Certificate Renewal

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: etrust.pacifictrustees.com

I ran this command: /mnt/utils/certbot-auto renew

It produced this output: Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/etdemo.pacifictrustees.com.conf


Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for etdemo.pacifictrustees.com
Waiting for verification…
Challenge failed for domain etdemo.pacifictrustees.com
http-01 challenge for etdemo.pacifictrustees.com
Cleaning up challenges
Attempting to renew cert (etdemo.pacifictrustees.com) from /etc/letsencrypt/renewal/etdemo.pacifictrustees.com.conf produced an unexpected error: Some challenges have failed… Skipping.


Processing /etc/letsencrypt/renewal/etrust.pacifictrustees.com.conf


Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for etrust.pacifictrustees.com
Waiting for verification…
Challenge failed for domain etrust.pacifictrustees.com
http-01 challenge for etrust.pacifictrustees.com
Cleaning up challenges
Attempting to renew cert (etrust.pacifictrustees.com) from /etc/letsencrypt/renewal/etrust.pacifictrustees.com.conf produced an unexpected error: Some challenges have failed… Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/etdemo.pacifictrustees.com/fullchain.pem (failure)
/etc/letsencrypt/live/etrust.pacifictrustees.com/fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/etdemo.pacifictrustees.com/fullchain.pem (failure)
/etc/letsencrypt/live/etrust.pacifictrustees.com/fullchain.pem (failure)


2 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: etdemo.pacifictrustees.com
    Type: connection
    Detail: Fetching
    http://etdemo.pacifictrustees.com/.well-known/acme-challenge/kEq_JXt3LyEM69UmOGOVgkDWLbcj-5s1VteD_9ixIBw:
    Timeout during connect (likely firewall problem)

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

  • The following errors were reported by the server:

    Domain: etrust.pacifictrustees.com
    Type: connection
    Detail: Fetching
    http://etrust.pacifictrustees.com/.well-known/acme-challenge/dm9Hvm-ztg8YzPXHNUnzwZKpvMsiOyQBFOoQortZKxE:
    Timeout during connect (likely firewall problem)

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

My web server is (include version): nginx/1.14.0 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-112-generic x86_64)

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): Wix

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.27.0

2 Likes

Is port 80 open to that IP address? Because I’m getting a timeout too on HTTP (port 80), but HTTPS (port 443) is connecting properly.

2 Likes

Port 80 is closed. We have closed it due to our firewall permissions.

2 Likes

An open port 80 is required for the http-01 challenge. The webroot plugin uses this challenge exclusively.

2 Likes

Alright let me open up port 80 and try it again

3 Likes

I’ve opened up port 80, but it's still giving me the same error. I double checked the open port in cmd using telnet btw

2 Likes

Hi @LJW

there is no answer - see etdemo.pacifictrustees.com - Make your website better - DNS, redirects, mixed content, certificates

Your https answers, your http not.

Domainname Http-Status redirect Sec. G
• http://etdemo.pacifictrustees.com/ 211.24.110.124 -14 10.023 T
Timeout - The operation has timed out
• https://etdemo.pacifictrustees.com/ 211.24.110.124 GZip used - 1124 / 3603 - 68,80 % Inline-JavaScript (∑/total): 5/0 Inline-CSS (∑/total): 1/814 200 Html is minified: 207,91 % 6.750 N
Certificate error: RemoteCertificateChainErrors
small visible content (num chars: 42)
PacT Online Platform Login Forget Password
• http://etdemo.pacifictrustees.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 211.24.110.124 -14 10.016 T
Timeout - The operation has timed out

So

  • your http doesn't work internally (or)
  • http works internally, but there is a blocking firewall / .htaccess / another thing

Does http work from that machine?

curl http://etdemo.pacifictrustees.com/.well-known/acme-challenge/1234

should have a correct http status 404 - Not Found.

1 Like
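The check suggested above (a curl against the challenge path, expecting a 404 for a made-up token), as an added example that is not part of the thread: a small POSIX shell script that probes each hostname from the machine itself, interprets curl's status code, and additionally writes a throw-away token into the webroot and fetches it back over port 80, which is exactly what the CA must be able to do. It assumes curl is installed and that the first argument is the webroot path that was given to certbot; the hostnames and the webroot path in the usage line are only illustrative.

```shell
#!/bin/sh
# Added example (not from the thread): probe the http-01 challenge path from the
# server itself and interpret the result. Assumes curl is installed and that
# WEBROOT is the same path certbot's webroot plugin was configured with.
set -eu

# Map a curl HTTP status (000 = no connection at all) to a verdict.
classify_status() {
  case "$1" in
    404) echo "ok: port 80 answers, 404 for a random token is expected" ;;
    200) echo "ok: served (make sure it is your file, not a catch-all page)" ;;
    301|302|307|308) echo "redirect: fine only if the target also serves /.well-known/acme-challenge/" ;;
    000) echo "no answer: port 80 closed, firewalled, or nothing listening" ;;
    *)   echo "unexpected status $1: check the webserver config for /.well-known/acme-challenge/" ;;
  esac
}

# Print only the HTTP status code for a URL; curl reports 000 on connect failure.
http_status() {
  curl -s -o /dev/null -m 10 -w '%{http_code}' "$1" || true
}

# Drop a test token into the webroot, fetch it over plain http, remove it again.
# Succeeds only when the body equals the token, i.e. the path really is served.
roundtrip_token() {
  host=$1; webroot=$2
  dir="$webroot/.well-known/acme-challenge"
  token="probe-$(date +%s)-$$"
  mkdir -p "$dir"
  printf '%s' "$token" > "$dir/$token"
  body=$(curl -s -m 10 "http://$host/.well-known/acme-challenge/$token" || true)
  rm -f "$dir/$token"
  [ "$body" = "$token" ]
}

main() {
  webroot=$1; shift
  for host in "$@"; do
    code=$(http_status "http://$host/.well-known/acme-challenge/1234")
    echo "$host: HTTP $code -> $(classify_status "$code")"
    if roundtrip_token "$host" "$webroot"; then
      echo "$host: token round-trip OK"
    else
      echo "$host: token round-trip FAILED (wrong webroot, or port 80 not reachable)"
    fi
  done
}

# Usage (illustrative paths/hosts):
#   sh probe_acme.sh /var/www/html etdemo.pacifictrustees.com etrust.pacifictrustees.com
if [ "$#" -ge 2 ]; then
  main "$@"
fi
```

A 000 from this machine means the webserver itself is not answering on port 80 (nothing listening, or a local firewall); a 404 or a token round-trip that works locally while the CA still times out points at the perimeter firewall or routing in front of the host, which is what the thread goes on to find.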

According to my vendor, that website isn’t functional. I used telnet and it shows it's open.

1 Like

telnet is port 23…

Is your webserver listening on port 80?

If it isn't, you should move to "Authenticator standalone" and add the proper hooks, like:

certbot renew --cert-name $CERT_NAME \
              --standalone \
              --pre-hook "command to open firewall on 80" \
              --post-hook "command to close firewall on 80" \
              --deploy-hook "cmd to reload the webserver"

Where $CERT_NAME is a certificate name you get from certbot certificates

Don't forget ipv6 when opening/closing firewalls, Let's Encrypt doesn't like to use ipv4 when it can avoid it.

1 Like
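The standalone-with-hooks approach from the post above, carried through as an added example (not code from the thread or from the certbot project): one script that acts as its own pre-, post- and deploy-hook. It assumes iptables/ip6tables are the host firewall and nginx the webserver; the open/close rules cover IPv4 and IPv6 both, since Let's Encrypt will validate over IPv6 whenever an AAAA record exists. The post-hook is run by certbot even when the challenge failed, so port 80 is closed again either way.

```shell
#!/bin/sh
# Added example (not from the thread): renew one certificate with the standalone
# authenticator, opening tcp/80 only for the duration of the attempt.
# Assumes iptables + ip6tables as the firewall and nginx as the webserver.
# Usage:  sh renew_standalone.sh CERT_NAME      (CERT_NAME from: certbot certificates)
set -eu

# Print the firewall commands for one action (open|close) on tcp/80,
# once per address family so IPv6 is not forgotten.
fw_cmds() {
  action=$1
  for tool in iptables ip6tables; do
    case "$action" in
      open)  echo "$tool -I INPUT -p tcp --dport 80 -j ACCEPT" ;;
      close) echo "$tool -D INPUT -p tcp --dport 80 -j ACCEPT" ;;
      *)     echo "unknown action: $action" >&2; return 1 ;;
    esac
  done
}

# Execute every command fw_cmds produced; hooks run as root under certbot.
apply_fw() {
  fw_cmds "$1" | while read -r cmd; do
    $cmd
  done
}

main() {
  case "$1" in
    --pre-hook)    apply_fw open ;;
    --post-hook)   apply_fw close ;;        # runs even if the challenge failed
    --deploy-hook) systemctl reload nginx ;; # only runs after a successful renewal
    *)
      cert_name=$1
      self=$(readlink -f "$0")
      certbot renew --cert-name "$cert_name" \
        --authenticator standalone \
        --pre-hook "$self --pre-hook" \
        --post-hook "$self --post-hook" \
        --deploy-hook "$self --deploy-hook"
      ;;
  esac
}

if [ "$#" -ge 1 ]; then
  main "$@"
fi
```

Standalone still needs to bind port 80 itself, so it only helps when the port is free on the host; if another process (later in this thread, a docker-proxy) already owns it, the bind fails regardless of the firewall hooks.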

Above is the response.

This is the case. If you access etrust.pacifictrustees.com right now, you're able to access it albeit it being a public connection.

1 Like

This is not the case.

Your check says your port 80 works internally.

So it works (it has a correct http answer - 301 instead of 404).

So it's a firewall / routing problem you have to find and fix.

PS: Checking port 80 - same result: Timeout.

PPS: And you have two subdomains - etrust and etdemo.

1 Like

Of course you also have the alternative of moving to dns-01 authentication. But that's probably a very big overkill.

1 Like

I’m still getting port 80 closed. Both subdomains same ip 211.24.110.124 so my checking both was overkill. I agree completely with @JuergenAuer. HTTPS works albeit with old certificates.

But the thing is, I have not changed the firewall configuration in some time. If it helps, I updated the Ubuntu server. Following that, I installed and uninstalled apache after realizing it would cause a port conflict.

Where can I find this 301 value? Sorry, I'm new to web server troubleshooting.

1 Like

Please tell us what’s going on with your port 80:

ss -tlpn | grep :80

2 Likes

Here it is

1 Like

Really? Can you access the etrust website using https?

1 Like

So, something is listening on port 80. Something inside a docker container.

This means you cannot make other servers bind to the same port, be it apache or certbot --standalone.

Check that container and see if you can move it on a different port.

1 Like
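The `ss -tlpn` check and the conclusion drawn from it (something inside a docker container owns port 80, so neither apache nor certbot --standalone can bind there) as an added example that is not part of the thread: a POSIX shell script that parses `ss -tlpn` output, lists which process owns the listener on a given port for both address families, and turns that into the same interpretation the reply above gives. The embedded ss output is constructed for the example (process names, pids and the extra 8080 listener are made up); the column layout follows what ss prints on Ubuntu 18.04.

```shell
#!/bin/sh
# Added example (not from the thread): interpret `ss -tlpn` for the renewal
# problem. A docker-proxy entry means a container has the port published, so
# no other server (apache, certbot --standalone) can bind it on the host.
set -eu

# Constructed sample of `ss -tlpn` output (names and pids are made up).
SAMPLE_SS='State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:80          0.0.0.0:*          users:(("docker-proxy",pid=1234,fd=4))
LISTEN  0       128     [::]:80             [::]:*             users:(("docker-proxy",pid=1240,fd=4))
LISTEN  0       511     0.0.0.0:443         0.0.0.0:*          users:(("nginx",pid=900,fd=6),("nginx",pid=901,fd=6))
LISTEN  0       128     127.0.0.1:8080      0.0.0.0:*          users:(("python3",pid=2000,fd=3))'

# listeners_on PORT < ss-output  ->  one line "local-address process" per listener.
# Matches ":PORT" at the end of the local address, so 8080 is not mistaken for 80.
listeners_on() {
  awk -v port="$1" '
    $1 == "LISTEN" && $4 ~ (":" port "$") {
      proc = "unknown"
      if (match($0, /"[^"]+"/)) proc = substr($0, RSTART + 1, RLENGTH - 2)
      print $4, proc
    }'
}

# port_verdict PORT < ss-output  ->  one-line interpretation for certbot.
port_verdict() {
  found=$(listeners_on "$1")
  if [ -z "$found" ]; then
    echo "nothing owns :$1 - webroot cannot work, but standalone could bind here (if the firewall allows it)"
  elif printf '%s\n' "$found" | grep -q 'docker-proxy$'; then
    echo "docker-proxy owns :$1 - a container is published there; apache or certbot --standalone cannot bind; serve the challenge from that container's webroot or move it to another port"
  else
    owners=$(printf '%s\n' "$found" | awk '{print $2}' | sort -u | tr '\n' ' ')
    echo "${owners}owns :$1 - the webserver itself listens here, point the webroot plugin at its document root"
  fi
}

# Live usage on the server (root is needed to see process names):
#   ss -tlpn | port_verdict 80
printf '%s\n' "$SAMPLE_SS" | port_verdict 80
printf '%s\n' "$SAMPLE_SS" | port_verdict 443
```

Seeing both `0.0.0.0:80` and `[::]:80` in the output matters: the CA validates over IPv6 when it can, so a listener that only exists for one family is a second way to end up with the same "Timeout during connect" error.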