Error updating cert

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: joeman1.com

I ran this command: certbot --apache

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?


1: joeman1.com


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Renewing an existing certificate for joeman1.com

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: joeman1.com
Type: connection
Detail: 67.60.122.30: Fetching http://joeman1.com/.well-known/acme-challenge/_gttZHYqpM2LB2g3vqmGgeL7U1UEsxQSOYNwmWzcpco: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):

httpd-2.4.37-47.module+el8.6.0+823+f143cee1.1.x86_64

The operating system my web server runs on is (include version):

cat /etc/redhat-release

Rocky Linux release 8.6 (Green Obsidian)

My hosting provider, if applicable, is: Self hosting

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.27.0

This worked for years with CentOS as well as Rocky Linux. Got an alert in e-mail that my domain expires in 12 days and now I can't update anymore.

My website is fully accessible on the internet and I have no issues with connecting and using my services.

Please let me know how to fix. Thanks!

1 Like

Welcome @joeg1484

Does the problem repeat? Because I just tested your site various ways and always got through. I did see your site is sometimes very slow to respond so maybe it was just an unlucky attempt?

As one test, see Let's Debug test site result

3 Likes

Has something changed?
I don't see the HTTP timeout error.
I get "301 Moved Permanently", and then the HTTPS is rather slow to respond.
Which is a missed opportunity - to have handled the challenge requests then and there (in HTTP) - rather than redirect them to HTTPS and start the requesting all over.

My mind sees these kinds of "virtual things" in a "physical world" and just has to laugh:
Guy walks up to counter and requests an HTTP transaction.
Guy behind counter says that he must go to the next line for HTTPS - there is no one in the line so he backs out and goes right over into that other line and goes straight up to counter.
The same guy behind the counter slides his chair over, switches his hat (from HTTP to HTTPS) and asks the same guy "Hi, how may I help you?"

2 Likes

Hello,

Thanks for the reply. So nothing has changed since I built it a few
years ago. I do redirect http to https:

Servername joeman1.com
Redirect permanent / https://joeman1.com/

This works great from an application standpoint. Is this breaking the
certbot application?

As I mentioned, this has worked flawlessly for quite some time. Just
this last update request has failed.

Let me know if you want to see any other logs or config.

Thanks again for the help!
Joe

1 Like

Hi,

OK so this is weird... Yes, it failed with just the certbot --apache
command, but if I add the -v (Verbose) option it worked:

certbot -v --apache

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?



1: joeman1.com



Select the appropriate numbers separated by commas and/or spaces, or
leave input
blank to select all options shown (Enter 'c' to cancel): 1
Certificate is due for renewal, auto-renewing...
Renewing an existing certificate for joeman1.com
Performing the following challenges:
http-01 challenge for joeman1.com
Waiting for verification...
Cleaning up challenges

Successfully received certificate.
Certificate is saved at:
/etc/letsencrypt/live/joeman1.com/fullchain.pem
Key is saved at: /etc/letsencrypt/live/joeman1.com/privkey.pem
This certificate expires on 2022-09-01.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this
certificate in the background.

Deploying certificate
Deploying Certificate to VirtualHost /etc/httpd/conf.d/ssl.conf
Successfully deployed certificate for joeman1.com to
/etc/httpd/conf.d/ssl.conf
Redirecting vhost in /etc/httpd/conf.d/redirect_http.conf to ssl vhost
in /etc/httpd/conf.d/ssl.conf
Your existing certificate has been successfully renewed, and the new
certificate has been installed.



If you like Certbot, please consider supporting our work by:



So maybe a timing thing?

Joe

Yes, most likely. Both Rudy and I saw your site fine too, so that supports the diagnosis of a temp problem.

You use the --apache plug-in so it should override your redirect just for the single acme challenge. And, that seems to work since your first post had HTTP:// in the error message. It would have shown HTTPS:// had the plug-in not overridden your redirect. So, I don't think you need to do anything about your redirect.

Glad it's working.

2 Likes
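
The reasoning in the reply above (the scheme in the failing URL shows whether the site's redirect was followed, and a `connection` type points at the network path rather than the challenge content) can be applied mechanically to certbot's failure output. This is an added example, not part of the original thread or of certbot itself; the function names and result keys are hypothetical, and the sample text is the failure block from the first post.

```python
import re
from urllib.parse import urlsplit

# Failure block copied from the first post in this thread.
SAMPLE = """\
Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: joeman1.com
Type: connection
Detail: 67.60.122.30: Fetching http://joeman1.com/.well-known/acme-challenge/_gttZHYqpM2LB2g3vqmGgeL7U1UEsxQSOYNwmWzcpco: Timeout during connect (likely firewall problem)
"""

DETAIL_RE = re.compile(r"^(?P<ip>\S+): Fetching (?P<url>\S+): (?P<reason>.+)$")

def parse_problems(text):
    """Return one dict per Domain/Type/Detail group in certbot's output."""
    problems, current = [], None
    for line in text.splitlines():
        key, sep, value = line.strip().partition(": ")
        if not sep:
            continue
        if key == "Domain":
            current = {"domain": value}
            problems.append(current)
        elif current is not None and key in ("Type", "Detail"):
            current[key.lower()] = value
    return problems

def diagnose(problem):
    """Apply the reply's reasoning to one parsed problem (hypothetical helper)."""
    m = DETAIL_RE.match(problem.get("detail", ""))
    if not m:
        return {"domain": problem["domain"], "reason": "unrecognised detail"}
    scheme = urlsplit(m["url"]).scheme
    return {
        "domain": problem["domain"],
        "target_ip": m["ip"],  # address the CA tried to reach
        "failed_scheme": scheme,
        # An https:// URL here would mean the site's redirect was followed;
        # http:// means the failure was on the plain-HTTP challenge fetch.
        "redirect_involved": scheme == "https",
        # "connection" means the CA never got an HTTP response at all.
        "connect_level": problem.get("type") == "connection",
        "reason": m["reason"],
    }
```

For the failure in this thread the result says the redirect was not involved and the CA could not connect at all, which matches the transient-timeout diagnosis.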

Yes, I see the modification to the redirect and I deleted my "Chicken scratch" and just used what the certbot application put in. Seems to work fine :).

Thanks again for the help!
Joe

1 Like
