Failed to update let's encrypt certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: jsid.edu.et, www.jsid.edu.et

I ran this command: certbot --force-renewal -d www.jsid.edu.et,jsid.edu.et

It produced this output: "Renewing an existing certificate
Performing the following challenges:
http-01 challenge for jsid.edu.et
http-01 challenge for www.jsid.edu.et
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. jsid.edu.et (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: 196.189.91.218: Fetching http://1.1.1.2/webAuth/index.htm?jsid.edu.et/.well-known/acme-challenge/cQUucLKGBy2rWhaKovRgkG6CLhSo_8nb6QO0f5qgiP8: Invalid host in redirect target "1.1.1.2". Only domain names are supported, not IP addresses, www.jsid.edu.et (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: 196.189.91.218: Fetching http://www.jsid.edu.et/.well-known/acme-challenge/rHSZ2sScCWN7R3v0Ww1XABH-LcTU3G-Gs-cmtBK9hnk: Connection reset by peer"

My web server is (include version): Apache/2.4.29 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 18.04.5 LTS

My hosting provider, if applicable, is: Ethiotelecom

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): webmin

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.27.0

Please don't use this option unless you know what it actually does. What it does NOT do is magically force Let's Encrypt to issue a certificate without a valid authorization and thus does not help in your case.

Furthermore, the error message returned by the ACME server regarding the invalid host in the redirection target should provide more than enough information for you to proceed with. If that is not the case, please elaborate on what is not clear about the error message and/or any issue you're having with it.

Also, your Certbot version is ancient. While updating Certbot would not fix the issue you're currently having, I do recommend updating to the most recent version.

3 Likes

Same here, I can't renew certs, not with certbot. I think it has to do with Ethiotelecom.

Thank you, but even after updating certbot to 1.3, it's redirecting to http://1.1.1.2/webAuth/index.htm?jsid.edu.et/.well-known/acme-challenge/QQICBCpgScLcfMZoa5x480Sz1vqmgsROMmelWJIL9RI: Invalid host in redirect target "1.1.1.2". Only domain names are supported, not IP addresses. How do I configure this with the ACME protocol?

1 Like

The redirect is being done by your server. If webmin is managing your Apache config then check its settings.

4 Likes
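As an added illustration (not code from this thread or from Certbot) of why the validator rejected the redirect quoted above: a small offline checker that applies the same redirect rules to a constructed chain. The rules mirrored here are the one stated in the error message (redirect targets must be domain names, not IP addresses) plus Let's Encrypt's documented http-01 behavior of following only http/https redirects on ports 80/443 for at most 10 hops; the token and the response map are constructed assumptions.

```python
import ipaddress
from typing import Optional, Tuple
from urllib.parse import urlsplit

MAX_REDIRECTS = 10                            # Let's Encrypt stops after 10 hops
ALLOWED_PORTS = {"http": 80, "https": 443}    # only these schemes/default ports

def redirect_problem(location: str) -> Optional[str]:
    """Return why an http-01 validator would reject this Location header, or None."""
    parts = urlsplit(location)
    if parts.scheme not in ALLOWED_PORTS:
        return f"scheme {parts.scheme!r} not allowed (only http/https)"
    host = parts.hostname
    if not host:
        return "missing host in redirect target"
    try:
        ipaddress.ip_address(host)            # succeeds only for IPv4/IPv6 literals
    except ValueError:
        pass                                  # a DNS name, as required
    else:
        return f"Invalid host in redirect target {host!r}: only domain names, not IP addresses"
    port = parts.port or ALLOWED_PORTS[parts.scheme]
    if port not in ALLOWED_PORTS.values():
        return f"port {port} not allowed (only 80/443)"
    return None

def check_chain(start_url: str, responses: dict) -> Tuple[str, str]:
    """Walk a constructed chain {url: (status, location)}; report the first problem."""
    url, hops = start_url, 0
    while True:
        status, location = responses.get(url, (200, None))
        if status not in (301, 302, 303, 307, 308):
            return ("ok", url) if status == 200 else (f"HTTP {status}", url)
        hops += 1
        if hops > MAX_REDIRECTS:
            return ("too many redirects", url)
        problem = redirect_problem(location)
        if problem:
            return (problem, location)
        url = location

# Constructed sample chain resembling the failing validation in this thread
# (the token is a placeholder, not the real one from the log).
TOKEN = "EXAMPLE_TOKEN"
START = f"http://jsid.edu.et/.well-known/acme-challenge/{TOKEN}"
CAPTIVE_PORTAL = f"http://1.1.1.2/webAuth/index.htm?jsid.edu.et/.well-known/acme-challenge/{TOKEN}"
SAMPLE_RESPONSES = {START: (302, CAPTIVE_PORTAL)}

if __name__ == "__main__":
    print(check_chain(START, SAMPLE_RESPONSES))
```

Feeding the checker the real Location headers captured with `curl -I` on the server is a quick way to confirm the redirect is gone before re-running certbot.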

Thank you for the reply. Yeah, there is webmin and I tried to disable it to bypass the redirection to 1.1.1.2, and I am still unable to figure out the problem.
I also tried to install certbot using snap install --classic certbot; it started downloading and the download progress became 100% immediately, then it shows this.

1 Like

Good news is I see the redirects look normal now.

Bad news is it looks like your system's DNS is not working right. What do these commands show?

curl -I https://api.snapcraft.io
curl -4 https://ifconfig.co
3 Likes

curl -I https://api.snapcraft.io prints: [image]

curl -4 https://ifconfig.co gives 196.189.91.218 which is my public IP

1 Like

Those look good. I'm not sure how to proceed. Maybe another volunteer will have an idea or try the snapcraft forum.

One thing ... did you just try it again? Maybe it was a temp problem.

3 Likes

Now that the redirection has been removed, I would try again.
Maybe first use the testing/staging environment:
certbot -d www.jsid.edu.et,jsid.edu.et --dry-run

3 Likes

--dry-run currently only works with the 'certonly' or 'renew' subcommands ('run')

Well, you're trying to renew, right? So the renew subcommand would fit I believe.

3 Likes

Same problem. The issue is the ACME challenge. What TXT value should I put in the DNS text record to verify the ownership of my domain?

Where does the dns-01 challenge suddenly come from? Previously only the http-01 challenge was used.

4 Likes

Yeah, the http-01 challenge. But in any case it can be fixed.

That's owned by cloudflare, it's unlikely that redirect will point to something working. Unless that's intended. Are you redirecting foreign connections to that IP?

3 Likes

Did you try?:
certbot certonly -d www.jsid.edu.et,jsid.edu.et --dry-run

If so, what does the log file show?

3 Likes

sudo snap install --classic certbot
error: cannot perform the following tasks:

Your system can't connect to your DNS server. That's going to be a problem on your end.

3 Likes

Thank you danb35, but how did you verify that? So how can I fix it?