Certificate renewal is not working as expected

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.nuy.info

I ran this command: certbot -v renew

It produced this output:
certbot -v renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/www.nuy.info.conf


Certificate is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate for www.nuy.info
Performing the following challenges:
http-01 challenge for www.nuy.info
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Challenge failed for domain www.nuy.info
http-01 challenge for www.nuy.info

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: www.nuy.info
Type: connection
Detail: 83.81.79.251: Fetching http://www.nuy.info/.well-known/acme-challenge/lcsAP11W6_i0WU0jKMRqlr8VNOz43pTIgt1Bq28O2IQ: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Cleaning up challenges
Failed to renew certificate www.nuy.info with error: Some challenges have failed.


All renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/www.nuy.info/fullchain.pem (failure)


Running post-hook command: /etc/letsencrypt/renewal-hooks/post/create_p12_file.sh
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): Apache 2.4.58

The operating system my web server runs on is (include version): Ubuntu 24.04.1

My hosting provider, if applicable, is: selfhosted

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): I do have Webmin but also manage manually

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.9.0

1 Like

Welcome to the community @CasN

Have you changed how you handle HTTP requests on port 80? Because those requests are timing out. You must have had this port open and working when you last got your cert about 2 months ago.

HTTPS requests (port 443) are working fine so it is just port 80 that is a problem.

Check any firewall and any router settings including port forwarding / NAT.

3 Likes
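The check Mike describes (port 80 reachable, challenge files served from the webroot) can be scripted so it is run on the server before retrying the renewal. This is an added example, not code from the thread or from Certbot; the domain and webroot are taken from the log above, and the probe-file naming, the curl and ss usage and the output wording are this example's own assumptions:

```shell
#!/bin/sh
# Added example, not code from this thread: a self-check for the HTTP-01 path
# that the CA fetches, run on the web server before retrying "certbot renew".
# DOMAIN and WEBROOT come from the log above; everything else (probe file
# naming, curl/ss usage) is this example's own choice.
DOMAIN="${DOMAIN:-www.nuy.info}"
WEBROOT="${WEBROOT:-/var/www/html}"
CHALLENGE_DIR=".well-known/acme-challenge"

# Write a throwaway token file exactly where certbot would place the real one
# and print its path. The token is random, so a stale cached answer or a
# catch-all page cannot masquerade as a successful fetch.
make_probe_file() {
    root="$1"
    token="$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')"
    mkdir -p "$root/$CHALLENGE_DIR"
    printf 'probe-%s\n' "$token" > "$root/$CHALLENGE_DIR/$token"
    printf '%s\n' "$root/$CHALLENGE_DIR/$token"
}

# Fetch a URL the way the CA does: plain HTTP, following redirects, with a
# hard timeout so a silently dropping firewall shows up as a failure rather
# than a hang. Succeeds only when the body equals what is on disk.
fetch_probe() {
    url="$1"; expected="$2"; host="$3"
    body="$(curl -sS -L --max-time 10 -H "Host: $host" "$url" 2>/dev/null)" || return 1
    [ "$body" = "$expected" ]
}

# Is any process listening on TCP port 80 on this host?
port80_listening() {
    ss -ltn 2>/dev/null | awk 'NR > 1 {print $4}' | grep -Eq '(^|:)80$'
}

main() {
    file="$(make_probe_file "$WEBROOT")"
    token="$(basename "$file")"
    expected="$(cat "$file")"
    trap 'rm -f "$file"' EXIT          # never leave probe files behind

    if port80_listening; then
        echo "ok  : a service is listening on TCP port 80"
    else
        echo "FAIL: nothing listens on TCP port 80 (no :80 VirtualHost, or Apache not running)"
    fi

    # 1. Local: does Apache serve the webroot for this domain's port-80 vhost?
    if fetch_probe "http://127.0.0.1/$CHALLENGE_DIR/$token" "$expected" "$DOMAIN"; then
        echo "ok  : webroot is served locally for $DOMAIN"
    else
        echo "FAIL: local fetch failed; check the :80 VirtualHost and DocumentRoot"
    fi

    # 2. Public: the same URL shape the CA used. A timeout here while step 1
    #    passes points at the firewall, router or NAT rule for port 80.
    if fetch_probe "http://$DOMAIN/$CHALLENGE_DIR/$token" "$expected" "$DOMAIN"; then
        echo "ok  : http://$DOMAIN/$CHALLENGE_DIR/<token> is reachable with the right content"
    else
        echo "FAIL: http://$DOMAIN/$CHALLENGE_DIR/<token> timed out or returned the wrong content"
    fi
}

# Run the checks only when invoked as "sh acme-probe.sh run", so the functions
# can also be sourced on their own without side effects.
case "${1:-}" in
    run) main ;;
esac
```

Run it as root on the web server with `sh acme-probe.sh run`. If step 1 passes and step 2 times out, the web server is fine and the problem sits in front of it (host firewall, router port forward, NAT). One caveat: step 2 run from inside the same LAN can fail for an unrelated reason if the router does not support NAT hairpinning, so confirm from outside the network (or with the CA's own error text, as in the log above) before changing firewall rules.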

Thanks Mike, that was the answer. Port 80 appeared to be closed (I got the certificate immediately after setting up the server from scratch) and somehow later only HTTPS was enabled.

2 Likes

Great. I see from the public cert CT logs that you got a cert today.

But, your server is not yet using it. You may just need to gracefully reload Apache to refresh its config.

It is also possible to update your cert renewal profile with a --deploy-hook to do that each time the cert is renewed.

https://eff-certbot.readthedocs.io/en/stable/using.html#certbot-v2-3-0-and-newer

2 Likes

Next to what Mike said: the above is probably also better suited as a deploy hook instead of a post-hook. Deploy hooks are run on a per-certificate basis, while post hooks are run just once, independent of how many certs were renewed.

1 Like
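What a deploy hook for this setup could look like, as an added example that is not the thread's own create_p12_file.sh nor Certbot code. Certbot really does export RENEWED_LINEAGE (the /etc/letsencrypt/live/<name> directory) and RENEWED_DOMAINS to deploy hooks; the Apache reload commands, the PKCS#12 output path, the P12_PASSWORD variable and the assumption that the original post-hook builds a .p12 bundle are this example's own:

```shell
#!/bin/sh
# Added example, not the thread's create_p12_file.sh: a certbot deploy hook
# that acts only for the certificate that was actually renewed, reloads Apache
# afterwards, and refuses to act on an incomplete lineage. RENEWED_LINEAGE and
# RENEWED_DOMAINS are set by certbot; the reload commands, the P12_PASSWORD
# variable and the /etc/letsencrypt/p12 output path are assumptions.
set -u

# Both files certbot hands a deploy hook must exist and be non-empty before we
# touch the web server. Returns 0 if so, 1 otherwise.
lineage_ok() {
    lineage="$1"
    for f in fullchain.pem privkey.pem; do
        [ -s "$lineage/$f" ] || return 1
    done
    return 0
}

# Build a PKCS#12 bundle from the renewed lineage (what the thread's post-hook
# presumably does, but now per certificate). The export password is read from
# the P12_PASSWORD environment variable so it never appears in argv, and the
# subshell keeps the restrictive umask from leaking into the caller.
bundle_p12() {
    lineage="$1"; out="$2"
    (
        umask 077                              # the bundle contains the private key
        mkdir -p "$(dirname "$out")"
        openssl pkcs12 -export \
            -in "$lineage/fullchain.pem" -inkey "$lineage/privkey.pem" \
            -out "$out" -passout env:P12_PASSWORD
    )
}

# Reload Apache only after its configuration parses, so a broken config does
# not turn a certificate renewal into an outage.
reload_apache() {
    if command -v apachectl >/dev/null 2>&1; then
        apachectl configtest && apachectl graceful
    else
        systemctl reload apache2
    fi
}

main() {
    lineage="${RENEWED_LINEAGE:?RENEWED_LINEAGE is set by certbot for deploy hooks}"
    name="$(basename "$lineage")"
    if ! lineage_ok "$lineage"; then
        echo "deploy hook: $lineage is missing fullchain.pem or privkey.pem; not reloading" >&2
        exit 1
    fi
    if [ -n "${P12_PASSWORD:-}" ]; then
        bundle_p12 "$lineage" "/etc/letsencrypt/p12/$name.p12"   # assumed output path
    fi
    reload_apache
    logger -t certbot-deploy "reloaded Apache after renewing $name (${RENEWED_DOMAINS:-?})"
}

# Certbot runs this file with no arguments and RENEWED_LINEAGE set; without
# that variable the file only defines its functions, so it can be sourced.
case "${1:-}" in
    "") [ -n "${RENEWED_LINEAGE:-}" ] && main ;;
esac
```

Installed executable (mode 0700) under /etc/letsencrypt/renewal-hooks/deploy/ it runs for every renewed certificate; to attach it to just this one the Certbot 2.3.0+ page linked above documents `certbot reconfigure --cert-name www.nuy.info --deploy-hook /path/to/hook.sh`, which also lets `certbot renew --dry-run` exercise the hook before the real renewal. Compared with the post-hook in the log above, the reload and the bundle step then happen only when www.nuy.info was actually renewed, not after every `certbot renew` run, including failed ones.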

Thanks for the advice. I did restart Apache so now it should be fine. Next step will be to look into your advice to make sure all goes fully automatic in the future.

2 Likes

Also, that could use an update.

1 Like

Certbot updated too, thanks for the tip

2 Likes
