Dry run successful but production run fails with same args (--expand)

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
mll7.com
mserv.pw
mserv.top

I ran this command:

Dry run

certbot certonly --dry-run --staging --break-my-certs --expand -n --webroot -w /var/www/html/www -d mll7.com --webroot -w /var/www/html/www -d www.mll7.com --webroot -w /var/www/html/www -d vpn.mll7.com --webroot -w /var/www/html/www -d mail.mll7.com --webroot -w /var/www/html/www -d meet.mll7.com --webroot -w /var/www/html/www -d jonathanfalk.mll7.com --webroot -w /var/www/html/www -d js.mll7.com --webroot -w /var/www/html/www -d mserv.pw --webroot -w /var/www/html/www -d www.mserv.pw --webroot -w /var/www/html/www -d vpn.mserv.pw --webroot -w /var/www/html/www -d mail.mserv.pw --webroot -w /var/www/html/www -d meet.mserv.pw --webroot -w /var/www/html/www -d jonathanfalk.mserv.pw --webroot -w /var/www/html/www -d js.mserv.pw --webroot -w /var/www/html/www -d mserv.top --webroot -w /var/www/html/www -d www.mserv.top --webroot -w /var/www/html/www -d vpn.mserv.top --webroot -w /var/www/html/www -d mail.mserv.top --webroot -w /var/www/html/www -d meet.mserv.top --webroot -w /var/www/html/www -d jonathanfalk.mserv.top --webroot -w /var/www/html/www -d js.mserv.top

Production run

certbot certonly --expand --rsa-key-size=4096 -n --webroot -w /var/www/html/www -d mll7.com --webroot -w /var/www/html/www -d www.mll7.com --webroot -w /var/www/html/www -d vpn.mll7.com --webroot -w /var/www/html/www -d mail.mll7.com --webroot -w /var/www/html/www -d meet.mll7.com --webroot -w /var/www/html/www -d jonathanfalk.mll7.com --webroot -w /var/www/html/www -d js.mll7.com --webroot -w /var/www/html/www -d mserv.pw --webroot -w /var/www/html/www -d www.mserv.pw --webroot -w /var/www/html/www -d vpn.mserv.pw --webroot -w /var/www/html/www -d mail.mserv.pw --webroot -w /var/www/html/www -d meet.mserv.pw --webroot -w /var/www/html/www -d jonathanfalk.mserv.pw --webroot -w /var/www/html/www -d js.mserv.pw --webroot -w /var/www/html/www -d mserv.top --webroot -w /var/www/html/www -d www.mserv.top --webroot -w /var/www/html/www -d vpn.mserv.top --webroot -w /var/www/html/www -d mail.mserv.top --webroot -w /var/www/html/www -d meet.mserv.top --webroot -w /var/www/html/www -d jonathanfalk.mserv.top --webroot -w /var/www/html/www -d js.mserv.top

It produced this output:

Dry run

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for jonathanfalk.mll7.com
http-01 challenge for jonathanfalk.mserv.pw
http-01 challenge for jonathanfalk.mserv.top
http-01 challenge for js.mll7.com
http-01 challenge for js.mserv.pw
http-01 challenge for js.mserv.top
http-01 challenge for mail.mll7.com
http-01 challenge for mail.mserv.pw
http-01 challenge for mail.mserv.top
http-01 challenge for meet.mll7.com
http-01 challenge for meet.mserv.pw
http-01 challenge for meet.mserv.top
http-01 challenge for mll7.com
http-01 challenge for mserv.pw
http-01 challenge for mserv.top
http-01 challenge for vpn.mll7.com
http-01 challenge for vpn.mserv.pw
http-01 challenge for vpn.mserv.top
http-01 challenge for www.mll7.com
http-01 challenge for www.mserv.pw
http-01 challenge for www.mserv.top
Using the webroot path /var/www/html/www for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:

  • The dry run was successful.
    $

Production run

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for js.mll7.com
http-01 challenge for js.mserv.pw
http-01 challenge for js.mserv.top
Using the webroot path /var/www/html/www for all unmatched domains.
Waiting for verification...
Challenge failed for domain js.mll7.com
Challenge failed for domain js.mserv.pw
Challenge failed for domain js.mserv.top
http-01 challenge for js.mll7.com
http-01 challenge for js.mserv.pw
http-01 challenge for js.mserv.top
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

My web server is (include version):
apache2 2.4.41
nginx 1.18.0

The operating system my web server runs on is (include version):
Ubuntu 20.04.2 LTS

My hosting provider, if applicable, is:
N/A

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
$ certbot --version
certbot 0.40.0

Since the --dry-run, and my test to your sites, were successful, but the production tests failed...
With:

I can only presume that there is some inline system that is blocking access from the production IPs.
Fail2ban ?
Geo-Location / Geo-Fencing ?

1 Like

Yes, I think it is probably the same thing as the previous thread, where some of the VA IP addresses were getting into /etc/hosts.deny somehow.

I had disabled firewall, HostsDeny, and faill2ban ...ran the commands back to back...

Could you show your webserver access log for just:

certbot certonly --webroot -w /var/www/html/www -d js.mserv.top
1 Like

3.19.56.43 - - [05/Jun/2021:19:24:17 -0500] "GET /.well-known/acme-challenge/ha4wUcZBG6IvdGnAI2MGK1SYNzuWopY5cto5iL9qgXo HTTP/1.1" 200 336 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
18.184.114.154 - - [05/Jun/2021:19:24:17 -0500] "GET /.well-known/acme-challenge/ha4wUcZBG6IvdGnAI2MGK1SYNzuWopY5cto5iL9qgXo HTTP/1.1" 200 336 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
52.39.4.59 - - [05/Jun/2021:19:24:17 -0500] "GET /.well-known/acme-challenge/ha4wUcZBG6IvdGnAI2MGK1SYNzuWopY5cto5iL9qgXo HTTP/1.1" 200 334 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"

Looks like you are missing the primary VA again - 64.78.149.164.

1 Like

Oh yes, you are right, I missed one firewall... sorry for bothering you

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.