Certificate renewal error

Please help!

My domain is: mail.blackpoolportraits.co.uk

I ran this command: sudo certbot renew --webroot-path /var/www/html --dry-run

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/mail.blackpoolportraits.co.uk.conf

Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for mail.blackpoolportraits.co.uk
http-01 challenge for mail.phpsqldev.com
http-01 challenge for mail.preston-weddings.co.uk
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (mail.blackpoolportraits.co.uk) from /etc/letsencrypt/renewal/mail.blackpoolportraits.co.uk.conf produced an unexpected error: Failed authorization procedure. mail.preston-weddings.co.uk (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://mail.preston-weddings.co.uk/.well-known/acme-challenge/O_LmHwJOdmWp8fhDetwkL9kObxzCvbPH9I41C4pYGq8: Timeout during connect (likely firewall problem), mail.blackpoolportraits.co.uk (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://mail.blackpoolportraits.co.uk/.well-known/acme-challenge/YMOe8SAAdi7x1Rg4O3vtusrkuNNyW9vD1Ri8c3imRTU: Timeout during connect (likely firewall problem), mail.phpsqldev.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://mail.phpsqldev.com/.well-known/acme-challenge/v817U2QeABBRlOC897InL1btDXIxPltIy3XzxICXmy8: Timeout during connect (likely firewall problem). Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/mail.blackpoolportraits.co.uk/fullchain.pem (failure)

** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/mail.blackpoolportraits.co.uk/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)

1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

My web server is (include version): nginx 1.14.0

The operating system my web server runs on is (include version): Ubuntu 18.04 LTS

My hosting provider, if applicable, is: n/a

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.31.0

I can see the authentication files appear in the /var/www/html/.well-known/acme-challenge folder.

I have stopped iptables but this made no difference.

I would appreciate any help you can give me to resolve this problem.

Bernie


Hi @scottie2212

Two problems. First, different IP addresses: https://check-your-website.server-daten.de/?q=mail.preston-weddings.co.uk

Your old certificate has three domain names:

Issuer                       not before   not after    Domain names                                                                     LE-Duplicate next LE
Let's Encrypt Authority X3   2019-11-22   2020-02-20   mail.blackpoolportraits.co.uk, mail.phpsqldev.com, mail.preston-weddings.co.uk   - 3 entries
Let's Encrypt Authority X3   2019-11-21   2020-02-19   mail.blackpoolportraits.co.uk, mail.preston-weddings.co.uk                       - 2 entries

So if you use webroot, normally all domains have the same IP. But preston has 79.77.238.68, the other two 195.99.118.15.

What's the IP your client is running on?

Second problem: a timeout. But that IP may be wrong.

So clean up your DNS entries -> all domains, one IP. When that is done, test your domains again to see if there is an answer.

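The two checks Juergen describes (every SAN on the certificate must resolve to the host that serves the webroot, and that host must answer on port 80 from outside) can be scripted as a pre-flight before `certbot renew`. The following is an added example written for this thread; it is not Certbot's code and not something the poster ran. The resolver and the TCP probe are injectable so the logic can be exercised offline: the `FAKE_A` table below is constructed sample data that mirrors the addresses quoted in the thread (one stale A record pointing at 79.77.238.68, the other two at 195.99.118.15), and the demo probe pretends port 80 is closed everywhere, as it turned out to be on the replaced router. The function names and the `expected_ip` parameter are this example's own.

```python
#!/usr/bin/env python3
"""Pre-flight check for a multi-domain http-01 renewal (added example).

For every name on the certificate, confirm that
  1. the A record points at the machine certbot runs on,
  2. TCP/80 on that address is reachable, and
  3. a token placed under .well-known/acme-challenge/ is served over HTTP.
Mismatched A records and a closed port 80 are exactly the two causes
behind "Timeout during connect (likely firewall problem)" in the thread.
"""
import socket
import sys
import urllib.request
from urllib.error import URLError

ACME_PATH = "/.well-known/acme-challenge/"

# Constructed sample data reflecting the addresses quoted in the thread.
FAKE_A = {
    "mail.blackpoolportraits.co.uk": "195.99.118.15",
    "mail.phpsqldev.com": "195.99.118.15",
    "mail.preston-weddings.co.uk": "79.77.238.68",   # stale A record
}


def resolve_a(host):
    """Return the IPv4 address for host, or None if it does not resolve."""
    try:
        return socket.gethostbyname(host)
    except socket.gaierror:
        return None


def tcp_open(ip, port=80, timeout=5.0):
    """True if a TCP connection to ip:port completes within timeout."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:            # refused, filtered, unreachable, timeout
        return False


def fetch_ok(host, token, timeout=10.0):
    """True if http://host/.well-known/acme-challenge/<token> returns 200.

    Drop a file with that name in the webroot first; this is what the
    Let's Encrypt validation servers will request.
    """
    url = f"http://{host}{ACME_PATH}{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status == 200
    except (URLError, OSError):
        return False


def diagnose(domains, expected_ip=None, resolver=resolve_a, probe=tcp_open):
    """Return a list of (problem, domain, detail) tuples; empty means OK.

    expected_ip is the public address of the host running certbot. If it
    is unknown, the check only reports that the names disagree with
    each other, which is already fatal for a single-webroot renewal.
    """
    problems = []
    addrs = {d: resolver(d) for d in domains}

    for d, ip in addrs.items():
        if ip is None:
            problems.append(("no_a_record", d, ""))
        elif expected_ip and ip != expected_ip:
            problems.append(("dns_points_elsewhere", d, ip))

    resolved = {ip for ip in addrs.values() if ip}
    if expected_ip is None and len(resolved) > 1:
        problems.append(("dns_mismatch", ",".join(domains),
                         ",".join(sorted(resolved))))

    for d, ip in addrs.items():
        if ip and not probe(ip):
            problems.append(("port_80_unreachable", d, ip))
    return problems


def demo():
    """Run diagnose() offline against the constructed data above, with a
    probe that reports port 80 closed everywhere (the router case)."""
    closed_everywhere = lambda ip, port=80, timeout=5.0: False
    return diagnose(list(FAKE_A), expected_ip="195.99.118.15",
                    resolver=FAKE_A.get, probe=closed_everywhere)


if __name__ == "__main__":
    # Live use: python3 preflight.py <expected_ip> name1 name2 ...
    if len(sys.argv) >= 3:
        findings = diagnose(sys.argv[2:], expected_ip=sys.argv[1])
    else:
        findings = demo()
    for problem, domain, detail in findings:
        print(f"{problem:22s} {domain:35s} {detail}")
    sys.exit(1 if findings else 0)
```

Run it from a machine outside your own network (or a VPS) rather than from the mail server itself; a check from inside the LAN will happily connect to port 80 even when the router drops inbound traffic, which is the failure mode the thread ended on.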

Hi Juergen,

Not sure how it happened, but the A record was wrong. It's now corrected, but I'll wait until tomorrow to try again.

Thanks for the very quick response, I’ll update tomorrow.

Bernie


Hi Juergen,

Thanks for your invaluable assistance. I have now successfully renewed the certificate.

The check-your-website.server-daten.de site was particularly helpful, as it revealed that the timeout problem was caused by port 80 on the inbound router being closed, an oversight by the engineer who replaced the original router.

Bernie
