Certificate renewal error

Please help!

My domain is: mail.blackpoolportraits.co.uk

I ran this command: sudo certbot renew --webroot-path /var/www/html --dry-run

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/mail.blackpoolportraits.co.uk.conf


Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for mail.blackpoolportraits.co.uk
http-01 challenge for mail.phpsqldev.com
http-01 challenge for mail.preston-weddings.co.uk
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (mail.blackpoolportraits.co.uk) from /etc/letsencrypt/renewal/mail.blackpoolportraits.co.uk.conf produced an unexpected error: Failed authorization procedure. mail.preston-weddings.co.uk (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://mail.preston-weddings.co.uk/.well-known/acme-challenge/O_LmHwJOdmWp8fhDetwkL9kObxzCvbPH9I41C4pYGq8: Timeout during connect (likely firewall problem), mail.blackpoolportraits.co.uk (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://mail.blackpoolportraits.co.uk/.well-known/acme-challenge/YMOe8SAAdi7x1Rg4O3vtusrkuNNyW9vD1Ri8c3imRTU: Timeout during connect (likely firewall problem), mail.phpsqldev.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://mail.phpsqldev.com/.well-known/acme-challenge/v817U2QeABBRlOC897InL1btDXIxPltIy3XzxICXmy8: Timeout during connect (likely firewall problem). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/mail.blackpoolportraits.co.uk/fullchain.pem (failure)


** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/mail.blackpoolportraits.co.uk/fullchain.pem (failure)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

My web server is (include version): nginx 1.14.0

The operating system my web server runs on is (include version): Ubuntu 18.04 LTS

My hosting provider, if applicable, is: n/a

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.31.0

I can see the authentication files appear in /var/www/html/well-known/acme-challenge folder.

I have stopped iptables but this made no difference.

I would appreciate any help you can give me to resolve this problem.

Bernie

Hi @scottie2212

Two problems. First, different IP addresses: https://check-your-website.server-daten.de/?q=mail.preston-weddings.co.uk

Your old certificate has three domain names:

Issuer                     | not before | not after  | Domain names                                                                              | LE-Duplicate next LE
Let's Encrypt Authority X3 | 2019-11-22 | 2020-02-20 | mail.blackpoolportraits.co.uk, mail.phpsqldev.com, mail.preston-weddings.co.uk - 3 entries |
Let's Encrypt Authority X3 | 2019-11-21 | 2020-02-19 | mail.blackpoolportraits.co.uk, mail.preston-weddings.co.uk - 2 entries                    |

So if you use webroot, normally all domains have the same IP. But preston has 79.77.238.68, the other two 195.99.118.15.

What's the IP your client is running on?

Second problem: A timeout. But that ip may be wrong.

So clean up your DNS entries -> all domains, one IP. If that is done, test your domains again to see if there is an answer.
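A pre-flight check for the two conditions described above (every name in the certificate resolving to the same address, and port 80 answering) is added here as an example; it is not part of the original thread and not certbot's own code. The three hostnames are the ones from this thread; run it before `certbot renew` to catch a stray A record or a closed inbound port.

```python
"""Pre-flight check for certbot webroot (http-01) renewals (added example)."""
import socket
from typing import Dict, List, Set

ACME_PORT = 80  # http-01 is always validated over plain HTTP on port 80


def resolve_all(domains: List[str]) -> Dict[str, Set[str]]:
    """Map each domain to the set of IPv4 addresses its A records give."""
    result: Dict[str, Set[str]] = {}
    for d in domains:
        try:
            _, _, addrs = socket.gethostbyname_ex(d)
            result[d] = set(addrs)
        except socket.gaierror:
            result[d] = set()  # NXDOMAIN or resolver failure
    return result


def find_ip_mismatches(addrs: Dict[str, Set[str]]) -> List[str]:
    """Return names whose address set differs from the most common one.

    Webroot validation only works if every name in the certificate reaches
    the host that writes the challenge file, so all names must share an IP.
    """
    if not addrs:
        return []
    sets = [frozenset(s) for s in addrs.values()]
    majority = max(set(sets), key=sets.count)
    return sorted(d for d, s in addrs.items() if frozenset(s) != majority)


def port80_reachable(host: str, timeout: float = 5.0) -> bool:
    """True if a TCP connect to host:80 completes within the timeout.

    Caveat: run this from outside your network; from the server itself a
    NAT router may hairpin the connection and hide a closed inbound port.
    """
    try:
        with socket.create_connection((host, ACME_PORT), timeout=timeout):
            return True
    except OSError:  # includes timeouts and connection refused
        return False


if __name__ == "__main__":
    names = ["mail.blackpoolportraits.co.uk", "mail.phpsqldev.com",
             "mail.preston-weddings.co.uk"]
    resolved = resolve_all(names)
    for bad in find_ip_mismatches(resolved):
        print(f"A-record mismatch: {bad} -> {sorted(resolved[bad])}")
    for n in names:
        print(n, "port 80 ok" if port80_reachable(n) else "port 80 TIMEOUT/REFUSED")
```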

Hi Juergen,

Not sure how it happened but A record was wrong. It’s now corrected but I’ll wait until tomorrow to try again.

Thanks for the very quick response, I’ll update tomorrow.

Bernie

Hi Juergen,

Thanks for your invaluable assistance. I have now successfully renewed the certificate.

The check-your-website.server-daten.de site was particularly helpful as it revealed that the timeout problem was caused by port 80 on the inbound router being closed - an oversight by the engineer who replaced the original router.

Bernie