First attempt to renew failed. Help pls

My domain is: grollige.com

I ran this command: certbot renew

It produced this output:
2022/06/01 18:39:10.932149 system_key.go:129: cannot determine nfs usage in generateSystemKey: cannot parse /etc/fstab: expected between 3 and 6 fields, found 8
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/grollige.com.conf


Certificate is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Failed to renew certificate grollige.com with error: Requesting acme-v02.api.letsencrypt.org/directory: No route to host


All renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/grollige.com/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

My web server is (include version):
nginx/1.18.0 (Ubuntu)

The operating system my web server runs on is (include version):
Ubuntu 20

My hosting provider, if applicable, is:
IONOS

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.25.0

Machine is healthy (as far as I can tell). This is the first time I've tried to renew my cert. Hopefully, all necessary information is above. Thanks.

1 Like

Could you try the following command and provide its output here?

sudo traceroute -T -p 443 acme-v02.api.letsencrypt.org

3 Likes
traceroute to acme-v02.api.letsencrypt.org (172.65.32.248), 30 hops max, 60 byte packets
send: Operation not permitted

... but that might be a firewall problem. I'm just checking that now...

Did you run it as root? I.e., using sudo or literally as the root user?

2 Likes

Literally as the root user. I included the 'sudo', but I didn't expect that to make any difference. I can't say that I've noticed any in the past.
It's rebooting now. I'll check when it comes back up.

Hm, weird, that shouldn't return that error.

1 Like

I think it's a firewall problem, as traceroute is working now.

Can anyone remember off the top of their heads which UDP/TCP ports I need to open for traceroute? :)

The -T -p 443 makes sure it uses TCP port 443, just as HTTPS does.

1 Like

It looks like a firewall problem, probably DNS-related. I'll report back when I've fixed it (hopefully).

How come DNS related? Looks like the hostname resolves nicely to the correct IP address (172.65.32.248).

You don't happen to route 172.0.0.0/8 as a private IP space, do you?

3 Likes

Sorted.

It was a firewall problem. I wasn't allowing any outgoing traffic destined for TCP 443 (on the expectation that any 443 traffic would be incoming).

I can only assume that I created these rules after I initially set up "Let's Encrypt".

Thanks for your time and help.

6 Likes
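As an added illustration (not code from the thread or from Certbot), here is a small Python simulation of first-match evaluation over a constructed iptables-style ruleset. The ruleset mirrors the misconfiguration described above: port 443 allowed inbound only, DNS allowed outbound, so the hostname resolves fine but the outbound HTTPS connection to the ACME server is dropped. The Rule and Packet types and the sample rules are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional, List, Dict


@dataclass(frozen=True)
class Rule:
    """One iptables-like rule (constructed for this example)."""
    chain: str
    proto: Optional[str] = None        # "tcp", "udp", or None for any protocol
    dport: Optional[int] = None        # destination port, or None for any
    established_only: bool = False     # like "-m state --state ESTABLISHED"
    target: str = "ACCEPT"


@dataclass(frozen=True)
class Packet:
    """A packet as seen by the chain being evaluated."""
    chain: str
    proto: str
    dport: int
    new_connection: bool = True        # True for the first SYN of a connection


def evaluate(rules: List[Rule], packet: Packet, policy: Dict[str, str]) -> str:
    """Return the target of the first matching rule in the packet's chain,
    or the chain's default policy when nothing matches (iptables semantics)."""
    for r in rules:
        if r.chain != packet.chain:
            continue
        if r.proto is not None and r.proto != packet.proto:
            continue
        if r.dport is not None and r.dport != packet.dport:
            continue
        if r.established_only and packet.new_connection:
            continue
        return r.target
    return policy[packet.chain]


# Constructed ruleset resembling the thread's problem: HTTPS allowed inbound,
# DNS and already-established traffic allowed outbound, everything else dropped.
BROKEN_RULES = [
    Rule("INPUT", "tcp", 443),
    Rule("INPUT", "tcp", 80),
    Rule("OUTPUT", "udp", 53),
    Rule("OUTPUT", established_only=True),
]
POLICY = {"INPUT": "DROP", "OUTPUT": "DROP"}

# The fix from the thread: explicitly allow new outbound TCP connections to port 443.
FIXED_RULES = BROKEN_RULES + [Rule("OUTPUT", "tcp", 443)]

# certbot (or "traceroute -T -p 443") opening a connection to the ACME server.
ACME_CONNECT = Packet("OUTPUT", "tcp", 443)
```

Evaluating `ACME_CONNECT` against `BROKEN_RULES` falls through to the OUTPUT DROP policy even though inbound 443 and outbound DNS are accepted, which is why name resolution looked healthy while the renewal still failed.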
