Certbot fails to renew old certificate

Greetings,

I have an Ubuntu server that's been running with certbot's auto-renewals (systemd unit) without problems for a long time. Then it was offline for a few months, and during that time span, my certificate expired. Now I put it online again, but both the automatic and the manual renewal process (using Apache as authenticator) keep failing. I know I could use a DNS challenge, but I would rather not because I would like certbot to automatically renew the certificate. Below are the details about what's happening; any help is appreciated as I don't know how to debug this.

My domain is: gtpware.eu (but I'm asking a certificate for the subdomain nas.gtpware.eu, which in turn points to foto.myddns.rocks for which I'm asking a certificate as well)

I ran this command: sudo certbot -v

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?
We recommend selecting either all domains, or all domains in a VirtualHost/server block.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: nas.gtpware.eu
2: foto.myddns.rocks
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 
Certificate is due for renewal, auto-renewing...
Renewing an existing certificate for nas.gtpware.eu and foto.myddns.rocks
Performing the following challenges:
http-01 challenge for foto.myddns.rocks
http-01 challenge for nas.gtpware.eu
Waiting for verification...
Challenge failed for domain foto.myddns.rocks
Challenge failed for domain nas.gtpware.eu
http-01 challenge for foto.myddns.rocks
http-01 challenge for nas.gtpware.eu

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
  Domain: foto.myddns.rocks
  Type:   connection
  Detail: 82.84.159.253: Fetching http://foto.myddns.rocks/.well-known/acme-challenge/nUJSoWP-6RwjPoidVuTVGPuShMHYwc_hMQTIAxT0-EQ: Error getting validation data

  Domain: nas.gtpware.eu
  Type:   connection
  Detail: 82.84.159.253: Fetching http://nas.gtpware.eu/.well-known/acme-challenge/iQQDwnfBSmfZWg1ktz9g6WtQ-x-Bcv3EFY4fPXgX7AE: Error getting validation data

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Cleaning up challenges
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): Apache/2.4.52

The operating system my web server runs on is (include version): Ubuntu 22.04.4 LTS

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.10.0

Thank you for your help,

GTP

1 Like

I don't know why the ACME server falls back to its "catch-all error" "Error getting validation data", but from my point of view I cannot connect to your server using HTTP on port 80 (timeout). But HTTPS on port 443 is reachable.

Is TCP port 80 open/allowed?

2 Likes

Agreed; I see the same with nmap.

$ nmap -Pn -p80,443 nas.gtpware.eu
Starting Nmap 7.80 ( https://nmap.org ) at 2024-05-18 11:06 PDT
Nmap scan report for nas.gtpware.eu (82.84.159.253)
Host is up (0.18s latency).
rDNS record for 82.84.159.253: ppp-82-84-159-253.cust-adsl.tiscali.it

PORT    STATE    SERVICE
80/tcp  filtered http
443/tcp open     https

Nmap done: 1 IP address (1 host up) scanned in 3.52 seconds
$ nmap -Pn -p80,443 foto.myddns.rocks
Starting Nmap 7.80 ( https://nmap.org ) at 2024-05-18 11:06 PDT
Nmap scan report for foto.myddns.rocks (82.84.159.253)
Host is up (0.18s latency).
rDNS record for 82.84.159.253: ppp-82-84-159-253.cust-adsl.tiscali.it

PORT    STATE    SERVICE
80/tcp  filtered http
443/tcp open     https

Nmap done: 1 IP address (1 host up) scanned in 0.49 seconds
1 Like

I don't time out but get curl's "no route to host". I think LE sees the same, which is why it reports it as "error getting validation data".

Which error doesn't matter all that much. For the HTTP challenge, port 80 must work for inbound requests, and their Apache is not replying to HTTP requests on that port.

The most recent cert was issued Nov 17 2023, so something has changed since then to block port 80. This isn't unique to Let's Encrypt. I cannot reach your domain's "home" page using HTTP either (HTTPS port 443 works fine).

The Let's Debug test site is helpful to debug changes you make to allow these to work again.

As for corrective actions the more likely things to check are ...

  • Check all your firewalls
  • Check any NAT or port forwarding
  • Make sure your ISP still allows inbound requests on port 80
3 Likes
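The diagnosis in the replies above, as an added example that is not code from the thread or from Certbot: a small Python pre-check that requests the same /.well-known/acme-challenge/ path over plain HTTP that the CA fetches and classifies the result, so a blocked port 80 is caught before a renewal is attempted. The probe token and the default domain list are constructed placeholders, and a 404 from the web server counts as "reachable" because no real token is in place yet.

```python
import socket
import sys
import urllib.error
import urllib.request

# Constructed placeholder; real tokens are issued by the CA per challenge.
PROBE_TOKEN = "certbot-precheck-probe"


def check_http01_path(host, port=80, timeout=5.0):
    """Probe http://host:port/.well-known/acme-challenge/<token>.

    Returns (status, detail) where status is:
      'ok'       the web server answered the request on that path (any HTTP
                 status, normally 404, because the probe token is not real)
      'blocked'  TCP connect timed out, was refused or was unreachable, which
                 is what a firewall, missing port forward or ISP filter
                 looks like to the CA
      'dns'      the name did not resolve
    """
    try:
        socket.getaddrinfo(host, port)
    except socket.gaierror as exc:
        return "dns", str(exc)

    url = f"http://{host}:{port}/.well-known/acme-challenge/{PROBE_TOKEN}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return "ok", f"HTTP {resp.status}"
    except urllib.error.HTTPError as exc:
        # Reachable: Apache routed the request and answered (404 expected).
        return "ok", f"HTTP {exc.code}"
    except urllib.error.URLError as exc:
        # Connection refused, no route to host, or a wrapped connect timeout.
        return "blocked", str(exc.reason)
    except OSError as exc:
        # Bare socket timeout after connect, or other transport error.
        return "blocked", str(exc)


if __name__ == "__main__":
    # Defaults are the two names from this thread; pass others on argv.
    names = sys.argv[1:] or ["nas.gtpware.eu", "foto.myddns.rocks"]
    failures = 0
    for name in names:
        status, detail = check_http01_path(name)
        print(f"{name}: {status} ({detail})")
        failures += status != "ok"
    sys.exit(1 if failures else 0)
```

A non-zero exit means at least one name is not reachable on port 80 from wherever the script runs; for a meaningful result run it from outside the server's own network.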

Yes, that error is a default for various kinds of ICMP errors, which could be a sign of a misconfigured router or firewall—most often devices other than the server itself reporting that they're unable to reach the server for various reasons.

5 Likes

Thank you very much for pointing out that I need port 80 to be open, after opening it I was able to renew my certificate.

4 Likes