Errors renewing certificate, Apache, Win 10

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: mac-fife.uk

I ran this command: certbot renew --standalone --dry-run (with Apache stopped)

It produced this output:
Processing C:\Certbot\renewal\www.mac-fife.uk.conf


Simulating renewal of an existing certificate for www.mac-fife.uk and 18 more domains

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
Domain: pop.mac-fife.uk
Type: connection
Detail: During secondary validation: 80.229.8.213: Fetching http://pop.mac-fife.uk/.well-known/acme-challenge/rsLN5DSJakCiVmaTJy8TDOtSms9sg8wdx4FwonR_LzY: Timeout during connect (likely firewall problem)

Domain: smtp.mac-fife.uk
Type: connection
Detail: During secondary validation: 80.229.8.213: Fetching http://smtp.mac-fife.uk/.well-known/acme-challenge/8UaL7kkvkfsAireog8jxOF8QdyJC1oDzHB-a9q60qp0: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

My web server is (include version): Apache 2.4.54

The operating system my web server runs on is (include version): Windows 10 Pro

My hosting provider, if applicable, is: Self

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.7.4

I realise that Certbot is no longer officially supported on Windows but I've also tried Certify the Web, with similar results.
This method of renewing certificates - stop Apache, run the certbot renew command, restart Apache - has always worked up until now, and it seems odd that only some of the 19 domains/subdomains on the certificate are failing. Let's Debug shows no problems:
All OK!

OK

No issues were found with pop.mac-fife.uk. If you are having problems with creating an SSL certificate, please visit the Let's Encrypt Community forums and post a question there.

Hello @, welcome to the Let's Encrypt community. :slightly_smiling_face:

That is very likely the case; I observe some Geo Blocking happening.

Here it shows several locations around the world getting "Connection timed out".

Please read these on geo access, as Let's Encrypt needs several diverse locations.


Also, I suggest looking for a different Windows ACME client, as Certbot is discontinuing Windows beta support in 2024.


OK, but I was still getting errors even with the firewall completely turned off (momentarily). Changes locally here (that I can think of) are that a) I recently had FTTP installed and consequently had a number of IP address changes before my static IP was restored and b) my domain registrar changed, probably since I last renewed the certificate.

With the firewall off, what did this show? Still lots of countries that could not connect?


Edit: I just reran the connection report with my server PC's firewall turned off and I see the same pattern of timeouts. I'm suspecting that the blocks may be being applied by my ISP.

That would be rare. Some ISPs block port 80 entirely. But, to selectively block just some is unusual. Perhaps some kind of firewall setting in your router?


I wondered about that, as my ISP supplied a new router for the FTTP, but I don't see anything. I copied the port forwarding rules from the old router (which appear to work OK). I tried putting the server in the DMZ, with no effect.

OK, turning off the router firewall entirely allows all countries/hosts to pass the connection check. I can work with temporarily doing that to renew the certificates - I'll try that tomorrow, as it's late here now.


What's the concern about leaving port 80 open always? Here's some extra background: Best Practice - Keep Port 80 Open - Let's Encrypt

Are you able to allow all traffic on port 80 but block the countries you wish just for port 443? Because I can suggest some changes to your Apache VirtualHost so only ACME challenges do not get redirected.

Or, allow all HTTP requests with the below format but reject others?

http://(domain)/.well-known/acme-challenge/(randomToken)

Or is there an API for your router to allow you to develop scripts pre and post renewal? Certbot has pre-hook and post-hook but you should be migrating away from Certbot on Windows as you know.

Apache has a built-in ACME Client called mod_md. I don't know how well it is supported on Windows but that may be an option. It supports a TLS-ALPN challenge which is similar to the HTTP Challenge you use but uses a TLS connection on port 443 instead (mod_md handles it).

A DNS Challenge doesn't need either of those ports but works best with API access to your DNS provider. I believe yours is GoDaddy who recently introduced limits but there are other ways to do DNS Challenges. I'd recommend looking at Certify The Web as a Certbot replacement.

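The two options floated above (keep port 80 open but leave only ACME challenges unredirected, or accept only `/.well-known/acme-challenge/...` requests on port 80) can both be expressed in one Apache VirtualHost. The following is an added example written for this thread, not configuration posted by anyone in it or shipped by Certbot or Certify The Web. The host names, the webroot path `C:/Certbot/webroot` and the log file names are assumptions for illustration; adjust them to the real site.

```apache
# Added example: a port-80 VirtualHost that serves HTTP-01 challenge files
# and redirects everything else to HTTPS. Requires mod_alias and mod_rewrite:
#   LoadModule alias_module modules/mod_alias.so
#   LoadModule rewrite_module modules/mod_rewrite.so
<VirtualHost *:80>
    ServerName www.mac-fife.uk
    # Assumed aliases; list every name on the certificate here so the CA's
    # request for each name lands in this VirtualHost.
    ServerAlias mac-fife.uk pop.mac-fife.uk smtp.mac-fife.uk

    # The ACME client writes the challenge token files into this directory
    # (assumed path), e.g. certbot --webroot -w C:/Certbot/webroot, or the
    # webroot mode of another client. Apache keeps running during renewal.
    Alias "/.well-known/acme-challenge/" "C:/Certbot/webroot/.well-known/acme-challenge/"
    <Directory "C:/Certbot/webroot/.well-known/acme-challenge/">
        Options None
        AllowOverride None
        # Validation servers come from many locations; do not restrict them.
        Require all granted
        # Tokens are plain text and must never be executed or interpreted.
        ForceType text/plain
    </Directory>

    # Everything that is not an ACME challenge goes to HTTPS. The router's
    # geo-blocking (if any) can then be applied to port 443 alone, leaving
    # port 80 reachable for validation.
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

    # Alternative for the "reject others" option: replace the RewriteRule
    # above with the following line to answer 403 instead of redirecting.
    # RewriteRule ^ - [F]

    ErrorLog "logs/acme-http-error.log"
    CustomLog "logs/acme-http-access.log" combined
</VirtualHost>
```

Check the result before relying on it: with the block in place, `httpd -t` should report `Syntax OK`, a request for `http://www.mac-fife.uk/.well-known/acme-challenge/anything` should return 404 (served by the directory, not redirected), and a request for any other path should return 301 to the https:// URL (or 403 with the alternative rule).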

Yeah, if you can't solve the HTTP problem then DNS validation is probably the way to go.

DNS validation relies on automated updates to DNS so it depends who your provider is and in this case I think it's GoDaddy and they have/had limits on their API so that only certain customers had access.

As an alternative to updating GoDaddy DNS directly you could consider trying something like acme-dns (which you CNAME to so it can answer the challenge for you).


Couldn't they also use Certify DNS?


So far as I can tell, port 80 is open all the time, along with port 443. It seems to be some weird oddity in the router that's doing the geo-blocking, as I have port forwarding rules set up in it for port 80 and 443 (and other ports for my mailserver) and all of that appears to work.
The router is essentially a re-badged BT Smart Hub 2 which offers limited control of the firewall, outside of port forwarding rules. Basically: a) Block everything and set up rules for all traffic in/out, b) Default, which allows all outbound traffic and needs rules for inbound traffic (and is how I normally leave it), or c) Off. The router is new to me and I'm not sure I've dug into all the controls yet, but I'm suspecting that the "Smart" part of it is what's doing the geo-blocking.
Anyway, certificate successfully renewed this morning :slightly_smiling_face:. I only have one certificate and manually disabling the router firewall for a couple of minutes every few months is no biggie for me - I just set a reminder.
On ACME clients, yes, I'm looking to replace Certbot and have installed "Certify the Web" but I'm still getting to grips with that.
My domain registrar is actually 123-Reg, and I don't see any DNS API offered by them.
Thanks all.

@MikeMcQ Certify DNS is an option but it's a paid service and I kind of feel this is a home-lab situation so acme-dns seems like the right choice.

@MacFife Sounds like you managed to get it working. If you have any questions about Certify The Web let me know (I work on that). The easiest option is to stop Apache and let it get the cert using its own port 80 server, then restart Apache, or you can use the webroot method to do HTTP validation via Apache itself. We have some guidance for how to do Apache stuff here: Using with Apache, nginx or Other Web Servers | Certify The Web Docs but it relies on you editing your own Apache config.

@webprofusion yeah, I tinkered with Certify the Web and figured out that stopping Apache was likely my best bet. But that was before the revelation with the router firewall, so I still got failures. It seems like I'm going to have to turn off the router firewall during renewal, unless I can find some setting buried deep in the menus.
I'm (moderately) comfortable with editing Apache configs.

It does seem like the "smart" setting might be important as you could imagine that might be doing something geographic or user agent based.

That is a very good guess.

They are owned by GoDaddy

Ah. I should have read past its splash page :slight_smile:

