Had to renew and it was hard looks like it worked


#1

I was getting close to have to renew and I did the same as last time but this time it said do a apt install certbot last time I had to install it with a git@github.com:certbot/certbot.git

Then doing a certbot renew got RED color errors. Replace my real domain name with XXXX.XXX

Attempting to renew cert (XXXX.XXX-0001) from /etc/letsencrypt/renewal/XXXX.XX-0001.conf produced an unexpected error: Failed authorization procedure. XXXX.XX (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://XXXX.XXX/.well-known/acme-challenge/x057a6BUHC_zmq68468LXO1BRcJV6QdIMZap_MN38f0: Timeout during connect (likely firewall problem). Skipping.

Maybe it was because it shows a http and not a https in the fetching red part.

Looks like it worked when I did this:

root@rayday:/media/6TB/USBdisk2-3TB/root/letsencrypt# certbot run -a webroot -i apache -w /media/6TB/USBdisk2-3TB/var/www -d XXXX.XXX
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer apache
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/XXXX.XXX.conf)

What would you like to do?
-------------------------------------------------------------------------------
1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for XXXX.XXX
Using the webroot path /media/6TB/USBdisk2-3TB/var/www for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. XXXX.XXX (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://XXXX.XXX/.well-known/acme-challenge/Iii8GxdSguDOVmcWwVlxzHjTjFJNC_bURhrzqtAVsYI: Timeout during connect (likely firewall problem)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: XXXX.XXX
   Type:   connection
   Detail: Fetching
   http://XXXX.XXX/.well-known/acme-challenge/Iii8GxdSguDOVmcWwVlxzHjTjFJNC_bURhrzqtAVsYI:
   Timeout during connect (likely firewall problem)

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.
root@rayday:/media/6TB/USBdisk2-3TB/root/letsencrypt# ssl-cert-check -c /etc/letsencrypt/live/XXXX.XXX/cert.pem

Host                                            Status       Expires      Days
----------------------------------------------- ------------ ------------ ----
FILE:/etc/letsencrypt/live/XXXX.XXX/cert.pem   Valid        Sep 9 2018   90    
root@rayday:/media/6TB/USBdisk2-3TB/root/letsencrypt#

It says 90 days now so looks like it worked. Maybe this will help some one else.

-Raymond Day


#2

Hi,

Please share us some information so we could help you…

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

Thank you


#3

Hi @Ray

the http-01 - challenge uses always http / Port 80. So this port must be available. If a firewall blocks this port or if there is no http-service there, http-01 - challenge will fail.


#4

That must be it I said to only use https and not both when I set it up.


#5

It’s a open port to my home internet running on a Intel compute stick with Ubuntu server on it. So yes can login as root. No control panel. If any thing have Webmin on it but don’t have a open port on 10000 it’s port so just get to it on my LAN.


#6

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.