Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
The operating system my web server runs on is (include version):
My hosting provider, if applicable, is: Ubuntu 16.04
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.14.0
Port 80 is open but here I get the following findings:
Fatal: Check of /.well-known/acme-challenge/random-filename is blocked, http connection error. Creating a Letsencrypt certificate via http-01 challenge can't work. You need a running webserver (http) and an open port 80. If it's a home server + ipv4, perhaps a correct port forwarding port 80 extern ⇒ working port intern is required. Port 80 / http can redirect to another domain port 80 or port 443, but not other ports. If it's a home server, perhaps your ISP blocks port 80. Then you may use the dns-01 challenge. Trouble creating a certificate? Use https://community.letsencrypt.org/ to ask.
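The checker output above boils down to one question: does a file placed under the webroot's .well-known/acme-challenge/ directory actually come back over plain HTTP on port 80? The following script, added here as an example and not part of the thread or of certbot, does that same pre-flight check locally: it writes a random token, fetches it, compares the body, and reports a refused connection in the checker's own terms ("http connection error"). The temporary-directory server in the demo is constructed so the script runs without touching a real port 80; the webroot path and host you pass on a real system are your own.

```python
"""Pre-flight check for the http-01 challenge path (added example, not
Let's Encrypt's or certbot's own code)."""
import os
import secrets
import socket
import tempfile
import threading
import urllib.error
import urllib.request
from functools import partial
from http.server import HTTPServer, SimpleHTTPRequestHandler


def check_http01_path(webroot, host="127.0.0.1", port=80, timeout=5.0):
    """Return (ok, detail). ok is True only when the served body equals the
    token that was just written; detail names the failure class otherwise."""
    challenge_dir = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(challenge_dir, exist_ok=True)
    token = secrets.token_urlsafe(32)
    token_path = os.path.join(challenge_dir, token)
    with open(token_path, "w", encoding="ascii") as fh:
        fh.write(token)
    url = f"http://{host}:{port}/.well-known/acme-challenge/{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("ascii", errors="replace")
    except urllib.error.HTTPError as exc:
        # Port 80 answers, but not with the file: wrong DocumentRoot or vhost,
        # a redirect to a port other than 80/443, or an Alias hiding .well-known.
        return False, f"HTTP {exc.code} for {url}"
    except (urllib.error.URLError, socket.timeout, OSError) as exc:
        # Nothing accepted the TCP connection, or it was closed without a
        # response: firewall, missing port forwarding, or no listener on :80.
        return False, f"http connection error: {exc}"
    finally:
        os.remove(token_path)  # never leave stale tokens in the webroot
    if body.strip() != token:
        return False, "body does not match the token (another vhost or a catch-all page answered)"
    return True, "ok"


class _QuietHandler(SimpleHTTPRequestHandler):
    def log_message(self, *args):  # keep demo output to the check results
        pass


def serve_directory(directory, host="127.0.0.1"):
    """Throwaway HTTP server on an ephemeral port, so the demo never needs
    the real port 80. Returns (server, port)."""
    handler = partial(_QuietHandler, directory=directory)
    server = HTTPServer((host, 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def run_local_demo():
    """Constructed demo: the check passing against a local server; the same
    check once the listener is gone (the 'http connection error' case); and
    a 404 when the server's DocumentRoot is not the webroot we wrote to."""
    with tempfile.TemporaryDirectory() as webroot, tempfile.TemporaryDirectory() as other:
        server, port = serve_directory(webroot)
        served = check_http01_path(webroot, port=port)
        server.shutdown()
        server.server_close()
        refused = check_http01_path(webroot, port=port)
        server2, port2 = serve_directory(other)
        wrong_root = check_http01_path(webroot, port=port2)
        server2.shutdown()
        server2.server_close()
    return served, refused, wrong_root


if __name__ == "__main__":
    for result in run_local_demo():
        print(result)
```

On a real host, check_http01_path("/var/www/html", host="127.0.0.1") only proves that Apache serves the directory; run it from a machine outside your network with host set to your domain to also cover the firewall and port-forwarding layers the checker is complaining about.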
Thanks a lot for the quick response. I used Letsencrypt to make a certificate for the first time in January, and it worked perfectly when port 80 was allowed. Now with the same configuration, it is not working. Can you please guide, where should I look?
Thanks for your inputs. I think firewall rules were OK, but I could not find what the problem with my Apache was. But luckily I found a workaround: I used certbot certonly --standalone after stopping Apache, and the certificate was renewed without a problem.
That might be a workaround for getting a certificate, but doesn't fix your general Apache webserver problem.
For example, if (new) users go to your site by typing the address in the address bar without explicitly using https://, they'll get the same "Empty response" error in their browser as shown above. Only by explicitly typing https:// will users be able to go to your site.
I agree that it does look that way, but if running in --standalone mode works then that implies that it's something specific to Apache (though again, I can't imagine how, as I haven't heard of an Apache config line for "just close the connection rather than responding"). Some kind of local firewall that knows how to hook into Apache but not into certbot's standalone mode?
When an HTTP connection is made and the connection closes, is there anything interesting in the Apache log files? I think they're usually in /var/log/httpd but there are a lot of ways to have Apache installed and configured.
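Whether the validation requests show up in the access log at all, and with which status code, points at a different layer each time: no entries means the connections never reached Apache (firewall, port forwarding, listener), 404 means Apache answered from the wrong DocumentRoot or vhost, 200 means the file was served. The script below, an added example rather than code from the thread, scans combined-format access log lines for requests to the acme-challenge path and returns that verdict. The log lines are constructed (documentation IP ranges, made-up token); on Ubuntu the file to feed it is normally /var/log/apache2/access.log.

```python
"""Find ACME http-01 validation requests in an Apache access log and say
which layer to look at (added example, not from the thread or certbot)."""
import re
from collections import Counter

# Apache "combined" LogFormat: ip ident user [time] "request" status size ...
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
ACME_PREFIX = "/.well-known/acme-challenge/"

# Constructed sample: one ordinary visitor, two validation attempts that got 404.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jun/2021:08:15:01 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
198.51.100.21 - - [01/Jun/2021:08:15:30 +0000] "GET /.well-known/acme-challenge/example-token-1 HTTP/1.1" 404 275 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
198.51.100.22 - - [01/Jun/2021:08:15:30 +0000] "GET /.well-known/acme-challenge/example-token-1 HTTP/1.1" 404 275 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
203.0.113.10 - - [01/Jun/2021:08:16:02 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
""".splitlines()


def acme_requests(lines):
    """Yield one dict per log line that requested the ACME challenge path."""
    for line in lines:
        m = COMBINED_RE.match(line)
        if not m or not m.group("path").startswith(ACME_PREFIX):
            continue
        yield {
            "ip": m.group("ip"),
            "time": m.group("time"),
            "token": m.group("path")[len(ACME_PREFIX):],
            "status": int(m.group("status")),
        }


def diagnose(lines):
    """Return (verdict, status_counts) for the challenge requests found."""
    hits = list(acme_requests(lines))
    counts = Counter(h["status"] for h in hits)
    if not hits:
        verdict = ("no challenge requests reached Apache: look at the firewall, "
                   "port forwarding or the port 80 listener")
    elif counts.get(200, 0) == len(hits):
        verdict = "challenge files were served (HTTP 200); Apache is reachable on port 80"
    elif 404 in counts:
        verdict = ("Apache answered but could not find the token: wrong DocumentRoot, "
                   "Alias or vhost for this name")
    else:
        verdict = "challenge requests were answered with unexpected status codes"
    return verdict, dict(counts)


if __name__ == "__main__":
    import sys
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG
    verdict, counts = diagnose(source)
    print(verdict, counts)
```

Run it as python3 acme_log.py /var/log/apache2/access.log right after a failed certbot run; if the verdict is "no challenge requests reached Apache", a tcpdump on port 80 during the next attempt tells you whether the packets arrive at the machine at all.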
It is an Ubuntu running on a virtual machine. I also checked via TCP dump for port 80, and could not see anything abnormal.
There is no fail2ban implemented. Now after the certificate renewal, port 80 has been blocked again.