Certificate Renewal

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:etrust.pacifictrustees.com

I ran this command:/mnt/utils/certbot-auto renew

It produced this output: Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/etdemo.pacifictrustees.com.conf


Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for etdemo.pacifictrustees.com
Waiting for verification…
Challenge failed for domain etdemo.pacifictrustees.com
http-01 challenge for etdemo.pacifictrustees.com
Cleaning up challenges
Attempting to renew cert (etdemo.pacifictrustees.com) from /etc/letsencrypt/renewal/etdemo.pacifictrustees.com.conf produced an unexpected error: Some challenges have failed… Skipping.


Processing /etc/letsencrypt/renewal/etrust.pacifictrustees.com.conf


Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for etrust.pacifictrustees.com
Waiting for verification…
Challenge failed for domain etrust.pacifictrustees.com
http-01 challenge for etrust.pacifictrustees.com
Cleaning up challenges
Attempting to renew cert (etrust.pacifictrustees.com) from /etc/letsencrypt/renewal/etrust.pacifictrustees.com.conf produced an unexpected error: Some challenges have failed… Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/etdemo.pacifictrustees.com/fullchain.pem (failure)
/etc/letsencrypt/live/etrust.pacifictrustees.com/fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/etdemo.pacifictrustees.com/fullchain.pem (failure)
/etc/letsencrypt/live/etrust.pacifictrustees.com/fullchain.pem (failure)


2 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: etdemo.pacifictrustees.com
    Type: connection
    Detail: Fetching
    http://etdemo.pacifictrustees.com/.well-known/acme-challenge/kEq_JXt3LyEM69UmOGOVgkDWLbcj-5s1VteD_9ixIBw:
    Timeout during connect (likely firewall problem)

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

  • The following errors were reported by the server:

    Domain: etrust.pacifictrustees.com
    Type: connection
    Detail: Fetching
    http://etrust.pacifictrustees.com/.well-known/acme-challenge/dm9Hvm-ztg8YzPXHNUnzwZKpvMsiOyQBFOoQortZKxE:
    Timeout during connect (likely firewall problem)

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

My web server is (include version): nginx/1.14.0 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-112-generic x86_64)

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): Wix

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.27.0

2 Likes

Is port 80 open to that IP address? Because I’m getting a timeout too on HTTP (port 80), but HTTPS (port 443) is connecting properly.

2 Likes

Port 80 is closed. We have closed it due to our firewall permissions.

2 Likes

An open port 80 is required for the http-01 challenge. The webroot plugin uses this challenge exclusively.

2 Likes

Alright let me open up port 80 and try it again

3 Likes

I’ve opened up port 80, but its still giving me the same error. I double checked the open port in cmd using telnet btw

2 Likes

Hi @LJW

there is no answer - see https://check-your-website.server-daten.de/?q=etdemo.pacifictrustees.com#url-checks

Your https answers, your http not.

Domainname Http-Status redirect Sec. G
http://etdemo.pacifictrustees.com/ 211.24.110.124 -14 10.023 T
Timeout - The operation has timed out
https://etdemo.pacifictrustees.com/ 211.24.110.124 GZip used - 1124 / 3603 - 68,80 % Inline-JavaScript (∑/total): 5/0 Inline-CSS (∑/total): 1/814 200 Html is minified: 207,91 % 6.750 N
Certificate error: RemoteCertificateChainErrors
small visible content (num chars: 42)
PacT Online Platform Login Forget Password
http://etdemo.pacifictrustees.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 211.24.110.124 -14 10.016 T
Timeout - The operation has timed out

So

  • your http doesn’t work internal (or)
  • http works internal, but there is a blocking firewall / .htaccess / another thing

Works http from that machine?

curl http://etdemo.pacifictrustees.com/.well-known/acme-challenge/1234

should have a correct http status 404 - Not Found.

2 Likes

According to my vendor, that website isn’t functional. I used telnet and it shows its open.

1 Like

telnet is port 23…

Is your webserver listening on port 80?

If it isn’t, you should move to “Authenticator standalone” and add the proper hooks, like:

certbot renew --cert-name $CERT_NAME \
              --standalone \
              --pre-hook "command to open firewall on 80" \
              --post-hook "command to close firewall on 80" \
              --deploy-hook "cmd to reload the webserver"

Where $CERT_NAME is a certificate name you get from certbot certificates

Don’t forget ipv6 when opening/closing firewalls, Let’s Encrypt doesn’t like to use ipv4 when it can avoid it.

1 Like

Above is the response.

This is the case. If you access etrust.pacifictrustees.com right now, you’re able to access it albeit it being a public connection.

1 Like

This is not the case.

Your check says, your port 80 works internal.

So it works (it has a correct http answer - 301 instead of 404).

So it’s a firewall / routing problem you have to find and fix.

PS: Checking port 80 - same result: Timeout.

PPS: And you have two subdomains - etrust and edemo.

2 Likes

Of course you also have the alternative of moving to dns-01 authentication. But that’s probably a very big overkill.

1 Like

I’m still getting port 80 closed. Both subdomains same ip 211.24.110.124 so my checking both was overkill. I agree completely with @JuergenAuer. HTTPS works albeit with old certificates.

1 Like

But the thing is, I have not changed the firewall configuration in some time. If it helps, I updated the Ubuntu server. Following that, I installed and uninstalled apache after realizing it will cause a port conflict

Where can I find this 301 value. Sorry I’m new to web server troubleshooting

1 Like

Please tell us what’s going on with your port 80:

ss -tlpn | grep :80 
2 Likes

Here it is

1 Like

Really? Can you access the etrust website using https?

1 Like

So, something is listening on port 80. Something inside a docker container.

This means you cannot make other servers bind to the same port, be it apache or certbot --standalone.

Check that container and see if you can move it on a different port.

1 Like