Failed to renew automatically with certbot installed with snap

Hello, I have a question on how to correctly configure certbot installed with snap on Ubuntu to automatically renew the cert.

Basically my site is hosted with nginx, and the cert needed renewal a few days ago and it failed.

So I needed to manually renew it by using sudo certbot renew --nginx.
(Without the --nginx flag it says "timeout during connect (likely firewall problem)", probably because it does not know how to do the ACME challenge.)

Then I went into the logs for the certbot renew service:
sudo systemctl status snap.certbot.renew.service

Sep 27 00:54:29 desktop systemd[1]: Starting Service for snap application certbot.renew...
Sep 27 00:57:09 desktop certbot.renew[71602]: Failed to renew certificate with error: Some challenges have failed.
Sep 27 00:57:09 desktop certbot.renew[71602]: All renewals failed. The following certificates could not be renewed:
Sep 27 00:57:09 desktop certbot.renew[71602]:   /etc/letsencrypt/live/mysite.com/fullchain.pem (failure)
Sep 27 00:57:09 desktop certbot.renew[71602]: 1 renew failure(s), 0 parse failure(s)
Sep 27 00:57:09 desktop systemd[1]: snap.certbot.renew.service: Main process exited, code=exited, status=1/FAILURE
Sep 27 00:57:09 desktop systemd[1]: snap.certbot.renew.service: Failed with result 'exit-code'.
Sep 27 00:57:09 desktop systemd[1]: Failed to start Service for snap application certbot.renew.

Apparently it has the same problem, where the automatic renewal service doesn't know to use --nginx to do the ACME challenge.

How do I make the automatic renewal work?

Thanks all

NOTE: My server is listening on port 8080, and when the renewal failed I read that the ACME challenge needs port 80 open for it to work. When I tried to renew manually I also added the --nginx flag, so I am not sure whether '--nginx' or opening the port was the cause. Since my cert is renewed now I can't test what happens if I close port 80. So I can only test this 3 months later...

Hi @gabrielwong1991, and welcome to the LE community forum 🙂

You can test with the --staging environment.

What version of Ubuntu are you running?

It should be automatic.

How was it renewed?

5 Likes

For example

certbot renew --dry-run

will use the staging environment automatically and simulate a renewal.

5 Likes

Solved: I tried with the simulated environment, and it is the port that I need to open. Port 80!

Is there a way I could specify the port the ACME challenge goes to? Like port 8080?

Thanks all!

3 Likes

For HTTP-01 authentication, the ACME challenge will always go to port 80 (HTTP) over the Internet.
[That port can then be NAT/port-forwarded to any other internal port.]

5 Likes
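To make the port-80 point concrete, here is an added example (not code from this thread, from certbot, or from Let's Encrypt) that plays both sides of an HTTP-01 validation locally: it computes the key authorization the validator expects (token + "." + RFC 7638 thumbprint of the account key), serves it under /.well-known/acme-challenge/ the way certbot's nginx/webroot plugins do, and then "validates" it the way the CA does. The account key and token are constructed values, not a real key; the port parameter stands in for the port a real validator dials, which is always 80, so the wrong-port case reproduces the "timeout during connect"/connection-refused failure from the original post.

```python
"""HTTP-01 key authorization and a local stand-in for the ACME validator.

Added example (not code from the thread, certbot, or Let's Encrypt). The
key and token below are constructed for the demo; the port argument stands
in for the port a real validator dials, which is always 80 (RFC 8555 §8.3).
"""
import base64
import hashlib
import json
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import urlopen

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME/JOSE use it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: required members only, sorted, no whitespace, SHA-256."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 §8.1: the body the validator expects is <token>.<thumbprint>."""
    return f"{token}.{jwk_thumbprint(jwk)}"


# Constructed demo account key (NOT a real RSA key) and token.
DEMO_JWK = {"kty": "RSA", "e": "AQAB",
            "n": b64url(b"constructed demo modulus, not a real RSA key")}
DEMO_TOKEN = "constructedDemoToken-0123456789abcdefXYZ"


def serve_challenge(token: str, jwk: dict, host: str = "127.0.0.1", port: int = 0):
    """Serve the key authorization the way certbot's nginx/webroot plugins do.

    Returns (server, bound_port). port=0 picks a free port for the demo.
    """
    key_auth = key_authorization(token, jwk).encode("ascii")

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            if self.path == CHALLENGE_PREFIX + token:
                self.send_response(200)
                self.send_header("Content-Type", "application/octet-stream")
                self.send_header("Content-Length", str(len(key_auth)))
                self.end_headers()
                self.wfile.write(key_auth)
            else:
                self.send_error(404)

        def log_message(self, fmt, *args):  # keep the demo quiet
            pass

    server = HTTPServer((host, port), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def validate_http01(host: str, port: int, token: str, jwk: dict, timeout: float = 2.0):
    """Do what the ACME validator does: GET the challenge URL and compare the body.

    Returns (passed, reason). A real validator always uses port 80; taking the
    port as a parameter lets the demo show the wrong-port failure from the thread.
    """
    url = f"http://{host}:{port}{CHALLENGE_PREFIX}{token}"
    try:
        with urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("ascii", "replace").strip()
    except HTTPError as exc:  # reachable, but the challenge file is not served
        return False, f"HTTP {exc.code}: challenge file not served"
    except OSError as exc:  # refused / timed out: the "likely firewall problem" case
        return False, f"connect failed: {exc}"
    if body != key_authorization(token, jwk):
        return False, "body does not match the key authorization"
    return True, "ok"


def free_closed_port() -> int:
    """Pick a port nothing listens on (simulates the validator hitting a closed port 80)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def run_demo():
    """Right port passes; a port nothing listens on fails to connect."""
    server, port = serve_challenge(DEMO_TOKEN, DEMO_JWK)
    try:
        right = validate_http01("127.0.0.1", port, DEMO_TOKEN, DEMO_JWK)
        wrong = validate_http01("127.0.0.1", free_closed_port(), DEMO_TOKEN, DEMO_JWK)
        return {"right_port": right, "wrong_port": wrong}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for name, (passed, reason) in run_demo().items():
        print(f"{name}: {'PASS' if passed else 'FAIL'} ({reason})")
```

The takeaway matches Rudy's answer: nothing in the challenge itself carries a port number, so serving the response on 8080 is only useful if whatever sits on port 80 (nginx, a NAT rule, a port forward) delivers that exact path to it.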

In addition to what Rudy already mentioned: Let's Encrypt is bound by the CA/Browser Forum Baseline Requirements which make this mandatory. So it's not up to Let's Encrypt.

4 Likes

Thank you all for your inputs! The most helpful forum ever!

2 Likes
