Certbot run dry run fails

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: unifi.itvakta.no

I ran this command: root@unifi:~# certbot renew --dry-run

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/unifi.itvakta.no.conf


Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for unifi.itvakta.no
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (unifi.itvakta.no) from /etc/letsencrypt/renewal/unifi.itvakta.no.conf produced an unexpected error: Failed authorization procedure. unifi.itvakta.no (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://unifi.itvakta.no/.well-known/acme-challenge/1wq1wgnxfY2fC_U0dGoB1fq0D1FMZGq-Xe6AnAn_oio [172.105.65.130]: "<!doctype html><html lang="en">HTTP Status 404 \u2013 Not Found<style type="text/css">body {font-family:Tahoma". Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/unifi.itvakta.no/fullchain.pem (failure)


** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/unifi.itvakta.no/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: unifi.itvakta.no
    Type: unauthorized
    Detail: Invalid response from
    http://unifi.itvakta.no/.well-known/acme-challenge/1wq1wgnxfY2fC_U0dGoB1fq0D1FMZGq-Xe6AnAn_oio
    [172.105.65.130]: "<!doctype html><html
    lang="en">HTTP Status 404 – Not Found<style
    type="text/css">body {font-family:Tahoma"

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

My web server is (include version):
debian 9
The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:


I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.28.0

Additional info:
I run the Ubiquiti UniFi controller on this server.

Firewall rules:
unifiadmin@unifi:~$ sudo ufw status
Status: active

To Action From


2222 ALLOW 62.92.214.0/27
8443 ALLOW 62.92.214.0/27
9090 ALLOW 62.92.214.0/27
2222 ALLOW 77.16.56.160/27
8443 ALLOW 77.16.56.160/27
9090 ALLOW 77.16.56.160/27
2222 ALLOW 62.92.215.154
8443 ALLOW 62.92.215.154
9090 ALLOW 62.92.215.154
2222 ALLOW 62.92.214.50
8443 ALLOW 62.92.214.50
9090 ALLOW 62.92.214.50
2222 ALLOW 185.13.124.218
8443 ALLOW 185.13.124.218
9090 ALLOW 185.13.124.218
3478/udp ALLOW Anywhere
8080 ALLOW Anywhere
8880 ALLOW Anywhere
8843 ALLOW Anywhere
80 ALLOW Anywhere
443 ALLOW Anywhere
9090 ALLOW Anywhere

unifiadmin@unifi:~$

I managed to get one step further.
I ran this command:
sudo iptables -I INPUT 5 -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
sudo netfilter-persistent save
sudo netfilter-persistent reload

When I then run certbot renew --dry-run again I get:
unifiadmin@unifi:~$ sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/unifi.itvakta.no.conf


Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for unifi.itvakta.no
Cleaning up challenges
Attempting to renew cert (unifi.itvakta.no) from /etc/letsencrypt/renewal/unifi.itvakta.no.conf produced an unexpected error: Problem binding to port 80: Could not bind to IPv4 or IPv6.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/unifi.itvakta.no/fullchain.pem (failure)


** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/unifi.itvakta.no/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)


1 renew failure(s), 0 parse failure(s)

Not sure why ufw stopped port 80...

Well now there seems to be something else running on port 80.
Although I can't seem to connect to it.
Have you changed the permissions on the /etc/letsencrypt/ folder?
Please show what is running on port 80:
sudo netstat -pant | grep -i listen | grep 80

unifiadmin@unifi:~$ sudo netstat -pant | grep -i listen | grep 80
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1130/nginx: master
tcp6       0      0 :::8880                 :::*                    LISTEN      3065/java
tcp6       0      0 :::8080                 :::*                    LISTEN      3065/java
tcp6       0      0 :::80                   :::*                    LISTEN      1130/nginx: master
unifiadmin@unifi:~$

tcp6 0 0 :::80 :::* LISTEN 1130/nginx: master

Looks like nginx is running and bound to port 80.
Certbot is trying to run in --standalone mode and needs to use port 80.
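As an added example (not code from anyone in this thread): a small POSIX shell helper that parses netstat -pant output to find which process holds port 80 and then picks a renewal command, using certbot's --pre-hook/--post-hook options to free the port only for the duration of the challenge. The netstat sample is constructed from the listing posted above; the hook commands assume nginx is managed by systemd.

```shell
#!/bin/sh
# Added example: decide whether "certbot renew" in standalone mode can bind
# port 80, based on netstat -pant output. Sample constructed from the thread.
SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1130/nginx: master
tcp6       0      0 :::8880                 :::*                    LISTEN      3065/java
tcp6       0      0 :::8080                 :::*                    LISTEN      3065/java
tcp6       0      0 :::80                   :::*                    LISTEN      1130/nginx: master'

# Print "pid/program" for every LISTEN socket whose local address ends in
# ":<port>". Anchoring on ":80$" keeps :8080 and :8880 (the UniFi Java
# ports) out of the result, which a plain "grep 80" does not.
listeners_on_port() {
    port="$1"
    printf '%s\n' "$2" | awk -v p="$port" '
        $6 == "LISTEN" && $4 ~ (":" p "$") { print $7 }' | sort -u
}

# Standalone needs a free port 80. If nginx owns it, stop nginx only while
# the http-01 challenge runs; anything else needs a manual decision.
renew_plan() {
    owner=$(listeners_on_port 80 "$1")
    case "$owner" in
        "")        echo "certbot renew --dry-run" ;;
        */nginx:*) echo "certbot renew --dry-run --pre-hook 'systemctl stop nginx' --post-hook 'systemctl start nginx'" ;;
        *)         echo "port 80 held by $owner; stop it or switch to the webroot authenticator" ;;
    esac
}

# On a live host replace the sample with: sudo netstat -pant
renew_plan "$SAMPLE_NETSTAT"
```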

Any idea on how to proceed?

Something has changed since your last cert issuance.
Did you recently add nginx ?
Did you recently add IPv6 ?

Not that I know of.
Just now I installed the certbot nginx module.
Not sure if that is the correct approach though...

If you were already able to get a cert, then you shouldn't have to add anything to certbot.
Do you even use nginx?
Can you uninstall it?
Or do you know how to configure it?

The renewal has failed for some time.
For this UniFi server I have always used a script called unifi-update.sh which did all the updates for certs and the UniFi controller.
The script is written by:
Website | https://GlennR.nl
https://community.ui.com/questions/UniFi-Installation-Scripts-or-UniFi-Easy-Update-Script-or-UniFi-Lets-Encrypt-or-Ubuntu-16-04-18-04-/ccbc7530-dd61-40a7-82ec-22b17f027776
Now the certs are not being renewed by this script and I need to figure out why.

Who/what installed nginx? and when?
The script may be old and validating via ACMEv1 (just a guess).

I think I installed nginx when I installed UniFi.
Not sure if this has been set up correctly.

Please show the output of:
sudo nginx -T | grep -Ei 'server_name|listen|root|host'

unifiadmin@unifi:/etc/nginx/sites-available$ sudo nginx -T | grep -Ei 'server_name|listen|root|host'
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
# Virtual Host Configs

# auth_http localhost/auth.php;

listen localhost:110;

listen localhost:143;

    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 301 https://$host$request_uri;

unifiadmin@unifi:/etc/nginx/sites-available$

I don't think that is doing anything (other than just getting in the way).
Let's try stopping it for a moment and then check all your services and if all ok, then we can try certbot again.

try:
sudo systemctl stop nginx

unifiadmin@unifi:/etc/nginx/sites-available$ sudo systemctl stop nginx
unifiadmin@unifi:/etc/nginx/sites-available$ sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/unifi.itvakta.no.conf


Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for unifi.itvakta.no
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (unifi.itvakta.no) from /etc/letsencrypt/renewal/unifi.itvakta.no.conf produced an unexpected error: Failed authorization procedure. unifi.itvakta.no (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://unifi.itvakta.no/.well-known/acme-challenge/BHHgJjiDibc7xCcWhNGlYdhwNJHbzyhkp4jUOlnfuRI: Timeout during connect (likely firewall problem). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/unifi.itvakta.no/fullchain.pem (failure)


** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/unifi.itvakta.no/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: unifi.itvakta.no
    Type: connection
    Detail: Fetching
    http://unifi.itvakta.no/.well-known/acme-challenge/BHHgJjiDibc7xCcWhNGlYdhwNJHbzyhkp4jUOlnfuRI:
    Timeout during connect (likely firewall problem)

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you're using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.
    unifiadmin@unifi:/etc/nginx/sites-available$

Please show output of:
curl -4 ifconfig.co
curl -6 ifconfig.co

unifiadmin@unifi:/etc/nginx/sites-available$ curl ifconfig.co
172.105.65.130
unifiadmin@unifi:/etc/nginx/sites-available$

unifiadmin@unifi:/etc/nginx/sites-available$ curl ifconfig.co
172.105.65.130
unifiadmin@unifi:/etc/nginx/sites-available$ curl -4 ifconfig.co
172.105.65.130
unifiadmin@unifi:/etc/nginx/sites-available$ curl -6 ifconfig.co
curl: (7) Couldn't connect to server
unifiadmin@unifi:/etc/nginx/sites-available$