine to test if I was actually disabling the geoblocking revealed that pfSense and the add-on pfBlockerNG were not behaving as expected. I have failed to figure out a way to disable my geoblocking and will need to do some further research.

In the meantime, while I can shut off blocking, I was able to use your guide to add Sweden and Singapore, which allowed the cert to renew.

I will need to spend more time figuring out how to actually kill the geoblocking.

5 Likes

Slightly off topic (on a resolved thread), but it was mentioned ... so

pfSense example:
Firewall/pfBlockerNG/IP/GeoIP/Asia

China = CN << blocks the entire country, be sure and use sparingly
China = CN_rep << reputation will get you where you want to be.

Hope this helps.

3 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.