Fails to renew my certificate

Hello guys!

Some problems are happening when I try to renew my certificate:

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: glpi.kawasakibrasil.com
Type: connection
Detail: XXX.XXX.XX.XXX: Fetching http://glpi.kawasakibrasil.com/.well-known/acme-challenge/oohmz4OsxifSD4NlY3WLqsSZf_xdtXuZDp6qO0dtmH4: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Can someone help me with this error?

Hi @carvalhomayk Welcome to the Community.
Your error explains the issue.

PORT    STATE    SERVICE
22/tcp  filtered ssh
80/tcp  filtered http
443/tcp open     https

Port 80 needs to be open for the process to work.

Firewall? Router? ISP?
Check it out.

ALSO:

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

More information would be extremely helpful for the volunteers here.

4 Likes

Hello my friend, thanks for your time!

My domain is: glpi.kawasakibrasil.com

I ran this command: sudo certbot --nginx

It produced this output:
Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: glpi.kawasakibrasil.com
Type: connection

My web server is (include version): nginx version: nginx/1.14.1

The operating system my web server runs on is (include version):
NAME="Oracle Linux Server"
VERSION="8.9"
ID="ol"
ID_LIKE="fedora"

I checked the ports and all open!

You need to check it from outside the server - from the Internet.
From outside your own country.

4 Likes

Rudy is correct. You can easily confirm this from an external source.

4 Likes

Thanks guys for the comments.

I have a new question: in this case, do I need to open port 80 on the same server where my certbot runs? Is that it?

Because in my firewall, everything is okay.

1 Like

Technically, on the server that responds to HTTP requests for that domain arriving from the public internet.

Do you have any other comms equipment between your server and your ISP? Like a router or other NAT or port forwarding device? Might be a problem there

3 Likes

We simply need more information to help you.

Does your ISP block port 80?
Are you using a firewall on your webserver? If so which firewall are you using?
Oracle Linux Server is packaged with firewalld... are you using that?
If so please post the output from:

sudo firewall-cmd --zone=work --list-all

If not...
Do you have a separate firewall between your webserver and your router?
Port 80 has to be OPEN to the world. Something is blocking access to it.

3 Likes

Okay, let's go!

Does your ISP block port 80? No, that's not the problem.

Are you using a firewall on your webserver? No, we don't use one on the webserver.

If so which firewall are you using? We have a Cisco ASA 5506 to manage the rules.

Oracle Linux Server is packaged with firewalld... are you using that? No, but follow the command result:

(screenshot of the command output, posted 2024-02-06; not recoverable as text)

@carvalhomayk from around the world the Internet is seeing "Connection timed out" for http://glpi.kawasakibrasil.com
Permanent link to this check report

And from my location I see Port 80 is filtered

$ nmap -Pn -p80,443 glpi.kawasakibrasil.com
Starting Nmap 7.80 ( https://nmap.org ) at 2024-02-06 20:28 UTC
Nmap scan report for glpi.kawasakibrasil.com (200.206.66.126)
Host is up (0.20s latency).
rDNS record for 200.206.66.126: 200-206-66-126.interspeedy.com.br

PORT    STATE    SERVICE
80/tcp  filtered http
443/tcp open     https

Nmap done: 1 IP address (1 host up) scanned in 4.21 seconds

And using the online tool Let's Debug yields these results https://letsdebug.net/glpi.kawasakibrasil.com/1795027

ANotWorking
ERROR
glpi.kawasakibrasil.com has an A (IPv4) record (200.206.66.126) but a request to this address over port 80 did not succeed. Your web server must have at least one working IPv4 or IPv6 address.
A timeout was experienced while communicating with glpi.kawasakibrasil.com/200.206.66.126: Get "http://glpi.kawasakibrasil.com/.well-known/acme-challenge/letsdebug-test": context deadline exceeded

Trace:
@0ms: Making a request to http://glpi.kawasakibrasil.com/.well-known/acme-challenge/letsdebug-test (using initial IP 200.206.66.126)
@0ms: Dialing 200.206.66.126
@10000ms: Experienced error: context deadline exceeded
IssueFromLetsEncrypt
ERROR
A test authorization for glpi.kawasakibrasil.com to the Let's Encrypt staging service has revealed issues that may prevent any certificate for this domain being issued.
200.206.66.126: Fetching http://glpi.kawasakibrasil.com/.well-known/acme-challenge/h92nhoMQWDC1fi1faG_0VMPk4TeHHxPKBuGL_1Of0W0: Timeout during connect (likely firewall problem)

Make special note of that last line "200.206.66.126: Fetching http://glpi.kawasakibrasil.com/.well-known/acme-challenge/h92nhoMQWDC1fi1faG_0VMPk4TeHHxPKBuGL_1Of0W0: Timeout during connect (likely firewall problem)".

3 Likes
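The reply above relies on two checks done from outside the network: a TCP probe of ports 80 and 443 (nmap's open/closed/filtered states) and an HTTP GET of a path under `/.well-known/acme-challenge/`, which is what Let's Debug and the Let's Encrypt validation servers do. As an added example (not code from this thread, from Certbot or from Let's Debug), here is a small Python script that does both and turns the result into the same verdict the thread reaches: 443 open but 80 filtered means something in front of the server silently drops inbound port 80. The `start_local_challenge_server` and `free_port` helpers are constructed fixtures so the script can be exercised on localhost; the hostname, token and port numbers used there are assumptions, not values from the thread.

```python
"""External reachability check for an HTTP-01 challenge path (added example).

Not part of the forum thread, Certbot or Let's Debug. Run it from a host
outside your own network, as the replies advise; the local server below
exists only so the script can be tried offline.
"""
import socket
import sys
import threading
import http.client
from http.server import BaseHTTPRequestHandler, HTTPServer

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def probe_tcp(host, port, timeout=5.0):
    """Return 'open', 'closed', 'filtered' or 'unreachable' for host:port.

    'filtered' mirrors nmap's term: no answer at all within the timeout,
    which is what a firewall or ACL that silently drops traffic produces
    (the 'Timeout during connect' in the thread). 'closed' means the host
    answered with a reset: the packet arrived but nothing listens there.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:
        return "filtered"
    except ConnectionRefusedError:
        return "closed"
    except OSError:
        return "unreachable"


def fetch_challenge(host, token, port=80, timeout=10.0, addr=None):
    """GET http://host:port/.well-known/acme-challenge/<token>.

    Connects to addr (or host) but sends 'Host: host', like a validator.
    Returns (status, body) on any HTTP answer, or (None, reason) when no
    HTTP exchange happened. Even a 404 proves port 80 reaches a web server,
    which is the connectivity question the thread is about.
    """
    conn = http.client.HTTPConnection(addr or host, port, timeout=timeout)
    try:
        conn.request("GET", CHALLENGE_PREFIX + token, headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, resp.read().decode("utf-8", "replace")
    except socket.timeout:
        return None, "timeout during connect (likely firewall problem)"
    except OSError as exc:
        return None, f"connect error: {exc}"
    finally:
        conn.close()


def diagnose(domain, token="letsdebug-test", http_port=80, https_port=443, timeout=5.0):
    """Resolve the domain, probe both ports, try the challenge path, summarise."""
    try:
        addr = socket.gethostbyname(domain)
    except socket.gaierror as exc:
        return {"domain": domain, "verdict": f"DNS failure: {exc}"}
    report = {"domain": domain, "address": addr,
              "tcp80": probe_tcp(addr, http_port, timeout),
              "tcp443": probe_tcp(addr, https_port, timeout)}
    if report["tcp80"] == "open":
        status, body = fetch_challenge(domain, token, http_port, timeout, addr)
        report["http"] = status if status is not None else body
        report["verdict"] = "port 80 reachable; HTTP-01 connectivity OK"
    elif report["tcp80"] == "filtered":
        report["http"] = "not attempted"
        # Same pattern as the thread: 443 open, 80 filtered. nginx is not the
        # problem; a firewall, ACL or NAT rule drops inbound 80 before it arrives.
        report["verdict"] = "port 80 dropped before reaching the server (firewall/ACL/NAT)"
    elif report["tcp80"] == "closed":
        report["http"] = "not attempted"
        report["verdict"] = "host reached but nothing listens on port 80"
    else:
        report["http"] = "not attempted"
        report["verdict"] = "network unreachable from this vantage point"
    return report


def start_local_challenge_server(token, key_authorization):
    """Constructed fixture: throwaway server on 127.0.0.1 that answers the
    challenge path with key_authorization and 404 elsewhere; returns its port."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            ok = self.path == CHALLENGE_PREFIX + token
            body = key_authorization.encode() if ok else b"not found"
            self.send_response(200 if ok else 404)
            self.send_header("Content-Type", "text/plain")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):  # keep the demo output quiet
            pass

    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server.server_address[1]


def free_port():
    """Bind-and-release to find a local port nothing listens on (closed-port demo)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    if len(sys.argv) > 1:  # real run: python3 check80.py your.domain.example
        print(diagnose(sys.argv[1]))
    else:  # offline demo against the constructed local server
        port = start_local_challenge_server("demo-token", "demo-token.keyauth")
        print(diagnose("127.0.0.1", "demo-token", http_port=port,
                       https_port=free_port(), timeout=2.0))
```

Run it with a domain as the only argument from a machine on another network (a phone hotspot or a cloud VM is enough); a `filtered` result for tcp80 alongside an `open` tcp443 is exactly the nmap picture shown in this thread, and no change to nginx or Certbot will fix it until the device in front of the server passes inbound port 80.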

Iirc caddy can do tls-alpn-01 and make cert here

4 Likes

ASA by default inspects the traffic leaving and allows the returning traffic to pass through without any need for any ACL, but if you want to allow the traffic initiated from outside to inside, you need an ACL entry to allow it.

Please inspect your ACL via cli or the GUI and adjust it to allow port 80 to the target server accordingly.
EDIT: The Cisco Community is the best place for information on how to do that if you are not familiar with the process.

4 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.