*** Certificate renewal failed ***

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: library.wccac.net

I ran this command: certbot renew

It produced this output:

Renewing an existing certificate for library.wccac.net

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: library.wccac.net
Type: connection
Detail: 52.10.248.255: Fetching http://library.wccac.net/.well-known/acme-challenge/NaUBJ83vXqpUdWXBg0WULSeY2lUva-ZL1hYbL4wowh4: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Failed to renew certificate library.wccac.net with error: Some challenges have failed.


All renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/library.wccac.net/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

= = = = = = = = = = letsencrypt.log = = = = = = = = = = = =

2024-08-08 10:50:04,328:DEBUG:urllib3.connectionpool:http://localhost:None "GET /v2/connections?snap=certbot&interface=content HTTP/1.1" 200 97
2024-08-08 10:50:04,498:DEBUG:certbot._internal.main:certbot version: 2.11.0
2024-08-08 10:50:04,499:DEBUG:certbot._internal.main:Location of certbot entry point: /snap/certbot/3834/bin/certbot
2024-08-08 10:50:04,499:DEBUG:certbot._internal.main:Arguments: ['--preconfigured-renewal']
2024-08-08 10:50:04,499:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2024-08-08 10:50:04,531:DEBUG:certbot._internal.log:Root logging level set at 30
2024-08-08 10:50:04,533:DEBUG:certbot._internal.display.obj:Notifying user: Processing /etc/letsencrypt/renewal/library.wccac.net.conf
2024-08-08 10:50:04,535:DEBUG:certbot._internal.plugins.selection:Requested authenticator None and installer None
2024-08-08 10:50:04,535:DEBUG:certbot._internal.plugins.selection:Requested authenticator None and installer None
2024-08-08 10:50:04,550:DEBUG:certbot._internal.storage:Should renew, less than 30 days before certificate expiry 2024-07-21 16:03:03 UTC.
2024-08-08 10:50:04,550:INFO:certbot._internal.renewal:Certificate is due for renewal, auto-renewing...
2024-08-08 10:50:04,551:DEBUG:certbot._internal.plugins.selection:Requested authenticator apache and installer apache
2024-08-08 10:50:04,645:DEBUG:certbot_apache._internal.configurator:Apache version is 2.4.25
2024-08-08 10:50:04,917:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * apache
Description: Apache Web Server plugin
Interfaces: Authenticator, Installer, Plugin
Entry point: EntryPoint(name='apache', value='certbot_apache._internal.entrypoint:ENTRYPOINT', group='certbot.plugins')
Initialized: <certbot_apache._internal.override_debian.DebianConfigurator object at 0x7f8000ad4790>
Prep: True
2024-08-08 10:50:04,918:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * apache
Description: Apache Web Server plugin
Interfaces: Authenticator, Installer, Plugin
Entry point: EntryPoint(name='apache', value='certbot_apache._internal.entrypoint:ENTRYPOINT', group='certbot.plugins')
Initialized: <certbot_apache._internal.override_debian.DebianConfigurator object at 0x7f8000ad4790>
Prep: True
2024-08-08 10:50:04,918:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot_apache._internal.override_debian.DebianConfigurator object at 0x7f8000ad4790> and installer <certbot_apache._internal.override_debian.DebianConfigurator object at 0x7f8000ad4790>
2024-08-08 10:50:04,918:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator apache, Installer apache
2024-08-08 10:50:04,992:DEBUG:certbot._internal.main:Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-v02.api.letsencrypt.org/acme/acct/106576062', new_authzr_uri=None, terms_of_service=None), be8d6bc984466f126820ae09bd0aa070, Meta(creation_dt=datetime.datetime(2020, 12, 16, 21, 46, 7, tzinfo=<UTC>), creation_host='ip-172-31-20-212.us-west-2.compute.internal', register_to_eff=None))>
2024-08-08 10:50:04,994:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2024-08-08 10:50:04,995:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
2024-08-08 10:50:05,103:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 746
2024-08-08 10:50:05,104:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Thu, 08 Aug 2024 16:50:05 GMT
Content-Type: application/json
Content-Length: 746
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "jncBQ-odGEc": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.4-April-3-2024.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "renewalInfo": "https://acme-v02.api.letsencrypt.org/draft-ietf-acme-ari-03/renewalInfo",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}
2024-08-08 10:50:05,105:DEBUG:certbot._internal.display.obj:Notifying user: Renewing an existing certificate for library.wccac.net
2024-08-08 10:50:05,156:DEBUG:acme.client:Requesting fresh nonce
2024-08-08 10:50:05,156:DEBUG:acme.client:Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce.
2024-08-08 10:50:05,191:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0
2024-08-08 10:50:05,192:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Thu, 08 Aug 2024 16:50:05 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: BbYiUXJNKVi4XpY92XbcSPJnkWmYVstkJrsRbGTmM_jENHt9J8k
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800


2024-08-08 10:50:05,192:DEBUG:acme.client:Storing nonce: BbYiUXJNKVi4XpY92XbcSPJnkWmYVstkJrsRbGTmM_jENHt9J8k
2024-08-08 10:50:05,192:DEBUG:acme.client:JWS payload:
b'{\n  "identifiers": [\n    {\n      "type": "dns",\n      "value": "library.wccac.net"\n    }\n  ]\n}'
2024-08-08 10:50:05,195:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/new-order:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTA2NTc2MDYyIiwgIm5vbmNlIjogIkJiWWlVWEpOS1ZpNFhwWTkyWGJjU1BKbmtXbVlWc3RrSnJzUmJHVG1NX2pFTkh0OUo4ayIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvbmV3LW9yZGVyIn0",
  "signature": "HTF-qJ1KWkWjjsHliDfkta_KSsl8EdrzWiRjmllG-7MlLXA_CoxfcYZakDVy_d_2OEb5VArYempkRinUdrpj1nlr_HdXDfKgMy-YrRxDioiJMI9_0pdgwB0B2yEYO1R3mol2T6neUelg1wg4RtW4lPaCPR4GFA-ASLL0YeRxztCu3DkfmN8Q_fqfGdsX0cZ_vy42_FmG-9e4-tLOGQwYrt6-48bo9_wvlB0kAJUEfkbXo-WlA3BkL4gnT5Y2bbUwkjVFvB3i2DBCTzplAi8KDNnht4KwXQESaSKu_1TufcH7Pe1pxKvf_bp-w5czo0QzV1Bx4a2nTYMr65vH66N58w",
  "payload": "ewogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwKICAgICAgInZhbHVlIjogImxpYnJhcnkud2NjYWMubmV0IgogICAgfQogIF0KfQ"
}
2024-08-08 10:50:05,368:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 342
2024-08-08 10:50:05,369:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Date: Thu, 08 Aug 2024 16:50:05 GMT
Content-Type: application/json
Content-Length: 342
Connection: keep-alive
Boulder-Requester: 106576062
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Location: https://acme-v02.api.letsencrypt.org/acme/order/106576062/294553134356
Replay-Nonce: BbYiUXJNPtdQRJv_ce_fOwarjMisOyJNX1mGFi1ihgFUIVfNKXc
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "status": "pending",
  "expires": "2024-08-15T16:50:05Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "library.wccac.net"
    }
  ],
  "authorizations": [
    "https://acme-v02.api.letsencrypt.org/acme/authz-v3/387729631756"
  ],
  "finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/106576062/294553134356"
}
2024-08-08 10:50:05,369:DEBUG:acme.client:Storing nonce: BbYiUXJNPtdQRJv_ce_fOwarjMisOyJNX1mGFi1ihgFUIVfNKXc
2024-08-08 10:50:05,369:DEBUG:acme.client:JWS payload:
b''
2024-08-08 10:50:05,371:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/387729631756:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTA2NTc2MDYyIiwgIm5vbmNlIjogIkJiWWlVWEpOUHRkUVJKdl9jZV9mT3dhcmpNaXNPeUpOWDFtR0ZpMWloZ0ZVSVZmTktYYyIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYXV0aHotdjMvMzg3NzI5NjMxNzU2In0",
  "signature": "KSf-wEvsdyIjIB07YPv0HuGJArBAveVnHzQQ2Rb46O6w0v7r9RpRBAUEYxx1o4toZDkmZVin5le3yKALrrGxZH360BwaUd4N5LF_WSGl5oZKXu1e3YTodsEu-cQccV_L8xd2eF3sRUEUqD5iW8qacKDMQ_lJZGdpMtRKLq42hIH1UsB0Mll1j4Q-DXkQOJpSdr-DkyITSHFosF2ptmwLZ7GBk28V2CWAbuxn7ayLgsziYumT9RQTm1FRIS10yGojh4mAqf95ZNuNNisdNd63zkWC5yP06Tqs68qrRJ9tkvMZ_erRFA-vomslxNr-L-NyL4xkP3vg0bFAQhkEUbcuvg",
  "payload": ""
}
2024-08-08 10:50:05,412:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/387729631756 HTTP/1.1" 200 801
2024-08-08 10:50:05,412:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Thu, 08 Aug 2024 16:50:05 GMT
Content-Type: application/json
Content-Length: 801
Connection: keep-alive
Boulder-Requester: 106576062
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: cgBcsAuL1k8zky07ht4Tj3K9kjfuErO0Dxz-WheAdpdIwmGtsT8
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "library.wccac.net"
  },
  "status": "pending",
  "expires": "2024-08-15T16:50:05Z",
  "challenges": [
    {
      "type": "http-01",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/387729631756/v_Euwg",
      "status": "pending",
      "token": "NaUBJ83vXqpUdWXBg0WULSeY2lUva-ZL1hYbL4wowh4"
    },
    {
      "type": "dns-01",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/387729631756/gxNSzw",
      "status": "pending",
      "token": "NaUBJ83vXqpUdWXBg0WULSeY2lUva-ZL1hYbL4wowh4"
    },
    {
      "type": "tls-alpn-01",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/387729631756/2Jcaqw",
      "status": "pending",
      "token": "NaUBJ83vXqpUdWXBg0WULSeY2lUva-ZL1hYbL4wowh4"
    }
  ]
}
2024-08-08 10:50:05,412:DEBUG:acme.client:Storing nonce: cgBcsAuL1k8zky07ht4Tj3K9kjfuErO0Dxz-WheAdpdIwmGtsT8
2024-08-08 10:50:05,413:INFO:certbot._internal.auth_handler:Performing the following challenges:
2024-08-08 10:50:05,413:INFO:certbot._internal.auth_handler:http-01 challenge for library.wccac.net
2024-08-08 10:50:05,423:DEBUG:certbot_apache._internal.http_01:Adding a temporary challenge validation Include for name: library.wccac.net in: /etc/apache2/sites-enabled/library.conf
2024-08-08 10:50:05,423:DEBUG:certbot_apache._internal.http_01:Adding a temporary challenge validation Include for name: library.wccac.net in: /etc/apache2/sites-enabled/library-le-ssl.conf
2024-08-08 10:50:05,423:DEBUG:certbot_apache._internal.http_01:Adding a temporary challenge validation Include for name: library.wccac.net in: /etc/apache2/sites-enabled/library-le-ssl.conf
2024-08-08 10:50:05,423:DEBUG:certbot_apache._internal.http_01:Adding a temporary challenge validation Include for name: None in: /etc/apache2/sites-enabled/default-ssl.conf
2024-08-08 10:50:05,424:DEBUG:certbot_apache._internal.http_01:writing a pre config file with text:
         RewriteEngine on
        RewriteRule ^/\.well-known/acme-challenge/([A-Za-z0-9-_=]+)$ /var/lib/letsencrypt/http_challenges/$1 [END]
    
2024-08-08 10:50:05,424:DEBUG:certbot_apache._internal.http_01:writing a post config file with text:
         <Directory /var/lib/letsencrypt/http_challenges>
            Require all granted
        </Directory>
        <Location /.well-known/acme-challenge>
            Require all granted
        </Location>
    
2024-08-08 10:50:06,079:DEBUG:certbot.reverter:Creating backup of /etc/apache2/sites-enabled/library.conf
2024-08-08 10:50:06,079:DEBUG:certbot.reverter:Creating backup of /etc/apache2/sites-enabled/default-ssl.conf
2024-08-08 10:50:06,079:DEBUG:certbot.reverter:Creating backup of /etc/apache2/sites-enabled/library-le-ssl.conf
2024-08-08 10:50:09,276:DEBUG:acme.client:JWS payload:
b'{}'
2024-08-08 10:50:09,278:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/387729631756/v_Euwg:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTA2NTc2MDYyIiwgIm5vbmNlIjogImNnQmNzQXVMMWs4emt5MDdodDRUajNLOWtqZnVFck8wRHh6LVdoZUFkcGRJd21HdHNUOCIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvY2hhbGwtdjMvMzg3NzI5NjMxNzU2L3ZfRXV3ZyJ9",
  "signature": "azm5CooGoY3PX1IggT6c3c8yw7Rdll0vU765HSQxALeln02tFW2le_VazPFkmKBwwRbabBaE7dGyunGEd7HWMznBYe5Ufy_ImuQ9cRHn8ovyfz_Kiycs_83mhpo71OyC28uxK0-32I0_0R1YTPkHQdwsVPzSd_OGvCduTpNyhCkkMrmlibGI0wez1lfNYcHBVEswSbA7gPnpOkKLGM-HHAu3K8VN7Ccnn-gvrn7lKw-Y2OAVo8wTA__MxR2fOJECDh_wvIFxAsM1y4laMWYY3cexouN3zpl94hXLA1e-6A6VWqVH0WQH1_g_kbcUu8jxfKEt5w1Pv7ncFzLvmAfKog",
  "payload": "e30"
}
2024-08-08 10:50:09,279:DEBUG:urllib3.connectionpool:Resetting dropped connection: acme-v02.api.letsencrypt.org
2024-08-08 10:50:09,522:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/chall-v3/387729631756/v_Euwg HTTP/1.1" 200 187
2024-08-08 10:50:09,522:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Thu, 08 Aug 2024 16:50:09 GMT
Content-Type: application/json
Content-Length: 187
Connection: keep-alive
Boulder-Requester: 106576062
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index", <https://acme-v02.api.letsencrypt.org/acme/authz-v3/387729631756>;rel="up"
Location: https://acme-v02.api.letsencrypt.org/acme/chall-v3/387729631756/v_Euwg
Replay-Nonce: hgpogSPu0gZxsNPjlMhWei4gru6sSnZyhmSJ_kzuBJdP7WBZu2E
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "type": "http-01",
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/387729631756/v_Euwg",
  "status": "pending",
  "token": "NaUBJ83vXqpUdWXBg0WULSeY2lUva-ZL1hYbL4wowh4"
}
2024-08-08 10:50:09,523:DEBUG:acme.client:Storing nonce: hgpogSPu0gZxsNPjlMhWei4gru6sSnZyhmSJ_kzuBJdP7WBZu2E
2024-08-08 10:50:09,523:INFO:certbot._internal.auth_handler:Waiting for verification...
2024-08-08 10:50:10,524:DEBUG:acme.client:JWS payload:
b''
2024-08-08 10:50:10,526:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/387729631756:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTA2NTc2MDYyIiwgIm5vbmNlIjogImhncG9nU1B1MGdaeHNOUGpsTWhXZWk0Z3J1NnNTblp5aG1TSl9renVCSmRQN1dCWnUyRSIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYXV0aHotdjMvMzg3NzI5NjMxNzU2In0",
  "signature": "TijkZLpsa96140_t7q7lWbprmGv2RpXeH-jub_wlLTSZ2i52Cqsana-Fs0OjDTgb7Jqrntsz22BgiVoNcYLXsuSxH-qfXjcUNolHY4InfNcepc3RwvRN_whsFQVb-tanAzktSrkwuk7stK1Lo5KesHBZgaPxsh382T87v7qz0QJLimhhQQxs0tBb1g1mLig1SYmL6pkeOsGu8iEEsE4iANjzBUT146wbkMQydgyOoAqw90jbRdKHjeUA4QVOUEK-hDTydSg-Nnc_Bos89VKQFICmT7SIKPdvSdjRR-2vto3tvnROT__YSe8_JAidIDN5pjHRft-qRZWIR2S4sD20KQ",
  "payload": ""
}
2024-08-08 10:50:10,660:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/387729631756 HTTP/1.1" 200 801
2024-08-08 10:50:10,660:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Thu, 08 Aug 2024 16:50:10 GMT
Content-Type: application/json
Content-Length: 801
Connection: keep-alive
Boulder-Requester: 106576062
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: bXG0Ugg-X62iAIEr7VBHsFFm5WrTV8GtS6wNJ3_6G47Y0W3sIow
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "library.wccac.net"
  },
  "status": "pending",
  "expires": "2024-08-15T16:50:05Z",
  "challenges": [
    {
      "type": "http-01",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/387729631756/v_Euwg",
      "status": "pending",
      "token": "NaUBJ83vXqpUdWXBg0WULSeY2lUva-ZL1hYbL4wowh4"
    },
    {
      "type": "dns-01",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/387729631756/gxNSzw",
      "status": "pending",
      "token": "NaUBJ83vXqpUdWXBg0WULSeY2lUva-ZL1hYbL4wowh4"
    },
    {
      "type": "tls-alpn-01",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/387729631756/2Jcaqw",
      "status": "pending",
      "token": "NaUBJ83vXqpUdWXBg0WULSeY2lUva-ZL1hYbL4wowh4"
    }
  ]
}
2024-08-08 10:50:10,660:DEBUG:acme.client:Storing nonce: bXG0Ugg-X62iAIEr7VBHsFFm5WrTV8GtS6wNJ3_6G47Y0W3sIow
2024-08-08 10:50:13,664:DEBUG:acme.client:JWS payload:
b''
2024-08-08 10:50:13,666:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/387729631756:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTA2NTc2MDYyIiwgIm5vbmNlIjogImJYRzBVZ2ctWDYyaUFJRXI3VkJIc0ZGbTVXclRWOEd0UzZ3TkozXzZHNDdZMFczc0lvdyIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYXV0aHotdjMvMzg3NzI5NjMxNzU2In0",
  "signature": "NpQtVGBIFJ2VQi1v-l8ok6erWNs6Pi8zaG2SXTXXrk0I3xM7vUUoSGdoPMsAECu8cg8zI_M7iwt57vWX_LKc4Ysx_wQhVf-ECHTgXThGccukC8XkH1PbeaVi1gm1Hqj8B6gL9BC0JP7u927j91HTg0zlhc18qI-wgFeISBPOlJ1BsgbOigLGsjrhbmtePuaH4w-LXag7o4_firpYeikPCNHO4FI-GrBbMbJCzsmQ6kJ_TKDeqqty0VWgKSL_k5fQNgdvYmDKUQtaWCtMUl-BMB-Z4u7-UHQqNZ9oIx-VknejkkkUKvmPlPFhr-1mNgeabDS_8ZyqeEpJ2Vved7Qldg",
  "payload": ""
}
2024-08-08 10:50:13,730:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/387729631756 HTTP/1.1" 200 801
2024-08-08 10:50:13,731:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Thu, 08 Aug 2024 16:50:13 GMT
Content-Type: application/json
Content-Length: 801
Connection: keep-alive
Boulder-Requester: 106576062
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: hgpogSPuMkkInw3haI8G74zZEQ-b4sguvZng2U-6J5H4KdQN2js
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "library.wccac.net"
  },
  "status": "pending",
  "expires": "2024-08-15T16:50:05Z",
  "challenges": [
    {
      "type": "http-01",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/387729631756/v_Euwg",
      "status": "pending",
      "token": "NaUBJ83vXqpUdWXBg0WULSeY2lUva-ZL1hYbL4wowh4"
    },
    {
      "type": "dns-01",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/387729631756/gxNSzw",
      "status": "pending",
      "token": "NaUBJ83vXqpUdWXBg0WULSeY2lUva-ZL1hYbL4wowh4"
    },
    {
      "type": "tls-alpn-01",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/387729631756/2Jcaqw",
      "status": "pending",
      "token": "NaUBJ83vXqpUdWXBg0WULSeY2lUva-ZL1hYbL4wowh4"
    }
  ]
}
2024-08-08 10:50:13,731:DEBUG:acme.client:Storing nonce: hgpogSPuMkkInw3haI8G74zZEQ-b4sguvZng2U-6J5H4KdQN2js
2024-08-08 10:50:16,735:DEBUG:acme.client:JWS payload:
b''
2024-08-08 10:50:16,736:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/387729631756:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTA2NTc2MDYyIiwgIm5vbmNlIjogImhncG9nU1B1TWtrSW53M2hhSThHNzR6WkVRLWI0c2d1dlpuZzJVLTZKNUg0S2RRTjJqcyIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYXV0aHotdjMvMzg3NzI5NjMxNzU2In0",
  "signature": "ai6r1NZ_J1vBJeCl_OqcTVXawxvEQkOpF8QF7ztjwGTWgX3UFCXi9-tMNsgglp5mGsU9yEMhLKfFu0_YSA-uLFP1HqFTu4UrOHaCyQcHZYz3N93E3fZW3iIpphtnDVdy2EMDckDQEWppQwjdo5ETz2uiuAWK79VvZO5dIhMD28ZzCIWlQFRPUkDD4IYGgluhp3UNWaVNl5wJIARK3tQZFgXRn4SbIZMRy9eXZURFuiYQjvEblgrW14rkDDev5ZaGOdKD3OHji1FL2S6oTnCH-5lj2WWzM-st4fxQH_BKl7rB7HLsZyTZOearDxDLj_Vde7D7kx0Lbt51qQpEarzWSw",
  "payload": ""
}
2024-08-08 10:50:16,804:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/387729631756 HTTP/1.1" 200 801
2024-08-08 10:50:16,805:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Thu, 08 Aug 2024 16:50:16 GMT
Content-Type: application/json
Content-Length: 801
Connection: keep-alive
Boulder-Requester: 106576062
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: hgpogSPurrQjdJLiF3m40ZjIUnow3XewVs2lmtorVPSAIPeZEtw
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "library.wccac.net"
  },
  "status": "pending",
  "expires": "2024-08-15T16:50:05Z",
  "challenges": [
    {
      "type": "http-01",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/387729631756/v_Euwg",
      "status": "pending",
      "token": "NaUBJ83vXqpUdWXBg0WULSeY2lUva-ZL1hYbL4wowh4"
    },
    {
      "type": "dns-01",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/387729631756/gxNSzw",
      "status": "pending",
      "token": "NaUBJ83vXqpUdWXBg0WULSeY2lUva-ZL1hYbL4wowh4"
    },
    {
      "type": "tls-alpn-01",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/387729631756/2Jcaqw",
      "status": "pending",
      "token": "NaUBJ83vXqpUdWXBg0WULSeY2lUva-ZL1hYbL4wowh4"
    }
  ]
}
2024-08-08 10:50:16,805:DEBUG:acme.client:Storing nonce: hgpogSPurrQjdJLiF3m40ZjIUnow3XewVs2lmtorVPSAIPeZEtw
2024-08-08 10:50:19,807:DEBUG:acme.client:JWS payload:
b''
2024-08-08 10:50:19,808:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/387729631756:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTA2NTc2MDYyIiwgIm5vbmNlIjogImhncG9nU1B1cnJRamRKTGlGM200MFpqSVVub3czWGV3VnMybG10b3JWUFNBSVBlWkV0dyIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYXV0aHotdjMvMzg3NzI5NjMxNzU2In0",
  "signature": "od_i7dXrDPtNFFVTO9weCPccwHPwG_akKjAX-IV3XUxWxYSu8WjfVtv800jZTg0ZWzLfvRaWocSIdFZ_RwtVhmoKPz1hi-mzCbQ5zIurQGKOT8rjdvftCytZwjSnayG99WLI-9Uw6BIxGQx172ErEFEIOfmRd4laRcWKiaf5Pz2dRImUg3yNDrx2QgNbsDxfAgVgWnfM6dQ2hR0lRR7GJLGagFgSEa-ctbBVLxponGo0moB7a6gvEVTKU6xGMIi5wLDLBXbQg-mowAczNZLC4t2HbXnjBxAnz_3f5GNTQ1P3CuGX0gfHR4sejA1RRO8KbCPIo8IC3XiP_UdeF8HNMw",
  "payload": ""
}
2024-08-08 10:50:19,874:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/387729631756 HTTP/1.1" 200 1066
2024-08-08 10:50:19,875:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Thu, 08 Aug 2024 16:50:19 GMT
Content-Type: application/json
Content-Length: 1066
Connection: keep-alive
Boulder-Requester: 106576062
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: hgpogSPuiuULUIDkNrs7HmCAS5Y2eqGGg9icd96Ut5rjJl-rCmA
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "library.wccac.net"
  },
  "status": "invalid",
  "expires": "2024-08-15T16:50:05Z",
  "challenges": [
    {
      "type": "http-01",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/387729631756/v_Euwg",
      "status": "invalid",
      "validated": "2024-08-08T16:50:09Z",
      "error": {
        "type": "urn:ietf:params:acme:error:connection",
        "detail": "52.10.248.255: Fetching http://library.wccac.net/.well-known/acme-challenge/NaUBJ83vXqpUdWXBg0WULSeY2lUva-ZL1hYbL4wowh4: Timeout during connect (likely firewall problem)",
        "status": 400
      },
      "token": "NaUBJ83vXqpUdWXBg0WULSeY2lUva-ZL1hYbL4wowh4",
      "validationRecord": [
        {
          "url": "http://library.wccac.net/.well-known/acme-challenge/NaUBJ83vXqpUdWXBg0WULSeY2lUva-ZL1hYbL4wowh4",
          "hostname": "library.wccac.net",
          "port": "80",
          "addressesResolved": [
            "52.10.248.255"
          ],
          "addressUsed": "52.10.248.255"
        }
      ]
    }
  ]
}
2024-08-08 10:50:19,875:DEBUG:acme.client:Storing nonce: hgpogSPuiuULUIDkNrs7HmCAS5Y2eqGGg9icd96Ut5rjJl-rCmA
2024-08-08 10:50:19,875:INFO:certbot._internal.auth_handler:Challenge failed for domain library.wccac.net
2024-08-08 10:50:19,875:INFO:certbot._internal.auth_handler:http-01 challenge for library.wccac.net
2024-08-08 10:50:19,876:DEBUG:certbot._internal.display.obj:Notifying user: 
Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
  Domain: library.wccac.net
  Type:   connection
  Detail: 52.10.248.255: Fetching http://library.wccac.net/.well-known/acme-challenge/NaUBJ83vXqpUdWXBg0WULSeY2lUva-ZL1hYbL4wowh4: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

2024-08-08 10:50:19,877:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/snap/certbot/3834/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 108, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
  File "/snap/certbot/3834/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 212, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2024-08-08 10:50:19,877:DEBUG:certbot._internal.error_handler:Calling registered functions
2024-08-08 10:50:19,877:INFO:certbot._internal.auth_handler:Cleaning up challenges
2024-08-08 10:50:20,068:ERROR:certbot._internal.renewal:Failed to renew certificate library.wccac.net with error: Some challenges have failed.
2024-08-08 10:50:20,070:DEBUG:certbot._internal.renewal:Traceback was:
Traceback (most recent call last):
  File "/snap/certbot/3834/lib/python3.8/site-packages/certbot/_internal/renewal.py", line 540, in handle_renewal_request
    main.renew_cert(lineage_config, plugins, renewal_candidate)
  File "/snap/certbot/3834/lib/python3.8/site-packages/certbot/_internal/main.py", line 1550, in renew_cert
    renewed_lineage = _get_and_save_cert(le_client, config, lineage=lineage)
  File "/snap/certbot/3834/lib/python3.8/site-packages/certbot/_internal/main.py", line 131, in _get_and_save_cert
    renewal.renew_cert(config, domains, le_client, lineage)
  File "/snap/certbot/3834/lib/python3.8/site-packages/certbot/_internal/renewal.py", line 399, in renew_cert
    new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
  File "/snap/certbot/3834/lib/python3.8/site-packages/certbot/_internal/client.py", line 428, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/snap/certbot/3834/lib/python3.8/site-packages/certbot/_internal/client.py", line 496, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
  File "/snap/certbot/3834/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 108, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
  File "/snap/certbot/3834/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 212, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2024-08-08 10:50:20,072:DEBUG:certbot._internal.display.obj:Notifying user: 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2024-08-08 10:50:20,072:ERROR:certbot._internal.renewal:All renewals failed. The following certificates could not be renewed:
2024-08-08 10:50:20,072:ERROR:certbot._internal.renewal:  /etc/letsencrypt/live/library.wccac.net/fullchain.pem (failure)
2024-08-08 10:50:20,072:DEBUG:certbot._internal.display.obj:Notifying user: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2024-08-08 10:50:20,073:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/snap/certbot/3834/bin/certbot", line 8, in <module>
    sys.exit(main())
  File "/snap/certbot/3834/lib/python3.8/site-packages/certbot/main.py", line 19, in main
    return internal_main.main(cli_args)
  File "/snap/certbot/3834/lib/python3.8/site-packages/certbot/_internal/main.py", line 1894, in main
    return config.func(config, plugins)
  File "/snap/certbot/3834/lib/python3.8/site-packages/certbot/_internal/main.py", line 1642, in renew
    renewed_domains, failed_domains = renewal.handle_renewal_request(config)
  File "/snap/certbot/3834/lib/python3.8/site-packages/certbot/_internal/renewal.py", line 568, in handle_renewal_request
    raise errors.Error(
certbot.errors.Error: 1 renew failure(s), 0 parse failure(s)
2024-08-08 10:50:20,073:ERROR:certbot._internal.log:1 renew failure(s), 0 parse failure(s)

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

My web server is (include version): Apache/2.4.25 (Debian)

The operating system my web server runs on is (include version): Debian GNU/Linux 9.13 (stretch)

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.11.0

1 Like
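The failure in the log above can be pulled out mechanically. This is an added example, not part of the original post and not Certbot code: it scans a `letsencrypt.log` for authorization objects the CA marked invalid and reports the challenge type, the address the CA used, and the ACME error type. `SAMPLE_LOG` is a constructed excerpt using the values from the post, and the `HINTS` mapping is an assumption made for this example.

```python
import json
import re

# Constructed excerpt in the shape of certbot's letsencrypt.log. The values
# come from the post above; the JWS request body is replaced by placeholders.
SAMPLE_LOG = """\
2024-08-08 10:50:19,808:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/387729631756:
{
  "protected": "<omitted>",
  "signature": "<omitted>",
  "payload": ""
}
2024-08-08 10:50:19,875:DEBUG:acme.client:Received response:
HTTP 200
Content-Type: application/json

{
  "identifier": {"type": "dns", "value": "library.wccac.net"},
  "status": "invalid",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:connection",
        "detail": "52.10.248.255: Fetching http://library.wccac.net/.well-known/acme-challenge/NaUBJ83vXqpUdWXBg0WULSeY2lUva-ZL1hYbL4wowh4: Timeout during connect (likely firewall problem)",
        "status": 400
      },
      "validationRecord": [
        {"hostname": "library.wccac.net", "port": "80",
         "addressesResolved": ["52.10.248.255"], "addressUsed": "52.10.248.255"}
      ]
    }
  ]
}
2024-08-08 10:50:19,875:INFO:certbot._internal.auth_handler:Challenge failed for domain library.wccac.net
"""

# Start of a normal log record, e.g. "2024-08-08 10:50:19,875:DEBUG:..."
TIMESTAMP = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}:")

# Assumed mapping from ACME error type to a first thing to check; written for
# this example, not text produced by certbot or the CA.
HINTS = {
    "connection": "CA could not connect to the address used; check inbound "
                  "filtering and that DNS points at this server",
    "dns": "CA could not resolve the name; check the authoritative DNS zone",
}


def iter_json_objects(log_text):
    """Yield each pretty-printed JSON object whose braces sit at column 0."""
    buf = None
    for line in log_text.splitlines():
        if TIMESTAMP.match(line):
            buf = None                  # a new record ends any partial object
        elif buf is None:
            if line == "{":
                buf = [line]
        else:
            buf.append(line)
            if line == "}":
                try:
                    yield json.loads("\n".join(buf))
                except json.JSONDecodeError:
                    pass                # truncated or interleaved output
                buf = None


def failed_challenges(log_text):
    """Return one finding per (domain, challenge type, error) marked invalid."""
    findings, seen = [], set()
    for obj in iter_json_objects(log_text):
        if obj.get("status") != "invalid" or "challenges" not in obj:
            continue                    # request bodies and pending polls
        domain = obj.get("identifier", {}).get("value")
        for chall in obj["challenges"]:
            err = chall.get("error")
            if chall.get("status") != "invalid" or not err:
                continue
            kind = err.get("type", "").rsplit(":", 1)[-1]
            key = (domain, chall.get("type"), kind)
            if key in seen:
                continue
            seen.add(key)
            rec = (chall.get("validationRecord") or [{}])[-1]
            findings.append({
                "domain": domain,
                "challenge": chall.get("type"),
                "error": kind,
                "address": rec.get("addressUsed"),
                "port": rec.get("port"),
                "detail": err.get("detail"),
                "hint": HINTS.get(kind, "see the detail text"),
            })
    return findings


if __name__ == "__main__":
    for f in failed_challenges(SAMPLE_LOG):
        print("%(domain)s %(challenge)s %(error)s %(address)s:%(port)s" % f)
        print("  " + f["hint"])
```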

Welcome back @DHW0715

Let's Encrypt times out connecting to your domain using HTTP. And, I cannot connect either with HTTP or HTTPS from my test server on AWS EC2 on us-east.

The first two things that come to mind are:

  • Have you gotten a new public IP recently?
  • Have you enabled a firewall, EC2 Security Rules, or VPC rules?

curl -i -m8 http://library.wccac.net
curl: (28) Connection timed out after 8001 milliseconds
curl -i -m8 https://library.wccac.net
curl: (28) Connection timed out after 8001 milliseconds

4 Likes

Thanks for your quick response!

Sorry I forgot to mention:

  • The system admin recently added a whitelist to ports 80 and 443 due to being overwhelmed by scan bots.
  • When I noticed the certificate renewal problem, I already asked for https://acme-staging-v02.api.letsencrypt.org (172.65.46.172) to be added to the whitelist.

What other Let's Encrypt related IP should I add to the whitelist?

1 Like

An allow list? How many people access your domain? If it is meant for the general public, that won't allow that. See my failures to your "home" page from my test server.

Let's Encrypt does not publish the IP addresses used by its authentication servers. There are multiple locations world-wide and the IPs change regularly. See this FAQ and its link: FAQ - Let's Encrypt
And also this about world-wide validation: Multi-Perspective Validation & Geoblocking FAQ

Assuming you require limited HTTP(S) access, you have options:

Look at something like AWS WAF which allows you to make rules about access. You could allow any URI with /.well-known/acme-challenge/ on port 80 and block all others, for example.

Use a DNS Challenge (link here). This assumes your DNS provider allows queries from anywhere, as these must be allowed world-wide for LE authentication too. Automating it requires your DNS provider to support an API to add/remove TXT records for authentication.

If your DNS provider does not offer an API, you could set up your own DNS server just for the challenges (see acme-dns). Or CNAME the authentication record to another provider that does. Or, of course, switch DNS providers (Route53 integrates with Certbot).

Lastly, you could look at using a different Certificate Authority. You are still going to have some validation issues if you severely restrict access, but perhaps you can find a CA that is currently less robust. But note that other CAs may well be or become similar to LE in this regard over time.

5 Likes
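What each of the two challenge types in this reply needs the CA to reach, as an added example (not code from the thread, Certbot, or Let's Encrypt): it derives the HTTP-01 resource and the DNS-01 TXT record from a challenge token as RFC 8555 defines them. The domain and token are the ones in the log above; `ACCOUNT_JWK` is a constructed placeholder, not the poster's account key.

```python
import base64
import hashlib
import json

# Values from the authorization object in the log above.
DOMAIN = "library.wccac.net"
TOKEN = "NaUBJ83vXqpUdWXBg0WULSeY2lUva-ZL1hYbL4wowh4"

# Constructed placeholder for the ACME account's public key (JWK form).
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": "CONSTRUCTED_MODULUS_NOT_A_REAL_KEY"}

# Members that enter the RFC 7638 thumbprint, per key type.
THUMBPRINT_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}


def b64url(data):
    """Base64url without padding, as ACME and JOSE use it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk):
    """SHA-256 over the required members only, sorted, with no whitespace."""
    members = THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({m: jwk[m] for m in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token, account_jwk):
    """token + '.' + thumbprint of the account key (RFC 8555 section 8.1)."""
    return token + "." + jwk_thumbprint(account_jwk)


def http01_resource(domain, token, account_jwk):
    """URL the CA fetches over port 80 and the body it expects back.

    The CA's validation servers must be able to open this URL, which is
    what the allow list in this thread prevented.
    """
    url = "http://%s/.well-known/acme-challenge/%s" % (domain, token)
    return url, key_authorization(token, account_jwk)


def dns01_record(domain, token, account_jwk):
    """TXT record name and value the CA looks up for DNS-01.

    Only the zone's authoritative name servers need to be reachable;
    the web server's ports 80 and 443 are not contacted.
    """
    ka = key_authorization(token, account_jwk).encode("ascii")
    return "_acme-challenge." + domain, b64url(hashlib.sha256(ka).digest())


if __name__ == "__main__":
    url, body = http01_resource(DOMAIN, TOKEN, ACCOUNT_JWK)
    name, value = dns01_record(DOMAIN, TOKEN, ACCOUNT_JWK)
    print("HTTP-01: GET %s\n         body: %s" % (url, body))
    print('DNS-01:  %s. IN TXT "%s"' % (name, value))
```

A client such as Certbot computes these values itself; the point is which service has to answer the CA in each case.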

Thanks for your advice Mike.

3 Likes
