Changed local IP, now certs won't renew

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: emby.remrah.com

I ran this command: certbot renew

It produced this output:

root@emby:/etc/letsencrypt/live/emby.remrah.com# certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/emby.remrah.com.conf


Renewing an existing certificate for emby.remrah.com
Failed to renew certificate emby.remrah.com with error: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type :: too many failed authorizations (5) for "emby.remrah.com" in the last 1h0m0s, retry after 2025-05-06 19:46:21 UTC: see Rate Limits - Let's Encrypt


All renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/emby.remrah.com/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): emby, Version [4.8.11.0], not using a webserver, just the certificate

The operating system my web server runs on is (include version): Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-215-generic x86_64)

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 4.0.0

I know changing the local IP address shouldn't make any difference. The public one hasn't changed.

So it looks like the firewall, but here are the rules. Only enabled when renewing. I even put the server in the DMZ to test, but that failed too.

Firewall >> Edit Filter Set >> Edit Filter Rule

Filter Set 2 Rule 4
Enable
Comments Lets encryptIn
Schedule Profile None,None,None,None
Clear sessions when schedule is ON
Direction
WAN -> LAN/RT/VPN

Source IP/Country Any

Destination IP/Country <emby's private address>

Service Type Any

Fragments Don't Care
Application Action/Profile Syslog
Filter Pass Immediately

Firewall >> Edit Filter Set >> Edit Filter Rule

Filter Set 2 Rule 5
Enable
Comments Lets encryptOut
Schedule Profile None,None,None,None
Clear sessions when schedule is ON
Direction
LAN/RT/VPN -> WAN

Source IP/Country <Emby's private IP address>

Destination IP/Country Any

Service Type Any

Fragments Don't Care
Application Action/Profile Syslog
Filter Pass Immediately


My private IP is 193.37.226.x (old reasons), but it worked fine until this renewal.

here's the log

letsencrypt.log.txt (522.3 KB)

The only thing that's changed is the security updates I applied.

Does anyone have any ideas?

Thanks

It would if you have a router or something that directs HTTP(s) requests from your public IP to the private one.

I tried HTTP and HTTPS tests to your domain and can't reach it with either. This was just your "home" page so is not related to Let's Encrypt. Are you able to connect to your domain from outside your own private network? Like a mobile phone with wifi disabled?

The Let's Debug site is helpful to test HTTP connections: Let's Debug

This tests globally so looks like overall connect failure not just certain geographic locations: Check website performance and response : Check host - online website monitoring

2 Likes

Hi Mike,

It's an Emby server, so it doesn't have anything on port 80 or 443. I opened up both ports to the web, but obviously it wasn't working, so I changed the NAT to send 80 and 443 to the server and it worked first time. Strange how opening the firewall, even putting it in the DMZ, didn't work, but changing the NAT did.

Thank you for your help. The debug web page pointed me in the right direction. Thank you.

Why would that be a strange outcome? You used the Certbot --standalone option to get the cert. That uses an HTTP Challenge. To satisfy that challenge the Let's Encrypt validation server sends an HTTP request (port 80) to your domain (server) and needs a proper reply.

The request coming to you on port 80 must reach the machine where Certbot is running so its standalone server can reply properly.

When you changed your internal IP you needed to update your NAT so it got sent to Certbot.

See HTTP Challenge details: Challenge Types - Let's Encrypt

4 Likes
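The exchange the reply above describes, as an added example that is not part of this thread and not certbot or Let's Encrypt code: a small Python model of the HTTP-01 challenge. One side plays certbot --standalone (answering only the token path under /.well-known/acme-challenge/, which is what the validator fetches on port 80); the other side plays the CA's validator (fetching that path and comparing the body to the key authorization, token + "." + base64url(SHA-256(account JWK thumbprint)) per RFC 8555 and RFC 7638). It runs entirely on loopback; the account JWK values, the token and the hostnames are constructed stand-ins, and the "wrong machine" listener is a stand-in for a NAT rule that still forwards port 80 to the old internal address. Any outcome other than "valid" is a failed authorization and counts against the per-hostname limit quoted in the error at the top of the thread (5 in an hour), which is why it pays to confirm port 80 reaches the certbot machine before re-running certbot renew.

```python
"""Offline model of the HTTP-01 exchange between certbot --standalone and
the Let's Encrypt validator. Added example, not certbot/Let's Encrypt code;
the account key, token and listeners below are constructed for the demo."""
import base64
import hashlib
import http.server
import json
import threading
import urllib.error
import urllib.request

ACME_PATH = "/.well-known/acme-challenge/"
# RFC 7638: the thumbprint covers only the required JWK members, sorted by name,
# so extra members such as "kid" or "alg" must not change it.
REQUIRED_JWK_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}


def jwk_thumbprint(jwk):
    members = {k: jwk[k] for k in REQUIRED_JWK_MEMBERS[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":")).encode()
    digest = hashlib.sha256(canonical).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def key_authorization(token, account_jwk):
    """Body certbot must serve: <token>.<base64url(SHA-256(JWK thumbprint))>."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def start_listener(responses):
    """Loopback HTTP listener. `responses` maps a request path to a body;
    any other path gets 404, like an app that knows nothing about ACME."""
    class Handler(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            body = responses.get(self.path)
            if body is None:
                self.send_error(404)
                return
            data = body.encode()
            self.send_response(200)
            self.send_header("Content-Type", "text/plain")
            self.send_header("Content-Length", str(len(data)))
            self.end_headers()
            self.wfile.write(data)

        def log_message(self, *args):  # keep the demo quiet
            pass

    server = http.server.HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def validate_http01(host, port, token, expected, timeout=5):
    """What the CA side does: GET the token path and compare the body.
    Returns (status, detail); only "valid" satisfies the challenge."""
    url = f"http://{host}:{port}{ACME_PATH}{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode(errors="replace").strip()
    except urllib.error.HTTPError as exc:      # reached a server, wrong answer
        return ("unauthorized", f"HTTP {exc.code}")
    except (urllib.error.URLError, OSError) as exc:  # nothing reachable on port
        return ("connection", str(exc))
    if body != expected:
        return ("unauthorized", f"unexpected body {body[:40]!r}")
    return ("valid", body)


def demo():
    """Constructed scenario: port 80 forwarded to the certbot machine, to a
    host that only runs a media server, or not forwarded at all."""
    account = {"kty": "EC", "crv": "P-256", "x": "constructed-x",
               "y": "constructed-y", "kid": "ignored-by-thumbprint"}
    token = "constructed-token-abc123"
    keyauth = key_authorization(token, account)

    certbot_box = start_listener({ACME_PATH + token: keyauth})
    other_box = start_listener({})  # stale NAT target: no ACME responder here
    results = {
        "nat_to_certbot": validate_http01(
            "127.0.0.1", certbot_box.server_address[1], token, keyauth)[0],
        "nat_to_other_host": validate_http01(
            "127.0.0.1", other_box.server_address[1], token, keyauth)[0],
    }
    closed_port = other_box.server_address[1]
    for srv in (certbot_box, other_box):
        srv.shutdown()
        srv.server_close()
    results["no_forward"] = validate_http01(
        "127.0.0.1", closed_port, token, keyauth, timeout=2)[0]
    return results


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case:18s} -> {status}")
```

Run against a real hostname, validate_http01 is only meaningful from outside the LAN (a phone off Wi-Fi, or the Let's Debug service mentioned earlier in the thread), because many home routers do not hairpin a connection from the LAN to their own public address and the result from inside can differ from what the CA sees. certbot renew --dry-run exercises the same path against the staging environment, whose failed-authorization budget is separate from production.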