Failed to renew certificate

My domain is: api.greencert.se

I ran this command: sudo certbot renew --cert-name api.greencert.se --dry-run --debug

It produced this output:
sudo: unable to resolve host ip-172-31-19-140: Name or service not known
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/api.greencert.se.conf


Account registered.
Simulating renewal of an existing certificate for api.greencert.se

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: api.greencert.se
Type: connection
Detail: 13.50.110.44: Fetching http://api.greencert.se/.well-known/acme-challenge/_gZLmXqp2yXBLxHfqw6N57X04nSMHOvr3viUMHx583M: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Failed to renew certificate api.greencert.se with error: Some challenges have failed.


All simulated renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/api.greencert.se/fullchain.pem (failure)


Exiting abnormally:
Traceback (most recent call last):
File "/usr/bin/certbot", line 33, in
sys.exit(load_entry_point('certbot==1.21.0', 'console_scripts', 'certbot')())
File "/usr/lib/python3/dist-packages/certbot/main.py", line 15, in main
return internal_main.main(cli_args)
File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 1574, in main
return config.func(config, plugins)
File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 1460, in renew
renewal.handle_renewal_request(config)
File "/usr/lib/python3/dist-packages/certbot/_internal/renewal.py", line 500, in handle_renewal_request
raise errors.Error("{0} renew failure(s), {1} parse failure(s)".format(
certbot.errors.Error: 1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

The "Timeout during connect" means the Let's Encrypt server was not able to connect to your domain's server using HTTP. This is required to satisfy the HTTP Challenge you chose with the --nginx option.

I cannot connect to your site using HTTP or HTTPS. Have you recently changed the public IP your EC2 instance uses? Did you update the DNS if so?

Have you changed any EC2 Security Rules which might block all outside access?

This shows the HTTP connection problem: Let's Debug

This shows the HTTPS connection problem: SSL Server Test: api.greencert.se (Powered by Qualys SSL Labs)

I haven't changed anything, but the current IP and the actual IP are different.

Can you explain more about that? The EC2 public IP should be in the DNS.

The EC2 private IP is not used from the public internet.

Non-authoritative answer:
Name: api.greencert.se
Address: 13.50.110.44

This is the current one, but the EC2 IP is this one: 99.81.77.37

Then that should be in your DNS.

The connectivity problem affects anyone trying to reach you from the public internet. It is not just Let's Encrypt that is failing.

Okay, got it, thanks.
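
The diagnosis reached in this thread, written as a pre-renewal check: it compares the domain's A record with the server's public IP and then tests port 80, so a stale DNS record and a blocked port are reported separately. This is an added example, not part of any post above; `preflight`, `resolve_a` and `port_open` are hypothetical names, and the expected IP is supplied by the operator.

```python
import socket

def resolve_a(name):
    """IPv4 addresses the local resolver returns for name."""
    infos = socket.getaddrinfo(name, 80, socket.AF_INET, socket.SOCK_STREAM)
    return {info[4][0] for info in infos}

def port_open(ip, port=80, timeout=5.0):
    """True if a TCP connect to ip:port completes within timeout."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False

def preflight(domain, expected_ip, resolve=resolve_a, probe=port_open):
    """Return (status, detail) for an HTTP-01 renewal of domain.

    expected_ip is an assumption supplied by the operator: the server's
    public address (on EC2 the public or Elastic IP, not the private one).
    """
    try:
        addrs = set(resolve(domain))
    except socket.gaierror as exc:
        return "dns-error", f"{domain} does not resolve: {exc}"
    if expected_ip not in addrs:
        return "dns-mismatch", (f"{domain} -> {sorted(addrs)}, server is "
                                f"{expected_ip}: update the A record")
    extra = sorted(addrs - {expected_ip})
    if extra:
        # Every published address must serve the challenge, not just one.
        return "dns-stale-extra", f"remove extra A records {extra}"
    if not probe(expected_ip):
        return "port-80-unreachable", (f"{expected_ip}:80 timed out or was "
                                       "refused: check security group and firewall")
    return "ok", f"{domain} -> {expected_ip}, port 80 reachable"

if __name__ == "__main__":
    # Constructed stubs replaying the thread's values, so this runs offline.
    stale_dns = lambda name: {"13.50.110.44"}
    print(preflight("api.greencert.se", "99.81.77.37", stale_dns, lambda ip: True))
    # Live check (uses the real resolver and a real TCP connect):
    # print(preflight("api.greencert.se", "99.81.77.37"))
```

Run the live probe from a host outside the VPC; a connect from the instance to its own public IP does not show what the validation server sees.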
