Have renewed certificate fine for years but now I can't renew it

A quick preface: I've had certbot renew manually working perfectly fine for the past 4 years, and I haven't changed anything since - our websites are still up, and it seems the certificate was unable to renew for reasons I apparently can't even begin to understand.
Based on the log data, I have tested with only port 80 open, and with ports 80 and 443 open as well, with external access OK (tested via curl), but renewal is still unsuccessful.

My domain is: w3.dmat.ufrr.br

I ran this command: /usr/local/bin/certbot -v renew

It produced this output: letsencrypt.log

2023-01-30 10:57:04,703:DEBUG:certbot._internal.main:certbot version: 2.1.0
2023-01-30 10:57:04,704:DEBUG:certbot._internal.main:Location of certbot entry point: /usr/local/bin/certbot
2023-01-30 10:57:04,704:DEBUG:certbot._internal.main:Arguments: ['-v']
2023-01-30 10:57:04,704:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2023-01-30 10:57:04,719:DEBUG:certbot._internal.log:Root logging level set at 20
2023-01-30 10:57:04,722:DEBUG:certbot._internal.display.obj:Notifying user: Processing /usr/local/etc/letsencrypt/renewal/w3.dmat.ufrr.br.conf
2023-01-30 10:57:04,739:DEBUG:certbot._internal.plugins.selection:Requested authenticator <certbot._internal.cli.cli_utils._Default object at 0x803750fd0> and installer <certbot._internal.cli.cli_utils._Default object at 0x803750fd0>
2023-01-30 10:57:04,773:DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): r3.o.lencr.org:80
2023-01-30 10:57:05,097:DEBUG:urllib3.connectionpool:http://r3.o.lencr.org:80 "POST / HTTP/1.1" 200 503
2023-01-30 10:57:05,099:DEBUG:certbot.ocsp:OCSP response for certificate /usr/local/etc/letsencrypt/archive/w3.dmat.ufrr.br/cert18.pem is signed by the certificate's issuer.
2023-01-30 10:57:05,106:DEBUG:certbot.ocsp:OCSP certificate status for /usr/local/etc/letsencrypt/archive/w3.dmat.ufrr.br/cert18.pem is: OCSPCertStatus.GOOD
2023-01-30 10:57:05,112:DEBUG:certbot._internal.storage:Should renew, less than 30 days before certificate expiry 2023-02-01 12:42:50 UTC.
2023-01-30 10:57:05,112:INFO:certbot._internal.renewal:Certificate is due for renewal, auto-renewing...
2023-01-30 10:57:05,112:DEBUG:certbot._internal.plugins.selection:Requested authenticator standalone and installer None
2023-01-30 10:57:05,115:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * standalone
Description: Spin up a temporary webserver
Interfaces: Authenticator, Plugin
Entry point: standalone = certbot._internal.plugins.standalone:Authenticator
Initialized: <certbot._internal.plugins.standalone.Authenticator object at 0x80380e0a0>
Prep: True
2023-01-30 10:57:05,115:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot._internal.plugins.standalone.Authenticator object at 0x80380e0a0> and installer None
2023-01-30 10:57:05,115:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator standalone, Installer None
2023-01-30 10:57:05,124:DEBUG:certbot._internal.main:Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-v02.api.letsencrypt.org/acme/acct/52352385', new_authzr_uri=None, terms_of_service=None), f78e0eb739eaea99db604e79225fce54, Meta(creation_dt=datetime.datetime(2019, 2, 27, 23, 27, 30, tzinfo=<UTC>), creation_host='w3.dmat.ufrr.br', register_to_eff=None))>
2023-01-30 10:57:05,125:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2023-01-30 10:57:05,126:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
2023-01-30 10:57:05,736:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 659
2023-01-30 10:57:05,737:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Mon, 30 Jan 2023 14:58:25 GMT
Content-Type: application/json
Content-Length: 659
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "Rg7Z5c7DWGY": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}
2023-01-30 10:57:05,740:DEBUG:certbot._internal.display.obj:Notifying user: Renewing an existing certificate for w3.dmat.ufrr.br
2023-01-30 10:57:05,802:DEBUG:certbot.crypto_util:Generating RSA key (2048 bits): /usr/local/etc/letsencrypt/keys/0041_key-certbot.pem
2023-01-30 10:57:05,808:DEBUG:certbot.crypto_util:Creating CSR: /usr/local/etc/letsencrypt/csr/0041_csr-certbot.pem
2023-01-30 10:57:05,809:DEBUG:acme.client:Requesting fresh nonce
2023-01-30 10:57:05,809:DEBUG:acme.client:Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce.
2023-01-30 10:57:05,983:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0
2023-01-30 10:57:05,984:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Mon, 30 Jan 2023 14:58:25 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 1DFAv9DB8t1i2Xd7Fq10Er14tytuFJBO6KTaHjfAtLH1JDo
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800


2023-01-30 10:57:05,985:DEBUG:acme.client:Storing nonce: 1DFAv9DB8t1i2Xd7Fq10Er14tytuFJBO6KTaHjfAtLH1JDo
2023-01-30 10:57:05,985:DEBUG:acme.client:JWS payload:
b'{\n  "identifiers": [\n    {\n      "type": "dns",\n      "value": "w3.dmat.ufrr.br"\n    }\n  ]\n}'
2023-01-30 10:57:05,989:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/new-order:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvNTIzNTIzODUiLCAibm9uY2UiOiAiMURGQXY5REI4dDFpMlhkN0ZxMTBFcjE0dHl0dUZKQk82S1RhSGpmQXRMSDFKRG8iLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL25ldy1vcmRlciJ9",
  "signature": "Ax-0-zRiperYY7HWSzc6fTW-QBLiKrRIIXvcb2Nu4xUMUm26_ED76toBxUCv8sjJJJGJr5Uxk1nREQVQYp1rqjhSEhz57BHwoF2k8oP7SWLkzlt6o5PWyHJ_53da0hxjcJ0p6slSTj8Bq19OfaJ9u9BFcGgHO_9WiEHzcrcpycQgVEi7mrV1cHbnG6RdPUSbc_YnD-dSBwHKeQDfoI6m-adjWU1tH63y3uQQIQKtErS8EU8vA7NjIYaeYbU5C4CF7CITprJ_y1q4TbFS_zRM7K7pvo-iR4Wb_w_0m1KUIHofrp-s5LF6sIcpCrOkO0AZPQjaA8IDAic21iO-UmV5Dw",
  "payload": "ewogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwKICAgICAgInZhbHVlIjogInczLmRtYXQudWZyci5iciIKICAgIH0KICBdCn0"
}
2023-01-30 10:57:06,362:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 339
2023-01-30 10:57:06,364:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Date: Mon, 30 Jan 2023 14:58:26 GMT
Content-Type: application/json
Content-Length: 339
Connection: keep-alive
Boulder-Requester: 52352385
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Location: https://acme-v02.api.letsencrypt.org/acme/order/52352385/161887272967
Replay-Nonce: C878779yrcD_7uSpYlqkE8Is9JAg_mWluNZaZ4jz_ivvYz0
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "status": "pending",
  "expires": "2023-02-06T14:58:26Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "w3.dmat.ufrr.br"
    }
  ],
  "authorizations": [
    "https://acme-v02.api.letsencrypt.org/acme/authz-v3/199446944407"
  ],
  "finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/52352385/161887272967"
}
2023-01-30 10:57:06,364:DEBUG:acme.client:Storing nonce: C878779yrcD_7uSpYlqkE8Is9JAg_mWluNZaZ4jz_ivvYz0
2023-01-30 10:57:06,365:DEBUG:acme.client:JWS payload:
b''
2023-01-30 10:57:06,368:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/199446944407:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvNTIzNTIzODUiLCAibm9uY2UiOiAiQzg3ODc3OXlyY0RfN3VTcFlscWtFOElzOUpBZ19tV2x1TlphWjRqel9pdnZZejAiLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2F1dGh6LXYzLzE5OTQ0Njk0NDQwNyJ9",
  "signature": "mGbHZmQjpp-4uo3yYZQUNfIVZmZV0Wrq2muBw2RMRNnbr1nRh2iZ-lCV1KndqcagDhRVNZvzGs5Z0ebKIM7a9LFsfwaP4LqR4-R234KvqV4CTULBxO_J3e8iKNYouEkaKOVrqNaIDsMFdn7tVo2kIwCbUC1a9lc8R0sajGb3-siXZnp6kxrk77WrE9RBSmoPe6kbfr-Q3ORImZabLliF9uqpC5UACa6tZyaqouuU_p3TwOy2pweappSic7mEEJ3fiSI41j7g94IsJJeQ0kIAU8_xA-tPZ21zKQW26UrEOTqwLLO1IA1ETZxrXgfgA9Btawx_uRnt7h5o5tbirbxqng",
  "payload": ""
}
2023-01-30 10:57:06,558:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/199446944407 HTTP/1.1" 200 799
2023-01-30 10:57:06,559:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Mon, 30 Jan 2023 14:58:26 GMT
Content-Type: application/json
Content-Length: 799
Connection: keep-alive
Boulder-Requester: 52352385
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 1DFAF68H6AMbTtCgDWePXYD7uCnZ-_uXaGRHXm3b_1MG0Lk
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "w3.dmat.ufrr.br"
  },
  "status": "pending",
  "expires": "2023-02-06T14:58:26Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/199446944407/akG_nw",
      "token": "oYlzMWYE7TU0QbmvcDR4ybAzLQREeoNYt515x9uvOUs"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/199446944407/-f0Rcg",
      "token": "oYlzMWYE7TU0QbmvcDR4ybAzLQREeoNYt515x9uvOUs"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/199446944407/7Zhh2Q",
      "token": "oYlzMWYE7TU0QbmvcDR4ybAzLQREeoNYt515x9uvOUs"
    }
  ]
}
2023-01-30 10:57:06,560:DEBUG:acme.client:Storing nonce: 1DFAF68H6AMbTtCgDWePXYD7uCnZ-_uXaGRHXm3b_1MG0Lk
2023-01-30 10:57:06,561:INFO:certbot._internal.auth_handler:Performing the following challenges:
2023-01-30 10:57:06,561:INFO:certbot._internal.auth_handler:http-01 challenge for w3.dmat.ufrr.br
2023-01-30 10:57:06,564:DEBUG:acme.standalone:Successfully bound to :80 using IPv6
2023-01-30 10:57:06,564:DEBUG:acme.standalone:Certbot wasn't able to bind to :80 using IPv4, this is often expected due to the dual stack nature of IPv6 socket implementations.
2023-01-30 10:57:06,569:DEBUG:acme.client:JWS payload:
b'{}'
2023-01-30 10:57:06,571:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/199446944407/akG_nw:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvNTIzNTIzODUiLCAibm9uY2UiOiAiMURGQUY2OEg2QU1iVHRDZ0RXZVBYWUQ3dUNuWi1fdVhhR1JIWG0zYl8xTUcwTGsiLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2NoYWxsLXYzLzE5OTQ0Njk0NDQwNy9ha0dfbncifQ",
  "signature": "FmW4xEpy4MS4BYaoDKmtuDCokkzWOzjk-qfSrS9tfET1ULCbZ-bZdBuDlvNUJkkdv4i4lMo2dKg1dVFIkeydGu7EGUCqQvQ09klQXA167VwCGuA9UGVG9VV6nFUnA5buQfssYJi-37TWMxBZZ9c-oFIjDShRAuW8c7K4nMEGsfg1MquOeITGAMSzJOb1OUkCa2XaCmUw3lX36xmeES0xt0S15kXmxr2grvhAEbwF0WDOmYUinely_99R0o_50EfpTX2mszVwbz9Dg727zf1avOVUgJ3bkST9vyMXyzclh9fb_2BQut9kZfPZqkp_Np-K-mfD2No0SianH1ZuwT3rCw",
  "payload": "e30"
}
2023-01-30 10:57:06,777:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/chall-v3/199446944407/akG_nw HTTP/1.1" 200 187
2023-01-30 10:57:06,778:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Mon, 30 Jan 2023 14:58:26 GMT
Content-Type: application/json
Content-Length: 187
Connection: keep-alive
Boulder-Requester: 52352385
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index", <https://acme-v02.api.letsencrypt.org/acme/authz-v3/199446944407>;rel="up"
Location: https://acme-v02.api.letsencrypt.org/acme/chall-v3/199446944407/akG_nw
Replay-Nonce: 1DFA3V2Q4poKA_bZsUxyR9p19BJYpGOKDfcLiSGwmpfLBDo
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "type": "http-01",
  "status": "pending",
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/199446944407/akG_nw",
  "token": "oYlzMWYE7TU0QbmvcDR4ybAzLQREeoNYt515x9uvOUs"
}
2023-01-30 10:57:06,779:DEBUG:acme.client:Storing nonce: 1DFA3V2Q4poKA_bZsUxyR9p19BJYpGOKDfcLiSGwmpfLBDo
2023-01-30 10:57:06,779:INFO:certbot._internal.auth_handler:Waiting for verification...
2023-01-30 10:57:07,817:DEBUG:acme.client:JWS payload:
b''
2023-01-30 10:57:07,820:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/199446944407:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvNTIzNTIzODUiLCAibm9uY2UiOiAiMURGQTNWMlE0cG9LQV9iWnNVeHlSOXAxOUJKWXBHT0tEZmNMaVNHd21wZkxCRG8iLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2F1dGh6LXYzLzE5OTQ0Njk0NDQwNyJ9",
  "signature": "khTCsDXLtaukA45Zlqfj-CFs2PZujsXPi7Pck4FkdF0FMVBMEpq7oGNcWw9iSd0LyKusLT3oargLPafX405knSlkIGqtP_aJ4o-OSHDiTL_pPPt45csNJ0Q6IwEuA-_5Jvz5nNKKI13ll8t-iGtLmxZbanT7uDKU-4LilsfxyGnxAKECtXKLVzAayuO_IJh72y1yoLzYKv35bq0oTvkJB2PD1GSoRH-OIXYpfe2qqRwYEcf3TLT7qroWKUn5VJUjfpLuTXxArMNWDTjuLCtJFhGcd5qcSTAsmFniNaB9chAisRjzgHuJrqtiojaicb5DQ7YxZZSI_B3QZ-TTGKld3g",
  "payload": ""
}
2023-01-30 10:57:08,008:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/199446944407 HTTP/1.1" 200 799
2023-01-30 10:57:08,010:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Mon, 30 Jan 2023 14:58:27 GMT
Content-Type: application/json
Content-Length: 799
Connection: keep-alive
Boulder-Requester: 52352385
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 5CA2UFb7Tg0oiluZkQ8uX-QWeXKrcK_OCWcGVQtUZ13oc4E
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "w3.dmat.ufrr.br"
  },
  "status": "pending",
  "expires": "2023-02-06T14:58:26Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/199446944407/akG_nw",
      "token": "oYlzMWYE7TU0QbmvcDR4ybAzLQREeoNYt515x9uvOUs"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/199446944407/-f0Rcg",
      "token": "oYlzMWYE7TU0QbmvcDR4ybAzLQREeoNYt515x9uvOUs"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/199446944407/7Zhh2Q",
      "token": "oYlzMWYE7TU0QbmvcDR4ybAzLQREeoNYt515x9uvOUs"
    }
  ]
}
2023-01-30 10:57:08,010:DEBUG:acme.client:Storing nonce: 5CA2UFb7Tg0oiluZkQ8uX-QWeXKrcK_OCWcGVQtUZ13oc4E
2023-01-30 10:57:11,112:DEBUG:acme.client:JWS payload:
b''
2023-01-30 10:57:11,116:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/199446944407:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvNTIzNTIzODUiLCAibm9uY2UiOiAiNUNBMlVGYjdUZzBvaWx1WmtROHVYLVFXZVhLcmNLX09DV2NHVlF0VVoxM29jNEUiLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2F1dGh6LXYzLzE5OTQ0Njk0NDQwNyJ9",
  "signature": "Bqv0KqoUHsLCLrtrN-QjuQoPWNFT1holNDVVJtPQ6KQ2gAGiFQ53rAsC1CAVt6ktE5fju9lSkq6Zfvso_b6N3SUvtzN2DN8XAh-YivZpec7i-eDgfK0P8caGsyI7ale4v29plLsvmoIfigm-eb9arjjxrdqlOGs8XvEIlcTs5bWJBAd_YavxTKNRUG2ZppofCze_TObY1pLY3Pja-Q6KnDbOZhbRBjQWamcE7A4_jL-kmyMVwdt3Frmox9XQWYgWShptfnHN5KNFrgZ9xegWeFPJCb4NO1_88GS_MEir504Juj1BGeSJNm3XBDEE8PwTiwvnJFvcJg2Y3JLM4mvD8Q",
  "payload": ""
}
2023-01-30 10:57:11,296:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/199446944407 HTTP/1.1" 200 1037
2023-01-30 10:57:11,297:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Mon, 30 Jan 2023 14:58:31 GMT
Content-Type: application/json
Content-Length: 1037
Connection: keep-alive
Boulder-Requester: 52352385
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 5CA26ceWPB9JzYc_NGaF04rlWQVqx7M7WJSKM1qKHvrW2RY
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "w3.dmat.ufrr.br"
  },
  "status": "invalid",
  "expires": "2023-02-06T14:58:26Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:connection",
        "detail": "200.129.159.22: Fetching http://w3.dmat.ufrr.br/.well-known/acme-challenge/oYlzMWYE7TU0QbmvcDR4ybAzLQREeoNYt515x9uvOUs: Connection reset by peer",
        "status": 400
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/199446944407/akG_nw",
      "token": "oYlzMWYE7TU0QbmvcDR4ybAzLQREeoNYt515x9uvOUs",
      "validationRecord": [
        {
          "url": "http://w3.dmat.ufrr.br/.well-known/acme-challenge/oYlzMWYE7TU0QbmvcDR4ybAzLQREeoNYt515x9uvOUs",
          "hostname": "w3.dmat.ufrr.br",
          "port": "80",
          "addressesResolved": [
            "200.129.159.22"
          ],
          "addressUsed": "200.129.159.22"
        }
      ],
      "validated": "2023-01-30T14:58:26Z"
    }
  ]
}
2023-01-30 10:57:11,298:DEBUG:acme.client:Storing nonce: 5CA26ceWPB9JzYc_NGaF04rlWQVqx7M7WJSKM1qKHvrW2RY
2023-01-30 10:57:11,298:INFO:certbot._internal.auth_handler:Challenge failed for domain w3.dmat.ufrr.br
2023-01-30 10:57:11,299:INFO:certbot._internal.auth_handler:http-01 challenge for w3.dmat.ufrr.br
2023-01-30 10:57:11,299:DEBUG:certbot._internal.display.obj:Notifying user: 
Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
  Domain: w3.dmat.ufrr.br
  Type:   connection
  Detail: 200.129.159.22: Fetching http://w3.dmat.ufrr.br/.well-known/acme-challenge/oYlzMWYE7TU0QbmvcDR4ybAzLQREeoNYt515x9uvOUs: Connection reset by peer

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

2023-01-30 10:57:11,300:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/local/lib/python3.9/site-packages/certbot/_internal/auth_handler.py", line 106, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/usr/local/lib/python3.9/site-packages/certbot/_internal/auth_handler.py", line 206, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2023-01-30 10:57:11,300:DEBUG:certbot._internal.error_handler:Calling registered functions
2023-01-30 10:57:11,301:INFO:certbot._internal.auth_handler:Cleaning up challenges
2023-01-30 10:57:11,301:DEBUG:certbot._internal.plugins.standalone:Stopping server at :::80...
2023-01-30 10:57:11,393:ERROR:certbot._internal.renewal:Failed to renew certificate w3.dmat.ufrr.br with error: Some challenges have failed.
2023-01-30 10:57:11,396:DEBUG:certbot._internal.renewal:Traceback was:
Traceback (most recent call last):
  File "/usr/local/lib/python3.9/site-packages/certbot/_internal/renewal.py", line 524, in handle_renewal_request
    main.renew_cert(lineage_config, plugins, renewal_candidate)
  File "/usr/local/lib/python3.9/site-packages/certbot/_internal/main.py", line 1540, in renew_cert
    renewed_lineage = _get_and_save_cert(le_client, config, lineage=lineage)
  File "/usr/local/lib/python3.9/site-packages/certbot/_internal/main.py", line 126, in _get_and_save_cert
    renewal.renew_cert(config, domains, le_client, lineage)
  File "/usr/local/lib/python3.9/site-packages/certbot/_internal/renewal.py", line 387, in renew_cert
    new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
  File "/usr/local/lib/python3.9/site-packages/certbot/_internal/client.py", line 428, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/local/lib/python3.9/site-packages/certbot/_internal/client.py", line 496, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
  File "/usr/local/lib/python3.9/site-packages/certbot/_internal/auth_handler.py", line 106, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/usr/local/lib/python3.9/site-packages/certbot/_internal/auth_handler.py", line 206, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2023-01-30 10:57:11,399:DEBUG:certbot._internal.display.obj:Notifying user: 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2023-01-30 10:57:11,399:ERROR:certbot._internal.renewal:All renewals failed. The following certificates could not be renewed:
2023-01-30 10:57:11,399:ERROR:certbot._internal.renewal:  /usr/local/etc/letsencrypt/live/w3.dmat.ufrr.br/fullchain.pem (failure)
2023-01-30 10:57:11,399:DEBUG:certbot._internal.display.obj:Notifying user: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2023-01-30 10:57:11,400:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/local/bin/certbot", line 33, in <module>
    sys.exit(load_entry_point('certbot==2.1.0', 'console_scripts', 'certbot')())
  File "/usr/local/lib/python3.9/site-packages/certbot/main.py", line 19, in main
    return internal_main.main(cli_args)
  File "/usr/local/lib/python3.9/site-packages/certbot/_internal/main.py", line 1736, in main
    return config.func(config, plugins)
  File "/usr/local/lib/python3.9/site-packages/certbot/_internal/main.py", line 1629, in renew
    renewal.handle_renewal_request(config)
  File "/usr/local/lib/python3.9/site-packages/certbot/_internal/renewal.py", line 550, in handle_renewal_request
    raise errors.Error(
certbot.errors.Error: 1 renew failure(s), 0 parse failure(s)
2023-01-30 10:57:11,401:ERROR:certbot._internal.log:1 renew failure(s), 0 parse failure(s)

My web server is (include version): nginx 1.22.1_2,3

The operating system my web server runs on is (include version): FreeBSD 13.1-RELEASE (-kr p3, -u p5)

My hosting provider, if applicable, is: Federal University of Roraima - UFRR

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No control panel. Direct access to the machine.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.1.0 (certbot-3.9)


Hello @jlgm, welcome to the Let's Encrypt community.

Well, it looks like port 80 isn't responding.

$ curl -Ii  http://w3.dmat.ufrr.br/.well-known/acme-challenge/oYlzMWYE7TU0QbmvcDR4ybAzLQREeoNYt515x9uvOUs
curl: (7) Failed to connect to w3.dmat.ufrr.br port 80 after 621 ms: Connection refused

Also Let's Debug is reporting the same issue https://letsdebug.net/w3.dmat.ufrr.br/1355749

Best Practice - Keep Port 80 Open


nmap is showing only port 443 from my location (Portland, OR, USA metro area)

$ nmap -Pn w3.dmat.ufrr.br
Starting Nmap 7.80 ( https://nmap.org ) at 2023-01-30 18:38 UTC
Nmap scan report for w3.dmat.ufrr.br (200.129.159.22)
Host is up (0.21s latency).
Not shown: 939 filtered ports, 60 closed ports
PORT    STATE SERVICE
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 10.13 seconds

Sorry @Bruce5051, so much testing... now port 80 is open

curl -Ii http://w3.dmat.ufrr.br/.well-known/acme-challenge/oYlzMWYE7TU0QbmvcDR4ybAzLQREeoNYt515x9uvOUs
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 30 Jan 2023 18:41:40 GMT
Content-Type: text/html
Content-Length: 354
Last-Modified: Mon, 30 Jan 2023 14:51:12 GMT
Connection: keep-alive
Keep-Alive: timeout=65
Vary: Accept-Encoding
ETag: "63d7d960-162"
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000; includeSubDomains
Accept-Ranges: bytes


https://letsdebug.net/w3.dmat.ufrr.br/1355771 still isn't happy.
I see with curl

~$ curl -Ii  http://w3.dmat.ufrr.br/.well-known/acme-challenge/oYlzMWYE7TU0QbmvcDR4ybAzLQREeoNYt515x9uvOUs
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 30 Jan 2023 18:51:00 GMT
Content-Type: text/html
Content-Length: 354
Last-Modified: Mon, 30 Jan 2023 14:51:12 GMT
Connection: keep-alive
Keep-Alive: timeout=65
Vary: Accept-Encoding
ETag: "63d7d960-162"
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000; includeSubDomains
Accept-Ranges: bytes

I see with nmap

$ nmap -Pn w3.dmat.ufrr.br
Starting Nmap 7.80 ( https://nmap.org ) at 2023-01-30 18:46 UTC
Nmap scan report for w3.dmat.ufrr.br (200.129.159.22)
Host is up (0.21s latency).
Not shown: 939 filtered ports, 59 closed ports
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 8.94 seconds

There is nothing in .well-known/acme-challenge. I put an index.html there to test the access.

curl Departamento de Matemática

Departamento de Matemática

Teste ACME - LetsEncrypt

So, I have external access to .well-known/acme-challenge.

I've tried changing to the dns-01 challenge, without success too.


Sorry.

curl http://w3.dmat.ufrr.br/.well-known/acme-challenge/

<!DOCTYPE html>
<html>
  <head>
    <title>Departamento de Matem&aacute;tica</title>
    <meta charset="UTF-8">
  </head>
  <body>
    <p>Teste ACME - LetsEncrypt</p>
  </body>
</html>


I am seeing inconsistent connectivity from around the world ("Check website performance and response: Check host - online website monitoring"); some succeed, some do not.

The reason I have concern with those results is that Let's Encrypt uses multi-perspective validation ("Multi-Perspective Validation Improves Domain Validation Security - Let's Encrypt").


I would expect this to return file not found, not 200 OK.

$ curl -Ii http://w3.dmat.ufrr.br/.well-known/acme-challenge/sometestfile
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 30 Jan 2023 19:25:45 GMT
Content-Type: text/html
Content-Length: 354
Last-Modified: Mon, 30 Jan 2023 14:51:12 GMT
Connection: keep-alive
Keep-Alive: timeout=65
Vary: Accept-Encoding
ETag: "63d7d960-162"
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000; includeSubDomains
Accept-Ranges: bytes

More like this

$ curl -Ii http://example.com/.well-known/acme-challenge/sometestfile
HTTP/1.1 404 Not Found
Cache-Control: max-age=604800
Content-Type: text/html; charset=UTF-8
Date: Mon, 30 Jan 2023 19:29:46 GMT
Expires: Mon, 06 Feb 2023 19:29:46 GMT
Server: EOS (vny/044E)
Vary: Accept-Encoding
Content-Length: 1256

And now for the smoking gun; potentially a firewall issue.

$ curl -Ii http://w3.dmat.ufrr.br/.well-known/acme-challenge/sometestfile -A "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
curl: (56) Recv failure: Connection reset by peer
$ curl -Ii http://w3.dmat.ufrr.br/.well-known/acme-challenge/sometestfile
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 30 Jan 2023 19:31:22 GMT
Content-Type: text/html
Content-Length: 354
Last-Modified: Mon, 30 Jan 2023 14:51:12 GMT
Connection: keep-alive
Keep-Alive: timeout=65
Vary: Accept-Encoding
ETag: "63d7d960-162"
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000; includeSubDomains
Accept-Ranges: bytes

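Added example, not part of any post in this thread: the two-curl comparison above written as a script that requests the same path with a plain User-Agent and with the Let's Encrypt validation User-Agent quoted in the post, then reports whether the results differ. The function names, the plain User-Agent value and the local listener that stands in for a filtering device are constructed for this sketch.

```python
import http.client
import socket
import struct
import threading

# User-Agent string quoted in the post above.
LE_UA = ("Mozilla/5.0 (compatible; Let's Encrypt validation server; "
         "+https://www.letsencrypt.org)")
PLAIN_UA = "curl/7.81.0"  # constructed value for the comparison request


def probe(host, port, path, user_agent, timeout=5.0):
    """HEAD the path; return the status code as a string, or the failure kind."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("HEAD", path, headers={"User-Agent": user_agent})
        return str(conn.getresponse().status)
    except ConnectionRefusedError:
        return "refused"   # nothing listening (curl error 7 in the thread)
    except (ConnectionResetError, BrokenPipeError):
        return "reset"     # peer or middlebox tore the connection down (curl error 56)
    except socket.timeout:
        return "timeout"   # packets silently dropped
    finally:
        conn.close()


def diagnose(host, port, path):
    """Compare the two probes and say whether the User-Agent changes the outcome."""
    plain = probe(host, port, path, PLAIN_UA)
    as_le = probe(host, port, path, LE_UA)
    if plain == as_le:
        verdict = "consistent"
    elif plain.isdigit() and not as_le.isdigit():
        verdict = "ua-filtered"   # HTTP answer for one, transport failure for the other
    else:
        verdict = "inconsistent"
    return {"plain": plain, "as_le": as_le, "verdict": verdict}


def start_simulated_middlebox(filter_ua=True):
    """Constructed local listener: answers 404, but resets the connection when
    the request carries the validation User-Agent (if filter_ua is set)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # listening socket was closed
            try:
                head = b""
                while b"\r\n\r\n" not in head:
                    chunk = conn.recv(4096)
                    if not chunk:
                        break
                    head += chunk
                if filter_ua and b"Let's Encrypt validation server" in head:
                    # SO_LINGER with zero timeout makes close() send a TCP RST.
                    conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER,
                                    struct.pack("ii", 1, 0))
                else:
                    conn.sendall(b"HTTP/1.1 404 Not Found\r\n"
                                 b"Content-Length: 0\r\nConnection: close\r\n\r\n")
            except OSError:
                pass
            finally:
                conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv


if __name__ == "__main__":
    srv = start_simulated_middlebox()
    port = srv.getsockname()[1]
    print(diagnose("127.0.0.1", port, "/.well-known/acme-challenge/sometestfile"))
```

Against a real host, call `diagnose("your.domain", 80, "/.well-known/acme-challenge/sometestfile")` from a machine outside the site's own network; a verdict of `ua-filtered` points at a device in the path rather than at nginx or certbot.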

Yes, very sus output.

Is there a Palo Alto firewall in use?


Guys (@Bruce5051 + rg305), first of all, thanks !!

I got the nginx response 403 (forbidden) for a non-existing server structure. I don't know if that difference from a 404 error causes certbot to not work.

I have doubts that the IT people have made any change to the firewall... My big doubt is why it stopped working suddenly. It is my first renewal problem since 2019.

curl -Ii http://w3.dmat.ufrr.br/.well-known/acme-challenge/

HTTP/1.1 403 Forbidden
Server: nginx
Date: Mon, 30 Jan 2023 20:31:58 GMT
Content-Type: text/html
Content-Length: 146
Connection: keep-alive
Keep-Alive: timeout=65
Vary: Accept-Encoding
Strict-Transport-Security: max-age=31536000; includeSubDomains

Below it's OK because there is a temporary index.html... Originally, the server redirects 80 to 443... it is not doing that because I am trying to correct the certbot renewal.

curl -Ii http://w3.dmat.ufrr.br/

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 30 Jan 2023 20:32:46 GMT
Content-Type: text/html
Content-Length: 354
Last-Modified: Mon, 30 Jan 2023 14:51:12 GMT
Connection: keep-alive
Keep-Alive: timeout=65
Vary: Accept-Encoding
ETag: "63d7d960-162"
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000; includeSubDomains
Accept-Ranges: bytes

Thanks again !!

The difference between HTTP status codes 403 and 404.


I guess the server is responding HTTP 404 correctly. But Let's Debug is still responding not OK.

https://letsdebug.net/w3.dmat.ufrr.br/1355928

curl -Ii http://w3.dmat.ufrr.br/.well-known/acme-challege/kfjsadfjsdljf

HTTP/1.1 404 Not Found
Server: nginx
Date: Mon, 30 Jan 2023 21:15:27 GMT
Content-Type: text/html
Content-Length: 313
Connection: keep-alive
Keep-Alive: timeout=65
Vary: Accept-Encoding
ETag: "63d83359-139"
Strict-Transport-Security: max-age=31536000; includeSubDomains


About the Let's Debug answer... the server has a valid IPv4 (200.129.159.22) physically set up on the interface, not NAT or anything else.

ifconfig

em0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=481009b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,VLAN_HWFILTER,NOMAP>
	ether c6:c6:c8:59:dd:14
	inet 200.129.159.22 netmask 0xfffffff0 broadcast 200.129.159.31
	media: Ethernet autoselect (1000baseT <full-duplex>)
	status: active
	nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>

It might be working for you (from the same network perhaps?), but from (a large part of) the public internet your website seems to be down. Connecting to port 80 from my point of view results in a timeout.


nmap to find what is open

$ nmap -Pn w3.dmat.ufrr.br
Starting Nmap 7.80 ( https://nmap.org ) at 2023-01-30 21:35 UTC
Nmap scan report for w3.dmat.ufrr.br (200.129.159.22)
Host is up (0.21s latency).
Not shown: 939 filtered ports, 59 closed ports
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 9.38 seconds

Why does this fail?

$ curl -Ii http://w3.dmat.ufrr.br/.well-known/acme-challenge/sometestfile -A "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
curl: (56) Recv failure: Connection reset by peer

And this passes. They are basically the same; the failing one has added
-A "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
to emulate Let's Encrypt.

$ curl -Ii http://w3.dmat.ufrr.br/.well-known/acme-challenge/sometestfile
HTTP/1.1 404 Not Found
Server: nginx
Date: Mon, 30 Jan 2023 21:34:09 GMT
Content-Type: text/html
Content-Length: 313
Connection: keep-alive
Keep-Alive: timeout=65
Vary: Accept-Encoding
ETag: "63d83359-139"
Strict-Transport-Security: max-age=31536000; includeSubDomains


Hi Osiris,

Not on the same network... in the same city, yes... and @Bruce5051 showed me the inconsistency of server access across the world via check-host.net. That's OK.

My first goal is to make the server as correct as possible, so that it is not responsible for any impediment to certificate renewal; I can only solve problems on the machine itself. As I said before, it is the first renewal problem in years.

And I guess that kind of network inconsistency is not showing up only now... and it will keep happening. And I have no way to solve it.

Another question: would the DNS challenge be more effective in that scenario?

Imagining that server running without crypto leaves me shaking.

Thanks a lot guys !!!


Is there a Palo Alto firewall between your server and the Internet?


Also @jlgm Is there any GeoLocation blocking?
Potentially new GeoLocation blocking that you were not made aware of?
