Certificate renewal

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: stjuderedcap.schoolofstjude.org

I ran this command: certbot renew

It produced this output: Timeout during connect (likely firewall problem)

My web server is (include version): wamp server 3.2.6-64bit

The operating system my web server runs on is (include version): Windows Server 2019 datacenter

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.2.0

Someone has blocked port 80, which is preventing the HTTP Challenge from completing.

Your port 443 (HTTPS) is fine. It is just port 80 that is blocked.

4 Likes

Hi @tarimon, and welcome to the LE community forum :slight_smile:

HTTP authentication requires TCP port 80 to be opened and it should be allowed to reach the ACME client [certbot].

Something must have changed since the cert was issued on March 29th.

5 Likes

Seems port 80 remains unavailable to the World Wide Web.

PORT    STATE    SERVICE
80/tcp  filtered http
443/tcp open     https

:face_with_monocle:

5 Likes

Agree. But, they got a fresh cert 2 days ago so they may have opened it to renew and then closed again.

Hopefully they have automated that or at least keep very good notes :slight_smile:

5 Likes

Hello Mike,

Thank you for your support, and yes, although I have subscribed for reminders before expirations, I would like to eliminate the manual process and automate this.

Our architecture is a Windows server running a Wamp server with Apache.

I initially used Certbot with: certbot -d stjuderedcap.schoolofstjude.org --manual --preferred-challenges dns certonly

The above worked.

Now I am trying to automate it with a manual authentication hook.

Why that one? I think using --webroot method would be easier. If you need something to open and close port 80 automatically you could use the --pre-hook and --post-hook.

You have Route53 as your DNS provider so you could use a DNS Challenge instead. That avoids opening port 80 but is often more difficult to automate. And, I don't remember if Certbot supports the Route53 plug-in on Windows. I don't think it does but I'm not certain.
For that you may have to look at other ACME Clients designed for Windows. Certify the Web is a good option.

7 Likes
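The --pre-hook/--post-hook approach suggested in the reply above, sketched as an added example that is not part of the original thread or of Certbot itself. It assumes the block on port 80 is enforced by Windows Defender Firewall on the server itself; the script name, rule name and C:\scripts path are constructed for illustration.

```powershell
# Set-AcmePort80.ps1 (hypothetical name): added example, not from the thread.
# Opens TCP 80 only for the renewal window and removes the rule afterwards.
# Assumption: the filter on port 80 is Windows Defender Firewall on this host.
# An upstream firewall or cloud security group needs its own change.
# Run elevated: the NetSecurity cmdlets require administrator rights.
#
# Intended use (paths are constructed):
#   certbot renew `
#     --pre-hook  "powershell -NoProfile -File C:\scripts\Set-AcmePort80.ps1 -Action Open" `
#     --post-hook "powershell -NoProfile -File C:\scripts\Set-AcmePort80.ps1 -Action Close"
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('Open', 'Close')]
    [string]$Action
)

$ErrorActionPreference = 'Stop'
$ruleName = 'ACME HTTP-01 temporary (certbot)'   # constructed rule name

# Look up the temporary rule; a missing rule is not an error here.
$existing = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue

switch ($Action) {
    'Open' {
        if (-not $existing) {
            New-NetFirewallRule -DisplayName $ruleName `
                -Direction Inbound -Protocol TCP -LocalPort 80 `
                -Action Allow -Profile Any | Out-Null
        }
        # With --webroot, Apache must answer on port 80. Warn when nothing
        # is listening, because an open firewall alone will not pass HTTP-01.
        $listener = Get-NetTCPConnection -LocalPort 80 -State Listen `
            -ErrorAction SilentlyContinue
        if (-not $listener) {
            Write-Warning 'No process is listening on TCP 80; the HTTP challenge will fail.'
        }
    }
    'Close' {
        # Remove only the rule this script created, leaving other rules alone.
        if ($existing) { $existing | Remove-NetFirewallRule }
    }
}
```

Running the script with -Action Close a second time is harmless, so it can also be scheduled separately as a safety net in case a renewal run is interrupted before the post-hook fires.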

I'd think so too...
But that implies not using --standalone which implies something else would be listening on port 80.

Sadly, I still don't see anything listening on port 80 now:

curl -Ii http://stjuderedcap.schoolofstjude.org/
curl: (56) Recv failure: Connection reset by peer

So, my questions are:

  • Will port 80 be opened?
  • If so, what will be listening?

4 Likes

Yeah, my bad. I thought their original request was HTTP Challenge from error on first post but I now see it was a manual DNS Challenge (from post #6).

So, automating that may need a different ACME Client because I am pretty sure the Route53 plug-in is not supported by Certbot on Windows.

Certify the Web includes Route53 support (link here)

This seems easier than writing your own manual Auth hook. Or open port 80 for Certbot --webroot

@rg305 Do you know for sure about the DNS plug-ins on Windows? I'm only like 80% sure Certbot does not support them there.

3 Likes

I was leaning towards not having to use the DNS plugin.
And, since certbot for Windows and Apache don't play well together...
I was leaning towards --webroot as well.

But we can only take the horse to water - we can't make him drink it.

2 Likes
