Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
The operating system my web server runs on is (include version):
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know):
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
Please can someone help me? Last time (3 months ago) I renewed with no issue. On the firewall there is a rule that allows all HTTP (80) connections through the WAN (public IP).
Hi, can you confirm whether you are actually using Certbot or some other tool? You're on Windows, so the other most likely options are win-acme, Posh-ACME or Certify The Web.
Port 80 is apparently not open, so I'd suggest, if your machine is a virtual machine hosted in a cloud environment, that you check in the cloud/VM control panel that TCP port 80 is open for incoming connections.
HTTP validation works by making an HTTP (not HTTPS) request to your machine, so you really do need that port 80 open. The actual validation will either work via IIS or via a self-hosting mechanism controlled by your ACME-compatible client software.
Hello,
I'm using win-acme.
During the renewal I enable a firewall rule that opens the HTTP connection from the Windows VM (win server 2012 R), where I run the tool for certificate renewal, to the external WAN.
Great, so you need to open port 80 all the way through:
your network firewall (as in your picture)
any network filtering at the VM level (Hyper-V, VMware, cloud etc.)
Windows Firewall (important!).
You should ideally just leave port 80 open and not try to enable/disable it for renewals, and your renewals should ideally be automatic, not manual.
If you are disabling port 80 because you are worried about people accessing some service on that port, remove the services (e.g. IIS port 80 bindings) and use the self-hosting option of win-acme (this will spin up a temporary HTTP listener during renewal).
If you are just generally worried about allowing port 80 to be open and you have no services running on that port, then don't worry, there is no extra risk. If someone else tells you to block that port for a security reason, please do point them to this conversation and they can explain here why port 443 is any different.
If you absolutely must block port 80, you can get win-acme to serve validation on a different port and NAT HTTP requests to that, but that's usually not necessary. Alternatively you can switch to using DNS validation instead of HTTP validation.
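The two replies above describe a checklist (is something else already on port 80, is Windows Firewall allowing inbound TCP/80 from any remote address, is the port actually reachable, does win-acme renew cleanly with the self-hosted listener). The following is an added example, not code from the thread or from the win-acme project, that walks that checklist in PowerShell on the server itself. The hostname, the firewall rule name and the location of wacs.exe are assumptions; run it in an elevated PowerShell and read the output before acting on the commented-out destructive steps.

```powershell
# Added example (not from the thread or from win-acme): verify and fix the layers that
# must pass inbound TCP/80 for HTTP-01 validation on a Windows Server running win-acme.
# Assumptions: $Hostname is the name being validated, $RuleName is a rule name you choose,
# wacs.exe is on PATH. Run from an elevated PowerShell session.

$Hostname = 'www.example.com'                 # assumption: the hostname on the certificate
$RuleName = 'ACME HTTP-01 (TCP 80 inbound)'   # assumption: our own rule name

# 1. Is anything already listening on TCP/80 on this box (IIS, another web server, etc.)?
#    If IIS owns the port, win-acme must validate through IIS; if nothing does, the
#    self-hosting option can start its own temporary listener.
Write-Host '--- Listeners on TCP/80 ---'
Get-NetTCPConnection -LocalPort 80 -State Listen -ErrorAction SilentlyContinue |
    ForEach-Object {
        '{0} (PID {1})' -f (Get-Process -Id $_.OwningProcess).ProcessName, $_.OwningProcess
    }

# 1b. If you do not want IIS serving anything on port 80, remove its HTTP bindings so the
#     self-hosted listener can take the port. Left commented out because it is destructive.
# Import-Module WebAdministration
# Get-WebBinding -Port 80 -Protocol http | Remove-WebBinding

# 2. Windows Firewall: ensure an inbound allow rule for TCP/80 from ANY remote address
#    exists and is enabled. A rule scoped to a specific remote address set (like the
#    'LetsEncryptACMEClient' definition mentioned later in the thread) will not match
#    Let's Encrypt's validation servers, which come from multiple public vantage points.
$rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
if (-not $rule) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
        -LocalPort 80 -RemoteAddress Any -Action Allow -Profile Any | Out-Null
} else {
    Enable-NetFirewallRule -DisplayName $RuleName
}
Write-Host '--- Firewall rule as applied ---'
Get-NetFirewallRule -DisplayName $RuleName |
    Select-Object DisplayName, Enabled, Direction, Action, Profile
Get-NetFirewallRule -DisplayName $RuleName | Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress

# 3. Reachability check. Testing from the server only proves the path from this box;
#    the cloud/hypervisor filter and the perimeter firewall are only proven by a test
#    from OUTSIDE your network (another machine, or an online port checker).
Write-Host '--- Local reachability test ---'
Test-NetConnection -ComputerName $Hostname -Port 80 -InformationLevel Detailed |
    Select-Object ComputerName, RemoteAddress, TcpTestSucceeded

# 4. Exercise the renewal against the Let's Encrypt staging environment so a failure
#    does not consume production rate limits. --renew, --force, --test and --verbose
#    are win-acme (wacs.exe) switches; confirm with 'wacs.exe --help' for your version.
# & wacs.exe --renew --force --test --verbose
```

If the remote-address filter printed in step 2 shows anything other than `Any`, that scoping is the usual reason a rule looks "open" yet validation still fails. Keep the rule enabled permanently rather than toggling it for each renewal; with no service bound to port 80 the open port exposes nothing except the short-lived validation listener.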
One more question, not related to the topic.
How can I change the certificate name during renewal, or maybe after I have done that? I would like to set a friendly name.
Great, glad you got it working. I'm not a firewall expert but I'm guessing whatever the definition of 'LetsEncryptACMEClient' is was affecting it, if changing to 'Any' made it work.