Certbot renewal fails

I need help because I can't renew my certificates (it's my first renewal). They will expire in 18 days and I don't know what's wrong. Thanks for your help.

My domain is: lefrancaisparlejeu.fr

I ran this command: sudo certbot renew -v

It produced this output:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/lefrancaisparlejeu.fr.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate for lefrancaisparlejeu.fr
Performing the following challenges:
http-01 challenge for lefrancaisparlejeu.fr
Waiting for verification...
Challenge failed for domain lefrancaisparlejeu.fr
http-01 challenge for lefrancaisparlejeu.fr

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
  Domain: lefrancaisparlejeu.fr
  Type: connection
  Detail: 82.65.211.128: Fetching http://lefrancaisparlejeu.fr/.well-known/acme-challenge/Ww_Pk_G5wwqmFoo6HOyCjmz7PCkiBsATcD9iHLteXpM: Error getting validation data

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Cleaning up challenges
Failed to renew certificate lefrancaisparlejeu.fr with error: Some challenges have failed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/lefrancaisparlejeu.fr/fullchain.pem (failure)

My web server is (include version): apache2

The operating system my web server runs on is (include version): Linux Mint 21.1

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.5.0

I can't load your website. Do you have port 80 open?


Their IPv4 Address has Port 80 filtered

$ nmap -Pn -p80,443 lefrancaisparlejeu.fr
Starting Nmap 7.80 ( https://nmap.org ) at 2023-05-08 15:33 UTC
Nmap scan report for lefrancaisparlejeu.fr (82.65.211.128)
Host is up.
rDNS record for 82.65.211.128: 82-65-211-128.subs.proxad.net

PORT    STATE    SERVICE
80/tcp  filtered http
443/tcp filtered https

Nmap done: 1 IP address (1 host up) scanned in 3.73 seconds

Let's Debug yields https://letsdebug.net/lefrancaisparlejeu.fr/1472640 which is in agreement with the nmap -Pn -p80,443 results; there may be additional issues as well.

ANotWorking
Error
lefrancaisparlejeu.fr has an A (IPv4) record (82.65.211.128) but a request to this address over port 80 did not succeed. Your web server must have at least one working IPv4 or IPv6 address.
Get "http://lefrancaisparlejeu.fr/.well-known/acme-challenge/letsdebug-test": dial tcp 82.65.211.128:80: connect: no route to host

Trace:
@0ms: Making a request to http://lefrancaisparlejeu.fr/.well-known/acme-challenge/letsdebug-test (using initial IP 82.65.211.128)
@0ms: Dialing 82.65.211.128
@1486ms: Experienced error: dial tcp 82.65.211.128:80: connect: no route to host 
IssueFromLetsEncrypt
Error
A test authorization for lefrancaisparlejeu.fr to the Let's Encrypt staging service has revealed issues that may prevent any certificate for this domain being issued.
82.65.211.128: Fetching http://lefrancaisparlejeu.fr/.well-known/acme-challenge/MxmTYKLs9m9QnAmBmjRTEa6XZ4O-imk7NZNyJl8DuWs: Error getting validation data 

Best Practice - Keep Port 80 Open
The HTTP-01 challenge of the Challenge Types - Let's Encrypt requires access to Port 80 to validate the domain.

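The nmap and Let's Debug results above both come down to how a TCP connection to port 80 fails. The following added example, which is not code from the thread or from Certbot, classifies a connect attempt into the same states (open, closed, filtered); the function names and advice strings are assumptions of this example. Run it from a host outside the server's own network, since that is the path the CA's validation request takes.

```python
import errno
import socket
import sys

# errno values that mean the SYN never reached a listener (nmap: "filtered").
FILTERED_ERRNOS = {errno.EHOSTUNREACH, errno.ENETUNREACH, errno.ETIMEDOUT}

# Advice strings are this example's own wording, not Certbot output.
ADVICE = {
    "open": "a listener accepted the connection; HTTP-01 requests can get in",
    "closed": "host answered but nothing listens here; check the web server",
    "filtered": "no usable reply; check firewall rules and router port forwarding",
}

def classify_connect_error(exc):
    """Map a failed TCP connect onto nmap's 'closed' / 'filtered' states."""
    if isinstance(exc, ConnectionRefusedError):
        return "closed"        # RST received: reachable, but no listener
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "filtered"      # SYN silently dropped
    if isinstance(exc, OSError) and exc.errno in FILTERED_ERRNOS:
        return "filtered"      # ICMP unreachable, e.g. "no route to host"
    raise exc                  # DNS failure etc.: not a port state

def port_state(host, port, timeout=3.0):
    """Attempt one TCP connection and return 'open', 'closed' or 'filtered'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except OSError as exc:
        return classify_connect_error(exc)

def http01_preflight(host, port=80, timeout=3.0):
    """Return (state, advice) for the port the HTTP-01 challenge must reach."""
    state = port_state(host, port, timeout)
    return state, ADVICE[state]

if __name__ == "__main__":
    # Hostname comes from the command line; nothing is hard-coded.
    state, advice = http01_preflight(sys.argv[1])
    print(f"80/tcp {state}: {advice}")
    sys.exit(0 if state == "open" else 1)
```

The non-zero exit status on anything other than "open" lets the script gate a renewal job, so a forgotten port redirect is caught before the challenge is attempted.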

Hello _az, hello Bruce,
Thank you for your answers. Actually, first of all, port 80 wasn't open (my mistake: for tests, I redirected port 80 to another PC and I forgot I did that).
Renewal finally worked with this command: sudo certbot certonly --force-renew -d lefrancaisparlejeu.fr

By contrast, the command "sudo certbot renew --dry-run" still fails (same error as before), I don't understand why.
