Certbot renew doesn't work :(

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: devinspireworld.obible.kr

I ran this command:
docker compose -f docker-compose-staging.yml exec certbot certbot renew --dry-run --cert-name devinspireworld.obible.kr-0002 --authenticator webroot --webroot-path /var/www/certbot --debug-challenges -vvvvv

It produced this output:

The file was created; you can even access the challenge file. I have no idea why it only gets an error.
http://devinspireworld.obible.kr/.well-known/acme-challenge/usj8TTUR2mR-h7Vs8sAPcum1KlO84dKFWUkKWdjK-bI

sudo docker compose -f docker-compose-staging.yml exec certbot certbot renew --dry-run --force-renewal --cert-name devinspireworld.obible.kr-0002 --authenticator webroot --webroot-path /var/www/certbot --debug-challenges -vvvvvvvv
Root logging level set at -50
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Notifying user: Processing /etc/letsencrypt/renewal/devinspireworld.obible.kr-0002.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/devinspireworld.obible.kr-0002.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Var server=https://acme-staging-v02.api.letsencrypt.org/directory (set by user).
Var account=None (set by user).
Requested authenticator webroot and installer None
Var webroot_path=['/var/www/certbot'] (set by user).
Var webroot_map={'webroot_path'} (set by user).
Var webroot_path=['/var/www/certbot'] (set by user).
Auto-renewal forced with --force-renewal...
Requested authenticator webroot and installer None
Single candidate plugin: * webroot
Description: Saves the necessary validation files to a .well-known/acme-challenge/ directory within the nominated webroot path. A seperate HTTP server must be running and serving files from the webroot path. HTTP challenge only (wildcards not supported).
Interfaces: Authenticator, Plugin
Entry point: EntryPoint(name='webroot', value='certbot._internal.plugins.webroot:Authenticator', group='certbot.plugins')
Initialized: <certbot._internal.plugins.webroot.Authenticator object at 0x7fde500431a0>
Prep: True
Selected authenticator <certbot._internal.plugins.webroot.Authenticator object at 0x7fde500431a0> and installer None
Plugins selected: Authenticator webroot, Installer None
Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-staging-v02.api.letsencrypt.org/acme/acct/134509474', new_authzr_uri=None, terms_of_service=None), 323012e2444ca85b3dd5b1dead045663, Meta(creation_dt=datetime.datetime(2024, 1, 31, 5, 44, 11, tzinfo=<UTC>), creation_host='c6f152566f55', register_to_eff=None))>
Sending GET request to https://acme-staging-v02.api.letsencrypt.org/directory.
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org:443
https://acme-staging-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 821
Received response:
HTTP 200
Server: nginx
Date: Thu, 18 Apr 2024 08:11:11 GMT
Content-Type: application/json
Content-Length: 821
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "a0ar5p2cyFw": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-staging-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.4-April-3-2024.pdf",
    "website": "https://letsencrypt.org/docs/staging-environment/"
  },
  "newAccount": "https://acme-staging-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-staging-v02.api.letsencrypt.org/acme/new-order",
  "renewalInfo": "https://acme-staging-v02.api.letsencrypt.org/draft-ietf-acme-ari-02/renewalInfo/",
  "revokeCert": "https://acme-staging-v02.api.letsencrypt.org/acme/revoke-cert"
}
Notifying user: Simulating renewal of an existing certificate for devinspireworld.obible.kr
Simulating renewal of an existing certificate for devinspireworld.obible.kr
Requesting fresh nonce
Sending HEAD request to https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce.
https://acme-staging-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0
Received response:
HTTP 200
Server: nginx
Date: Thu, 18 Apr 2024 08:11:11 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 456DJV3ne4CY28Abl4HFaW_PHW0tCnzKpm_A0nuPK284Zetwp-w
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800


Storing nonce: 456DJV3ne4CY28Abl4HFaW_PHW0tCnzKpm_A0nuPK284Zetwp-w
JWS payload:
b'{\n  "identifiers": [\n    {\n      "type": "dns",\n      "value": "devinspireworld.obible.kr"\n    }\n  ]\n}'
Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/new-order:
https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 364
Received response:
HTTP 201
Server: nginx
Date: Thu, 18 Apr 2024 08:11:12 GMT
Content-Type: application/json
Content-Length: 364
Connection: keep-alive
Boulder-Requester: 134509474
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Location: https://acme-staging-v02.api.letsencrypt.org/acme/order/134509474/15991957104
Replay-Nonce: 456DJV3n-6fRZlyPOlgeY5rKp739lmnIucEmS0N1vWjI3AcohPU
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "status": "pending",
  "expires": "2024-04-25T08:11:12Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "devinspireworld.obible.kr"
    }
  ],
  "authorizations": [
    "https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/12053394604"
  ],
  "finalize": "https://acme-staging-v02.api.letsencrypt.org/acme/finalize/134509474/15991957104"
}
Storing nonce: 456DJV3n-6fRZlyPOlgeY5rKp739lmnIucEmS0N1vWjI3AcohPU
JWS payload:
b''
Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/12053394604:
https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/12053394604 HTTP/1.1" 200 830
Received response:
HTTP 200
Server: nginx
Date: Thu, 18 Apr 2024 08:11:12 GMT
Content-Type: application/json
Content-Length: 830
Connection: keep-alive
Boulder-Requester: 134509474
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: _O0fw7ZkLdmhYekOEa51R340cqRm96vLJESzA2eR5y7oXNdwvg4
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "devinspireworld.obible.kr"
  },
  "status": "pending",
  "expires": "2024-04-25T08:11:12Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/12053394604/UwAOzw",
      "token": "usj8TTUR2mR-h7Vs8sAPcum1KlO84dKFWUkKWdjK-bI"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/12053394604/uGiOpg",
      "token": "usj8TTUR2mR-h7Vs8sAPcum1KlO84dKFWUkKWdjK-bI"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/12053394604/A8E5Pg",
      "token": "usj8TTUR2mR-h7Vs8sAPcum1KlO84dKFWUkKWdjK-bI"
    }
  ]
}
Storing nonce: _O0fw7ZkLdmhYekOEa51R340cqRm96vLJESzA2eR5y7oXNdwvg4
Performing the following challenges:
http-01 challenge for devinspireworld.obible.kr
Using the webroot path /var/www/certbot for all unmatched domains.
Creating root challenges validation dir at /var/www/certbot/.well-known/acme-challenge
Attempting to save validation to /var/www/certbot/.well-known/acme-challenge/usj8TTUR2mR-h7Vs8sAPcum1KlO84dKFWUkKWdjK-bI
Notifying user: Challenges loaded. Press continue to submit to CA.

The following URLs should be accessible from the internet and return the value
mentioned:

URL:
http://devinspireworld.obible.kr/.well-known/acme-challenge/usj8TTUR2mR-h7Vs8sAPcum1KlO84dKFWUkKWdjK-bI
Expected value:
usj8TTUR2mR-h7Vs8sAPcum1KlO84dKFWUkKWdjK-bI.4w-75CTokjz0Ww4IlQEHNuEhwprsUw1rD0Q08-LZxGE

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Challenges loaded. Press continue to submit to CA.

The following URLs should be accessible from the internet and return the value
mentioned:

URL:
http://devinspireworld.obible.kr/.well-known/acme-challenge/usj8TTUR2mR-h7Vs8sAPcum1KlO84dKFWUkKWdjK-bI
Expected value:
usj8TTUR2mR-h7Vs8sAPcum1KlO84dKFWUkKWdjK-bI.4w-75CTokjz0Ww4IlQEHNuEhwprsUw1rD0Q08-LZxGE
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
JWS payload:
b'{}'
Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/12053394604/UwAOzw:
https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/chall-v3/12053394604/UwAOzw HTTP/1.1" 200 194
Received response:
HTTP 200
Server: nginx
Date: Thu, 18 Apr 2024 08:11:12 GMT
Content-Type: application/json
Content-Length: 194
Connection: keep-alive
Boulder-Requester: 134509474
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index", <https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/12053394604>;rel="up"
Location: https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/12053394604/UwAOzw
Replay-Nonce: _O0fw7Zkk1gFnB4vPvJoCZIZTG-BNsme5rK5n5UDibK5PipnYfg
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "type": "http-01",
  "status": "pending",
  "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/12053394604/UwAOzw",
  "token": "usj8TTUR2mR-h7Vs8sAPcum1KlO84dKFWUkKWdjK-bI"
}
Storing nonce: _O0fw7Zkk1gFnB4vPvJoCZIZTG-BNsme5rK5n5UDibK5PipnYfg
Waiting for verification...
JWS payload:
b''
Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/12053394604:
https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/12053394604 HTTP/1.1" 200 830
Received response:
HTTP 200
Server: nginx
Date: Thu, 18 Apr 2024 08:11:13 GMT
Content-Type: application/json
Content-Length: 830
Connection: keep-alive
Boulder-Requester: 134509474
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 456DJV3nZpQM7dDCGuioYyZFqdVmsFgRfkEJ3fAztMhYJtOw46g
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "devinspireworld.obible.kr"
  },
  "status": "pending",
  "expires": "2024-04-25T08:11:12Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/12053394604/UwAOzw",
      "token": "usj8TTUR2mR-h7Vs8sAPcum1KlO84dKFWUkKWdjK-bI"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/12053394604/uGiOpg",
      "token": "usj8TTUR2mR-h7Vs8sAPcum1KlO84dKFWUkKWdjK-bI"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/12053394604/A8E5Pg",
      "token": "usj8TTUR2mR-h7Vs8sAPcum1KlO84dKFWUkKWdjK-bI"
    }
  ]
}
Storing nonce: 456DJV3nZpQM7dDCGuioYyZFqdVmsFgRfkEJ3fAztMhYJtOw46g
JWS payload:
b''
Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/12053394604:
https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/12053394604 HTTP/1.1" 200 830
Received response:
HTTP 200
Server: nginx
Date: Thu, 18 Apr 2024 08:11:16 GMT
Content-Type: application/json
Content-Length: 830
Connection: keep-alive
Boulder-Requester: 134509474
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 456DJV3nJi3NJEfRasc_0mGb6IglYIQYVxuEF_7hpkVHRz9esto
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "devinspireworld.obible.kr"
  },
  "status": "pending",
  "expires": "2024-04-25T08:11:12Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/12053394604/UwAOzw",
      "token": "usj8TTUR2mR-h7Vs8sAPcum1KlO84dKFWUkKWdjK-bI"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/12053394604/uGiOpg",
      "token": "usj8TTUR2mR-h7Vs8sAPcum1KlO84dKFWUkKWdjK-bI"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/12053394604/A8E5Pg",
      "token": "usj8TTUR2mR-h7Vs8sAPcum1KlO84dKFWUkKWdjK-bI"
    }
  ]
}
Storing nonce: 456DJV3nJi3NJEfRasc_0mGb6IglYIQYVxuEF_7hpkVHRz9esto
JWS payload:
b''
Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/12053394604:
https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/12053394604 HTTP/1.1" 200 830
Received response:
HTTP 200
Server: nginx
Date: Thu, 18 Apr 2024 08:11:20 GMT
Content-Type: application/json
Content-Length: 830
Connection: keep-alive
Boulder-Requester: 134509474
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: _O0fw7ZklzeGMEMtVF3AWwBaeoef7k3lWfaN85YvFm45zYBCkes
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "devinspireworld.obible.kr"
  },
  "status": "pending",
  "expires": "2024-04-25T08:11:12Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/12053394604/UwAOzw",
      "token": "usj8TTUR2mR-h7Vs8sAPcum1KlO84dKFWUkKWdjK-bI"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/12053394604/uGiOpg",
      "token": "usj8TTUR2mR-h7Vs8sAPcum1KlO84dKFWUkKWdjK-bI"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/12053394604/A8E5Pg",
      "token": "usj8TTUR2mR-h7Vs8sAPcum1KlO84dKFWUkKWdjK-bI"
    }
  ]
}
Storing nonce: _O0fw7ZklzeGMEMtVF3AWwBaeoef7k3lWfaN85YvFm45zYBCkes
JWS payload:
b''
Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/12053394604:
https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/12053394604 HTTP/1.1" 200 830
Received response:
HTTP 200
Server: nginx
Date: Thu, 18 Apr 2024 08:11:23 GMT
Content-Type: application/json
Content-Length: 830
Connection: keep-alive
Boulder-Requester: 134509474
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 456DJV3nb9Ep1BuaD3k5QJ1lLWNMJZWwllCa8y8rVrqDODOPQNA
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "devinspireworld.obible.kr"
  },
  "status": "pending",
  "expires": "2024-04-25T08:11:12Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/12053394604/UwAOzw",
      "token": "usj8TTUR2mR-h7Vs8sAPcum1KlO84dKFWUkKWdjK-bI"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/12053394604/uGiOpg",
      "token": "usj8TTUR2mR-h7Vs8sAPcum1KlO84dKFWUkKWdjK-bI"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/12053394604/A8E5Pg",
      "token": "usj8TTUR2mR-h7Vs8sAPcum1KlO84dKFWUkKWdjK-bI"
    }
  ]
}
Storing nonce: 456DJV3nb9Ep1BuaD3k5QJ1lLWNMJZWwllCa8y8rVrqDODOPQNA
JWS payload:
b''
Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/12053394604:
https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/12053394604 HTTP/1.1" 200 1217
Received response:
HTTP 200
Server: nginx
Date: Thu, 18 Apr 2024 08:11:26 GMT
Content-Type: application/json
Content-Length: 1217
Connection: keep-alive
Boulder-Requester: 134509474
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: _O0fw7Zk0xSM0G_sXV28LgeEOB4gBSQiUEEw3e7_dgCqhUR3YQs
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "devinspireworld.obible.kr"
  },
  "status": "invalid",
  "expires": "2024-04-25T08:11:12Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:connection",
        "detail": "124.62.248.72: Fetching http://devinspireworld.obible.kr/.well-known/acme-challenge/usj8TTUR2mR-h7Vs8sAPcum1KlO84dKFWUkKWdjK-bI: Timeout during connect (likely firewall problem)",
        "status": 400
      },
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/12053394604/UwAOzw",
      "token": "usj8TTUR2mR-h7Vs8sAPcum1KlO84dKFWUkKWdjK-bI",
      "validationRecord": [
        {
          "url": "http://devinspireworld.obible.kr/.well-known/acme-challenge/usj8TTUR2mR-h7Vs8sAPcum1KlO84dKFWUkKWdjK-bI",
          "hostname": "devinspireworld.obible.kr",
          "port": "80",
          "addressesResolved": [
            "124.62.248.72"
          ],
          "addressUsed": "124.62.248.72",
          "resolverAddrs": [
            "A:10.0.32.81:30689",
            "AAAA:10.0.32.87:30752"
          ]
        }
      ],
      "validated": "2024-04-18T08:11:12Z"
    }
  ]
}
Storing nonce: _O0fw7Zk0xSM0G_sXV28LgeEOB4gBSQiUEEw3e7_dgCqhUR3YQs
Challenge failed for domain devinspireworld.obible.kr
http-01 challenge for devinspireworld.obible.kr
Notifying user: 
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: devinspireworld.obible.kr
  Type:   connection
  Detail: 124.62.248.72: Fetching http://devinspireworld.obible.kr/.well-known/acme-challenge/usj8TTUR2mR-h7Vs8sAPcum1KlO84dKFWUkKWdjK-bI: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.


Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: devinspireworld.obible.kr
  Type:   connection
  Detail: 124.62.248.72: Fetching http://devinspireworld.obible.kr/.well-known/acme-challenge/usj8TTUR2mR-h7Vs8sAPcum1KlO84dKFWUkKWdjK-bI: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Encountered exception:
Traceback (most recent call last):
  File "/opt/certbot/src/certbot/certbot/_internal/auth_handler.py", line 108, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
  File "/opt/certbot/src/certbot/certbot/_internal/auth_handler.py", line 212, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

Calling registered functions
Cleaning up challenges
Removing /var/www/certbot/.well-known/acme-challenge/usj8TTUR2mR-h7Vs8sAPcum1KlO84dKFWUkKWdjK-bI
All challenges cleaned up
Failed to renew certificate devinspireworld.obible.kr-0002 with error: Some challenges have failed.
Traceback was:
Traceback (most recent call last):
  File "/opt/certbot/src/certbot/certbot/_internal/renewal.py", line 540, in handle_renewal_request
    main.renew_cert(lineage_config, plugins, renewal_candidate)
  File "/opt/certbot/src/certbot/certbot/_internal/main.py", line 1550, in renew_cert
    renewed_lineage = _get_and_save_cert(le_client, config, lineage=lineage)
                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/src/certbot/certbot/_internal/main.py", line 131, in _get_and_save_cert
    renewal.renew_cert(config, domains, le_client, lineage)
  File "/opt/certbot/src/certbot/certbot/_internal/renewal.py", line 399, in renew_cert
    new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
                                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/src/certbot/certbot/_internal/client.py", line 428, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/src/certbot/certbot/_internal/client.py", line 496, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/src/certbot/certbot/_internal/auth_handler.py", line 108, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
  File "/opt/certbot/src/certbot/certbot/_internal/auth_handler.py", line 212, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

Notifying user: 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All simulated renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/devinspireworld.obible.kr-0002/fullchain.pem (failure)
Notifying user: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Exiting abnormally:
Traceback (most recent call last):
  File "/usr/local/bin/certbot", line 33, in <module>
    sys.exit(load_entry_point('certbot', 'console_scripts', 'certbot')())
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/src/certbot/certbot/main.py", line 19, in main
    return internal_main.main(cli_args)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/src/certbot/certbot/_internal/main.py", line 1894, in main
    return config.func(config, plugins)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/src/certbot/certbot/_internal/main.py", line 1642, in renew
    renewed_domains, failed_domains = renewal.handle_renewal_request(config)
                                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/src/certbot/certbot/_internal/renewal.py", line 568, in handle_renewal_request
    raise errors.Error(
certbot.errors.Error: 1 renew failure(s), 0 parse failure(s)
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):
nginx 1.15 and dockerized

The operating system my web server runs on is (include version):
wsl2

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.9.0

While port 443 (HTTPS) is working, port 80 (HTTP) is not: I'm getting a "no route to host" when using TCP port 80, probably a response from a firewall. And the Let's Encrypt validation server gets a timeout.

Make sure your host is reachable on port 80. See also: Best Practice - Keep Port 80 Open - Let's Encrypt.

3 Likes

There is no problem with port 80. You can see http://devinspireworld.obible.kr/.well-known/acme-challenge/usj8TTUR2mR-h7Vs8sAPcum1KlO84dKFWUkKWdjK-bI

This link responds with the key.
Copy that link, paste it into your browser's address bar and press Enter.
You can check the response.
nginx-1 | 172.17.144.1 - - [18/Apr/2024:09:15:51 +0000] "GET /.well-known/acme-challenge/usj8TTUR2mR-h7Vs8sAPcum1KlO84dKFWUkKWdjK-bI HTTP/1.1" 304 0 "-" "Mozilla/5.0 (Windows NT 10.0; rv:124.0) Gecko/20100101 Firefox/124.0" "-"
As you can see, HTTP is reachable.

No, I cannot, at least not from my location.

Perhaps you have some geoblocking (for port 80 weirdly enough) in place?

According to Website Availability Test - Check Website Uptime | Uptimia it's entirely down from all the world though..

5 Likes
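Added example, not part of any post in this thread: the access-log line quoted above records a request from 172.17.144.1, a private (RFC 1918) address, answered with 304, so it shows only a local browser revalidating a cached copy. The Python below separates such hits from requests that arrive from outside the host or LAN; the second log line and its 203.0.113.7 address are constructed, and the user-agent substring is the one Let's Encrypt's validation servers send.

```python
import ipaddress
import re

# Ranges that only an on-host or on-LAN client can come from.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

# nginx "combined" format; search() skips the "nginx-1 | " compose prefix.
LINE_RE = re.compile(
    r'(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) - \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"')

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"

def classify(line):
    """Describe one challenge request, or return None for any other line."""
    m = LINE_RE.search(line)
    if not m or not m["path"].startswith(CHALLENGE_PREFIX):
        return None
    ip = ipaddress.ip_address(m["ip"])
    return {
        "ip": str(ip),
        "status": int(m["status"]),
        "internal": any(ip in net for net in INTERNAL_NETS),
        "validator_ua": "Let's Encrypt validation server" in m["ua"],
    }

def external_reachability_evidence(lines):
    """Challenge hits from outside the host/LAN that were served with 200."""
    hits = [c for c in map(classify, lines) if c]
    return [c for c in hits if not c["internal"] and c["status"] == 200]

# Line 1 is the log line quoted in the thread. Line 2 is constructed
# (documentation address) to show what a validation hit would look like.
SAMPLE = """\
nginx-1 | 172.17.144.1 - - [18/Apr/2024:09:15:51 +0000] "GET /.well-known/acme-challenge/usj8TTUR2mR-h7Vs8sAPcum1KlO84dKFWUkKWdjK-bI HTTP/1.1" 304 0 "-" "Mozilla/5.0 (Windows NT 10.0; rv:124.0) Gecko/20100101 Firefox/124.0" "-"
nginx-1 | 203.0.113.7 - - [18/Apr/2024:09:16:02 +0000] "GET /.well-known/acme-challenge/usj8TTUR2mR-h7Vs8sAPcum1KlO84dKFWUkKWdjK-bI HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "-"
""".splitlines()

if __name__ == "__main__":
    for entry in SAMPLE:
        print(classify(entry))
    print("external evidence:", external_reachability_evidence(SAMPLE))
```

Run against the real access log during a `--dry-run`: an empty result means no validation request reached nginx, which matches the timeout reported by the validation server.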

Oh.. I see, now I understand what the problem is.
Maybe my local PC's ISP service blocks countries other than my country, as you said, I guess.
I need to test whether that is really the case; if it is, I need to set this up on a hosting server like EC2.

And I have one more question.
Can I use another server only for the acme-challenge, via nginx-proxy?

You are exactly right. I changed my DNS IP to an AWS Lightsail (like EC2) server and it works properly. Then.. I need to set up a workaround for the acme-challenge. It might be a reverse proxy to the Lightsail server from my local PC for only the acme-challenge.


upstream obible.kr {
    server 43.202.89.151:80;
}
server {
...
    location ~ /\.well-known/acme-challenge/ {
        allow all;
        proxy_pass http://obible.kr;
    }
}

I was trying to pass the acme-challenge like this, but it doesn't work.
It doesn't create the acme-challenge file on that server.
How can I pass the acme-challenge to another server?
Is it possible?

Where exactly do you run the ACME client?
Where will the validation file be placed?

2 Likes

Where exactly do you run the ACME client?
devinspireworld.obible.kr - 124.62.248.72 (previous)

Where will the validation file be placed?
devinspireworld.obible.kr - 124.62.248.72 (previous)

But 124.62.248.72 somehow denies everything except IPs based in our country, as mentioned above (geoblocking).
So I am trying to use another web server (obible.kr) for the acme-challenge.
Then it should be possible
either to create the acme-challenge file on another web server
or to renew the SSL certificates on another server and send those files to 124.62.248.72 (devinspireworld.obible.kr).

Does it make sense? Or may I ask you for any workaround?

Now, yes; Your plan is clear to me and it "makes sense".
But, sadly, in practice that plan should fail.
Why?
Because it's a catch-22: You can't do an HTTP redirection around an HTTP geoblocking problem.
[you will never get the geoblocked HTTP request - if you could, then why would you need to redirect it elsewhere?]

If you can't change the geoblocking...
Then your only other choice is to use DNS-01 authentication.

2 Likes

You are right..
Tumbling down the rabbit hole like Alice.
Is there a way to do auto-renewal of certificates with DNS-01 authentication?

1 Like

Yes, there are several ways of doing automated renewals using DNS-01 authentication.
The simplest/most direct method requires:

  • your DSP to support API updates of your DNS zone
  • an ACME client that supports your DSP

Less direct methods include:

  • using a CNAME to redirect the DNS requests to another system that can be used to automate the DNS renewals challenge request
  • using a CNAME to redirect the DNS requests to a dedicated/temporary DNS server to answer the DNS renewal challenge requests

One common method is to use CloudFlare to host your DNS zone. [not their CDN service]
Many ACME clients have CF plugins and can easily be used for automatic renewals.

Another less direct method would be to place your site behind a CDN.
That way, all client requests are handled by the CDN service.
Your firewall would only need to allow the CDN IPs access to your web service.

STEP #1: Determine if your DSP [DNS Service Provider] supports API updates of your DNS zone.

2 Likes

Thanks for answering!
I will try it when I face another problem.
Now I have solved the acme-challenge issue on my local PC with nginx using a workaround.

  1. Change your DNS to point to the EC2 server (I am using Lightsail, but it's basically the same), not the local server.
  2. Make sure the DNS has changed, and then create the Let's Encrypt certificate on that server.
  3. Make a proxy_pass from the EC2 server to your local server in the nginx config.
  4. Make a script to copy all the certificate files to your local PC.
    The code might be like this.
server {
    listen 80;
    server_name [yourdomain];

    location / {
        return 301 https://[yourdomain]$request_uri;
    }

    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name [yourdomain];

    location / {
        proxy_pass http://[your local pc ip]:3000;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_redirect off;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    location /api/auth {
        proxy_pass http://[your local pc ip]:3000;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_redirect off;
        proxy_set_header X-Forwarded-Proto $scheme;
        add_header 'Access-Control-Allow-Origin' $allow_origin;
    }

    location /api {
        proxy_pass http://[your local pc ip]:8000;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_redirect off;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    location /admin {
        proxy_pass http://[your local pc ip]:8000;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_redirect off;
        proxy_set_header X-Forwarded-Proto $scheme;
    }


    ssl_certificate /etc/letsencrypt/live/devinspireworld.obible.kr-0001/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/devinspireworld.obible.kr-0001/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
}

This is my setting; it works very well. I have tested renew --dry-run on the EC2 server.
Everything is OK.
But the one thing is that you need a web host like EC2 for the acme-challenge.
The EC2 server is just a proxy server to solve the acme-challenge issue for my local PC.
I hope someone gets help from my comments.

By the way, thanks a lot once more to @rg305 for the kind comments.

1 Like