Certonly standalone plugin challenge error

Hello Let's Encrypt community!

I was trying to renew a certificate with the command certbot renew --standalone that used to work for me. This time it does not work as I have a challenge validation error.
Note that I never used the manual http or webroot plugins (server has no .well-known).
I noticed that my certificate was actually expired already. I thought the renewal would not work on expired certificates, so I tried to create a new one with the command certbot certonly --standalone.
The issue is that I have the same error with this command. From my understanding of the documentation, certonly --standalone should not try to validate an acme-challenge, so I am surprised by this error.
Also note that my port 80 is not in use.
Could I be doing something wrong that prevents me from using the standalone feature?

Thank you for the help!

My domain is: wowgathering.fr

I ran this command: certbot certonly --standalone

It produced this output:
Renewing an existing certificate for wowgathering.fr

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
Domain: wowgathering.fr
Type: connection
Detail: Fetching http://wowgathering.fr/.well-known/acme-challenge/QiYh6lc2tDMz10VbCBNcxsurK30f2BiTFZg-qLc9yVQ: Error getting validation data

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.
Some challenges have failed.

My web server is: Nodejs Express (node version is 14.17.0)

The operating system my web server runs on is: Centos 8

My hosting provider is: OVH

I can login to a root shell on my machine: yes

I'm using a control panel to manage my site: no

The version of my client is: certbot 1.21.0


From which documentation did you infer that? Maybe the documentation is lacking clarity, because the whole purpose of the standalone plugin is validation of the acme-challenge.

Currently there is already a webserver listening on port 80, probably your Node.js Express server. Did you stop your Express server before running certbot? And are you running certbot on the same server as where your domain name points to?


Hello @Osiris thank you for your reply!

Indeed, I ran the server a few minutes ago, which is why you saw port 80. Yes, I did stop the server before running certbot. Also yes, I am running certbot from the same server as the one my domain points to.

Regarding my possible misunderstanding, I looked at User Guide — Certbot 1.21.0 documentation. It says that this mode does not even need an existing server.


It says "server software" and with that the documentation means e.g. an Apache webserver or nginx webserver. The standalone plugin itself will spin up a temporary webserver to facilitate the http-01 challenge through port 80.

So if the challenge fails, it means the request from the world wide web on port 80 is not properly being forwarded to the standalone plugin listening on port 80 itself.

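The reasoning in the reply above (the standalone plugin runs its own temporary web server on port 80, so a CA-side "Error getting validation data" means the request never reached it) can be turned into a preflight check. The script below is an added example, not part of this thread and not Certbot's code: it checks whether port 80 is already taken (an Express app still running), then serves a constructed acme-challenge token from a throwaway server and fetches it over loopback. If that round trip succeeds but the CA still fails, the blocker is upstream of the host (firewall, NAT, or DNS), which is what turned out to be the case here.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import urlopen

CHALLENGE_PATH = "/.well-known/acme-challenge/"
TOKEN = "constructed-token"                     # constructed, not a real ACME token
KEY_AUTHZ = TOKEN + ".constructed-thumbprint"   # constructed key authorization

def port_is_free(port, host="0.0.0.0"):
    """True if nothing (e.g. a still-running Express app) is bound to host:port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((host, port))
            return True
        except OSError:
            return False

def occupy_port(host="127.0.0.1"):
    """Stand in for a web server that was not stopped; returns the listening socket."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    s.listen(1)
    return s

class ChallengeHandler(BaseHTTPRequestHandler):
    """Minimal stand-in for the standalone plugin's temporary web server."""
    def do_GET(self):
        if self.path != CHALLENGE_PATH + TOKEN:
            return self.send_error(404)
        body = KEY_AUTHZ.encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

def local_challenge_roundtrip(port=0):
    """Serve the token and fetch it over loopback; True means the host side works."""
    srv = HTTPServer(("127.0.0.1", port), ChallengeHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        url = f"http://127.0.0.1:{srv.server_port}{CHALLENGE_PATH}{TOKEN}"
        with urlopen(url, timeout=5) as resp:
            return resp.read().decode() == KEY_AUTHZ
    finally:
        srv.shutdown()
        srv.server_close()
```

Run `port_is_free(80)` and `local_challenge_roundtrip()` before `certbot certonly --standalone`; a free port plus a successful loopback fetch narrows a later CA failure to the network path in front of the machine.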

Thank you for the clarification on the standalone process. It made me think it could then be a firewall issue: that was the case. Marking your answer as solution. Have a good day!

