Error renewing Certbot certificate on Windows Server

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: esus.iacanga.sp.gov.br

I ran this command: certbot renew

It produced this output: Renewing an existing certificate for esus.iacanga.sp.gov.br

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
Domain: esus.iacanga.sp.gov.br
Type: connection
Detail: 170.238.91.194: Fetching http://esus.iacanga.sp.gov.br/.well-known/acme-challenge/0KMCfNKV4wU3j7Bti8hIuvu4QSpMbiwfq_hbf1aVvUw: Error getting validation data

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

Failed to renew certificate esus.iacanga.sp.gov.br with error: Some challenges have failed.


All renewals failed. The following certificates could not be renewed:
C:\Certbot\live\esus.iacanga.sp.gov.br\fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile C:\Certbot\log\letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): iacanga.sp.gov.br

The operating system my web server runs on is (include version): Windows Server 2019 Standard

My hosting provider, if applicable, is:iacanga.sp.gov.br

I can login to a root shell on my machine (yes or no, or I don't know): I don't know.

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): I don't use one; the service is esus-pec.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot (beta) 2.6.0

Ports 80 and 443 are open on both the local server firewall and the edge router.

Could you please help us with certificate renewal?

Well, port 80 doesn't look open from the Internet.

Your domain needs to be working before you can get a certificate for it.

(And this isn't related to your problem, but certbot on Windows has been discontinued, and you should probably work on switching to something like simple-acme or Certify The Web at some point.)

4 Likes

Whoops, just realized that you are using standalone mode. Can you say more about what's running on this server, if it doesn't have a web site already running and you need to use standalone mode?

Run the certbot renew with --debug-challenges so that it will pause while the temporary web server is running, and while it's paused, try that https://check-host.net/ with the HTTP button to test connectivity from the rest of the world.

4 Likes

Good morning, petercooperjr.

This is a basic healthcare software application that is installed locally on the server, but access is via web browser (ESUS-PEC).

We were asked to configure the application for HTTPS access so we could integrate it with GOV.BR.

We followed the steps in these links: Configuração HTTPS Manual (Windows) | Ministério da Saúde

We followed the steps in the link, opening ports 80 and 443, and opening openssl and certbot.

We managed to get the application working via HTTPS and it functioned for 90 days.

However, the problem we are facing is the certificate renewal through CERTBOT. I checked the directory C:\Certbot\live\esus.iacanga.sp.gov.br

and they are not renewing automatically as they should.

I will attach images of the application and the error that occurs when accessing it.

External access link:

https://esus.iacanga.sp.gov.br/ or https://170.238.91.194

Those manual installation instructions seem poorly written to me, or at least very out of date. They shouldn't be recommending certbot for use on Windows, especially if one then needs to run openssl commands to translate it to the format used by the actual application. Having it be a separate scheduled task that runs monthly that one hopes lines up with when certbot renews, rather than running it as a certbot deploy hook, really doesn't make any sense. I'm also not understanding how they expect certbot in standalone mode to work if there is already a web server running on the system.

It looks like there's an "automated" process, can you use that instead?

Regardless, you'd need your system to first be replying on http port 80 in order for a certificate to be issued.

5 Likes
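The reply above recommends doing the openssl conversion as a certbot deploy hook instead of a separate monthly scheduled task. The script below is an added example of that pattern; it is not from the original thread, from certbot, or from the Ministério da Saúde guide. Certbot runs a deploy hook only after a renewal actually succeeded and sets RENEWED_LINEAGE (the live directory of the renewed certificate) and RENEWED_DOMAINS in its environment. The PKCS#12 output format, the openssl path, the output directory and the password file are assumptions, because the thread never states which format the application expects.

```powershell
# Added example, not the thread's or certbot's own code: a certbot deploy hook
# that converts the freshly renewed PEM files with openssl. Register it once with
#   certbot renew --deploy-hook "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Certbot\deploy-esus.ps1"
# and certbot records the hook in the lineage's renewal configuration, so it runs
# on every later successful renewal and never on a failed one.

$ErrorActionPreference = 'Stop'

# Certbot exports these for deploy hooks; refuse to run outside that context.
$lineage = $env:RENEWED_LINEAGE
$domains = $env:RENEWED_DOMAINS
if (-not $lineage) { throw 'RENEWED_LINEAGE is not set: run this script only as a certbot deploy hook' }

$openssl = 'C:\Program Files\OpenSSL-Win64\bin\openssl.exe'   # assumption: openssl install path
$outDir  = 'C:\esus\certs'                                     # assumption: where the application reads its certificate
$pfx     = Join-Path $outDir 'esus.pfx'                        # assumption: application wants a PKCS#12 bundle
$passFile = Join-Path $outDir 'pfx-password.txt'               # assumption: password kept out of the script and out of the task definition

if (-not (Test-Path $openssl)) { throw "openssl not found at $openssl" }
if (-not (Test-Path $outDir))  { New-Item -ItemType Directory -Path $outDir | Out-Null }
$pfxPass = (Get-Content $passFile -Raw).Trim()

$fullchain = Join-Path $lineage 'fullchain.pem'
$privkey   = Join-Path $lineage 'privkey.pem'

# Write to a temp file first so a half-written bundle never replaces a working one.
$tmp = "$pfx.tmp"
& $openssl pkcs12 -export -in $fullchain -inkey $privkey -out $tmp -passout "pass:$pfxPass"
if ($LASTEXITCODE -ne 0) { throw "openssl pkcs12 export failed with exit code $LASTEXITCODE" }
Move-Item -Path $tmp -Destination $pfx -Force

# The bundle contains the private key: strip inherited ACLs and grant only SYSTEM and Administrators.
icacls $pfx /inheritance:r /grant:r 'SYSTEM:F' 'Administrators:F' | Out-Null

# Restart or reload the application's service here if it does not pick up the new
# file by itself; the service name is not given in the thread, so none is assumed.

"Converted certificate for $domains from $lineage to $pfx"
```

Because certbot only invokes the hook after a successful renewal, the converted bundle can no longer drift out of step with certbot's own schedule, which is the failure mode of an independent monthly task.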

@petercooperjr I managed to solve it here...... it really was an error in the inbound firewall rule. I had created inbound rule 80 for the application server, but for the destination port, instead of entering 80, I ended up entering 443...... I corrected that and the certificate is renewing again.

Thanks for the great help.

2 Likes
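The advice earlier in the thread was to pause `certbot renew --debug-challenges` and test port 80 from outside, and the final post shows why: the inbound firewall rule existed, but its local port was 443 rather than 80. The script below is an added example, not from the original thread or from certbot, that audits the server-side half of that check in one go: which enabled inbound allow rules really cover TCP 80 (by port filter, not by rule name), which process is bound to the port, and whether a loopback HTTP request gets any answer. Run it in an elevated PowerShell while certbot is paused on the challenge. The domain and port are placeholders from the thread; the external test still has to come from outside (e.g. https://check-host.net/), since the edge router and any hairpin-NAT limitation are invisible from the server itself.

```powershell
# Added example (not the thread's or certbot's code). Assumes Windows Server with the
# NetSecurity module (2012 R2 or later) and certbot's standalone listener on TCP 80.

$Domain = 'esus.iacanga.sp.gov.br'   # assumption: the domain being renewed
$Port   = 80                         # the HTTP-01 challenge port

# True when a LocalPort filter ('Any', '80', '80,443', '1024-65535', ...) covers $Port.
function Test-PortFilterCovers {
    param([string[]]$LocalPort, [int]$Port)
    foreach ($token in ($LocalPort -split ',')) {
        $t = $token.Trim()
        if ($t -eq 'Any') { return $true }
        if ($t -match '^(\d+)-(\d+)$') {
            if ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
        } elseif ($t -match '^\d+$' -and [int]$t -eq $Port) { return $true }
    }
    return $false
}

# Enabled inbound Allow rules for TCP that really open $Port. Looking at the port
# filter instead of the display name is what would have exposed a rule named "80"
# whose local port was actually 443.
function Get-InboundAllowRule {
    param([int]$Port)
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow -ErrorAction Stop |
        ForEach-Object {
            $pf = $_ | Get-NetFirewallPortFilter
            if ($pf.Protocol -eq 'TCP' -and (Test-PortFilterCovers -LocalPort $pf.LocalPort -Port $Port)) {
                [pscustomobject]@{
                    Name      = $_.DisplayName
                    Profile   = $_.Profile          # a Domain-only rule does nothing on a Public interface
                    LocalPort = ($pf.LocalPort -join ',')
                }
            }
        }
}

# The process bound to $Port: certbot's python.exe in standalone mode, or whatever
# web server got there first (standalone mode cannot share the port with it).
function Get-PortListener {
    param([int]$Port)
    Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue |
        ForEach-Object {
            $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{ LocalAddress = $_.LocalAddress; Pid = $_.OwningProcess; Process = $p.ProcessName }
        }
}

# Loopback probe of the challenge path. Any HTTP status counts as success (404 is
# what certbot's standalone server returns for an unknown token); a socket error
# means nothing is bound, whatever the firewall rules say.
function Test-ChallengeEndpoint {
    param([int]$Port)
    $uri = "http://127.0.0.1:$Port/.well-known/acme-challenge/probe"
    try {
        $r = Invoke-WebRequest -Uri $uri -UseBasicParsing -TimeoutSec 5
        return "HTTP $($r.StatusCode) from $uri"
    } catch {
        if ($_.Exception.Response) { return "HTTP $([int]$_.Exception.Response.StatusCode) from $uri" }
        return "No listener answered at $uri ($($_.Exception.Message))"
    }
}

$rules = @(Get-InboundAllowRule -Port $Port)
if ($rules.Count) { "Inbound allow rules covering TCP ${Port}:"; $rules | Format-Table -AutoSize }
else { "No enabled inbound allow rule covers TCP $Port (check the rule's Local Port, not just its name)." }

$listeners = @(Get-PortListener -Port $Port)
if ($listeners.Count) { "Listening on TCP ${Port}:"; $listeners | Format-Table -AutoSize }
else { "Nothing is listening on TCP $Port; start 'certbot renew --debug-challenges' first and leave it paused." }

Test-ChallengeEndpoint -Port $Port
"Now request http://$Domain/.well-known/acme-challenge/probe from outside the network (e.g. https://check-host.net/)."
```

All three checks passing on the server only proves the host side; a router that forwards 443 but not 80, as the "port 80 doesn't look open from the Internet" reply pointed out, still fails validation, so the outside probe is the one that settles it.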