Failure to renew on nginx: sudo certbot renew

My domain is:

https://50-116-11-226.ip.linodeusercontent.com

I ran this command:

sudo certbot renew
sudo certbot run

It produced this output:

david@50-116-11-226:~$ sudo certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/50-116-11-226.ip.linodeusercontent.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for 50-116-11-226.ip.linodeusercontent.com
Failed to renew certificate 50-116-11-226.ip.linodeusercontent.com with error: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/50-116-11-226.ip.linodeusercontent.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):

nginx version: nginx/1.18.0

The operating system my web server runs on is (include version):

 Debian GNU/Linux 11 (bullseye)

My hosting provider, if applicable, is:

Linode

I can log in to a root shell on my machine (yes or no, or I don't know):

yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

Yes to manage hosting service and Firewall; SSH for the rest

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

certbot 1.28.0

1 Like

Welcome to the community @cypho

The failure you show is saying you have made too many failed attempts and need to wait an hour before trying again.

And I see you posted 5 hours ago, so that problem went away. (Sorry for the delay, it has been a very busy day here.)

But, to assess why the renew was failing, can you try this command? The dry-run uses the test system and will not be affected by rate limits.

sudo certbot renew --dry-run

Let us know the result of that and we can go from there.

5 Likes

Hi Mike,

Results are:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/50-116-11-226.ip.linodeusercontent.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Account registered.
Simulating renewal of an existing certificate for 50-116-11-226.ip.linodeusercontent.com

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Domain: 50-116-11-226.ip.linodeusercontent.com
  Type:   connection
  Detail: 50.116.11.226: Fetching http://50-116-11-226.ip.linodeusercontent.com/.well-known/acme-challenge/U8YRROaa47WovGVI2r3jWIdRA-QgrBh5y6GW2UVmTTA: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Failed to renew certificate 50-116-11-226.ip.linodeusercontent.com with error: Some challenges have failed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All simulated renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/50-116-11-226.ip.linodeusercontent.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

The debug log at /var/log/letsencrypt/letsencrypt.log is hilariously long and, to me, impenetrable; let me know if you'd like me to post it.

That's the only line we care about right now. Your port 80 is not open and needs to be for an http challenge to succeed. The Let's Encrypt server made a request to your server with that URL (http://50-116...) and the request timed out. I see you only have port 443 open.

Best practice is to always keep port 80 open. See the Let's Encrypt docs for that.

6 Likes
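
The triage done by hand in the replies above, as an added example that is not part of the original thread or of Certbot: it classifies certbot output and reports which host and port the CA tried to reach. The label names and the sample text (example.com, 203.0.113.10, the token) are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage certbot output before retrying a real renewal.
# Labels and sample inputs below are constructed, modelled on the thread's output.

SAMPLE_RATE_LIMITED='Failed to renew certificate www.example.com with error: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new order :: too many failed authorizations recently'

SAMPLE_TIMEOUT='  Domain: www.example.com
  Type:   connection
  Detail: 203.0.113.10: Fetching http://www.example.com/.well-known/acme-challenge/CONSTRUCTED-TOKEN: Timeout during connect (likely firewall problem)'

SAMPLE_OK='Congratulations, all renewals succeeded:'

classify_certbot_output() {
    # Reads certbot output on stdin and prints exactly one label.
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'urn:ietf:params:acme:error:rateLimited'; then
        # Stop retrying against production; diagnose with --dry-run instead.
        echo rate_limited
    elif printf '%s\n' "$out" | grep -q 'Timeout during connect'; then
        # The CA could not open a connection to the challenge URL.
        echo http01_unreachable
    elif printf '%s\n' "$out" | grep -Eqi 'all (simulated )?renewals succeeded'; then
        echo ok
    else
        echo unknown
    fi
}

challenge_target() {
    # Prints "host port" for the first challenge URL the CA reported fetching.
    sed -n 's#.*Fetching \(https\{0,1\}\)://\([^/: ]*\)/\.well-known/acme-challenge/.*#\1 \2#p' |
    head -n 1 |
    while read -r scheme host; do
        case $scheme in
            http)  port=80 ;;
            https) port=443 ;;
        esac
        echo "$host $port"
    done
}

# Stand-alone demo on the constructed timeout sample.
printf '%s\n' "$SAMPLE_TIMEOUT" | classify_certbot_output
printf '%s\n' "$SAMPLE_TIMEOUT" | challenge_target
```

To use it on a live system, pipe the dry-run into the classifier, for example `sudo certbot renew --dry-run 2>&1 | classify_certbot_output`, and only run the real renewal once it prints `ok`.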

This is what I like to see, thanks so much, and thanks for the link to keeping port 80 open.

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/50-116-11-226.ip.linodeusercontent.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for 50-116-11-226.ip.linodeusercontent.com
Reloading nginx server after certificate renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all renewals succeeded: 
  /etc/letsencrypt/live/50-116-11-226.ip.linodeusercontent.com/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

2 Likes
