Certbot Updates - Not Able to Renew Cert

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

sudo certbot certonly --apache -d lab.addmoreroutes.com --dry-run

It produced this output:
sudo certbot certonly --apache -d lab.addmoreroutes.com --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Cert is due for renewal, auto-renewing...
Simulating renewal of an existing certificate for lab.addmoreroutes.com
Performing the following challenges:
http-01 challenge for lab.addmoreroutes.com
Waiting for verification...
Challenge failed for domain lab.addmoreroutes.com
http-01 challenge for lab.addmoreroutes.com
Cleaning up challenges
Some challenges have failed.


  • The following errors were reported by the server:

    Domain: lab.addmoreroutes.com
    Type: connection
    Detail: Fetching
    Connection refused

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you're using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

My web server is (include version):

The operating system my web server runs on is (include version):

Linux Ubuntu 18.04 LTS

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):


I'm using a control panel to manage my site (no, or provide the name and version of the control panel):


The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):


Hi @ak31

There is no answer; your port 80 is blocked.

Looks like a firewall / fail2ban / htaccess / something else that blocks.

An open port 80 / http is required to use http validation.


root@eve-ng:~# sudo apachectl -S
VirtualHost configuration:
*:443 lab.addmoreroutes.com (/etc/apache2/sites-enabled/eveng-ssl.conf:2)
*:80 is a NameVirtualHost
default server lab.addmoreroutes.com (/etc/apache2/sites-enabled/eveng.conf:1)
port 80 namevhost lab.addmoreroutes.com (/etc/apache2/sites-enabled/eveng.conf:1)
alias www.lab.addmoreroutes.com
port 80 namevhost eve-ng.example.com (/etc/apache2/sites-enabled/unetlab.conf:24)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/lock/apache2" mechanism=fcntl
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
User: name="www-data" id=33
Group: name="www-data" id=33


It's been a while since I have played around with this. What is the next step?


Is there actually anything listening on port 80?

sudo netstat -nap | grep :80

Because Apache also needs a Listen 80 to actually listen on port 80, not just a VirtualHost for it.


You have to find that instance and remove it. It's your system.

There is a blocking answer

D:\temp>download http://lab.addmoreroutes.com/.well-known/acme-challenge/w4VXQj2ioaRr-HdmbNZjFhaRIdGM5_xxiV4_puu2dks -h
Error (1): Die Verbindung mit dem Remoteserver kann nicht hergestellt werden.
Es konnte keine Verbindung hergestellt werden, da der Zielcomputer die Verbindung verweigerte

2907,30 milliseconds

not only a timeout after 10 seconds.

root@eve-ng:~# sudo netstat -nap | grep :80
tcp 0 0* LISTEN 6092/apache2
tcp 0 0 ESTABLISHED 21206/apache2
tcp 0 0 ESTABLISHED 21204/apache2
tcp 0 0 ESTABLISHED 6171/apache2
tcp 0 0 TIME_WAIT -
tcp 0 0 ESTABLISHED 21209/apache2
tcp 0 0 TIME_WAIT -
tcp 0 0 ESTABLISHED 6174/apache2
tcp 0 0 ESTABLISHED 6093/apache2
tcp 0 0 TIME_WAIT -
tcp 0 0 ESTABLISHED 14477/apache2
tcp 1 0 CLOSE_WAIT 6172/apache2
tcp 0 0 TIME_WAIT -
tcp 0 0 ESTABLISHED 6092/apache2
tcp 0 0 ESTABLISHED 21210/apache2
tcp6 0 0 :::* LISTEN 5526/java
tcp6 0 0 :::* LISTEN 5526/java
tcp6 0 0 :::8088 :::* LISTEN 4966/janus
tcp6 0 0 ESTABLISHED 5526/java
tcp6 0 0 ESTABLISHED 5526/java
tcp6 0 0 TIME_WAIT -
tcp6 0 0 ESTABLISHED 5526/java
tcp6 0 0 TIME_WAIT -
tcp6 0 0 ESTABLISHED 5526/java
tcp6 0 0 ESTABLISHED 5526/java
tcp6 0 0 ESTABLISHED 5526/java
tcp6 0 0 ESTABLISHED 5526/java
tcp6 0 0 ESTABLISHED 5526/java
tcp6 0 0 ESTABLISHED 5526/java
tcp6 0 0 TIME_WAIT -


Yes, I know. By default, without a firewall, a Linux system will reply with "connection refused" if nothing is listening. Only a firewall dropping packets will result in a timeout.

Usually one would enable such a firewall, dropping every packet except a few ports. This would result in timeouts. However, if the firewall is open for a certain port and there isn't a daemon listening on that port, one would get a connection refused again. Due to the open port in the firewall.

You seem to have Apache listening on port 80. In that case, either a firewall is returning connection refused-answers or you've portmapped external port 80 to the wrong port or host inside your network, if applicable.
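
The refused-versus-timeout distinction explained above can be checked with a small probe. This is an added example, not part of the original posts: `probe_tcp`, `diagnose` and `demo` are hypothetical names, the demo uses a constructed loopback listener in place of port 80, and in real use the external result has to come from a machine outside the server's network.

```python
import socket


def probe_tcp(host, port, timeout=5.0):
    """Return 'open', 'refused', 'timeout' or 'error' for one TCP connect."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"        # handshake completed: a daemon answered
    except ConnectionRefusedError:
        return "refused"         # active rejection (RST or firewall REJECT)
    except socket.timeout:
        return "timeout"         # silence: packets dropped on the path
    except OSError:
        return "error"           # DNS failure, no route, ...


def diagnose(local, external):
    """Combine a probe made on the server with one made from outside."""
    if local != "open":
        return "nothing is listening locally: check Apache's Listen 80"
    if external == "open":
        return "port 80 is reachable: http-01 can connect"
    if external == "refused":
        return ("listener is up but outside gets refused: firewall REJECT "
                "rule or port 80 forwarded to the wrong host/port")
    if external == "timeout":
        return "listener is up but outside times out: firewall is dropping"
    return "external probe failed before connecting: check DNS and routing"


def demo():
    """Constructed local demo: probe a listener, then the same port closed."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))   # ephemeral port, stands in for port 80
    srv.listen(1)
    port = srv.getsockname()[1]
    with_listener = probe_tcp("127.0.0.1", port, timeout=2)
    srv.close()
    without_listener = probe_tcp("127.0.0.1", port, timeout=2)
    return with_listener, without_listener


if __name__ == "__main__":
    print(demo())
    print(diagnose("open", "refused"))   # the situation in this thread
```
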


Thanks, I will take another look at this today.


certbot-auto is no longer a thing. What new commands should I be running? I saved some troubleshooting commands but can't seem to find them. Help lol


You can find the current recommendations for installing certbot on https://certbot.eff.org/


Thanks for the link. How can I change some of the virtual host parameters?


I don't understand what you mean, could you please elaborate?


Post your /etc/apache2/apache2.conf file.

Also your /etc/apache2/sites-available/ whatever you are using.

This is the first place to start fixing web server woes.


Welcome Back to the Let's Encrypt Community

@HardcoreGames has the right concept for cleaning up your apache vhost configuration.

What are the contents of these files?


What are the outputs of these commands?

sudo ls -lRa /etc/apache2/sites-available
sudo ls -lRa /etc/apache2/sites-enabled

Please put three backticks above and below each content and output, like this:


On the other hand, regarding connection to lab.addmoreroutes.com...

You can use the following tools to test the response of your webserver:




Will post the apache2 config shortly. I did notice the "sites-available" file is blank...


root@eve-ng:~# sudo ls -lRa /etc/apache2/sites-available
total 44
drwxr-xr-x 2 root root 4096 Mar 24 20:50 .
drwxr-xr-x 8 root root 4096 Apr 25 20:00 ..
-rw-r--r-- 1 root root 1332 Jun 11 2018 000-default.conf
-rw-r--r-- 1 root root 6338 Jun 11 2018 default-ssl.conf
-rw-r--r-- 1 root root 466 Apr 11 2020 eveng.conf
-rw-r--r-- 1 root root 2107 Mar 24 20:50 eveng-ssl.conf
-rw-r--r-- 1 root root 1827 Nov 6 2019 eveng-ssl.conf.save
-rw-r--r-- 1 root root 323 Feb 8 18:02 netdata.conf
-rw-r--r-- 1 root root 589 Mar 24 20:50 unetlab.conf
-rw-r--r-- 1 root root 571 Apr 13 2020 unetlab-le-ssl.conf
root@eve-ng:~# sudo ls -lRa /etc/apache2/sites-enabled
total 16
drwxr-xr-x 2 root root 4096 Apr 25 20:08 .
drwxr-xr-x 8 root root 4096 Apr 25 20:00 ..
-rw-r--r-- 1 root root 456 Jul 2 2020 eveng.conf
-rw-r--r-- 1 root root 2180 Apr 13 2020 eveng-ssl.conf
lrwxrwxrwx 1 root root 31 Mar 4 08:38 netdata.conf -> ../sites-available/netdata.conf
lrwxrwxrwx 1 root root 31 Apr 21 2020 unetlab.conf -> ../sites-available/unetlab.conf


eveng.conf below from Sites-Enabled

> <VirtualHost *:80>
>         ServerName lab.addmoreroutes.com
>         ServerAlias www.lab.addmoreroutes.com
>         ServerAdmin $$$$$$$$$$$$$$
>         DocumentRoot /opt/unetlab/html/
>         <Directory /opt/unetlab/html/>
>                 AllowOverride All
>                 Options -Indexes +FollowSymLinks +MultiViews
>                 Require all granted
>         </Directory>
> Redirect permanent / https://lab.addmoreroutes.com/
> </VirtualHost>


Here is the unetlab.conf from Sites-Enabled

# Logging disabled by default # LogLevel mod_rewrite.c:trace2

<Directory /opt/unetlab/html/>
Options FollowSymLinks
AllowOverride All
Require all granted
</Directory>

<Directory /opt/unetlab/data/Exports/>
Options FollowSymLinks Indexes
AllowOverride All
Require all granted
</Directory>

<Directory /opt/unetlab/data/Logs/>
Options FollowSymLinks Indexes
AllowOverride All
Require all granted
</Directory>

<VirtualHost *:80>
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
</VirtualHost>


eveng-ssl.conf Listed below from Sites-Enabled

<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerAdmin ###########################
        ServerName lab.addmoreroutes.com
        ServerAlias www.lab.addmoreroutes.com
        DocumentRoot /opt/unetlab/html/
        ErrorLog /opt/unetlab/data/Logs/ssl-error.log
        CustomLog /opt/unetlab/data/Logs/ssl-access.log combined
        Alias /Exports /opt/unetlab/data/Exports
        Alias /Logs /opt/unetlab/data/Logs
        SSLEngine on
        SSLProxyEngine on
        SSLCertificateFile /etc/letsencrypt/live/lab.addmoreroutes.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/lab.addmoreroutes.com/privkey.pem
        SSLProtocol         all -SSLv3 -TLSv1 -TLSv1.1
        # Many ciphers defined here require a modern version (1.0.1+) of OpenSSL. Some
        # require OpenSSL 1.1.0, which as of this writing was in pre-release.
        SSLHonorCipherOrder on
        SSLCompression      off
        SSLSessionTickets   off
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
                SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
                SSLOptions +StdEnvVars
        </Directory>
        <Location /html5/>
                Order allow,deny
                Allow from all
                ProxyPass flushpackets=on
        </Location>

        <Location /html5/websocket-tunnel>
                Order allow,deny
                Allow from all
                ProxyPass ws://
                ProxyPassReverse ws://
        </Location>
        ProxyPass /janus-ws ws://
        ProxyPassReverse /janus-ws ws://
        ProxyPass /chat-ws ws://
        ProxyPassReverse /chat-ws ws://