Certificate renew stopped working

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
www.sp2l.ampr.org
I ran this command:
certbot renew --cert-name sp2l.ampr.org-0001 --apache --pre-hook "systemctl stop apache" --post-hook "systemctl start apache"
It produced this output:

certbot.errors.FailedChallenges: Failed authorization procedure. sp2l.ampr.org (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: During secondary validation: Fetching http://sp2l.ampr.org/.well-known/acme-challenge/em-XDHf_0tnE73WZNmmAJ9iC5h63f7cd9TuSLGMca6E: Timeout during connect (likely firewall problem), www.sp2l.ampr.org (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: During secondary validation: Fetching http://www.sp2l.ampr.org/.well-known/acme-challenge/BUmf8tlK-NP3bF6JUKuToXdf0ECFdEPSDuU5-_Bd0Cs: Timeout during connect (likely firewall problem)

2020-03-19 12:13:28,297:ERROR:certbot.renewal:All renewal attempts failed. The following certs could not be renewed:
2020-03-19 12:13:28,300:ERROR:certbot.renewal: /etc/letsencrypt/live/sp2l.ampr.org-0001/fullchain.pem (failure)
2020-03-19 12:13:28,301:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
File "/usr/bin/certbot", line 11, in
load_entry_point('certbot==0.28.0', 'console_scripts', 'certbot')()
File "/usr/lib/python3/dist-packages/certbot/main.py", line 1340, in main
return config.func(config, plugins)
File "/usr/lib/python3/dist-packages/certbot/main.py", line 1247, in renew
renewal.handle_renewal_request(config)
File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 455, in handle_renewal_request
len(renew_failures), len(parse_failures)))
certbot.errors.Error: 1 renew failure(s), 0 parse failure(s)

My web server is (include version):
Apache/2.4.25 (Debian)
The operating system my web server runs on is (include version):
Debian 9.12 64bit
My hosting provider, if applicable, is:
None
I can login to a root shell on my machine (yes or no, or I don’t know):
Yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.28.0

The setup that I have has worked flawlessly for a long time.
Not long ago I noticed the above errors in the letsencrypt.log file.
My certificate will expire on March 20th 2020.

I have no idea what happened that certificate renewal is not working any more.

Of course I have been updating the OS regularly.

Help and friendly guidance will be very much appreciated.

Best regards.
Tomasz S.

Hi @sp2l

You have a blocking firewall, so the multi-perspective validation doesn't work.

Read

and open your firewall. It's wrong to block IP addresses.

Are you blocking some IP addresses?

Surely I block many IP addresses and subnets by means of iptables+fail2ban. In order to defend my server I can't totally stop this combo.

But when I run the certbot renew command I see incoming connections from IP addresses used by Let's Encrypt for validation.

Tomasz

Get rid of the iptables blocks; fail2ban should be fine.

It recently changed how validation works; now it's done from multiple points of view and from anonymous IP addresses.
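The advice above comes down to one check: since the validation now originates from several vantage points whose addresses are not published, any iptables rule that drops or rejects new TCP/80 connections for a whole source range can hit one of them, while a per-host ban of the kind fail2ban adds only affects that single address. The following audit script is an added example for this thread, not part of Certbot or the Let's Encrypt tooling. It walks a saved `iptables -S INPUT` dump in rule order and reports every DROP/REJECT that could match a fresh connection to port 80 before an unrestricted ACCEPT is reached. The dump below is constructed for illustration; only the `-i` and `--ctstate` qualifiers are modelled (rules carrying them are skipped), other match extensions such as ipset are not, and the parser assumes IPv4 rules.

```python
"""Audit an `iptables -S INPUT` dump for rules that could block ACME http-01
validation coming from unknown source addresses.

Added example for the forum thread; not Certbot or Let's Encrypt code.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample dump (hypothetical server, not taken from the thread).
SAMPLE_DUMP = """\
-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 203.0.113.0/24 -j DROP
-A INPUT -s 198.51.100.7/32 -p tcp -m tcp --dport 22 -j DROP
-A INPUT -s 192.0.2.0/24 -p tcp -m tcp --dport 80 -j REJECT
-A INPUT -s 198.51.100.9/32 -j DROP
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
"""


@dataclass
class Rule:
    source: Optional[ipaddress.IPv4Network]  # None means any source
    proto: Optional[str]                      # None means any protocol
    dport: Optional[int]                      # None means any destination port
    target: str
    qualified: bool   # carries -i or --ctstate, which this audit does not model
    text: str


def _opt(pattern: str, text: str) -> Optional[str]:
    m = re.search(pattern, text, re.M)
    return m.group(1) if m else None


def parse_input_chain(dump: str) -> Tuple[str, List[Rule]]:
    """Return (default policy, rules) for the INPUT chain of an iptables -S dump."""
    policy = _opt(r"^-P INPUT (\S+)", dump) or "ACCEPT"
    rules: List[Rule] = []
    for line in dump.splitlines():
        line = line.strip()
        if not line.startswith("-A INPUT "):
            continue
        src = _opt(r"\s-s (\S+)", line)
        dport = _opt(r"\s--dport (\d+)", line)
        rules.append(Rule(
            source=ipaddress.ip_network(src, strict=False) if src else None,
            proto=_opt(r"\s-p (\S+)", line),
            dport=int(dport) if dport else None,
            target=_opt(r"\s-j (\S+)", line) or "",
            qualified=bool(re.search(r"\s-i \S+|\s--ctstate ", line)),
            text=line,
        ))
    return policy, rules


def _scope(rule: Rule) -> str:
    """Classify how much address space a deny rule covers."""
    if rule.source is None:
        return "any"
    return "host" if rule.source.prefixlen == rule.source.max_prefixlen else "subnet"


def http01_blockers(dump: str) -> List[Tuple[str, str]]:
    """List (scope, rule) pairs that can stop an arbitrary validation source
    from opening a new TCP connection to port 80, in chain order."""
    policy, rules = parse_input_chain(dump)
    found: List[Tuple[str, str]] = []
    for r in rules:
        if r.qualified:
            continue  # loopback / established-state rules do not decide new inbound HTTP
        if r.proto not in (None, "tcp") or r.dport not in (None, 80):
            continue  # rule cannot match a connection to TCP/80 at all
        if r.target in ("DROP", "REJECT"):
            found.append((_scope(r), r.text))
        elif r.target == "ACCEPT" and r.source is None:
            return found  # every source not already denied reaches port 80
    if policy != "ACCEPT":
        found.append(("policy", f"-P INPUT {policy} (no unrestricted ACCEPT for tcp/80 before end of chain)"))
    return found


if __name__ == "__main__":
    # Usage on a real host: iptables -S INPUT > input.rules, then feed that file.
    for scope, text in http01_blockers(SAMPLE_DUMP):
        print(f"{scope:7} {text}")
```

Anything reported with scope `subnet` or `any` is the kind of blanket block the reply above asks you to remove before renewing; `host` entries are single-address bans and are only a problem if one of the validation addresses happens to be banned at that moment. A `policy` entry means the chain never admits new TCP/80 connections at all, which matches the "Timeout during connect" error in the log.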

First of all, thank you very much for the suggestion.

I read the document below
"ACME v1/v2: Validating challenges from multiple network vantage points"
and all of a sudden everything is perfectly clear!!!

Not much time left, so I'd better get this work done. Hi!

Best regards.
Tomasz S.

Greetings.

I would like to express my warm thanks
to all who responded yesterday.
That was a quick and working solution!

Keep doing a good job.
Best regards.
Tomasz S.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.