Have renewed certificate fine for years but now i can't renew it

jlgm · January 30, 2023, 6:29pm

A quick preface: I've had certbot renew manually working perfectly fine for the past 4 years, and I haven't changed anything since - our websites are still up, and it seems the certificate was unable to renew for reasons I apparently can't even begin to understand.
I have tested (due to log data) to open only the port 80, ports 80 and 443 as well, with external access ok (tested via curl), but renewal still unsuccessfully.

My domain is: w3.dmat.ufrr.br

I ran this command: /usr/local/bin/certbot -v renew

It produced this output: letsencrypt.log

2023-01-30 10:57:04,703:DEBUG:certbot._internal.main:certbot version: 2.1.0
2023-01-30 10:57:04,704:DEBUG:certbot._internal.main:Location of certbot entry point: /usr/local/bin/certbot
2023-01-30 10:57:04,704:DEBUG:certbot._internal.main:Arguments: ['-v']
2023-01-30 10:57:04,704:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2023-01-30 10:57:04,719:DEBUG:certbot._internal.log:Root logging level set at 20
2023-01-30 10:57:04,722:DEBUG:certbot._internal.display.obj:Notifying user: Processing /usr/local/etc/letsencrypt/renewal/w3.dmat.ufrr.br.conf
2023-01-30 10:57:04,739:DEBUG:certbot._internal.plugins.selection:Requested authenticator <certbot._internal.cli.cli_utils._Default object at 0x803750fd0> and installer <certbot._internal.cli.cli_utils._Default object at 0x803750fd0>
2023-01-30 10:57:04,773:DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): r3.o.lencr.org:80
2023-01-30 10:57:05,097:DEBUG:urllib3.connectionpool:http://r3.o.lencr.org:80 "POST / HTTP/1.1" 200 503
2023-01-30 10:57:05,099:DEBUG:certbot.ocsp:OCSP response for certificate /usr/local/etc/letsencrypt/archive/w3.dmat.ufrr.br/cert18.pem is signed by the certificate's issuer.
2023-01-30 10:57:05,106:DEBUG:certbot.ocsp:OCSP certificate status for /usr/local/etc/letsencrypt/archive/w3.dmat.ufrr.br/cert18.pem is: OCSPCertStatus.GOOD
2023-01-30 10:57:05,112:DEBUG:certbot._internal.storage:Should renew, less than 30 days before certificate expiry 2023-02-01 12:42:50 UTC.
2023-01-30 10:57:05,112:INFO:certbot._internal.renewal:Certificate is due for renewal, auto-renewing...
2023-01-30 10:57:05,112:DEBUG:certbot._internal.plugins.selection:Requested authenticator standalone and installer None
2023-01-30 10:57:05,115:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * standalone
Description: Spin up a temporary webserver
Interfaces: Authenticator, Plugin
Entry point: standalone = certbot._internal.plugins.standalone:Authenticator
Initialized: <certbot._internal.plugins.standalone.Authenticator object at 0x80380e0a0>
Prep: True
2023-01-30 10:57:05,115:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot._internal.plugins.standalone.Authenticator object at 0x80380e0a0> and installer None
2023-01-30 10:57:05,115:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator standalone, Installer None
2023-01-30 10:57:05,124:DEBUG:certbot._internal.main:Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-v02.api.letsencrypt.org/acme/acct/52352385', new_authzr_uri=None, terms_of_service=None), f78e0eb739eaea99db604e79225fce54, Meta(creation_dt=datetime.datetime(2019, 2, 27, 23, 27, 30, tzinfo=<UTC>), creation_host='w3.dmat.ufrr.br', register_to_eff=None))>
2023-01-30 10:57:05,125:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2023-01-30 10:57:05,126:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
2023-01-30 10:57:05,736:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 659
2023-01-30 10:57:05,737:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Mon, 30 Jan 2023 14:58:25 GMT
Content-Type: application/json
Content-Length: 659
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "Rg7Z5c7DWGY": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}
2023-01-30 10:57:05,740:DEBUG:certbot._internal.display.obj:Notifying user: Renewing an existing certificate for w3.dmat.ufrr.br
2023-01-30 10:57:05,802:DEBUG:certbot.crypto_util:Generating RSA key (2048 bits): /usr/local/etc/letsencrypt/keys/0041_key-certbot.pem
2023-01-30 10:57:05,808:DEBUG:certbot.crypto_util:Creating CSR: /usr/local/etc/letsencrypt/csr/0041_csr-certbot.pem
2023-01-30 10:57:05,809:DEBUG:acme.client:Requesting fresh nonce
2023-01-30 10:57:05,809:DEBUG:acme.client:Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce.
2023-01-30 10:57:05,983:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0
2023-01-30 10:57:05,984:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Mon, 30 Jan 2023 14:58:25 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 1DFAv9DB8t1i2Xd7Fq10Er14tytuFJBO6KTaHjfAtLH1JDo
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800


2023-01-30 10:57:05,985:DEBUG:acme.client:Storing nonce: 1DFAv9DB8t1i2Xd7Fq10Er14tytuFJBO6KTaHjfAtLH1JDo
2023-01-30 10:57:05,985:DEBUG:acme.client:JWS payload:
b'{\n  "identifiers": [\n    {\n      "type": "dns",\n      "value": "w3.dmat.ufrr.br"\n    }\n  ]\n}'
2023-01-30 10:57:05,989:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/new-order:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvNTIzNTIzODUiLCAibm9uY2UiOiAiMURGQXY5REI4dDFpMlhkN0ZxMTBFcjE0dHl0dUZKQk82S1RhSGpmQXRMSDFKRG8iLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL25ldy1vcmRlciJ9",
  "signature": "Ax-0-zRiperYY7HWSzc6fTW-QBLiKrRIIXvcb2Nu4xUMUm26_ED76toBxUCv8sjJJJGJr5Uxk1nREQVQYp1rqjhSEhz57BHwoF2k8oP7SWLkzlt6o5PWyHJ_53da0hxjcJ0p6slSTj8Bq19OfaJ9u9BFcGgHO_9WiEHzcrcpycQgVEi7mrV1cHbnG6RdPUSbc_YnD-dSBwHKeQDfoI6m-adjWU1tH63y3uQQIQKtErS8EU8vA7NjIYaeYbU5C4CF7CITprJ_y1q4TbFS_zRM7K7pvo-iR4Wb_w_0m1KUIHofrp-s5LF6sIcpCrOkO0AZPQjaA8IDAic21iO-UmV5Dw",
  "payload": "ewogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwKICAgICAgInZhbHVlIjogInczLmRtYXQudWZyci5iciIKICAgIH0KICBdCn0"
}
2023-01-30 10:57:06,362:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 339
2023-01-30 10:57:06,364:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Date: Mon, 30 Jan 2023 14:58:26 GMT
Content-Type: application/json
Content-Length: 339
Connection: keep-alive
Boulder-Requester: 52352385
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Location: https://acme-v02.api.letsencrypt.org/acme/order/52352385/161887272967
Replay-Nonce: C878779yrcD_7uSpYlqkE8Is9JAg_mWluNZaZ4jz_ivvYz0
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "status": "pending",
  "expires": "2023-02-06T14:58:26Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "w3.dmat.ufrr.br"
    }
  ],
  "authorizations": [
    "https://acme-v02.api.letsencrypt.org/acme/authz-v3/199446944407"
  ],
  "finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/52352385/161887272967"
}
2023-01-30 10:57:06,364:DEBUG:acme.client:Storing nonce: C878779yrcD_7uSpYlqkE8Is9JAg_mWluNZaZ4jz_ivvYz0
2023-01-30 10:57:06,365:DEBUG:acme.client:JWS payload:
b''
2023-01-30 10:57:06,368:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/199446944407:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvNTIzNTIzODUiLCAibm9uY2UiOiAiQzg3ODc3OXlyY0RfN3VTcFlscWtFOElzOUpBZ19tV2x1TlphWjRqel9pdnZZejAiLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2F1dGh6LXYzLzE5OTQ0Njk0NDQwNyJ9",
  "signature": "mGbHZmQjpp-4uo3yYZQUNfIVZmZV0Wrq2muBw2RMRNnbr1nRh2iZ-lCV1KndqcagDhRVNZvzGs5Z0ebKIM7a9LFsfwaP4LqR4-R234KvqV4CTULBxO_J3e8iKNYouEkaKOVrqNaIDsMFdn7tVo2kIwCbUC1a9lc8R0sajGb3-siXZnp6kxrk77WrE9RBSmoPe6kbfr-Q3ORImZabLliF9uqpC5UACa6tZyaqouuU_p3TwOy2pweappSic7mEEJ3fiSI41j7g94IsJJeQ0kIAU8_xA-tPZ21zKQW26UrEOTqwLLO1IA1ETZxrXgfgA9Btawx_uRnt7h5o5tbirbxqng",
  "payload": ""
}
2023-01-30 10:57:06,558:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/199446944407 HTTP/1.1" 200 799
