Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My web server is (include version): Apache Server 2.4
The operating system my web server runs on is (include version): Synology NAS DSM 7.2.1
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):-
Three of my certificates were renewed, the others were not. When checking the domains with letsdebug, everything looks fine. It has always worked for the last 3 years and no changes have been made. What could help here?
The IP address of drive.mbreich.de has changed to 91.45.154.141 in the meantime. Maybe a transient problem while DNS data is changing? Is it still failing to renew the certificate?
EDIT: Let's Debug is failing: Let's Debug
Is the inbound HTTP access blocked by chance?
Since you are using the HTTP-01 challenge, it states "The HTTP-01 challenge can only be done on port 80." and "It only accepts redirects to “http:” or “https:”, and only to ports 80 or 443." as well as "Our implementation of the HTTP-01 challenge follows redirects, up to 10 redirects deep."
Thus, since there is the redirect to HTTPS, both ports 80 & 443 must be accessible.
$ curl -Ii http://drive.mbreich.de/.well-known/acme-challenge/sometestfile
curl: (28) Failed to connect to drive.mbreich.de port 80 after 133583 ms: Connection timed out
$ nmap -Pn -p80,443 drive.mbreich.de
Starting Nmap 7.80 ( https://nmap.org ) at 2024-09-29 20:08 UTC
Nmap scan report for drive.mbreich.de (91.45.154.141)
Host is up.
rDNS record for 91.45.154.141: p5b2d9a8d.dip0.t-ipconnect.de
PORT STATE SERVICE
80/tcp filtered http
443/tcp filtered https
Nmap done: 1 IP address (1 host up) scanned in 3.98 seconds
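The HTTP-01 redirect rules quoted above, as an added example that is not part of the original posts: it checks a redirect chain against those three rules and lists the inbound ports the chain needs open. The host names and sample chains are constructed, and the function names are hypothetical.

```python
from urllib.parse import urlsplit

MAX_REDIRECTS = 10                       # "up to 10 redirects deep"
DEFAULT_PORTS = {"http": 80, "https": 443}
ALLOWED_PORTS = (80, 443)


def scheme_and_port(url):
    """Return (scheme, port), filling in the scheme's default port."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return scheme, parts.port or DEFAULT_PORTS.get(scheme)


def check_chain(chain):
    """chain[0] is the validation URL; the rest are successive Location targets.

    Returns a list of rule violations. An empty list means the chain is
    within the quoted rules; it says nothing about whether ports are reachable.
    """
    problems = []
    if scheme_and_port(chain[0]) != ("http", 80):
        problems.append(f"start must be http on port 80: {chain[0]}")
    for hop, url in enumerate(chain[1:], start=1):
        scheme, port = scheme_and_port(url)
        if scheme not in DEFAULT_PORTS:
            problems.append(f"hop {hop}: scheme {scheme!r} not accepted")
        elif port not in ALLOWED_PORTS:
            problems.append(f"hop {hop}: port {port} not accepted")
    if len(chain) - 1 > MAX_REDIRECTS:
        problems.append(f"{len(chain) - 1} redirects exceeds {MAX_REDIRECTS}")
    return problems


def required_ports(chain):
    """Inbound ports that must be open for every hop to be fetched."""
    ports = {scheme_and_port(url)[1] for url in chain}
    return sorted(p for p in ports if p is not None)


# Constructed sample chains (hypothetical host names, not from the thread).
TOKEN = "/.well-known/acme-challenge/sometestfile"
REDIRECT_TO_HTTPS = ["http://nas.example.com" + TOKEN,
                     "https://nas.example.com" + TOKEN]
REDIRECT_TO_ALT_PORT = ["http://nas.example.com" + TOKEN,
                        "https://nas.example.com:5001" + TOKEN]

if __name__ == "__main__":
    for chain in (REDIRECT_TO_HTTPS, REDIRECT_TO_ALT_PORT):
        print(chain[-1], check_chain(chain) or "ok", required_ports(chain))
```

A chain that passes the check still fails validation if any port in `required_ports` is filtered, as in the nmap output above.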
Thanks for the quick answer.
Port 80 is always opened beforehand via script, but is now permanently open. Geoblocking was activated for https on the FW, I have also removed it.
The script is currently running daily in the hope of finally receiving new certificates. Unfortunately, since yesterday I get the message: {"error":104, "file": "client_v2-base.cpp", "msg": "too many failed authorizations (5) for "mbreich.de" in the last 1h0m0s, retry after 2024-09-29 22:20:00 UTC: see Failed Validation Limit - Let's Encrypt"}
I always adapt the script so that it only runs again after the specified time. But the error comes back even then. What can I do?
You have a redirect from HTTP to HTTPS. Is the challenge established by the ACME client accessible via HTTPS too?
That may not be the root cause of your problem, but it might be worth checking.
Yes, you're right.
Now that the rate limit had finally expired, I tracked the certificate renewal individually and live in the logs. I noticed that the HTTP requests were being redirected to the HTTPS pages. To work around this, I created a reverse proxy entry for each subdomain that redirects port 80 to localhost:80.
From my perspective on the central Oregon Coast, I am timing out on access and according to my lightweight scans the system seems to be down.
Go Figure.