Failed to download the temporary challenge files

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
507club.com

I ran this command:
pi@507club:~ $ sudo certbot renew -v

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/507club.com.conf


Certificate is due for renewal, auto-renewing...

Plugins selected: Authenticator webroot, Installer None

Renewing an existing certificate for 507club.com

Reusing existing private key from /etc/letsencrypt/live/507club.com/privkey.pem.

Performing the following challenges:

http-01 challenge for 507club.com

Using the webroot path /var/www/html/507club for all unmatched domains.

Waiting for verification...

Challenge failed for domain 507club.com

http-01 challenge for 507club.com

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:

Domain: 507club.com

Type: connection

Detail: 75.70.159.234: Fetching http://507club.com/.well-known/acme-challenge/fXxRDHDA4N7aptp61moL3id_vvYPVe66V86cW2U-ZQM: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Cleaning up challenges

Failed to renew certificate 507club.com with error: Some challenges have failed.


All renewals failed. The following certificates could not be renewed:

/etc/letsencrypt/live/507club.com/fullchain.pem (failure)


My web server is (include version):
Apache version 2.4.62

The operating system my web server runs on is (include version):
Debian Linux 12

My hosting provider, if applicable, is:
Site hosted on Raspberry Pi 5 Model B Rev 1.0

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
Webmin version 2.202

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 2.1.0


I can open both HTTP and HTTPS, and they are serving the same webroot.

Hello @johnaevansjr, welcome to the Let's Encrypt community. :slightly_smiling_face:

You are using the HTTP-01 challenge (Challenge Types - Let's Encrypt),
and it states: "The HTTP-01 challenge can only be done on port 80."

From around the world, as shown here (Permanent link to this check report), HTTP port 80 shows "Connection timed out".

Both ports 80 (& 443) are filtered and therefore inaccessible for the HTTP-01 challenge requests.

$ nmap -Pn -p80,443 507club.com
Starting Nmap 7.80 ( https://nmap.org ) at 2024-12-10 23:09 UTC
Nmap scan report for 507club.com (75.70.159.234)
Host is up.

PORT    STATE    SERVICE
80/tcp  filtered http
443/tcp filtered https

Nmap done: 1 IP address (1 host up) scanned in 3.18 seconds

Best Practice - Keep Port 80 Open


And to assist with debugging, a great place to start is Let's Debug,
which shows https://letsdebug.net/507club.com/2306816

ANotWorking
Error
507club.com has an A (IPv4) record (75.70.159.234) but a request to this address over port 80 did not succeed. Your web server must have at least one working IPv4 or IPv6 address.
A timeout was experienced while communicating with 507club.com/75.70.159.234: Get "http://507club.com/.well-known/acme-challenge/letsdebug-test": context deadline exceeded

Trace:
@0ms: Making a request to http://507club.com/.well-known/acme-challenge/letsdebug-test (using initial IP 75.70.159.234)
@0ms: Dialing 75.70.159.234
@10000ms: Experienced error: context deadline exceeded
IssueFromLetsEncrypt
Error
A test authorization for 507club.com to the Let's Encrypt staging service has revealed issues that may prevent any certificate for this domain being issued.
75.70.159.234: Fetching http://507club.com/.well-known/acme-challenge/Vrq2MsWYcL2O58iWf0PBLOB1j4524hD0UHQ8nUdEyxg: Timeout during connect (likely firewall problem)

I find that what I quoted above is true more often than not.

4 Likes

Thank you Bruce,

The Lets Debug is very helpful to test this from an external source.
I use GoDaddy; could I be missing a record there for HTTP?

Internally looks like my server is responding to 80 and 443

$ nmap -Pn -p80,443 507club.com
Starting Nmap 7.93 ( https://nmap.org ) at 2024-12-10 16:20 MST
Nmap scan report for 507club.com (127.0.1.1)
Host is up (0.00011s latency).
Other addresses for 507club.com (not scanned): 192.168.0.22

PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 0.06 seconds

2 Likes

Yeah, but a firewall (or router) can prevent that from the external point of view.
If you try with a smartphone with Wi-Fi off, you will see that the connection cannot be made with its web browser. Internal traffic doesn't have to pass through the filters of the firewall (or router) the same way external traffic does.

Just checked again, no change.

$ nmap -Pn -p80,443 507club.com
Starting Nmap 7.80 ( https://nmap.org ) at 2024-12-10 23:45 UTC
Nmap scan report for 507club.com (75.70.159.234)
Host is up.

PORT    STATE    SERVICE
80/tcp  filtered http
443/tcp filtered https

Nmap done: 1 IP address (1 host up) scanned in 3.48 seconds
4 Likes
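The point of the exchange above is that an nmap from the Pi itself (or from anywhere on the LAN) never crosses the router's port-forwarding and firewall rules, so it cannot reproduce what the CA sees. The script below is an added example, not certbot or Let's Encrypt code: it writes a token file where `certbot --webroot` would, fetches it over plain HTTP the way the validation server does, and classifies the outcome so that "Timeout during connect (likely firewall problem)" (dropped packets), "connection refused" (port forwarded but nothing listening) and a 404 (wrong `--webroot-path`) are told apart. The real ACME response body is `token.thumbprint`; here the expected body is simply passed in. The `demo()` function serves a temporary directory on loopback only to exercise each verdict offline, which is exactly the internal view that misled the poster; to test a live host, call `check_http01` with the public hostname and port 80 from a machine outside the LAN (the function names, the verdict strings and the sample tokens are this example's own).

```python
"""Reproduce the CA's HTTP-01 fetch and classify the failure mode.

Added example (not certbot or Let's Encrypt code). Verdicts:
  ok / wrong_content  - file served (content compared to `expected`)
  not_found           - web server answered 404: wrong --webroot-path
  timeout             - connect timed out: firewall / NAT drops port 80
  refused             - port reachable but nothing listening
  error               - DNS failure, no route, etc.
"""
import functools
import http.server
import os
import socket
import tempfile
import threading
import urllib.error
import urllib.request

CHALLENGE_DIR = ".well-known/acme-challenge"

# The CA does not use your proxy settings, so neither does this check.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def write_token(webroot: str, token: str, body: str) -> str:
    """Create the file certbot --webroot would create for this token."""
    path = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(path, exist_ok=True)
    full = os.path.join(path, token)
    with open(full, "w", encoding="ascii") as fh:
        fh.write(body)
    return full


def check_http01(host: str, token: str, expected: str,
                 port: int = 80, timeout: float = 5.0) -> str:
    """Fetch the token like the validation server would; return a verdict."""
    url = f"http://{host}:{port}/{CHALLENGE_DIR}/{token}"
    try:
        with _OPENER.open(url, timeout=timeout) as resp:
            body = resp.read().decode("ascii", "replace")
    except urllib.error.HTTPError as exc:        # server answered, but not 200
        return "not_found" if exc.code == 404 else f"http_{exc.code}"
    except urllib.error.URLError as exc:         # no HTTP answer at all
        reason = exc.reason
        if isinstance(reason, (socket.timeout, TimeoutError)):
            return "timeout"                     # packets dropped: firewall/NAT
        if isinstance(reason, ConnectionRefusedError):
            return "refused"                     # port open, nothing listening
        return "error"
    except (socket.timeout, TimeoutError):       # read timed out mid-response
        return "timeout"
    return "ok" if body.strip() == expected else "wrong_content"


class _QuietHandler(http.server.SimpleHTTPRequestHandler):
    def log_message(self, *args):               # keep demo output clean
        pass


def serve(webroot: str) -> http.server.ThreadingHTTPServer:
    """Serve webroot on a random loopback port (stand-in for Apache)."""
    handler = functools.partial(_QuietHandler, directory=webroot)
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def demo() -> dict:
    """Exercise three constructed situations on loopback (hypothetical tokens)."""
    good_root = tempfile.mkdtemp()    # the webroot Apache really serves
    other_root = tempfile.mkdtemp()   # a mistaken --webroot-path
    srv = serve(good_root)
    port = srv.server_address[1]
    results = {}
    write_token(good_root, "tok1", "tok1.thumbprint")
    results["right_webroot"] = check_http01("127.0.0.1", "tok1", "tok1.thumbprint", port)
    write_token(other_root, "tok2", "tok2.thumbprint")
    results["wrong_webroot"] = check_http01("127.0.0.1", "tok2", "tok2.thumbprint", port)
    srv.shutdown()
    srv.server_close()                # now nothing listens on that port
    results["nothing_listening"] = check_http01("127.0.0.1", "tok1", "x", port, timeout=2)
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:18s} -> {verdict}")
```

Only a `timeout` verdict from an outside vantage point matches the CA error in this thread; `ok` from the LAN proves nothing about the router, which is why the Let's Debug and external nmap results were the ones that mattered.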

Thank you Bruce... looking good now.
I was able to accept the HTTP port 80 requests and update the cert. :wink:

Valid until Mar 10 23:30:55 2025 GMT

All OK!

OK

No issues were found with 507club.com. If you are having problems with creating an SSL certificate, please visit the Let's Encrypt Community forums and post a question there.

3 Likes

Hi @johnaevansjr,

You are welcome! :slight_smile:

Supplemental: this is the certificate that was issued today, crt.sh | 15704855949, and it can be seen being served here: https://decoder.link/sslchecker/507club.com/443

I see your DNS has a CNAME for www.

However, the certificate mentioned above only covers the domain name 507club.com, not www.507club.com. Thus, if someone comes to your site via www.507club.com, there will be a TLS error for them. You might want to add the domain www.507club.com in addition to what you already have.

For 507club.com: SSL Server Test: 507club.com (Powered by Qualys SSL Labs)
For www.507club.com: SSL Server Test: www.507club.com (Powered by Qualys SSL Labs)
had "Alternative names 507club.com MISMATCH", then "Assessment failed: Unable to connect to the server".

Also, there is a newer Certbot 3.0.1 release.
Snap instructions can be found here: https://certbot.eff.org/instructions?ws=apache&os=snap
and pip instructions can be found here: https://certbot.eff.org/instructions?ws=apache&os=pip

Snap is the preferred, recommended method.

2 Likes
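The name mismatch described above is easy to catch before a visitor does: every `ServerName`/`ServerAlias` in the vhost should appear in the certificate's Subject Alternative Names. The script below is an added example, not the poster's configuration or certbot code. The vhost snippet and SAN list are constructed to mirror the thread (apex name plus a www alias, certificate covering only the apex); it extracts the vhost names, reports the ones no SAN covers, and builds the `-d` arguments for a `certbot --expand` run that adds them. It goes a little beyond the thread by handling wildcard SANs with the single-label rule (`*.507club.com` covers `www.507club.com` but neither `a.b.507club.com` nor the apex); the function names are this example's own.

```python
"""Find vhost names a certificate's SANs do not cover (added example).

Not the page's or certbot's code. Wildcard matching follows the usual
single-label rule: "*.example.com" matches "www.example.com" only.
"""
import re

# Constructed sample, not the poster's real Apache configuration.
SAMPLE_VHOST = """
<VirtualHost *:443>
    ServerName 507club.com
    ServerAlias www.507club.com
    DocumentRoot /var/www/html/507club
</VirtualHost>
"""

# SANs on the certificate as described in the thread (apex only).
SAMPLE_SANS = ["507club.com"]


def vhost_names(conf: str):
    """Extract ServerName/ServerAlias values, dropping any scheme and port."""
    names = []
    for m in re.finditer(r"^\s*Server(?:Name|Alias)\s+(.+?)\s*$", conf, re.M):
        for raw in m.group(1).split():
            name = re.sub(r"^[a-z]+://", "", raw, flags=re.I).split(":")[0]
            name = name.lower().rstrip(".")
            if name and name not in names:
                names.append(name)
    return names


def san_covers(hostname: str, sans) -> bool:
    """True if any SAN matches hostname exactly or as a one-label wildcard."""
    host = hostname.lower().rstrip(".")
    for san in sans:
        san = san.lower().rstrip(".")
        if san == host:
            return True
        if san.startswith("*."):
            suffix = san[1:]                                   # ".507club.com"
            head = host[:-len(suffix)] if host.endswith(suffix) else ""
            if head and "." not in head:                       # exactly one label
                return True
    return False


def uncovered(names, sans):
    """Vhost names that would produce a TLS name-mismatch error."""
    return [n for n in names if not san_covers(n, sans)]


def certbot_domain_args(names):
    """Arguments for a certbot run that reissues one cert with every name."""
    args = ["--expand"]
    for n in names:
        args += ["-d", n]
    return args


if __name__ == "__main__":
    names = vhost_names(SAMPLE_VHOST)
    missing = uncovered(names, SAMPLE_SANS)
    print("vhost names :", names)
    print("not covered :", missing)
    if missing:
        print("rerun with  :", " ".join(certbot_domain_args(names)))
```

The www name must also resolve and be reachable on port 80 for its own HTTP-01 challenge, so the same external reachability check applies to every name added.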

Really appreciate your help Bruce.

I've added www.507club.com as you suggested and renewed the cert.

Thanks also for the Certbot version upgrade;
I'll work on that next.

3 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.