I am having a terrible time trying to get my certificates renewed. When I run the test it creates the challenge file in my web root directory at .well-known/acme-challenge/{challenge-file}. When I run the renew I am able to go into that folder quickly and grab the new file name and am able to hit the address at www.creativebagwedding.com/.well-known/acme-challenge/{challenge-file} and it brings up the contents. I also looked into the apache access logs and found 3 requests for that file.
13.58.30.69 - - [14/Feb/2019:15:30:16 -0700] "GET /.well-known/acme-challenge/Ss5j-_eOLGW1Oi_P3FkqS08wek0rwYERH_FXP3Ug4-s HTTP/1.1" 200 338 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" -
34.213.106.112 - - [14/Feb/2019:15:30:17 -0700] "GET /.well-known/acme-challenge/Ss5j-_eOLGW1Oi_P3FkqS08wek0rwYERH_FXP3Ug4-s HTTP/1.1" 200 310 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" -
52.29.173.72 - - [14/Feb/2019:15:30:17 -0700] "GET /.well-known/acme-challenge/Ss5j-_eOLGW1Oi_P3FkqS08wek0rwYERH_FXP3Ug4-s HTTP/1.1" 200 310 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" -
All the requests are returning 200 however I still get the error that there is something in my firewall blocking my challenge. I did have to unblock those 3 ip's from the firewall. Could there be more ip's from letsencrypt that my firewall is blocking. We do have a fairly large list of ip's that we block because we block any ip's that hit are server too much.
Also I should mention that -webroot is really the only challenge that will work for us as we don't own all the domains that we need to get certificates for. Many of the domains are just pointed to our server.
My domain is:
www.creativebagwedding.com
I ran this command:
sudo certbot renew --dry-run --cert-name www.creativebagwedding.com
It produced this output:
Processing /etc/letsencrypt/renewal/www.creativebagwedding.com.conf
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.creativebagwedding.com
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (www.creativebagwedding.com) from /etc/letsencrypt/renewal/www.creativebagwedding.com.conf produced an unexpected error: Failed authorization procedure. www.creativebagwedding.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://www.creativebagwedding.com/.well-known/acme-challenge/w1iNKHuXGKKP0GESgxouzhCq4kEDbAGk2x9k77SzTmE: Timeout during connect (likely firewall problem). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/www.creativebagwedding.com/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/www.creativebagwedding.com/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)
Running post-hook command: apachectl -k restart
1 renew failure(s), 0 parse failure(s)IMPORTANT NOTES:
The following errors were reported by the server:
Domain: www.creativebagwedding.com
Type: connection
Detail: Fetching
http://www.creativebagwedding.com/.well-known/acme-challenge/w1iNKHuXGKKP0GESgxouzhCq4kEDbAGk2x9k77SzTmE:
Timeout during connect (likely firewall problem)To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
My web server is (include version):
apache2
The operating system my web server runs on is (include version):
ubuntu 16.04
My hosting provider, if applicable, is:
AWS
I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version
or certbot-auto --version
if you're using Certbot):
certbot 0.28.0