Certbot Updates - Not Able to Renew Cert

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
lab.addmoreroutes.com

I ran this command:

sudo certbot certonly --apache -d lab.addmoreroutes.com --dry-run

It produced this output:
```
sudo certbot certonly --apache -d lab.addmoreroutes.com --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Cert is due for renewal, auto-renewing...
Simulating renewal of an existing certificate for lab.addmoreroutes.com
Performing the following challenges:
http-01 challenge for lab.addmoreroutes.com
Waiting for verification...
Challenge failed for domain lab.addmoreroutes.com
http-01 challenge for lab.addmoreroutes.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: lab.addmoreroutes.com
    Type: connection
    Detail: Fetching
    http://lab.addmoreroutes.com/.well-known/acme-challenge/w4VXQj2ioaRr-HdmbNZjFhaRIdGM5_xxiV4_puu2dks:
    Connection refused

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you're using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.
```

My web server is (include version):

The operating system my web server runs on is (include version):

Linux Ubuntu 18.04 LTS

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

Yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
1.14.0

2 Likes

Hi @ak31

There is no answer: your port 80 is blocked.

Looks like a firewall / fail2ban / htaccess / something else that blocks.

An open port 80 / http is required to use http validation.

1 Like

```
root@eve-ng:~# sudo apachectl -S
VirtualHost configuration:
*:443 lab.addmoreroutes.com (/etc/apache2/sites-enabled/eveng-ssl.conf:2)
*:80 is a NameVirtualHost
default server lab.addmoreroutes.com (/etc/apache2/sites-enabled/eveng.conf:1)
port 80 namevhost lab.addmoreroutes.com (/etc/apache2/sites-enabled/eveng.conf:1)
alias www.lab.addmoreroutes.com
port 80 namevhost eve-ng.example.com (/etc/apache2/sites-enabled/unetlab.conf:24)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/lock/apache2" mechanism=fcntl
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33
```

2 Likes

It's been a while since I have played around with this. What is the next step?

2 Likes

Is there actually anything listening on port 80?

```
sudo netstat -nap | grep :80
```

Because Apache also needs a Listen 80 to actually listen on port 80, not just a VirtualHost for it.

2 Likes

You have to find that instance and remove it. It's your system.

There is a blocking answer

```
D:\temp>download http://lab.addmoreroutes.com/.well-known/acme-challenge/w4VXQj2ioaRr-HdmbNZjFhaRIdGM5_xxiV4_puu2dks -h
Error (1): Die Verbindung mit dem Remoteserver kann nicht hergestellt werden.
ConnectFailure
3
Es konnte keine Verbindung hergestellt werden, da der Zielcomputer die Verbindung verweigerte 142.197.243.190:80

2907,30 milliseconds
```

not only a timeout after 10 seconds.

```
root@eve-ng:~# sudo netstat -nap | grep :80
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 6092/apache2
tcp 0 0 127.0.0.1:56586 127.0.0.1:8080 ESTABLISHED 21206/apache2
tcp 0 0 127.0.0.1:56780 127.0.0.1:8080 ESTABLISHED 21204/apache2
tcp 0 0 127.0.0.1:54742 127.0.0.1:8080 ESTABLISHED 6171/apache2
tcp 0 0 127.0.0.1:53686 127.0.0.1:8080 TIME_WAIT -
tcp 0 0 127.0.0.1:55264 127.0.0.1:8080 ESTABLISHED 21209/apache2
tcp 0 0 127.0.0.1:54506 127.0.0.1:8080 TIME_WAIT -
tcp 0 0 127.0.0.1:56194 127.0.0.1:8080 ESTABLISHED 6174/apache2
tcp 0 0 127.0.0.1:56694 127.0.0.1:8080 ESTABLISHED 6093/apache2
tcp 0 0 127.0.0.1:54272 127.0.0.1:8080 TIME_WAIT -
tcp 0 0 127.0.0.1:55172 127.0.0.1:8080 ESTABLISHED 14477/apache2
tcp 1 0 127.0.0.1:50862 127.0.0.1:8080 CLOSE_WAIT 6172/apache2
tcp 0 0 127.0.0.1:54108 127.0.0.1:8080 TIME_WAIT -
tcp 0 0 127.0.0.1:55776 127.0.0.1:8080 ESTABLISHED 6092/apache2
tcp 0 0 127.0.0.1:56670 127.0.0.1:8080 ESTABLISHED 21210/apache2
tcp6 0 0 127.0.0.1:8005 :::* LISTEN 5526/java
tcp6 0 0 127.0.0.1:8080 :::* LISTEN 5526/java
tcp6 0 0 :::8088 :::* LISTEN 4966/janus
tcp6 0 0 127.0.0.1:8080 127.0.0.1:55776 ESTABLISHED 5526/java
tcp6 0 0 127.0.0.1:8080 127.0.0.1:56670 ESTABLISHED 5526/java
tcp6 0 0 127.0.0.1:8080 127.0.0.1:54272 TIME_WAIT -
tcp6 0 0 127.0.0.1:8080 127.0.0.1:55264 ESTABLISHED 5526/java
tcp6 0 0 127.0.0.1:8080 127.0.0.1:54404 TIME_WAIT -
tcp6 0 0 127.0.0.1:8080 127.0.0.1:56586 ESTABLISHED 5526/java
tcp6 0 0 127.0.0.1:8080 127.0.0.1:56194 ESTABLISHED 5526/java
tcp6 0 0 127.0.0.1:8080 127.0.0.1:56780 ESTABLISHED 5526/java
tcp6 0 0 127.0.0.1:8080 127.0.0.1:56694 ESTABLISHED 5526/java
tcp6 0 0 127.0.0.1:8080 127.0.0.1:55172 ESTABLISHED 5526/java
tcp6 0 0 127.0.0.1:8080 127.0.0.1:54742 ESTABLISHED 5526/java
tcp6 0 0 127.0.0.1:8080 127.0.0.1:54506 TIME_WAIT -
```

2 Likes

Yes, I know. By default, without a firewall, a Linux system will reply with "connection refused" if nothing is listening. Only a firewall dropping packets will result in a timeout.

Usually one would enable such a firewall, dropping every packet except a few ports. This would result in timeouts. However, if the firewall is open for a certain port and there isn't a daemon listening on that port, one would get a connection refused again, due to the open port in the firewall.

You seem to have Apache listening on port 80. In that case, either a firewall is returning connection-refused answers or you've port-mapped external port 80 to the wrong port or host inside your network, if applicable.

2 Likes
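The distinction made above (an RST-style "connection refused" versus a silent timeout) decides where to look next, so here is a small probe that does what the validation server does, step by step: TCP connect to port 80 first, then fetch `/.well-known/acme-challenge/<token>` and check the body. This is an added example written for this thread, not Certbot's or Let's Encrypt's code; the host, port, token and temporary web root used by `self_test()` are constructed, not taken from the thread. A real timeout cannot be demonstrated offline, so the self-test only exercises the "served", "404" and "refused" outcomes.

```python
"""Reproduce the CA's http-01 fetch and tell 'refused' from 'timeout'.

Added example for this thread; it is not Certbot's or Let's Encrypt's code.
It does what the validation server does: open TCP to the name on port 80,
GET /.well-known/acme-challenge/<token>, and check the body. The host, port,
token and web root used by self_test() are constructed here.
"""
import functools
import http.client
import os
import socket
import tempfile
import threading
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def tcp_probe(host, port, timeout=5.0):
    """Return 'open', 'refused', 'timeout' or 'error: ...' for host:port.

    'refused' = a host answered with RST: nothing listening there, a firewall
    that REJECTs, or a port-forward to the wrong box. 'timeout' = packets were
    dropped (firewall DROP, wrong A record, no route). create_connection
    resolves names, so a DNS failure shows up as 'error: ...'.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError):
        return "timeout"
    except OSError as exc:
        return f"error: {exc}"


def fetch_challenge(host, port, token, timeout=5.0):
    """GET the challenge URL the way the CA does and classify the answer."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", CHALLENGE_PREFIX + token)
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", "replace").strip()
    finally:
        conn.close()
    if resp.status in (301, 302, 307, 308):
        # The CA follows redirects (also to https://), so a redirect is fine
        # as long as the final vhost serves the token.
        return ("redirect", resp.getheader("Location"))
    if resp.status != 200:
        return ("http-error", resp.status)
    # The real check is body == token + "." + account-key thumbprint; here we
    # only confirm that the file placed under the web root is what is served.
    return ("ok", body) if body.startswith(token + ".") else ("wrong-content", body)


def diagnose(host, port, token):
    """TCP first, HTTP second: a non-'open' TCP state never reaches HTTP."""
    state = tcp_probe(host, port)
    if state != "open":
        return (state, None)
    return fetch_challenge(host, port, token)


def serve_webroot(webroot):
    """Throw-away local server on an ephemeral port; returns (server, port)."""
    class Quiet(SimpleHTTPRequestHandler):
        def log_message(self, *args):
            pass  # keep the demo output clean
    srv = ThreadingHTTPServer(("127.0.0.1", 0),
                              functools.partial(Quiet, directory=webroot))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def self_test():
    """Constructed scenario: one token under a temp web root, then no listener."""
    token = "constructed-token-not-from-the-thread"
    with tempfile.TemporaryDirectory() as webroot:
        challenge_dir = os.path.join(webroot, ".well-known", "acme-challenge")
        os.makedirs(challenge_dir)
        with open(os.path.join(challenge_dir, token), "w") as fh:
            fh.write(token + ".constructed-thumbprint")
        srv, port = serve_webroot(webroot)
        try:
            served = diagnose("127.0.0.1", port, token)       # ('ok', ...)
            missing = diagnose("127.0.0.1", port, "no-such")  # ('http-error', 404)
        finally:
            srv.shutdown()
            srv.server_close()
        closed = diagnose("127.0.0.1", port, token)           # ('refused', None)
    return served, missing, closed


if __name__ == "__main__":
    print(self_test())
```

Run `diagnose("lab.addmoreroutes.com", 80, "<token>")` from a machine outside the network to reproduce the CA's view; run it from the server itself against `127.0.0.1` to separate "Apache is not serving the path" from "the packets never reach Apache". In the thread, the external probe got "refused" while `netstat` showed Apache bound to `0.0.0.0:80`, which is exactly the combination the reply above attributes to a firewall that rejects or a port-forward that lands on the wrong host.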

Thanks, I will take another look at this today.

2 Likes

certbot-auto is no longer a thing. What new commands should I be running? I saved some troubleshooting commands but can't seem to find them. Help lol

2 Likes

You can find the current recommendations for installing certbot on https://certbot.eff.org/

2 Likes

Thanks for the link. How can I change some of the virtual host parameters?

1 Like

I don't understand what you mean, could you please elaborate?

1 Like

Post your /etc/apache2/apache2.conf file.

Also your /etc/apache2/sites-available/ files, whatever you are using.

This is the first place to start fixing web server woes.

2 Likes

Welcome back to the Let's Encrypt Community!

@HardcoreGames has the right concept for cleaning up your apache vhost configuration.

What are the contents of these files?

```
/etc/apache2/sites-enabled/eveng.conf
/etc/apache2/sites-enabled/eveng-ssl.conf
/etc/apache2/sites-enabled/unetlab.conf
```

What are the outputs of these commands?

```
sudo ls -lRa /etc/apache2/sites-available
sudo ls -lRa /etc/apache2/sites-enabled
```

Please put three backticks above and below each content and output, like this:

```
content/output
```


On the other hand, regarding connection to lab.addmoreroutes.com...

You can use the following tools to test the response of your webserver:

https://www.yougetsignal.com/tools/open-ports/

https://www.redirect-checker.org/

2 Likes

Will post the apache2 config shortly. I did notice the "sites-available" file is blank...

1 Like

```
root@eve-ng:~# sudo ls -lRa /etc/apache2/sites-available
/etc/apache2/sites-available:
total 44
drwxr-xr-x 2 root root 4096 Mar 24 20:50 .
drwxr-xr-x 8 root root 4096 Apr 25 20:00 ..
-rw-r--r-- 1 root root 1332 Jun 11  2018 000-default.conf
-rw-r--r-- 1 root root 6338 Jun 11  2018 default-ssl.conf
-rw-r--r-- 1 root root  466 Apr 11  2020 eveng.conf
-rw-r--r-- 1 root root 2107 Mar 24 20:50 eveng-ssl.conf
-rw-r--r-- 1 root root 1827 Nov  6  2019 eveng-ssl.conf.save
-rw-r--r-- 1 root root  323 Feb  8 18:02 netdata.conf
-rw-r--r-- 1 root root  589 Mar 24 20:50 unetlab.conf
-rw-r--r-- 1 root root  571 Apr 13  2020 unetlab-le-ssl.conf
root@eve-ng:~# sudo ls -lRa /etc/apache2/sites-enabled
/etc/apache2/sites-enabled:
total 16
drwxr-xr-x 2 root root 4096 Apr 25 20:08 .
drwxr-xr-x 8 root root 4096 Apr 25 20:00 ..
-rw-r--r-- 1 root root  456 Jul  2  2020 eveng.conf
-rw-r--r-- 1 root root 2180 Apr 13  2020 eveng-ssl.conf
lrwxrwxrwx 1 root root   31 Mar  4 08:38 netdata.conf -> ../sites-available/netdata.conf
lrwxrwxrwx 1 root root   31 Apr 21  2020 unetlab.conf -> ../sites-available/unetlab.conf
```

2 Likes

eveng.conf below, from sites-enabled:

```
<VirtualHost *:80>
        ServerName lab.addmoreroutes.com
        ServerAlias www.lab.addmoreroutes.com
        ServerAdmin $$$$$$$$$$$$$$
        DocumentRoot /opt/unetlab/html/
        <Directory /opt/unetlab/html/>
                AllowOverride All
                Options -Indexes +FollowSymLinks +MultiViews
                Require all granted
        </Directory>

        Redirect permanent / https://lab.addmoreroutes.com/
</VirtualHost>
```

2 Likes

Here is the unetlab.conf from sites-enabled:

```
# Logging disabled by default
# LogLevel mod_rewrite.c:trace2

# Note: the forum formatting swallowed the "*" characters and the closing
# </Directory> / </VirtualHost> tags; they are restored here as Apache requires them.

<Directory /opt/unetlab/html/>
    Options FollowSymLinks
    AllowOverride All
    Require all granted
</Directory>

<Directory /opt/unetlab/data/Exports/>
    Options FollowSymLinks Indexes
    AllowOverride All
    Require all granted
</Directory>

<Directory /opt/unetlab/data/Logs/>
    Options FollowSymLinks Indexes
    AllowOverride All
    Require all granted
</Directory>

<VirtualHost *:80>
    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
</VirtualHost>
```

2 Likes
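With two `<VirtualHost *:80>` blocks in play (eveng.conf and unetlab.conf above), it helps to see which one Apache actually hands a port-80 request to, because that block decides what the ACME challenge request meets. The script below is an added example written for this thread, not Apache's or Certbot's code. It applies Apache's documented name-based selection: among the blocks bound to the requested port, the first whose `ServerName` or `ServerAlias` matches the Host header wins, otherwise the first block defined on that port is the default (the "default server" line in `apachectl -S`). `SAMPLE_FILES` is constructed from the two excerpts as posted, with the redacted `ServerAdmin` left out; the posted unetlab.conf excerpt has no `ServerName`, so the lint flags it (the real file evidently has one, since `apachectl -S` reports `eve-ng.example.com` at line 24).

```python
"""Which port-80 VirtualHost answers a given Host header, and why.

Added example for this thread; it is not Apache's or Certbot's code. It
applies the name-based selection rule Apache documents: among the VirtualHost
blocks bound to the requested port, the first whose ServerName or ServerAlias
matches the Host header wins; if none matches, the first block defined on that
port is the default. SAMPLE_FILES is constructed from the eveng.conf and
unetlab.conf excerpts posted in the thread, with the redacted field left out.
"""
import fnmatch
import re

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)

SAMPLE_FILES = {
    "eveng.conf": """
<VirtualHost *:80>
    ServerName lab.addmoreroutes.com
    ServerAlias www.lab.addmoreroutes.com
    DocumentRoot /opt/unetlab/html/
    Redirect permanent / https://lab.addmoreroutes.com/
</VirtualHost>
""",
    "unetlab.conf": """
<VirtualHost *:80>
    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
</VirtualHost>
""",
}


def parse_vhosts(text, source):
    """Yield one dict per <VirtualHost> block, in file order."""
    for m in VHOST_RE.finditer(text):
        binding, body = m.group(1).strip(), m.group(2)
        names = re.findall(r"^\s*ServerName\s+(\S+)", body, re.M | re.I)
        alias_lines = re.findall(r"^\s*ServerAlias\s+(.+)$", body, re.M | re.I)
        yield {
            "source": source,
            "port": binding.rsplit(":", 1)[-1],          # '*:80' -> '80'
            "server_name": names[0] if names else None,
            "aliases": [a for line in alias_lines for a in line.split()],
        }


def load_site_configs(files):
    """Apache reads sites-enabled/*.conf in sorted name order, so do the same."""
    vhosts = []
    for name in sorted(files):
        vhosts.extend(parse_vhosts(files[name], name))
    return vhosts


def select_vhost(vhosts, host_header, port="80"):
    """Return the vhost dict Apache would pick for this Host header on `port`."""
    candidates = [v for v in vhosts if v["port"] == port]
    if not candidates:
        return None                      # no VirtualHost on that port at all
    wanted = host_header.lower()
    for v in candidates:
        if v["server_name"] and v["server_name"].lower() == wanted:
            return v
        # ServerAlias accepts * and ? wildcards; fnmatch covers those.
        if any(fnmatch.fnmatch(wanted, a.lower()) for a in v["aliases"]):
            return v
    return candidates[0]                 # default server for the port


def lint(vhosts):
    """Review warnings: blocks without ServerName, names claimed twice on a port."""
    warnings, claimed = [], {}
    for v in vhosts:
        if not v["server_name"]:
            warnings.append(f"{v['source']}: VirtualHost on :{v['port']} has no ServerName")
        for n in [v["server_name"], *v["aliases"]]:
            if not n:
                continue
            key = (v["port"], n.lower())
            if key in claimed:
                warnings.append(f"{v['source']}: {n} on :{v['port']} already used by {claimed[key]}")
            claimed.setdefault(key, v["source"])
    return warnings


def demo():
    """Selection results for the constructed sample; all three land on eveng.conf."""
    vhosts = load_site_configs(SAMPLE_FILES)
    return {
        "lab": select_vhost(vhosts, "lab.addmoreroutes.com")["source"],
        "www": select_vhost(vhosts, "www.lab.addmoreroutes.com")["source"],
        "unknown": select_vhost(vhosts, "something-else.example")["source"],
        "warnings": lint(vhosts),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The result agrees with the `apachectl -S` output posted earlier: the eveng.conf block is both the named match for lab.addmoreroutes.com and the default server for port 80. So every plain-HTTP request for the lab name, the ACME challenge included, meets `Redirect permanent / https://lab.addmoreroutes.com/`. Let's Encrypt follows that redirect, so the redirect is not what produced "connection refused": that answer is given at the TCP level, before Apache consults any vhost, which is why the port-80 reachability question comes first.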

eveng-ssl.conf listed below, from sites-enabled:

```
<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerAdmin ###########################
        ServerName lab.addmoreroutes.com
        ServerAlias www.lab.addmoreroutes.com
        DocumentRoot /opt/unetlab/html/
        ErrorLog /opt/unetlab/data/Logs/ssl-error.log
        CustomLog /opt/unetlab/data/Logs/ssl-access.log combined
        Alias /Exports /opt/unetlab/data/Exports
        Alias /Logs /opt/unetlab/data/Logs
        SSLEngine on
        SSLProxyEngine on
        SSLCertificateFile /etc/letsencrypt/live/lab.addmoreroutes.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/lab.addmoreroutes.com/privkey.pem
        SSLProtocol         all -SSLv3 -TLSv1 -TLSv1.1
        # Many ciphers defined here require a modern version (1.0.1+) of OpenSSL. Some
        # require OpenSSL 1.1.0, which as of this writing was in pre-release.
        SSLCipherSuite      ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECD$
        SSLHonorCipherOrder on
        SSLCompression      off
        SSLSessionTickets   off
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
                SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
                SSLOptions +StdEnvVars
        </Directory>
        <Location /html5/>
                Order allow,deny
                Allow from all
                ProxyPass http://127.0.0.1:8080/guacamole/ flushpackets=on
                ProxyPassReverse http://127.0.0.1:8080/guacamole/
        </Location>

        <Location /html5/websocket-tunnel>
                Order allow,deny
                Allow from all
                ProxyPass ws://127.0.0.1:8080/guacamole/websocket-tunnel
                ProxyPassReverse ws://127.0.0.1:8080/guacamole/websocket-tunnel
        </Location>
        ProxyPass /janus-ws ws://127.0.0.1:8188/
        ProxyPassReverse /janus-ws ws://127.0.0.1:8188/
        ProxyPass /chat-ws ws://127.0.0.1:9090/
        ProxyPassReverse /chat-ws ws://127.0.0.1:9090/
    </VirtualHost>
</IfModule>
```

2 Likes