Error renewing a certificate

My domain is: mserv.top

I ran this command:
/bin/certbot certonly --dry-run --staging --break-my-certs --webroot -w /opt/rh/httpd24/root/var/www/html -d mserv.top --webroot -w /opt/rh/httpd24/root/var/www/html -d www.mserv.top --webroot -w /opt/rh/httpd24/root/var/www/html -d vpn.mserv.top --webroot -w /opt/rh/httpd24/root/var/www/html -d mail.mserv.top --webroot -w /opt/rh/httpd24/root/var/www/html -d gigabitspeed.mserv.top

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for mail.mserv.top
Using the webroot path /opt/rh/httpd24/root/var/www/html for all unmatched domains.
Waiting for verification…
Challenge failed for domain mail.mserv.top
http-01 challenge for mail.mserv.top
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: mail.mserv.top
    Type: connection
    Detail: Fetching
    http://mail.mserv.top/.well-known/acme-challenge/s8zJi3b-m-w2mE-KndPwu95_cCITmD5F5WKcVC_yf9g:
    Timeout during connect (likely firewall problem)

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

My web server is (include version): Apache/2.4.34 (Red Hat)

The operating system my web server runs on is (include version): CentOS Linux release 7.6.1810

My hosting provider, if applicable, is: N/A, my own web server and domain

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.34.2

Notes:
I did my own challenge manually and every thing worked fine …
As I currently have a valid certificate, I first disabled SSL and restarted apache; ran the following successful test manually between my SERVER and LAPTOP:

ON SERVER:
[root@server ~]# mkdir -p /opt/rh/httpd24/root/var/www/html/.well-known/acme-challenge
[root@server ~]# cat < /opt/rh/httpd24/root/var/www/html/.well-known/acme-challenge/s8zJi3b-m-w2mE-KndPwu95_cCITmD5F5WKcVC_yf9g

test

EOF
[root@server ~]# ls -l /opt/rh/httpd24/root/var/www/html/.well-known/acme-challenge/s8zJi3b-m-w2mE-KndPwu95_cCITmD5F5WKcVC_yf9g
-rw-r–r-- 1 root root 6 Jun 29 20:00 /opt/rh/httpd24/root/var/www/html/.well-known/acme-challenge/s8zJi3b-m-w2mE-KndPwu95_cCITmD5F5WKcVC_yf9g

ON LAPTOP:
[user@laptop:~]$ nc -vz mail.mserv.top 80
found 0 associations
found 1 connections:
1: flags=82<CONNECTED,PREFERRED>
outif ipsec0
src 192.168.1.101 port 49834
dst 155.138.161.117 port 80
rank info not available
TCP aux info available

Connection to mail.mserv.top port 80 [tcp/http] succeeded!
[user@laptop:~] curl -O http://mail.mserv.top/.well-known/acme-challenge/s8zJi3b-m-w2mE-KndPwu95_cCITmD5F5WKcVC_yf9g % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 6 100 6 0 0 25 0 --:--:-- --:--:-- --:--:-- 25 [user@laptop:~] echo ? 0 [user@laptop:~] cat s8zJi3b-m-w2mE-KndPwu95_cCITmD5F5WKcVC_yf9g
test

[user@laptop:~]$

You running fail2ban or anything like that?

I can access your server on port 80 only sporadically. For example: https://letsdebug.net/mail.mserv.top/46725 fails for both Let’s Debug and Let’s Encrypt staging, but I can hit your site from a few other servers.

When I do a traceroute from the server that runs letsdebug.net, it times out one hop away from your server.

But I know that back in April, Let’s Debug was able to make a request to your server, but Let’s Encrypt’s staging server was still blocked. And now both are.

Those are all the telltales of a too-aggressive automatic firewall (or maybe you are using some DNSBLs?).

Check iptables.

Thanks for your reply. I did not even think about fail2ban - good call. I disabled fail2ban and firewall temporarily and everything worked fine. Thanks!

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.