My domain is: advenday.com
When I deploy a new version of my server, it gets a tarball containing the /etc/letsencrypt folder of the previous server and then runs:
certbot run --nginx \
--reinstall \
--non-interactive \
--agree-tos \
--email gary.verhaegen@gmail.com \
--redirect \
-d advenday.com
I don't run this very often. I believe the last time I ran this was in early July. Note that I am getting the original /etc/letsencrypt from the previous server, i.e. just after the previous server ran the above command, so in this case it is completely expected that the certificate is expired and certbot needs to get a new one. What is not expected is for that renewal to fail.
It produced this output:
[2024-10-08 16:08:24] Saving debug log to /var/log/letsencrypt/letsencrypt.log
[2024-10-08 16:08:24] Renewing an existing certificate for advenday.com
[2024-10-08 16:08:24] An unexpected error occurred:
[2024-10-08 16:08:24] requests.exceptions.ConnectionError: ('Connection aborted.', RemoteDisconnected('Remote end closed connection without response'))
[2024-10-08 16:08:24] Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
My web server is (include version):
# nginx -version
nginx version: nginx/1.24.0 (Ubuntu)
#
The operating system my web server runs on is (include version):
# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 24.04.1 LTS
Release: 24.04
Codename: noble
#
My hosting provider, if applicable, is: AWS (EC2 instance in us-east-1 region).
I can login to a root shell on my machine (yes or no, or I don't know): Yes.
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No.
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
# certbot --version
certbot 2.9.0
#
Normally I'd keep trying as this looks like a transient network error, but it's now failed three times and I'm getting worried about rate limits as, looking at crt.sh, two of the three failed attempts have registered as a certificate issuance on the Let's Encrypt side. The first and third failures were as above; the second one had a slightly different error message, but also looked transient to me:
[2024-10-08 15:49:20] Saving debug log to /var/log/letsencrypt/letsencrypt.log
[2024-10-08 15:49:20] Renewing an existing certificate for advenday.com
[2024-10-08 15:49:20]
[2024-10-08 15:49:20] Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
[2024-10-08 15:49:20] Domain: advenday.com
[2024-10-08 15:49:20] Type: connection
[2024-10-08 15:49:20] Detail: 34.203.37.141: Fetching http://advenday.com/.well-known/acme-challenge/4MQPKPMtsTHD64jg1zbXk3Yt_inLEac-byG5DLSG19g: Timeout during connect (likely firewall problem)
[2024-10-08 15:49:20]
[2024-10-08 15:49:20] Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.
[2024-10-08 15:49:20]
[2024-10-08 15:49:20] Some challenges have failed.
[2024-10-08 15:49:20] Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
From my machine, trying to hit http://advenday.com/.well-known/acme-challenge/4MQPKPMtsTHD64jg1zbXk3Yt_inLEac-byG5DLSG19g gives me a 502 but does manage to connect. I believe the 502 is expected at this point as certbot is no longer there to catch the request. The other server processes that should be on that server have also not started yet as they are supposed to start after the certificate is installed and the script stops on errors.
What is the recommended next step? Waiting and trying again in a few minutes is a viable option from a business constraints perspective (a little bit of downtime is acceptable in this case) but I'm very worried about rate limits as I don't currently hold a valid certificate and a full week of downtime would be problematic.
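The two failure outputs above are different failure modes with different rate-limit consequences, and a deploy script that retries blindly cannot tell them apart. The following is an added example (not code from the poster or from Certbot) that classifies Certbot console output into the two kinds seen in this thread and keeps count of CA-recorded validation failures; the sample outputs are constructed from the runs quoted above, and the limit of 5 failed validations per account, per hostname, per hour is Let's Encrypt's published limit at the time of writing.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed samples: the relevant lines of the two failing runs quoted in the post.
RUN_ABORTED = """[2024-10-08 16:08:24] Renewing an existing certificate for advenday.com
[2024-10-08 16:08:24] An unexpected error occurred:
[2024-10-08 16:08:24] requests.exceptions.ConnectionError: ('Connection aborted.', RemoteDisconnected('Remote end closed connection without response'))
"""
RUN_CHALLENGE = """[2024-10-08 15:49:20] Renewing an existing certificate for advenday.com
[2024-10-08 15:49:20] Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
[2024-10-08 15:49:20] Domain: advenday.com
[2024-10-08 15:49:20] Type: connection
[2024-10-08 15:49:20] Detail: 34.203.37.141: Fetching http://advenday.com/.well-known/acme-challenge/4MQPKPMtsTHD64jg1zbXk3Yt_inLEac-byG5DLSG19g: Timeout during connect (likely firewall problem)
[2024-10-08 15:49:20] Some challenges have failed.
"""

@dataclass
class Outcome:
    kind: str                              # "client_connection_error" | "challenge_failed" | "unknown"
    domain: Optional[str] = None
    challenge_type: Optional[str] = None
    detail: Optional[str] = None
    failed_validation: bool = False        # True when the CA itself recorded a failed validation

_TS = re.compile(r"^\[[^\]]*\]\s*")        # leading "[2024-10-08 16:08:24] " timestamp
_FIELD = re.compile(r"^(Domain|Type|Detail):\s*(.*)$")

def classify(output: str) -> Outcome:
    """Classify one Certbot run from its console output, timestamps stripped."""
    lines = [_TS.sub("", ln).strip() for ln in output.splitlines()]
    fields = {}
    for ln in lines:
        m = _FIELD.match(ln)
        if m and m.group(1) not in fields:   # keep the first reported domain only
            fields[m.group(1)] = m.group(2)
    if any("Certbot failed to authenticate some domains" in ln for ln in lines):
        # The CA attempted the HTTP-01 fetch and failed: this counts against the
        # failed-validation limit even though no certificate was issued.
        return Outcome("challenge_failed", fields.get("Domain"), fields.get("Type"),
                       fields.get("Detail"), failed_validation=True)
    if any(ln.startswith("requests.exceptions.ConnectionError") for ln in lines):
        # The reply from the ACME server was lost on the client side. The CA may still have
        # finalized the order, which is why the certificate can appear on crt.sh without
        # Certbot having saved it; check /etc/letsencrypt/live and CT logs before re-requesting.
        return Outcome("client_connection_error")
    return Outcome("unknown")

def safe_to_retry_now(recent: List[Outcome], failed_validation_limit: int = 5) -> bool:
    """Retry only while CA-recorded validation failures in the last hour stay under the limit."""
    return sum(o.failed_validation for o in recent) < failed_validation_limit
```

A deploy script can feed each Certbot run's captured output through `classify` and refuse to retry once `safe_to_retry_now` returns False, rather than burning the hourly budget on a firewall problem that a retry will not fix.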