I tried to fix this issue on my own and read a lot of topics, but nothing seems to work for me.
Here is the command I trigger to update the certificate, plus the output:
sudo certbot --installer apache --agree-tos --debug-challenges --email a valid address -v --webroot -w /var/lib/letsencrypt/ -d skargeth.at
Performing the following challenges:
http-01 challenge for skargeth.at
Using the webroot path /var/lib/letsencrypt for all unmatched domains.
Creating root challenges validation dir at /var/lib/letsencrypt/.well-known/acme-challenge
Attempting to save validation to /var/lib/letsencrypt/.well-known/acme-challenge/4sqnHhC7raeIueJ7KZxQwpmHtYSgHkizHOYcuYIdhLE
Waiting for verification...
Skipped user interaction because Certbot doesn't appear to be running in a terminal. You should probably include --non-interactive or --force-interactive on the command line.
Not pausing for user confirmation
JWS payload:
b'{\n "resource": "challenge",\n "keyAuthorization": "4sqnHhC7raeIueJ7KZxQwpmHtYSgHkizHOYcuYIdhLE.XUin-qerlRsOXMDLRYX5TYOyBKZoQ5yDq15IYuOMI_M",\n "type": "http-01"\n}'
Sending POST request to https://acme-v02.api.letsencrypt.org/acme/challenge/3ZBHdhsrb1a836dy_IC3gg6gO-QngqW6_KHi545A_EE/9573107022:
{
"protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDEuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL3JlZy83ODMxOTU3IiwgIm5vbmNlIjogIk12eGpfT01NVk03ME96S0RZVVJiUG9fMWJGeEE2d1gtZ2dQY2lSRW5nRjAiLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2NoYWxsZW5nZS8zWkJIZGhzcmIxYTgzNmR5X0lDM2dnNmdPLVFuZ3FXNl9LSGk1NDVBX0VFLzk1NzMxMDcwMjIifQ",
"signature": "OxiSd73iNLJH4VqnfPxFVqJ5QYUg07fDRcmy1qr0A5-fK4JKvcHlACmYbbpHaLgoHOG5AYkGsTuREFuX5eOsioDY_d3PoCw1HBS-7JXb3wPTelXEguE_vXbGCKErM7hWTmK-NFpLNVkhrP75jIbnIl-fNvLx6H4JmWBw_qdPsvh2avobG2J2lqgDWBKIYY9akUyp7JfoQ5949LYeusP8xAENcpRbiHyMMUXiFNXe4jN5Nozn9Rx1dakdSodXGRcOq1LCgBkK4DIIeAQhmWVsh4qYIjb-NsMnqahrC4mE7pYiHs_cLDPn7aHeluvU_BHSrT2ISLdyif44L5aAfQ0ETQ",
"payload": "ewogICJyZXNvdXJjZSI6ICJjaGFsbGVuZ2UiLAogICJrZXlBdXRob3JpemF0aW9uIjogIjRzcW5IaEM3cmFlSXVlSjdLWnhRd3BtSHRZU2dIa2l6SE9ZY3VZSWRoTEUuWFVpbi1xZXJsUnNPWE1ETFJZWDVUWU95Qktab1E1eURxMTVJWXVPTUlfTSIsCiAgInR5cGUiOiAiaHR0cC0wMSIKfQ"
}
https://acme-v02.api.letsencrypt.org:443 "POST /acme/challenge/3ZBHdhsrb1a836dy_IC3gg6gO-QngqW6_KHi545A_EE/9573107022 HTTP/1.1" 200 223
Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 223
Boulder-Requester: 7831957
Link: https://acme-v02.api.letsencrypt.org/acme/authz/3ZBHdhsrb1a836dy_IC3gg6gO-QngqW6_KHi545A_EE;rel="up"
Location: https://acme-v02.api.letsencrypt.org/acme/challenge/3ZBHdhsrb1a836dy_IC3gg6gO-QngqW6_KHi545A_EE/9573107022
Replay-Nonce: hcr0-EwL6PozdTK2gcDyg7bM0JOABZuSpURhRppGF2o
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Fri, 23 Nov 2018 13:54:15 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 23 Nov 2018 13:54:15 GMT
Connection: keep-alive
{ "type": "http-01", "status": "pending", "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/3ZBHdhsrb1a836dy_IC3gg6gO-QngqW6_KHi545A_EE/9573107022", "token": "4sqnHhC7raeIueJ7KZxQwpmHtYSgHkizHOYcuYIdhLE" }
Storing nonce: hcr0-EwL6PozdTK2gcDyg7bM0JOABZuSpURhRppGF2o
Sending GET request to https://acme-v02.api.letsencrypt.org/acme/authz/3ZBHdhsrb1a836dy_IC3gg6gO-QngqW6_KHi545A_EE.
https://acme-v02.api.letsencrypt.org:443 "GET /acme/authz/3ZBHdhsrb1a836dy_IC3gg6gO-QngqW6_KHi545A_EE HTTP/1.1" 200 1155
Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 1155
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Fri, 23 Nov 2018 13:54:18 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 23 Nov 2018 13:54:18 GMT
Connection: keep-alive
{ "identifier": { "type": "dns", "value": "skargeth.at" }, "status": "pending", "expires": "2018-11-30T13:53:35Z", "challenges": [ { "type": "tls-sni-01", "status": "pending", "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/3ZBHdhsrb1a836dy_IC3gg6gO-QngqW6_KHi545A_EE/9573107021", "token": "gBbkJUajlG9IDLigeAswqRZhg-O7T4rw5ta-zxym3Oo" }, { "type": "http-01", "status": "pending", "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/3ZBHdhsrb1a836dy_IC3gg6gO-QngqW6_KHi545A_EE/9573107022", "token": "4sqnHhC7raeIueJ7KZxQwpmHtYSgHkizHOYcuYIdhLE" }, { "type": "dns-01", "status": "pending", "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/3ZBHdhsrb1a836dy_IC3gg6gO-QngqW6_KHi545A_EE/9573107023", "token": "o0xYPEMCKPWCyzRTRbsOLACxjK7FoYR3w2rfF4Vjank" }, { "type": "tls-alpn-01", "status": "pending", "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/3ZBHdhsrb1a836dy_IC3gg6gO-QngqW6_KHi545A_EE/9573107024", "token": "gQ5EpRsNxNebqdiLrOM1xB6DbtMHgzitWwXfTfxrtwU" } ] }
Sending GET request to https://acme-v02.api.letsencrypt.org/acme/authz/3ZBHdhsrb1a836dy_IC3gg6gO-QngqW6_KHi545A_EE.
https://acme-v02.api.letsencrypt.org:443 "GET /acme/authz/3ZBHdhsrb1a836dy_IC3gg6gO-QngqW6_KHi545A_EE HTTP/1.1" 200 1155
Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 1155
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Fri, 23 Nov 2018 13:54:22 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 23 Nov 2018 13:54:22 GMT
Connection: keep-alive
{ "identifier": { "type": "dns", "value": "skargeth.at" }, "status": "pending", "expires": "2018-11-30T13:53:35Z", "challenges": [ { "type": "tls-sni-01", "status": "pending", "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/3ZBHdhsrb1a836dy_IC3gg6gO-QngqW6_KHi545A_EE/9573107021", "token": "gBbkJUajlG9IDLigeAswqRZhg-O7T4rw5ta-zxym3Oo" }, { "type": "http-01", "status": "pending", "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/3ZBHdhsrb1a836dy_IC3gg6gO-QngqW6_KHi545A_EE/9573107022", "token": "4sqnHhC7raeIueJ7KZxQwpmHtYSgHkizHOYcuYIdhLE" }, { "type": "dns-01", "status": "pending", "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/3ZBHdhsrb1a836dy_IC3gg6gO-QngqW6_KHi545A_EE/9573107023", "token": "o0xYPEMCKPWCyzRTRbsOLACxjK7FoYR3w2rfF4Vjank" }, { "type": "tls-alpn-01", "status": "pending", "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/3ZBHdhsrb1a836dy_IC3gg6gO-QngqW6_KHi545A_EE/9573107024", "token": "gQ5EpRsNxNebqdiLrOM1xB6DbtMHgzitWwXfTfxrtwU" } ] }
Sending GET request to https://acme-v02.api.letsencrypt.org/acme/authz/3ZBHdhsrb1a836dy_IC3gg6gO-QngqW6_KHi545A_EE.
https://acme-v02.api.letsencrypt.org:443 "GET /acme/authz/3ZBHdhsrb1a836dy_IC3gg6gO-QngqW6_KHi545A_EE HTTP/1.1" 200 1155
Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 1155
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Fri, 23 Nov 2018 13:54:25 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 23 Nov 2018 13:54:25 GMT
Connection: keep-alive
{ "identifier": { "type": "dns", "value": "skargeth.at" }, "status": "pending", "expires": "2018-11-30T13:53:35Z", "challenges": [ { "type": "tls-sni-01", "status": "pending", "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/3ZBHdhsrb1a836dy_IC3gg6gO-QngqW6_KHi545A_EE/9573107021", "token": "gBbkJUajlG9IDLigeAswqRZhg-O7T4rw5ta-zxym3Oo" }, { "type": "http-01", "status": "pending", "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/3ZBHdhsrb1a836dy_IC3gg6gO-QngqW6_KHi545A_EE/9573107022", "token": "4sqnHhC7raeIueJ7KZxQwpmHtYSgHkizHOYcuYIdhLE" }, { "type": "dns-01", "status": "pending", "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/3ZBHdhsrb1a836dy_IC3gg6gO-QngqW6_KHi545A_EE/9573107023", "token": "o0xYPEMCKPWCyzRTRbsOLACxjK7FoYR3w2rfF4Vjank" }, { "type": "tls-alpn-01", "status": "pending", "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/3ZBHdhsrb1a836dy_IC3gg6gO-QngqW6_KHi545A_EE/9573107024", "token": "gQ5EpRsNxNebqdiLrOM1xB6DbtMHgzitWwXfTfxrtwU" } ] }
Sending GET request to https://acme-v02.api.letsencrypt.org/acme/authz/3ZBHdhsrb1a836dy_IC3gg6gO-QngqW6_KHi545A_EE.
https://acme-v02.api.letsencrypt.org:443 "GET /acme/authz/3ZBHdhsrb1a836dy_IC3gg6gO-QngqW6_KHi545A_EE HTTP/1.1" 200 1771
Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 1771
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Fri, 23 Nov 2018 13:54:28 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 23 Nov 2018 13:54:28 GMT
Connection: keep-alive
{ "identifier": { "type": "dns", "value": "skargeth.at" }, "status": "invalid", "expires": "2018-11-30T13:53:35Z", "challenges": [ { "type": "tls-sni-01", "status": "invalid", "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/3ZBHdhsrb1a836dy_IC3gg6gO-QngqW6_KHi545A_EE/9573107021", "token": "gBbkJUajlG9IDLigeAswqRZhg-O7T4rw5ta-zxym3Oo" }, { "type": "http-01", "status": "invalid", "error": { "type": "urn:ietf:params:acme:error:connection", "detail": "Fetching http://skargeth.at/.well-known/acme-challenge/4sqnHhC7raeIueJ7KZxQwpmHtYSgHkizHOYcuYIdhLE: Timeout during connect (likely firewall problem)", "status": 400 }, "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/3ZBHdhsrb1a836dy_IC3gg6gO-QngqW6_KHi545A_EE/9573107022", "token": "4sqnHhC7raeIueJ7KZxQwpmHtYSgHkizHOYcuYIdhLE", "validationRecord": [ { "url": "http://skargeth.at/.well-known/acme-challenge/4sqnHhC7raeIueJ7KZxQwpmHtYSgHkizHOYcuYIdhLE", "hostname": "skargeth.at", "port": "80", "addressesResolved": [ "91.224.71.24" ], "addressUsed": "91.224.71.24" } ] }, { "type": "dns-01", "status": "invalid", "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/3ZBHdhsrb1a836dy_IC3gg6gO-QngqW6_KHi545A_EE/9573107023", "token": "o0xYPEMCKPWCyzRTRbsOLACxjK7FoYR3w2rfF4Vjank" }, { "type": "tls-alpn-01", "status": "invalid", "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/3ZBHdhsrb1a836dy_IC3gg6gO-QngqW6_KHi545A_EE/9573107024", "token": "gQ5EpRsNxNebqdiLrOM1xB6DbtMHgzitWwXfTfxrtwU" } ] }
Reporting to user: The following errors were reported by the server:
Domain: skargeth.at
Type: connection
Detail: Fetching http://skargeth.at/.well-known/acme-challenge/4sqnHhC7raeIueJ7KZxQwpmHtYSgHkizHOYcuYIdhLE: Timeout during connect (likely firewall problem)
To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you're using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.
Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 82, in handle_authorizations
    self._respond(aauthzrs, resp, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 155, in _respond
    self._poll_challenges(aauthzrs, chall_update, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 226, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure.
skargeth.at (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://skargeth.at/.well-known/acme-challenge/4sqnHhC7raeIueJ7KZxQwpmHtYSgHkizHOYcuYIdhLE: Timeout during connect (likely firewall problem)
Calling registered functions
Cleaning up challenges
Removing /var/lib/letsencrypt/.well-known/acme-challenge/4sqnHhC7raeIueJ7KZxQwpmHtYSgHkizHOYcuYIdhLE
All challenges cleaned up
Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.26.1', 'console_scripts', 'certbot')()
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1364, in main
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1124, in run
    certname, lineage)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 120, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 391, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 334, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 370, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 82, in handle_authorizations
    self._respond(aauthzrs, resp, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 155, in _respond
    self._poll_challenges(aauthzrs, chall_update, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 226, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure.
skargeth.at (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://skargeth.at/.well-known/acme-challenge/4sqnHhC7raeIueJ7KZxQwpmHtYSgHkizHOYcuYIdhLE: Timeout during connect (likely firewall problem)
And here is my Apache config:
<VirtualHost *:80>
    ServerAdmin martin@skargeth.at
    ServerName skargeth.at
    DocumentRoot /var/www/html

    # It is assumed that the log directory is in /var/log/httpd.
    # For Debian distributions you might want to change this to
    # /var/log/apache2.
    # The inner quotes around %r must be escaped, otherwise Apache rejects the directive.
    LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b" common_forwarded
    ErrorLog /var/log/apache2/skargeth.at_error.log
    CustomLog /var/log/apache2/skargeth.at_forwarded.log common_forwarded
    CustomLog /var/log/apache2/skargeth.at_access.log combined env=!dontlog
    CustomLog /var/log/apache2/skargeth.at.log combined

    RewriteEngine on
    RewriteCond %{SERVER_NAME} =skargeth.at
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
</VirtualHost>
And my Apache SSL config (created by certbot):
<VirtualHost *:443>
    ServerAdmin martin@skargeth.at
    ServerName skargeth.at
    DocumentRoot /var/www/html

    # It is assumed that the log directory is in /var/log/httpd.
    # For Debian distributions you might want to change this to
    # /var/log/apache2.
    # The inner quotes around %r must be escaped, otherwise Apache rejects the directive.
    LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b" common_forwarded
    ErrorLog /var/log/apache2/skargeth.at_error.log
    CustomLog /var/log/apache2/skargeth.at_forwarded.log common_forwarded
    CustomLog /var/log/apache2/skargeth.at_access.log combined env=!dontlog
    CustomLog /var/log/apache2/skargeth.at.log combined

    SSLCertificateFile /etc/letsencrypt/live/skargeth.at/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/skargeth.at/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
If I pause the process and try to access the file in the .well-known/... folder I can reach it just fine. Can't figure out what's going wrong here.
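To turn the authorization object Certbot printed above into an actionable summary, here is an added Python example (not part of the original post and not Certbot's own code): it parses an ACME authz response, reports each challenge that carries an error, and compares the address the CA actually connected to (`validationRecord[].addressUsed`) with the IP the operator expects, which is the check a local curl of the challenge file cannot give. The sample authz is a trimmed copy of the final one in the log above; the hint table and the `expected_ip` parameter are assumptions.

```python
import json

# Constructed sample: a trimmed copy of the final authz object Certbot printed in the
# log above (error detail shortened; other values taken from the page).
SAMPLE_AUTHZ = json.dumps({
    "identifier": {"type": "dns", "value": "skargeth.at"},
    "status": "invalid",
    "challenges": [
        {"type": "tls-sni-01", "status": "invalid"},
        {"type": "http-01", "status": "invalid",
         "error": {"type": "urn:ietf:params:acme:error:connection",
                   "detail": "Fetching http://skargeth.at/.well-known/acme-challenge/4sqn...: "
                             "Timeout during connect (likely firewall problem)",
                   "status": 400},
         "validationRecord": [{"hostname": "skargeth.at", "port": "80",
                               "addressesResolved": ["91.224.71.24"],
                               "addressUsed": "91.224.71.24"}]},
    ],
})

# Assumed hint table, keyed by the last segment of the RFC 8555 error type URN.
HINTS = {
    "connection": "CA could not open a TCP connection: the port must be reachable from the Internet, not only from the host itself",
    "unauthorized": "CA connected but the served key authorization did not match: check webroot path and redirects",
    "dns": "CA could not resolve the name: check the A/AAAA records",
}

def diagnose(authz_json, expected_ip=None):
    """Return one summary dict per challenge in an ACME authz object that carries an error."""
    authz = json.loads(authz_json)
    findings = []
    for ch in authz.get("challenges", []):
        err = ch.get("error")
        if not err:
            continue  # challenges the client never attempted carry no error object
        err_class = err.get("type", "").rsplit(":", 1)[-1]
        record = (ch.get("validationRecord") or [{}])[0]  # first attempt the CA made
        used = record.get("addressUsed")
        findings.append({
            "challenge": ch.get("type"),
            "error": err_class,
            "detail": err.get("detail"),
            "address_used": used,
            "port": record.get("port"),
            # None when no expectation was given; False means DNS sends the CA to another host
            "ip_matches_expected": (used == expected_ip) if expected_ip else None,
            "hint": HINTS.get(err_class, "see detail"),
        })
    return findings
```

Feed it the authz JSON Certbot prints with -v and pass the public IP you believe the server has; a False `ip_matches_expected` points at DNS, a True one with a `connection` error points at the firewall or NAT in front of port 80.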