Failed to renew

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: eam.esss.lu.se

I ran this command: certbot --text --agree-tos --non-interactive certonly -a standalone --keep-until-expiring --cert-name eam.esss.lu.se -d eam.esss.lu.se --http-01-port=8888

It produced this output:
Domain: eam.esss.lu.se
Type: connection
Detail: Fetching http://eam.esss.lu.se/.well-known/acme-challenge/56JU3a3FrYdsaF6Mj3L8kkBGtJ5XftfYlfQdfYgXvLw: Error getting validation data

{
  "identifier": {
    "type": "dns",
    "value": "eam.esss.lu.se"
  },
  "status": "invalid",
  "expires": "2020-03-25T12:51:26Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:connection",
        "detail": "Fetching http://eam.esss.lu.se/.well-known/acme-challenge/56JU3a3FrYdsaF6Mj3L8kkBGtJ5XftfYlfQdfYgXvLw: Error getting validation data",
        "status": 400
      },

The operating system my web server runs on is (include version): CentOS 7

I can login to a root shell on my machine (yes or no, or I don’t know): yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 1.0.0

Hi @limanzhang

Checking that domain, there is a blocking instance - https://check-your-website.server-daten.de/?q=eam.esss.lu.se#url-checks

Domainname                                                                                    Http-Status  redirect  Sec.   G
http://eam.esss.lu.se/                                                         194.47.240.61  -8                     0.173  W
    ConnectionClosed - The underlying connection was closed: The connection was closed unexpectedly.
https://eam.esss.lu.se/                                                        194.47.240.61  -8                     0.563  W
    ConnectionClosed - The underlying connection was closed: The connection was closed unexpectedly.
http://eam.esss.lu.se/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de  194.47.240.61  -8  0.140  W
    ConnectionClosed - The underlying connection was closed: The connection was closed unexpectedly.

--standalone is hard to debug. Isn't it possible to create a web server you can use to validate your domain?

Does your port rule work:

external port 80 -> internal port 8888?
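The check-your-website output above and the port-rule question come down to one thing: can an outside client open a TCP connection to port 80 on eam.esss.lu.se and read the challenge file? Let's Encrypt always connects to port 80; `--http-01-port=8888` only changes where certbot's standalone responder listens, so something in front of it must forward 80 to 8888. The following is an added example (not from this thread and not certbot's or Let's Encrypt's code) that reproduces the validator's fetch locally and classifies the outcome the way the ACME error types do. It runs a minimal stand-in for certbot's standalone responder and a listener that drops every connection, which is what the `ConnectionClosed` rows look like from outside. The token is the one from the post; the key-authorization body, the listener addresses and the `run_checks` helper are constructed for the example.

```python
"""Reproduce an http-01 validation fetch and classify the outcome.

Added example, not from the thread and not certbot's or Let's Encrypt's code.
A 2xx with the key authorization is the only outcome that satisfies the
validator; an HTTP error means the web server answered but the file is
missing or redirected; a refused, dropped or timed-out connection is the
urn:ietf:params:acme:error:connection class seen in the post.
"""
import http.server
import socket
import threading
import urllib.error
import urllib.request

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
TOKEN = "56JU3a3FrYdsaF6Mj3L8kkBGtJ5XftfYlfQdfYgXvLw"    # token from the post
KEY_AUTHZ = TOKEN + ".constructed-account-key-thumbprint"  # placeholder body

# Proxy variables in the environment would distort a reachability test.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def classify_fetch(url, timeout=5.0):
    """Return ('ok', body), ('http', status) or ('connection', reason)."""
    try:
        with _OPENER.open(url, timeout=timeout) as resp:
            return ("ok", resp.read().decode("ascii", "replace").strip())
    except urllib.error.HTTPError as e:        # subclass of URLError: catch first
        return ("http", e.code)
    except (urllib.error.URLError, OSError) as e:
        return ("connection", str(getattr(e, "reason", e)))


class ChallengeHandler(http.server.BaseHTTPRequestHandler):
    """Serves key authorizations the way certbot's standalone plugin does."""

    def do_GET(self):
        token = self.path[len(CHALLENGE_PREFIX):] if self.path.startswith(CHALLENGE_PREFIX) else ""
        body = self.server.responses.get(token)
        if body is None:
            self.send_error(404, "unknown challenge token")
            return
        data = body.encode("ascii")
        self.send_response(200)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the demo output clean
        pass


def start_challenge_server(responses):
    """Standalone-style responder on an ephemeral loopback port."""
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), ChallengeHandler)
    srv.responses = responses
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def start_dropping_listener():
    """Accept every TCP connection and close it at once, like a filtering
    proxy that rejects clients outside its allow-list."""
    sock = socket.socket()
    sock.bind(("127.0.0.1", 0))
    sock.listen(5)

    def loop():
        while True:
            try:
                conn, _ = sock.accept()
            except OSError:   # listener closed by run_checks
                return
            conn.close()

    threading.Thread(target=loop, daemon=True).start()
    return sock


def free_port():
    """A loopback port with no listener, to provoke 'connection refused'."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def run_checks():
    """Exercise the four outcomes; returns {case: (class, detail)}."""
    srv = start_challenge_server({TOKEN: KEY_AUTHZ})
    drop = start_dropping_listener()
    base = "http://127.0.0.1:%d" + CHALLENGE_PREFIX
    results = {
        "served":  classify_fetch(base % srv.server_address[1] + TOKEN),
        "missing": classify_fetch(base % srv.server_address[1] + "not-the-token"),
        "dropped": classify_fetch(base % drop.getsockname()[1] + TOKEN),
        "refused": classify_fetch(base % free_port() + TOKEN),
    }
    srv.shutdown()
    srv.server_close()
    drop.close()
    return results


if __name__ == "__main__":
    for case, (kind, detail) in run_checks().items():
        print(f"{case:8s} -> {kind:10s} {detail}")
```

To test a real deployment, run `classify_fetch("http://eam.esss.lu.se/.well-known/acme-challenge/<token>")` from a host outside the allow-list while certbot's standalone responder is up; only an `ok` result with the expected key authorization means the port-80-to-8888 path works for an arbitrary external client.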

Here is the topology:
external client -> reverse proxy (port 80) -> backend app
internal client -> backend app

So we have different DNS settings for external and internal clients. Could that be the root cause?

Hi,

I think I know the reason now. We deny all requests to eam.esss.lu.se except from some whitelisted IPs. Could you give me the IPs of the Let's Encrypt renewal servers so that I can add them to the whitelist?

Thank you.

No.

https://letsencrypt.org/docs/faq/
What IP addresses does Let’s Encrypt use to validate my web server?

We don’t publish a list of IP addresses we use to validate, and these IP addresses may change at any time. Note that we now validate from multiple IP addresses.

If you can’t allow connections from anywhere, you should consider moving to the dns-01 challenge.
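The reason dns-01 sidesteps the allow-list problem is that the validator never connects to the web server at all: it looks up a TXT record whose value is derived from the challenge token and the ACME account key. The example below (added here; not from this thread and not certbot's code) computes both what http-01 must serve on port 80 and what dns-01 must publish, following RFC 8555 sections 8.1, 8.3 and 8.4 and the JWK thumbprint of RFC 7638. The account key is a constructed placeholder JWK with a fake modulus; a real client uses its registered account key, and the token comes from the ACME server's challenge object.

```python
"""What an ACME client must publish for http-01 versus dns-01.

Added example, not from the thread and not certbot's code. ACCOUNT_JWK is a
constructed placeholder; only the e/kty/n members matter for the thumbprint.
"""
import base64
import hashlib
import json

# Constructed placeholder account key (the real "n" is a 2048-bit modulus).
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": "constructed-modulus", "alg": "RS256"}


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def sha256_b64url(data: bytes) -> str:
    return b64url(hashlib.sha256(data).digest())


def canonical_jwk(jwk: dict) -> str:
    """RFC 7638 canonical form: only the required members for the key type,
    lexicographically ordered, no whitespace. Optional members like "alg" or
    "use" are dropped, so they cannot change the thumbprint."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    return json.dumps(members, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    return sha256_b64url(canonical_jwk(jwk).encode("utf-8"))


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 8.1: token || '.' || base64url(JWK_Thumbprint(accountKey)).
    Binding the token to the account key is what stops another ACME account
    from completing a challenge it observed."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def http01_resource(domain: str, token: str, account_jwk: dict):
    """RFC 8555 8.3: the validator fetches this URL over plain HTTP on port 80
    (certbot's --http-01-port only moves the local listener) and expects the
    key authorization as the body."""
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    return url, key_authorization(token, account_jwk)


def dns01_record(domain: str, token: str, account_jwk: dict):
    """RFC 8555 8.4: the validator queries a TXT record instead of connecting
    to the host, so an inbound allow-list is irrelevant. For a wildcard the
    leading '*.' is stripped before prefixing _acme-challenge."""
    base = domain[2:] if domain.startswith("*.") else domain
    name = f"_acme-challenge.{base}"
    value = sha256_b64url(key_authorization(token, account_jwk).encode("ascii"))
    return name, value


if __name__ == "__main__":
    token = "56JU3a3FrYdsaF6Mj3L8kkBGtJ5XftfYlfQdfYgXvLw"   # token from the post
    url, body = http01_resource("eam.esss.lu.se", token, ACCOUNT_JWK)
    print("http-01: GET", url, "must return", body)
    name, value = dns01_record("eam.esss.lu.se", token, ACCOUNT_JWK)
    print("dns-01 : TXT", name, "=", value)
```

Note that the TXT value is a hash of the key authorization, not the key authorization itself, while the http-01 body is the raw key authorization; mixing the two up is a common cause of `invalid` authorizations when people script dns-01 by hand.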