2023-01-30 10:57:06,559:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Mon, 30 Jan 2023 14:58:26 GMT
Content-Type: application/json
Content-Length: 799
Connection: keep-alive
Boulder-Requester: 52352385
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 1DFAF68H6AMbTtCgDWePXYD7uCnZ-_uXaGRHXm3b_1MG0Lk
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "w3.dmat.ufrr.br"
  },
  "status": "pending",
  "expires": "2023-02-06T14:58:26Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/199446944407/akG_nw",
      "token": "oYlzMWYE7TU0QbmvcDR4ybAzLQREeoNYt515x9uvOUs"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/199446944407/-f0Rcg",
      "token": "oYlzMWYE7TU0QbmvcDR4ybAzLQREeoNYt515x9uvOUs"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/199446944407/7Zhh2Q",
      "token": "oYlzMWYE7TU0QbmvcDR4ybAzLQREeoNYt515x9uvOUs"
    }
  ]
}
2023-01-30 10:57:06,560:DEBUG:acme.client:Storing nonce: 1DFAF68H6AMbTtCgDWePXYD7uCnZ-_uXaGRHXm3b_1MG0Lk
2023-01-30 10:57:06,561:INFO:certbot._internal.auth_handler:Performing the following challenges:
2023-01-30 10:57:06,561:INFO:certbot._internal.auth_handler:http-01 challenge for w3.dmat.ufrr.br
2023-01-30 10:57:06,564:DEBUG:acme.standalone:Successfully bound to :80 using IPv6
2023-01-30 10:57:06,564:DEBUG:acme.standalone:Certbot wasn't able to bind to :80 using IPv4, this is often expected due to the dual stack nature of IPv6 socket implementations.
2023-01-30 10:57:06,569:DEBUG:acme.client:JWS payload:
b'{}'
2023-01-30 10:57:06,571:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/199446944407/akG_nw:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvNTIzNTIzODUiLCAibm9uY2UiOiAiMURGQUY2OEg2QU1iVHRDZ0RXZVBYWUQ3dUNuWi1fdVhhR1JIWG0zYl8xTUcwTGsiLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2NoYWxsLXYzLzE5OTQ0Njk0NDQwNy9ha0dfbncifQ",
  "signature": "FmW4xEpy4MS4BYaoDKmtuDCokkzWOzjk-qfSrS9tfET1ULCbZ-bZdBuDlvNUJkkdv4i4lMo2dKg1dVFIkeydGu7EGUCqQvQ09klQXA167VwCGuA9UGVG9VV6nFUnA5buQfssYJi-37TWMxBZZ9c-oFIjDShRAuW8c7K4nMEGsfg1MquOeITGAMSzJOb1OUkCa2XaCmUw3lX36xmeES0xt0S15kXmxr2grvhAEbwF0WDOmYUinely_99R0o_50EfpTX2mszVwbz9Dg727zf1avOVUgJ3bkST9vyMXyzclh9fb_2BQut9kZfPZqkp_Np-K-mfD2No0SianH1ZuwT3rCw",
  "payload": "e30"
}
2023-01-30 10:57:06,777:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/chall-v3/199446944407/akG_nw HTTP/1.1" 200 187
2023-01-30 10:57:06,778:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Mon, 30 Jan 2023 14:58:26 GMT
Content-Type: application/json
Content-Length: 187
Connection: keep-alive
Boulder-Requester: 52352385
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index", <https://acme-v02.api.letsencrypt.org/acme/authz-v3/199446944407>;rel="up"
Location: https://acme-v02.api.letsencrypt.org/acme/chall-v3/199446944407/akG_nw
Replay-Nonce: 1DFA3V2Q4poKA_bZsUxyR9p19BJYpGOKDfcLiSGwmpfLBDo
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "type": "http-01",
