It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): whale.seas.upenn.edu
Requesting a certificate for whale.seas.upenn.edu
An unexpected error occurred:
too many failed authorizations (5) for "whale.seas.upenn.edu" in the last 1h0m0s, retry after 2025-03-18 17:17:18 UTC: see Rate Limits - Let's Encrypt
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
My web server is (include version): apache2 2.4.58
The operating system my web server runs on is (include version): Ubuntu 24.04.2 LTS
My hosting provider, if applicable, is: N/A
I can login to a root shell on my machine (yes or no, or I don't know):
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): N/A
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 3.3.0
To add a bit more information: The directory whale.seas.upenn.edu/.well-known/acme-challenge/ is visible on the internet as can be verified using either http or https (there is no forwarding).
While certbot was waiting for the challenge, I verified continuously that no files were created in the above directory.
I have direct physical access to the server.
For me, certbot stopped working about a year ago after an OS upgrade or certbot update and I was never able to make it work. I used ZeroSSL for a while but now have run out of free certificates.
I have found many related discussions on the internet but all seem to address very specialized cases that are not directly applicable to me.
Sorry, the previous output of certbot was posted in error. Here is the output with failed challenge:
whale[573]sudo certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): whale.seas.upenn.edu
Requesting a certificate for whale.seas.upenn.edu
Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
The main problem is very likely caused by a Palo Alto brand firewall between your server and the public internet. You may need to talk with your network team.
We used to see these very often but not so much lately.
There is an "Application" setting on that firewall for "ACME Protocol". They need to allow that.
I say that because this returns a 404 Not Found as expected:
curl -i -m8 http://whale.seas.upenn.edu/.well-known/acme-challenge/Test404
HTTP/1.1 404 Not Found
But, using a user-agent like Let's Encrypt servers use, I time out. It is possible something else in your network is doing this but it is almost certainly a Palo Alto firewall.
curl -i -m8 http://whale.seas.upenn.edu/.well-known/acme-challenge/Test404 -A "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
curl: (28) Operation timed out after 8001 milliseconds with 0 bytes received
As for that, it is expected when using the --apache authenticator. It makes temp changes to your Apache VirtualHost and uses a different directory. You can view the Certbot log to see the exact changes.
You should not have to worry about this. Once your firewall is changed it should be fine.
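The two curl probes from the reply above, combined into one repeatable check that can be re-run after the firewall change. This is an added example, not part of the original thread; the function names and verdict labels are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: compare a plain request with one that carries the
# validation-server User-Agent quoted in the thread, then classify the pair.
LE_UA="Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"

# probe URL [extra curl args...] -> prints "<curl exit code> <HTTP status>"
# curl reports status 000 when no response was received; exit code 28 is a timeout.
probe() {
    url=$1
    shift
    status=$(curl -s -o /dev/null -m 8 -w '%{http_code}' "$@" "$url") && rc=0 || rc=$?
    echo "$rc $status"
}

# classify PLAIN_RC PLAIN_STATUS LE_RC LE_STATUS -> prints one verdict word
classify() {
    if [ "$1" -ne 0 ]; then
        echo unreachable      # plain request already fails: DNS, routing or port 80
    elif [ "$3" -eq 28 ]; then
        echo ua-filtered      # only the validation User-Agent times out
    elif [ "$3" -ne 0 ]; then
        echo ua-error         # validation User-Agent fails in some other way
    elif [ "$2" = "$4" ]; then
        echo consistent       # both requests get the same answer
    else
        echo status-differs   # both answered, but with different HTTP statuses
    fi
}

# Usage: sh check-acme-ua.sh your.host.example   (script name is hypothetical)
if [ "$#" -eq 1 ]; then
    url="http://$1/.well-known/acme-challenge/Test404"
    plain=$(probe "$url")
    le=$(probe "$url" -A "$LE_UA")
    echo "plain: $plain"
    echo "validation UA: $le"
    # Word splitting is intended: each probe result is "<rc> <status>".
    classify $plain $le
fi
```

A verdict of `ua-filtered` matches the symptom shown in the thread (404 for the plain request, timeout with the validation User-Agent); `consistent` is what to expect once the path is no longer filtered.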