Certbot Renewal Error

Help
1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: chat.smotor.com

I ran this command: certbot renew

It produced this output:

My web server is (include version): nginx-1.18.0

The operating system my web server runs on is (include version): CentOS Linux release 7.8.2003

My hosting provider, if applicable, is: YES

I can login to a root shell on my machine (yes or no, or I don't know): YES

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot-1.7.0-1.el7.noarch

When re-authenticating the certificate, the following error occurs.

The external DNS firewall is open.

Error Messages

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/chat.smotor.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for chat.smotor.com
Waiting for verification...
Challenge failed for domain chat.smotor.com
http-01 challenge for chat.smotor.com
Cleaning up challenges
Attempting to renew cert (chat.smotor.com) from /etc/letsencrypt/renewal/chat.smotor.com.conf produced an unexpected error: Some challenges have failed.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/chat.smotor.com/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/chat.smotor.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
- The following errors were reported by the server:

   Domain: chat.smotor.com
   Type:   connection
   Detail: 210.105.204.134: Fetching
   http://chat.smotor.com/.well-known/acme-challenge/gbczwkssz96iRFJyShYCLkQGMnNCRM5Img8IEU_EUZk:
   Timeout during connect (likely firewall problem)

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

#   server 127.0.0.1:8065;
#   keepalive 32;
#}

#proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=mattermost_cache:10m max_size=3g inactive=120m use_temp_path=off;

#server {
#   listen 80 default_server;
#   server_name tok.smotor.com;
#   return 301 https://$server_name$request_uri;
#}

server {

    if ($host = chat.smotor.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

   listen 80 default_server;
   server_name  chat.smotor.com;
    return 404; # managed by Certbot

}

server {
   #listen 80 default_server;
   #return 301 https://$server_name$request_uri;
   #listen 443 ssl http2;
   server_name  chat.smotor.com;
   
   #ssl_certificate /etc/letsencrypt/live/tok.smotor.com/fullchain.pem;
   #ssl_certificate_key /etc/letsencrypt/live/tok.smotor.com/privkey.pem;
   #include /etc/letsencrypt/options-ssl-nginx.conf;
   #ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
   #ssl_prefer_server_ciphers on;
   ssl_session_cache shared:SSL:50m;

   add_header Strict-Transport-Security max-age=15768000;

   ssl_stapling on;
   ssl_stapling_verify on;

   listen 443 ssl; # managed by Certbot
   ssl_certificate /etc/letsencrypt/live/chat.smotor.com/fullchain.pem; # managed by Certbot
   ssl_certificate_key /etc/letsencrypt/live/chat.smotor.com/privkey.pem; # managed by Certbot
   include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
   ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

   location / {
       allow all; 
       root /test;
       index index.html;
   }
2

Hello @sanghoon.pyo, welcome to the Let's Encrypt community. :slightly_smiling_face:

There are no accessible Ports on the domain name's IP Address.

Using this online tool https://letsdebug.net/ here is the Permanent link the results, please review them.

$ curl -I http://chat.smotor.com/.well-known/acme-challenge/wgDm13OFH9oyU67-oyQ65RQU9avlejy5BVqzntVeHA8
curl: (28) Failed to connect to chat.smotor.com port 80 after 75510 ms: Operation timed out

$ nmap chat.smotor.com
Starting Nmap 7.91 ( https://nmap.org ) at 2022-12-06 20:09 PST
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.76 seconds

$ nmap -Pn chat.smotor.com
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-12-06 20:10 PST
Nmap scan report for chat.smotor.com (210.105.204.134)
Host is up.
All 1000 scanned ports on chat.smotor.com (210.105.204.134) are filtered

Nmap done: 1 IP address (1 host up) scanned in 203.43 seconds
2 Likes
3

And using this online tool https://check-host.net/

1 Like
4
2 Likes
5

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.