  "status": "pending",
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/199446944407/akG_nw",
  "token": "oYlzMWYE7TU0QbmvcDR4ybAzLQREeoNYt515x9uvOUs"
}
2023-01-30 10:57:06,779:DEBUG:acme.client:Storing nonce: 1DFA3V2Q4poKA_bZsUxyR9p19BJYpGOKDfcLiSGwmpfLBDo
2023-01-30 10:57:06,779:INFO:certbot._internal.auth_handler:Waiting for verification...
2023-01-30 10:57:07,817:DEBUG:acme.client:JWS payload:
b''
2023-01-30 10:57:07,820:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/199446944407:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvNTIzNTIzODUiLCAibm9uY2UiOiAiMURGQTNWMlE0cG9LQV9iWnNVeHlSOXAxOUJKWXBHT0tEZmNMaVNHd21wZkxCRG8iLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2F1dGh6LXYzLzE5OTQ0Njk0NDQwNyJ9",
  "signature": "khTCsDXLtaukA45Zlqfj-CFs2PZujsXPi7Pck4FkdF0FMVBMEpq7oGNcWw9iSd0LyKusLT3oargLPafX405knSlkIGqtP_aJ4o-OSHDiTL_pPPt45csNJ0Q6IwEuA-_5Jvz5nNKKI13ll8t-iGtLmxZbanT7uDKU-4LilsfxyGnxAKECtXKLVzAayuO_IJh72y1yoLzYKv35bq0oTvkJB2PD1GSoRH-OIXYpfe2qqRwYEcf3TLT7qroWKUn5VJUjfpLuTXxArMNWDTjuLCtJFhGcd5qcSTAsmFniNaB9chAisRjzgHuJrqtiojaicb5DQ7YxZZSI_B3QZ-TTGKld3g",
  "payload": ""
}
2023-01-30 10:57:08,008:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/199446944407 HTTP/1.1" 200 799
2023-01-30 10:57:08,010:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Mon, 30 Jan 2023 14:58:27 GMT
Content-Type: application/json
Content-Length: 799
Connection: keep-alive
Boulder-Requester: 52352385
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 5CA2UFb7Tg0oiluZkQ8uX-QWeXKrcK_OCWcGVQtUZ13oc4E
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "w3.dmat.ufrr.br"
  },
  "status": "pending",
  "expires": "2023-02-06T14:58:26Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/199446944407/akG_nw",
      "token": "oYlzMWYE7TU0QbmvcDR4ybAzLQREeoNYt515x9uvOUs"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/199446944407/-f0Rcg",
      "token": "oYlzMWYE7TU0QbmvcDR4ybAzLQREeoNYt515x9uvOUs"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/199446944407/7Zhh2Q",
      "token": "oYlzMWYE7TU0QbmvcDR4ybAzLQREeoNYt515x9uvOUs"
    }
  ]
}
2023-01-30 10:57:08,010:DEBUG:acme.client:Storing nonce: 5CA2UFb7Tg0oiluZkQ8uX-QWeXKrcK_OCWcGVQtUZ13oc4E
2023-01-30 10:57:11,112:DEBUG:acme.client:JWS payload:
b''
2023-01-30 10:57:11,116:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/199446944407:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvNTIzNTIzODUiLCAibm9uY2UiOiAiNUNBMlVGYjdUZzBvaWx1WmtROHVYLVFXZVhLcmNLX09DV2NHVlF0VVoxM29jNEUiLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2F1dGh6LXYzLzE5OTQ0Njk0NDQwNyJ9",
  "signature": "Bqv0KqoUHsLCLrtrN-QjuQoPWNFT1holNDVVJtPQ6KQ2gAGiFQ53rAsC1CAVt6ktE5fju9lSkq6Zfvso_b6N3SUvtzN2DN8XAh-YivZpec7i-eDgfK0P8caGsyI7ale4v29plLsvmoIfigm-eb9arjjxrdqlOGs8XvEIlcTs5bWJBAd_YavxTKNRUG2ZppofCze_TObY1pLY3Pja-Q6KnDbOZhbRBjQWamcE7A4_jL-kmyMVwdt3Frmox9XQWYgWShptfnHN5KNFrgZ9xegWeFPJCb4NO1_88GS_MEir504Juj1BGeSJNm3XBDEE8PwTiwvnJFvcJg2Y3JLM4mvD8Q",
