Fail to renew when previous renewals worked just fine

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
rathel.no-ip.org

I ran this command:
sudo letsencrypt renew

It produced this output:
Attempting to renew cert (rathel.no-ip.org) from /etc/letsencrypt/renewal/rathel.no-ip.org.conf produced an unexpected error: Failed authorization procedure. rathel.no-ip.org (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://rathel.no-ip.org/.well-known/acme-challenge/AjDssd51MHngvFY5_f4XdNbhKTV0qZIjPnCBGSs-sdA: Timeout during connect (likely firewall problem). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/rathel.no-ip.org/fullchain.pem (failure)

My web server is (include version):
Server version: Apache/2.4.38 (Raspbian)

The operating system my web server runs on is (include version):
Distributor ID: Raspbian
Description: Raspbian GNU/Linux 10 (buster)
Release: 10
Codename: buster

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.31.0

I’m getting a timeout too.

Is your public IP address still 50.26.210.172? Or has it changed recently and did your DDNS software fail to update your hostname?

Still the same IP address.

Well, port 80 is blocked on that IP address. So double, no, triple check all your firewalls and, if applicable, NAT router portmaps.

As far as I can tell everything seems open.

It’s not… See for example https://downforeveryoneorjustme.com/rathel.no-ip.org?proto=http

I understand that, but I can’t figure out where port 80 is blocked. The server is not running a firewall, and it is open in the router. I haven’t had any problems before this renewal.

In a couple of minutes of searching, I have read many claims that Suddenlink blocks port 80 for residential users.

It might be worthwhile to call them and ask them directly about it. I understand that you say this used to work, but if you’re stuck, it’s probably worth finding out.

Ah I think you might be right. I didn’t even think this could be an issue. I just recently switched to Suddenlink because we moved. That last isp worked with port 80. Would it be possible to change ports? I haven’t looked into it all yet. I’m not home.

Can’t change port, no. Let’s Encrypt has to follow strict rules about that.

There are a couple of other challenge types besides HTTP that do not rely on port 80 (https://letsencrypt.org/docs/challenge-types/) - DNS-01 and TLS-ALPN-01.

You can’t use DNS-01 because you don’t have your own domain and no-ip doesn’t support it.

You can use TLS-ALPN-01, but not with Certbot. So you will have to make some changes in order to do it. Something like using acme.sh:

acme.sh --issue --alpn -d rathel.no-ip.org --pre-hook "service apache2 stop" --post-hook "service apache2 restart"

You could also beg your ISP to not block port 80 … :frowning: .
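The two posts above come down to one diagnostic: is TCP port 80 reachable from the outside (needed for http-01), and if not, is port 443 reachable (needed for tls-alpn-01)? The following is an added example, not code from this thread or from Certbot or acme.sh; the function names `probe_port` and `usable_challenges` and the `ports` mapping are my own. It must be run from a machine outside the home network (a VPS, a phone on mobile data), since a probe from inside the LAN says nothing about the ISP or the router's port map.

```python
import socket

# Challenge type -> port the ACME validation server must reach.
# These two ports are fixed by the ACME specification; the client cannot choose others.
DEFAULT_CHALLENGE_PORTS = {"http-01": 80, "tls-alpn-01": 443}

# Plain-language meaning of each probe outcome, from a troubleshooting standpoint.
HINTS = {
    "open": "TCP connection succeeded; the port is reachable",
    "refused": "host answered with RST: packets arrive but nothing listens (web server down or port map to the wrong host)",
    "timeout": "no answer at all: most likely a firewall or an ISP block in the path",
    "unreachable": "routing/DNS failure before any TCP attempt",
}


def probe_port(host, port, timeout=5.0):
    """Attempt one TCP connection and classify the outcome as
    'open', 'refused', 'timeout' or 'unreachable'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:  # alias of TimeoutError on Python 3.10+
        return "timeout"
    except OSError:
        return "unreachable"


def usable_challenges(host, ports=None, timeout=5.0):
    """Probe every challenge port for `host` and return, per challenge type,
    the probe state and whether that challenge could plausibly succeed.
    `ports` lets a caller override the port mapping (used for local testing)."""
    ports = DEFAULT_CHALLENGE_PORTS if ports is None else ports
    report = {}
    for challenge, port in ports.items():
        state = probe_port(host, port, timeout)
        # An ACME server needs an answering listener; 'refused' is fixable
        # locally, 'timeout' usually is not (it is upstream of the host).
        report[challenge] = {"port": port, "state": state,
                             "usable_now": state == "open",
                             "hint": HINTS[state]}
    return report


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "rathel.no-ip.org"
    for challenge, info in usable_challenges(target).items():
        print(f"{challenge:12} port {info['port']:3}: {info['state']:11} -> {info['hint']}")
```

A result of `timeout` on port 80 with `open` on port 443 is exactly the situation described in this thread: http-01 cannot work, but tls-alpn-01 through a client that supports it remains an option.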


Thanks I’ll look into it more.

On a sort of related note (not sure if it's available on Raspbian), but mod_md also has the tls-alpn-01 challenge.

