Certificate renewal dry-run failure - Ubuntu/Apache

Hello,

I received an email notification that my certificate will expire soon. I expected it to auto-renew. I attempted a dry-run renewal before a live run, and it fails.

I have confirmed my IP and DNS are OK to the best of my knowledge. I have allowed port 80/tcp and http access on the FW (UFW) and also tried disabling the FW completely, yet I receive the same error (FW enabled now).

I notice when I hit my site it always goes to the HTTPS version. I have the HTTPS Everywhere add-on installed in my browser, but even when disabling this I am directed to the HTTPS version.

I’m unsure of the check around webroot?

Any help/advice would be appreciated. I’ve provided the requested information below too.

My domain is: https://nxc.zapto.org/

I ran this command: certbot renew --dry-run

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/nxc.zapto.org.conf


Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for nxc.zapto.org
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (nxc.zapto.org) from /etc/letsencrypt/renewal/nxc.zapto.org.conf produced an unexpected error: Failed authorization procedure. nxc.zapto.org (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://nxc.zapto.org/.well-known/acme-challenge/: Timeout during connect (likely firewall problem). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/nxc.zapto.org/fullchain.pem (failure)


** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/nxc.zapto.org/fullchain.pem (failure)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: nxc.zapto.org
    Type: connection
    Detail: Fetching
    http://nxc.zapto.org/.well-known/acme-challenge/:
    Timeout during connect (likely firewall problem)

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

My web server is (include version): Apache/2.4.29

The operating system my web server runs on is (include version): Ubuntu 18.04

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0


Hi @tengo

there is your job. A working port 80 is required, not a timeout.

PS: Now the check is ready - https://check-your-website.server-daten.de/?q=nxc.zapto.org#url-checks

Domainname                                                                                  IP             Http-Status  redirect  Sec.    G
http://nxc.zapto.org/                                                                       94.173.250.55  -14                    10.027  T
    Timeout - The operation has timed out
https://nxc.zapto.org/                                                                      94.173.250.55  -14                    10.020  T
    Timeout - The operation has timed out
http://nxc.zapto.org/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de  94.173.250.55  -14                    9.993   T
    Timeout - The operation has timed out

Only timeouts, so you can’t renew your certificate via http validation.

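The reply above boils down to one check: the ACME server must be able to fetch http://DOMAIN/.well-known/acme-challenge/TOKEN on port 80 within its timeout, and a test run from the server itself only proves the local firewall is open. Below is an added example (not from this thread, Certbot or the check-your-website tool) that performs that probe with curl and turns the result into a diagnosis; run it from a host outside your network, and replace the domain and token placeholders with your own. It assumes curl and getent are installed.

```bash
#!/usr/bin/env bash
# Added example: probe the http-01 challenge URL the way the ACME server does
# and say what the result means. Must run from OUTSIDE your network: from the
# server itself you never traverse an upstream (hardware) firewall.

# classify CURL_EXIT HTTP_CODE REDIRECT_URL -> one-line diagnosis on stdout
classify() {
  local curl_exit="$1" http_code="$2" redirect="$3"
  case "$curl_exit" in
    0)  ;;   # transport worked; judge the HTTP status below
    6)  echo "DNS: name does not resolve; check the A/AAAA record"; return ;;
    7)  echo "REFUSED: host reachable but nothing listens on :80; check the Apache port-80 VirtualHost"; return ;;
    28) echo "TIMEOUT: packets never reach the host; look for a firewall/NAT upstream of the server, not only UFW"; return ;;
    *)  echo "ERROR: curl exit code $curl_exit"; return ;;
  esac
  case "$http_code" in
    200) echo "OK: token file served on port 80" ;;
    301|302|307|308)
      case "$redirect" in
        https://*) echo "OK: redirect to $redirect (the CA follows redirects to HTTPS)" ;;
        *)         echo "WARN: redirect to $redirect; make sure that target serves the token" ;;
      esac ;;
    404) echo "REACHABLE: port 80 answers with 404 (expected for a random probe token; if you placed a real token file, check the webroot/Alias)" ;;
    *)   echo "HTTP $http_code: unexpected status for the challenge path" ;;
  esac
}

# probe_http01 DOMAIN [TOKEN] -> resolve the name, fetch the challenge URL with
# a 10 s limit (about what the CA allows) and print the diagnosis.
probe_http01() {
  local domain="$1" token="${2:-probe-$(date +%s)}"          # random token unless given
  local url="http://$domain/.well-known/acme-challenge/$token"
  local ip; ip=$(getent ahostsv4 "$domain" | awk 'NR==1{print $1}')
  echo "resolved $domain -> ${ip:-<none>}"
  local out rc
  out=$(curl -sS -o /dev/null --max-time 10 -w '%{http_code} %{redirect_url}' "$url" 2>/dev/null)
  rc=$?
  set -- $out                                               # $1=http code, $2=redirect url
  classify "$rc" "${1:-000}" "${2:-}"
}

# Usage (placeholder domain from the thread): probe_http01 nxc.zapto.org
```

A TIMEOUT result from outside while the same URL works on the LAN is the signature of the extra blocking device found later in this thread.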

Hi Juergen,

Thanks for replying. However, I don’t understand your response. Are you saying I need to open port 80? If so, I have. I even went as far as disabling the firewall on the server during testing.

The link you provided is saying there are time outs to my website, yet I can connect to the site without an issue?

Could you help me understand your response, please?

Thanks.


Hi Juergen,

Thanks to the website you provided, I was able to work out the issue.

Although the FW on the server had its ports open, there was a hardware firewall elsewhere that had port 80 blocked.

Thanks again for replying.


Yes, that’s sometimes a problem. Additional blocking instances.

Happy to read you have found that firewall :+1:
