Certbot renewal + Apache2 : TimedOut but server reachable with browser

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

val.teacup.fr

I ran this command:

./certbot-auto renew --webroot --webroot-path /var/www/html --dry-run

It produced this output:


Processing /etc/letsencrypt/renewal/val.teacup.fr.conf


Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for val.teacup.fr
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Challenge failed for domain val.teacup.fr
http-01 challenge for val.teacup.fr
Cleaning up challenges
Attempting to renew cert (val.teacup.fr) from /etc/letsencrypt/renewal/val.teacup.fr.conf produced an unexpected error: Some challenges have failed.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/val.teacup.fr/fullchain.pem (failure)


** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/val.teacup.fr/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

My web server is (include version):

The operating system my web server runs on is (include version):

Debian 8 and Apache/2.4.10

My hosting provider, if applicable, is:

Own local server

I can login to a root shell on my machine (yes or no, or I don't know):

YES

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

NO

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

certbot 0.33.1

Important:

I can reach the challenge file with my browser while it is issued and 80 and 443 ports are open.
I can open the file http://val.teacup.fr/.well-known/acme-challenge/SQ4TrjhDCgK1abQuXvGX9baUFiNd7qf6iqsWLQj5vOg with Firefox while it is created.

I really don't know what to try now :confused:

I can’t.

I can connect to https://val.teacup.fr/, but http://val.teacup.fr/ times out.

Can you double check your firewalls?

That website’s IP address seems to belong to Orange Business Services, not OVH.

Sorry. The domain is OVH, the server is local.

I do not understand how you can’t access the server.

From my home:

curl -IkL -m20 http://val.teacup.fr/.well-known/acme-challenge/
HTTP/1.1 200 OK
Date: Mon, 15 Apr 2019 08:32:47 GMT
Server: Apache/2.4.10 (Debian)
Content-Type: text/html;charset=UTF-8

Can you access it from outside your home?

From other places using the same ISP?

From other ISPs?

From other countries?

Sometimes ISPs block inbound access to port 80.

Or it could just be a local firewall or port forwarding issue.

Oh! You are right, I can’t access it from another server.
I’ll check with the sysadmin who said the firewall is ok.
Thanks for your help. I will update this thread when I get more information.

Port 80 is closed for everyone but my IP…
Is there any way to challenge on the 443 port or with another method?

Hi @iizno

check the challenge options:

But a website should have an open port 80. You can add a redirect http -> https, Let's Encrypt follows these redirects.
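The diagnosis reached in this thread (443 answers, 80 times out for everyone except an allow-listed IP) can be checked with a small probe run from a machine outside the server's network. This is an added example, not part of the original posts or of Certbot; the function names `probe` and `diagnose_http01` and the verdict strings are hypothetical.

```python
import socket
import sys

def probe(host, port, timeout=5.0):
    """Classify one TCP connect attempt as 'open', 'refused' or 'filtered'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"          # handshake completed: something is listening
    except (socket.timeout, TimeoutError):
        return "filtered"          # no answer at all: packets are being dropped
    except ConnectionRefusedError:
        return "refused"           # reset received: host reachable, no listener
    except OSError as exc:
        return "error: %s" % exc   # DNS failure, no route, and similar

def diagnose_http01(host, timeout=5.0):
    """Return (verdict, explanation) for http-01 reachability of `host`."""
    p80, p443 = probe(host, 80, timeout), probe(host, 443, timeout)
    if p80 == "open":
        return "ok", "port 80 answers from this vantage point"
    if p80 == "filtered" and p443 == "open":
        return "port80-filtered", ("443 answers but 80 times out: a firewall, "
                                   "ISP block or missing port forward is "
                                   "dropping port 80")
    if p80 == "refused":
        return "port80-closed", "host reachable but nothing listens on port 80"
    return "unreachable", "port 80: %s, port 443: %s" % (p80, p443)

if __name__ == "__main__":
    # Run this from OUTSIDE the server's network: a test from an allow-listed
    # address can succeed while the validation servers still time out.
    if len(sys.argv) != 2:
        sys.exit("usage: probe.py <domain>")
    verdict, why = diagnose_http01(sys.argv[1])
    print(verdict + ": " + why)
    sys.exit(0 if verdict == "ok" else 1)
```

A `filtered` result on port 80 alongside `open` on 443 matches the "TimedOut" failure in the renewal output above; `refused` would instead point at Apache not listening on port 80.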

I asked the sysadmin to open the 80 port.
I need to wait now.

Thanks for your quick help!
