Error on sudo certbot renew --dry-run

This is fine. You only need one of the two.

Nowhere.

That config is just telling nginx to take files from /usr/local/etc/nginx/letsencrypt when someone asks for example.com/.well-known/acme-challenge/

I am not sure it is needed, I think it isn't.

Thanks @9peppe. Yesterday I posted a question about the sudo certbot renew --dry-run error. I got an answer that I should check whether something is blocking the renewal process. I have a fortigate firewall and I have only IPS. Other than that, all the required ports in and out are okay.

How or where should I look inside my Ubuntu machine so that my renewal will be okay if I run --dry-run again? I am not sure what is blocking and don't know where to look.

What should I do so I can correct the error that is showing below?

  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 477, in handle_renewal_request
    len(renew_failures), len(parse_failures)))
certbot.errors.Error: 1 renew failure(s), 0 parse failure(s)

You should definitely not get a python traceback thrown at you.

Is your server listening on port 80? (unsecured http)

I read @JuergenAuer told you already to check your firewall. It is incredibly difficult to help you without knowing the full domain name and without the possibility to run tests against it.

There may be other firewalls in front of your own.

Thanks again @9peppe. The full domain is https://cep..com and http://cep..com is redirected to https. In front of Ubuntu there is a FortiGate firewall and IPS on it.

It isn't, not from my point of view. It looks like on http I get kicked away by your fortigate.

On https I can see a webpage.

That's very strange. I am out of the office and trying from home using a different network, and when I type http://cep..com it redirects me to https://cep..com

I guess it blocks my ip but not yours. I’m connecting from Italy, if that helps your debugging.

I don't have any IP blocking but I will look into it.

I saw your ufw config, yeah, but I have no idea what fortigate is doing.

@9peppe I am checking the fortigate inbound and outbound config. There is an IPS filter, but I will write a bit more detail here in 30 min.

Ok, @9peppe

I have an IPS filter and it is on and tested. What do these lines mean?

If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.

If I am serving correctly, then something is wrong in my firewall config.

I have an IPS filter and I also have fortigate SSL inspection on. Do you know if fortigate SSL inspection blocks my renewal?

I don’t know but I don’t think so. Right now I can connect to your website on unencrypted http just fine, and I get the redirect.

@9peppe

In the firewall there was an application filter setting that was on. I turned that off and tried again. Then I ran --dry-run and my certificate renewed.

Thank you very much.

The solution to my problem is simply to turn off the application filter in fortigate.
