Facing issue while running sudo certbot renew --dry-run

Hi Team,
My domain uses the Let's Encrypt certificate for SSL communication. I can generate the certificate, but I am not able to renew the certificate. I am using the Apache httpd configuration.

I have explicitly verified the ACME using the below command.
curl -v http://everprint.io/.well-known/acme-challenge/test
curl -v http://myeverbee.io/.well-known/acme-challenge/test

My domain is: everprint.io, www.everprint.io, myeverbee.io, www.myeverbee.io

I ran this command: sudo certbot renew --dry-run -v

It produced this output:
letsencrypt.txt (111.4 KB)
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/everprint.io.conf


Certificate not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Simulating renewal of an existing certificate for everprint.io and www.everprint.io
Performing the following challenges:
http-01 challenge for everprint.io
http-01 challenge for www.everprint.io
Waiting for verification...
Challenge failed for domain everprint.io
http-01 challenge for everprint.io

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: everprint.io
Type: connection
Detail: 52.9.2.39: Fetching http://everprint.io/.well-known/acme-challenge/KM8sjWVdWRTXjgxEallYGCHMkGhRaeKTSm7Q44GUINw: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Cleaning up challenges
Failed to renew certificate everprint.io with error: Some challenges have failed.


Processing /etc/letsencrypt/renewal/myeverbee.io.conf


Certificate not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Simulating renewal of an existing certificate for myeverbee.io and www.myeverbee.io
Performing the following challenges:
http-01 challenge for myeverbee.io
http-01 challenge for www.myeverbee.io
Waiting for verification...
Challenge failed for domain myeverbee.io
Challenge failed for domain www.myeverbee.io
http-01 challenge for myeverbee.io
http-01 challenge for www.myeverbee.io

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: myeverbee.io
Type: connection
Detail: 52.9.2.39: Fetching http://myeverbee.io/.well-known/acme-challenge/tCPCh5YrrJqpcgkO-eOCys6t2JmiSuQg4_tEo8MMli4: Timeout during connect (likely firewall problem)

Domain: www.myeverbee.io
Type: connection
Detail: 52.9.2.39: Fetching http://www.myeverbee.io/.well-known/acme-challenge/pY9pulLWWRmN2rgJni8EZ2jE-pmfWm7LbqsAOe904rg: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Cleaning up challenges
Failed to renew certificate myeverbee.io with error: Some challenges have failed.


All simulated renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/everprint.io/fullchain.pem (failure)
/etc/letsencrypt/live/myeverbee.io/fullchain.pem (failure)


2 renew failure(s), 0 parse failure(s)

My web server is (include version): Apache/2.4.58 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 24.04.1 LTS

My hosting provider, if applicable, is: Namecheap

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.9.0

One more thing: even now I am able to delete the same certificate and regenerate it. But renewal alone is failing.

Hello @Manikandan29, welcome to the Let's Encrypt community. :slightly_smiling_face:

Using the online tool Let's Debug yields these results https://letsdebug.net/myeverbee.io/2348817?debug=y

ANotWorking
Error
myeverbee.io has an A (IPv4) record (52.9.2.39) but a request to this address over port 80 did not succeed. Your web server must have at least one working IPv4 or IPv6 address.
A timeout was experienced while communicating with myeverbee.io/52.9.2.39: Get "http://myeverbee.io/.well-known/acme-challenge/letsdebug-test": context deadline exceeded

Trace:
@0ms: Making a request to http://myeverbee.io/.well-known/acme-challenge/letsdebug-test (using initial IP 52.9.2.39)
@0ms: Dialing 52.9.2.39
@10002ms: Experienced error: context deadline exceeded

It also shows 2 IPv4 addresses; they both need to be active and respond the same.

HTTPRecords
Debug
A and AAAA records found for this domain
myeverbee.io. 0 IN A 52.9.2.39
myeverbee.io. 0 IN A 54.193.24.38

Using nmap, we see the IPv4 address 52.9.2.39 is filtered (i.e. not accessible) from the public Internet.

Checking the domain name everprint.io shows 2 IPv4 addresses, and "Other addresses for everprint.io (not scanned): 52.9.2.39".

$ nmap -Pn -p80,443 everprint.io
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-28 17:20 UTC
Nmap scan report for everprint.io (54.193.24.38)
Host is up (0.027s latency).
Other addresses for everprint.io (not scanned): 52.9.2.39
rDNS record for 54.193.24.38: ec2-54-193-24-38.us-west-1.compute.amazonaws.com

PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 0.26 seconds

Checking IPv4 address 54.193.24.38, it is open; this is good, and it is the same address the domain name showed.

$ nmap -Pn -p80,443 54.193.24.38
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-28 17:21 UTC
Nmap scan report for ec2-54-193-24-38.us-west-1.compute.amazonaws.com (54.193.24.38)
Host is up (0.026s latency).

PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds

Checking IPv4 address 52.9.2.39, the one not previously tested, it is filtered for both ports 80 & 443; not so good.

$ nmap -Pn -p80,443 52.9.2.39
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-28 17:21 UTC
Nmap scan report for ec2-52-9-2-39.us-west-1.compute.amazonaws.com (52.9.2.39)
Host is up.

PORT    STATE    SERVICE
80/tcp  filtered http
443/tcp filtered https

Nmap done: 1 IP address (1 host up) scanned in 3.11 seconds
1 Like
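The reply above pins the failure on one of the two published A records (52.9.2.39) being filtered on port 80, while the other (54.193.24.38) answers. The validation servers may pick either record, so a pre-flight check has to probe every address a name resolves to, not just the first one. The following Python script is an added example written for this thread; it is not Certbot's, Let's Debug's, or the poster's code. The function names, the constructed probe path under /.well-known/acme-challenge/, and the offline fixture (which simply replays the DNS answers and nmap results quoted in the thread) are all assumptions made here. Run it with domain names as arguments for a live check, or with no arguments to replay the fixture.

```python
#!/usr/bin/env python3
"""Added example (not Certbot's or Let's Debug's code): check every published
address of a domain for HTTP reachability on port 80 before running a renewal.

HTTP-01 validation fetches http://<domain>/.well-known/acme-challenge/<token>;
the CA may connect to any A/AAAA record the name publishes, so one filtered
address (52.9.2.39 in the thread) fails the challenge even when another
address (54.193.24.38) answers normally.
"""
import http.client
import socket
import sys

# Constructed test path: any HTTP status (even 404) proves the server is reachable.
PROBE_PATH = "/.well-known/acme-challenge/reachability-test"


def resolve_addresses(hostname, resolver=socket.getaddrinfo):
    """Return every IPv4/IPv6 address published for hostname, de-duplicated, in DNS order."""
    addresses = []
    for _family, _type, _proto, _canon, sockaddr in resolver(hostname, 80, type=socket.SOCK_STREAM):
        ip = sockaddr[0]
        if ip not in addresses:
            addresses.append(ip)
    return addresses


def probe_http(ip, hostname, timeout=10.0):
    """GET the probe path on ip:80 with Host: hostname, as a validation server would.

    Returns (reachable, detail). A connect timeout is the symptom of a host or
    cloud firewall / security group that does not allow inbound port 80.
    """
    conn = http.client.HTTPConnection(ip, 80, timeout=timeout)
    try:
        conn.request("GET", PROBE_PATH, headers={"Host": hostname})
        return True, "HTTP %d" % conn.getresponse().status
    except (socket.timeout, TimeoutError):
        return False, "timeout during connect (likely firewall problem)"
    except OSError as exc:
        return False, "%s: %s" % (type(exc).__name__, exc)
    finally:
        conn.close()


def check_domains(domains, resolve=resolve_addresses, probe=probe_http):
    """Map each domain to a list of (ip, reachable, detail) covering all its addresses."""
    return {d: [(ip,) + tuple(probe(ip, d)) for ip in resolve(d)] for d in domains}


def unreachable(results):
    """List (domain, ip, detail) for every address that would break HTTP-01."""
    return [(d, ip, detail) for d, rows in results.items()
            for ip, ok, detail in rows if not ok]


# Constructed offline fixture mirroring the thread: both names publish two
# A records, and nmap showed 52.9.2.39 filtered on ports 80 and 443.
EXAMPLE_DNS = {
    "myeverbee.io": ["52.9.2.39", "54.193.24.38"],
    "everprint.io": ["54.193.24.38", "52.9.2.39"],
}
EXAMPLE_FILTERED = {"52.9.2.39"}


def example_resolve(hostname):
    return list(EXAMPLE_DNS[hostname])


def example_probe(ip, hostname):
    if ip in EXAMPLE_FILTERED:
        return False, "timeout during connect (likely firewall problem)"
    return True, "HTTP 404"


def report(results):
    """Print one line per address; return the number of failing addresses."""
    bad = unreachable(results)
    for d, rows in results.items():
        for ip, ok, detail in rows:
            print("%-20s %-40s %s  %s" % (d, ip, "ok  " if ok else "FAIL", detail))
    if bad:
        print("\n%d address(es) unreachable: open port 80 in the firewall/security "
              "group or drop the stale record before 'certbot renew'." % len(bad))
    else:
        print("\nAll published addresses answer on port 80; HTTP-01 should succeed.")
    return len(bad)


if __name__ == "__main__":
    if len(sys.argv) > 1:                       # live check against real DNS
        sys.exit(1 if report(check_domains(sys.argv[1:])) else 0)
    report(check_domains(EXAMPLE_DNS, example_resolve, example_probe))  # replay fixture
```

The resolver and prober are injectable so the same logic can be exercised offline; the default arguments do real DNS lookups and real HTTP connections. A non-zero exit code from the live run makes the script usable as a guard in a cron job or a Certbot pre-hook, so a renewal is never attempted while a published address is unreachable.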

Thanks for the prompt response... I got the issue from your response and have fixed it now.

3 Likes