Certbot renew fails with connection refused

I think this is a moderately obscure issue with the interaction between certbot renew and --debug-challenges (which probably should generate an error message to explain what's going on instead of just ignoring the effect of --debug-challenges).

Instead, try

certbot certonly -d webmail.passys.nl

(and add an extra -d and the name for any other domain that is already part of the same certificate, as shown by certbot certificates).

Wait, what? --debug-challenges doesn't work with renew? :confused:

Hi Schoen,

I get: Certbot certonly - Pastebin.com

thanks,

Hendrik-Jan

Oh, sorry, I meant that you could add --debug-challenges to the end of that and then the --debug-challenges functionality would work. :slight_smile:

Probably not, for the same reason that --manual doesn't work with renew (mandatory non-console-interactivity of the authenticator plugin when used in that context).

Right :slight_smile:

I got something here now:
http://webmail.passys.nl/.well-known/acme-challenge/EzKpTD_DM5f8RPYkQz0FnfK0HC1XJZ1UY4gl_RH92GM

That's the .NET answer when trying to connect to your server. Used from a small offline tool, same as "check-your-website".

There are different types of errors:

  • simple timeout (no answer)
  • a TCP connection is created, then the server interrupts the connection and says: "No, I don't like you" - that's this error message

So it's not a simple timeout, it's an active "Go away".

Hi Jürgen,

Agreed, that is a very clear "go away" even. :slight_smile:
I did find your server IP in my fail2ban list, so I guess that is why it was blocked. The .226 was not in there.
.227 is now unblocked:

Right, I found it, and I have a cert-renewal!

First off: thanks a lot to all of you @JuergenAuer , @Osiris , without you, I would have never gotten here.

The issue was this: I have shorewall and fail2ban on the server.
However, I copied quite a lot of the config of the previous/old server.
Apparently there is an incompatibility between fail2ban on the old server and that on the new: I could get the bans loaded into shorewall/iptables, but apparently they would never come out.
It seems I had a rule for port 80 bots in the past that was a bit too tight.
This caused the block on the letsencrypt servers to come into existence.
However, due to the old config on the new server, also stopping both shorewall and fail2ban had no effect whatsoever!
I eventually found out when an update of fail2ban failed, and it would not start afterwards anymore. Then I looked with:

iptables -L -n | grep reject

and found all blocked IPs listed. Also when the firewall was off!

thank you very much for your support!

Hendrik-Jan

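The post above found the stale bans by eyeballing `iptables -L -n | grep reject`. The script below is an added example, not code from the thread or from fail2ban or shorewall: it parses the text of `iptables -L -n`, lists every REJECT/DROP rule with a specific source address together with the chain it sits in, and answers whether a given address is still blocked. The embedded iptables output is constructed (documentation-range addresses, hypothetical `f2b-http` and `f2b-sshd` chain names) so the script runs offline; pass `--live` to read the real ruleset instead. The `clear_stale_chain` helper is a hypothetical cleanup routine showing the order of operations needed to remove a fail2ban chain by hand (remove the jump from INPUT, flush, delete); it is not executed unless you call it as root.

```shell
#!/bin/sh
# Added example: find source addresses still REJECTed/DROPped in the packet
# filter from the text of `iptables -L -n`. Not from the original thread.

# Constructed sample of `iptables -L -n` output (documentation-range IPs,
# hypothetical fail2ban chain names). Column 4 is the source address.
SAMPLE_IPTABLES='Chain INPUT (policy DROP)
target     prot opt source               destination
f2b-sshd   tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 22
f2b-http   tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 80,443
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED

Chain f2b-http (1 references)
target     prot opt source               destination
REJECT     all  --  192.0.2.227          0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  198.51.100.17        0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain f2b-sshd (1 references)
target     prot opt source               destination
DROP       all  --  203.0.113.9          0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0'

# blocked_sources: read `iptables -L -n` text on stdin and print
# "<chain> <source>" for every REJECT/DROP rule whose source is not the
# wildcard 0.0.0.0/0. Tracks the current chain from the "Chain ..." headers.
blocked_sources() {
  awk '
    /^Chain / { chain = $2; next }
    ($1 == "REJECT" || $1 == "DROP") && $4 != "0.0.0.0/0" { print chain, $4 }
  '
}

# is_blocked IP: exit 0 if IP is a rejected/dropped source in the stdin text.
is_blocked() {
  blocked_sources | awk -v ip="$1" '$2 == ip { found = 1 } END { exit !found }'
}

# clear_stale_chain CHAIN: hypothetical cleanup for a fail2ban chain whose
# bans never expire. Must run as root; removes every INPUT jump into the
# chain, then flushes and deletes it. Not called by default.
clear_stale_chain() {
  chain="$1"
  while iptables -D INPUT -j "$chain" 2>/dev/null; do :; done
  iptables -F "$chain" && iptables -X "$chain"
}

# Usage: ./stale_bans.sh          (parse the constructed sample)
#        ./stale_bans.sh --live   (parse the running ruleset; needs root)
if [ "${1:-}" = "--live" ]; then
  iptables -L -n | blocked_sources
else
  printf '%s\n' "$SAMPLE_IPTABLES" | blocked_sources
fi
```

On the constructed sample the script prints three lines: `f2b-http 192.0.2.227`, `f2b-http 198.51.100.17` and `f2b-sshd 203.0.113.9`. Note that `clear_stale_chain` assumes the INPUT jump was added as a plain `-j CHAIN` rule with match options that `-D ... -j CHAIN` alone does not cover; if the jump carries `-p tcp -m multiport --dports ...` (as in the sample), delete it with those same options or by rule number from `iptables -L INPUT -n --line-numbers`.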

This is also thanks to you @schoen, but I could only mention 2 people in 1 post...

