Failed to renew automatically with certbot installed with snap

gabrielwong1991 · September 27, 2022, 2:18pm

Hello I have a question on how to correctly configure certbot installed with snap in Ubuntu to automatically renew the cert.

Basically my site is hosted with nginx and the cert needs renewal few days ago and it failed.

So I need to manually renew it by using sudo certbot renew --nginx.
(without --nginx flag it will say "timeout during connect (likely firewall problem)", probably because it does not know how to do the ACME challenge).

Then I go into the logs for the certbot renew service:
sudo systemctl status snap.certbot.renew.service

Sep 27 00:54:29 desktop systemd[1]: Starting Service for snap application certbot.renew...
Sep 27 00:57:09 desktop certbot.renew[71602]: Failed to renew certificate with error: Some challenges have failed.
Sep 27 00:57:09 desktop certbot.renew[71602]: All renewals failed. The following certificates could not be renewed:
Sep 27 00:57:09 desktop certbot.renew[71602]:   /etc/letsencrypt/live/mysite.com/fullchain.pem (failure)
Sep 27 00:57:09 desktop certbot.renew[71602]: 1 renew failure(s), 0 parse failure(s)
Sep 27 00:57:09 desktop systemd[1]: snap.certbot.renew.service: Main process exited, code=exited, status=1/FAILURE
Sep 27 00:57:09 desktop systemd[1]: snap.certbot.renew.service: Failed with result 'exit-code'.
Sep 27 00:57:09 desktop systemd[1]: Failed to start Service for snap application certbot.renew.

Apparently it has the same problem where the automatic renewal service don't know to use --nginx to do ACME challenge.

How do I make the automatic renewal work?

Thanks all

NOTE: My server is listening on port 8080 and when the renewal failed I read about the ACME challenge need to open port 80 for it to work. At the point when trying to renew manually I also added --nginx flag so I am not sure if the '--nginx' or the port opening is the cause. Since my cert is renewed now I can't test what happened if I close port 80 off. So I can only test this 3 months later...

rg305 · September 27, 2022, 5:03pm

Hi @gabrielwong1991, and welcome to the LE community forum

You can test with the --staging environment.

What version of Ubuntu are you running?

It should be automatic.

How was it renewed?

schoen · September 27, 2022, 5:04pm

For example

certbot renew --dry-run

will use the staging environment automatically and simulate a renewal.

gabrielwong1991 · September 27, 2022, 6:14pm

Solved: I tried with the simulated environment and it is the port that I need to open. Port 80!

Is there a way I could specify the port the ACME challenge goes to? Like port 8080?

Thanks all!

rg305 · September 27, 2022, 6:27pm

For HTTP-01 authentication, the ACME challenge will always go to port 80 (HTTP) over the Internet.
[that port can then be NAT/port forwarded to any other internal port]

Osiris · September 27, 2022, 8:18pm

In addition to what Rudy already mentioned: Let's Encrypt is bound by the CA/Browser Forum Baseline Requirements which make this mandatory. So it's not up to Let's Encrypt.

gabrielwong1991 · September 27, 2022, 9:09pm

Thank you all for your inputs! The most helpful forum ever!

system · October 27, 2022, 9:09pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Making sure auto-renewal is enabled with certbot Help	10	23632	October 16, 2023
Snap install of certbot on ubuntu 22 - renew process Help	10	2885	June 1, 2023
Can't renew one of my domains Help	6	874	March 8, 2021
Automatic Renewal not working Help	6	555	December 23, 2023
Upgraded to snap and now have problems Help	6	694	February 9, 2021

Failed to renew automatically with certbot installed with snap

Related topics