First attempt to renew failed. Help pls

My domain is:

I ran this command: certbot renew

It produced this output:
2022/06/01 18:39:10.932149 system_key.go:129: cannot determine nfs usage in generateSystemKey: cannot parse /etc/fstab: expected between 3 and 6 fields, found 8
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/

Certificate is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Failed to renew certificate with error: Requesting No route to host

All renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/ (failure)

1 renew failure(s), 0 parse failure(s)

My web server is (include version):
nginx/1.18.0 (Ubuntu)

The operating system my web server runs on is (include version):
Ubuntu 20

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.25.0

Machine is healthy (as far as I can tell). This is the first time I've tried to renew my cert. Hopefully, all necessary information is above. Thanks.

Could you try the following command and provide its output here?

sudo traceroute -T -p 443

traceroute to (, 30 hops max, 60 byte packets
send: Operation not permitted

... but that might be a firewall problem. I'm just checking that now...

Did you run it as root? I.e., using sudo or literally as the root user?


Literally as the root user. I included the 'sudo', but I didn't expect that to make any difference. I can't say that I've noticed any in the past.
It's rebooting now. I'll check when it comes back up.

Hm, weird, that shouldn't return that error.

I think it's a firewall problem, as traceroute is working now.

Can anyone remember off the top of their heads which UDP/TCP ports I need to open for traceroute? :slight_smile:

The -T -p 443 makes sure it uses TCP port 443, just as HTTPS does.

It looks like a firewall problem, probably DNS-related. I'll report back when I've fixed it (hopefully).

How come DNS-related? Looks like the hostname resolves nicely to the correct IP address (

You don't happen to route as a private IP space, do you?



It was a firewall problem. I wasn't allowing any outgoing traffic destined for TCP 443 (on the expectation that any 443 traffic would be incoming).

I can only assume that I created these rules after I initially set up "Let's Encrypt".

Thanks for your time and help.
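
The fix in this thread was allowing outgoing traffic to TCP 443. As an added example (not code from the thread), the Python below evaluates `iptables -S OUTPUT` text for a new outbound TCP connection to port 443 and returns the rule that decides it. It assumes iptables, which the thread does not name; `egress_verdict`, `_port_in` and the sample ruleset are constructed for illustration.

```python
import shlex

# Options this sketch models; each takes exactly one argument in `iptables -S` output.
KNOWN = {"-A", "-p", "-m", "-o", "--dport", "--dports", "--state", "--ctstate",
         "-j", "--reject-with", "--comment"}

# Constructed sample ruleset (not from the thread). A REJECT with
# icmp-host-prohibited surfaces to the client as "No route to host".
BLOCKING = """\
-P OUTPUT ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j REJECT --reject-with icmp-host-prohibited
"""

def _port_in(spec, port):
    """True if port falls in a port spec such as '443' or '80,8000:8100'."""
    for part in spec.split(","):
        lo, sep, hi = part.partition(":")
        low = int(lo or 0)
        high = int(hi or 65535) if sep else low
        if low <= port <= high:
            return True
    return False

def egress_verdict(rules_text, port=443):
    """Return (verdict, deciding_line) for a NEW outbound TCP connection to port."""
    policy = "ACCEPT"
    for line in (l for l in rules_text.splitlines() if l.strip()):
        toks = shlex.split(line)
        if toks[0] == "-P":
            policy = toks[2]
            continue
        # Refuse to guess at negation ("!") or options outside KNOWN.
        if len(toks) % 2 or any(t not in KNOWN for t in toks[::2]):
            raise ValueError(f"rule not modelled: {line}")
        o = dict(zip(toks[::2], toks[1::2]))
        states = o.get("--ctstate") or o.get("--state")
        if (o.get("-p", "all") not in ("tcp", "all")
                or o.get("-o") == "lo"  # assumption: the request does not leave via loopback
                or not _port_in(o.get("--dport") or o.get("--dports") or "0:65535", port)
                or (states and "NEW" not in states.split(","))):
            continue  # rule does not match this packet; first match wins
        if o.get("-j") in ("ACCEPT", "DROP", "REJECT"):
            return o["-j"], line
        if o.get("-j") != "LOG":  # LOG is non-terminating; user chains are not followed
            raise ValueError(f"target not followed: {line}")
    return policy, f"-P OUTPUT {policy}"

if __name__ == "__main__":
    print(egress_verdict(BLOCKING))
```

A front end such as ufw puts its rules in user-defined chains, so its OUTPUT chain raises `ValueError` here instead of producing a misleading verdict.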