  "payload": ""
}
2023-01-30 10:57:11,296:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/199446944407 HTTP/1.1" 200 1037
2023-01-30 10:57:11,297:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Mon, 30 Jan 2023 14:58:31 GMT
Content-Type: application/json
Content-Length: 1037
Connection: keep-alive
Boulder-Requester: 52352385
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 5CA26ceWPB9JzYc_NGaF04rlWQVqx7M7WJSKM1qKHvrW2RY
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "w3.dmat.ufrr.br"
  },
  "status": "invalid",
  "expires": "2023-02-06T14:58:26Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:connection",
        "detail": "200.129.159.22: Fetching http://w3.dmat.ufrr.br/.well-known/acme-challenge/oYlzMWYE7TU0QbmvcDR4ybAzLQREeoNYt515x9uvOUs: Connection reset by peer",
        "status": 400
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/199446944407/akG_nw",
      "token": "oYlzMWYE7TU0QbmvcDR4ybAzLQREeoNYt515x9uvOUs",
      "validationRecord": [
        {
          "url": "http://w3.dmat.ufrr.br/.well-known/acme-challenge/oYlzMWYE7TU0QbmvcDR4ybAzLQREeoNYt515x9uvOUs",
          "hostname": "w3.dmat.ufrr.br",
          "port": "80",
          "addressesResolved": [
            "200.129.159.22"
          ],
          "addressUsed": "200.129.159.22"
        }
      ],
      "validated": "2023-01-30T14:58:26Z"
    }
  ]
}
2023-01-30 10:57:11,298:DEBUG:acme.client:Storing nonce: 5CA26ceWPB9JzYc_NGaF04rlWQVqx7M7WJSKM1qKHvrW2RY
2023-01-30 10:57:11,298:INFO:certbot._internal.auth_handler:Challenge failed for domain w3.dmat.ufrr.br
2023-01-30 10:57:11,299:INFO:certbot._internal.auth_handler:http-01 challenge for w3.dmat.ufrr.br
2023-01-30 10:57:11,299:DEBUG:certbot._internal.display.obj:Notifying user: 
Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
  Domain: w3.dmat.ufrr.br
  Type:   connection
  Detail: 200.129.159.22: Fetching http://w3.dmat.ufrr.br/.well-known/acme-challenge/oYlzMWYE7TU0QbmvcDR4ybAzLQREeoNYt515x9uvOUs: Connection reset by peer

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

2023-01-30 10:57:11,300:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/local/lib/python3.9/site-packages/certbot/_internal/auth_handler.py", line 106, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/usr/local/lib/python3.9/site-packages/certbot/_internal/auth_handler.py", line 206, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2023-01-30 10:57:11,300:DEBUG:certbot._internal.error_handler:Calling registered functions
2023-01-30 10:57:11,301:INFO:certbot._internal.auth_handler:Cleaning up challenges
2023-01-30 10:57:11,301:DEBUG:certbot._internal.plugins.standalone:Stopping server at :::80...
2023-01-30 10:57:11,393:ERROR:certbot._internal.renewal:Failed to renew certificate w3.dmat.ufrr.br with error: Some challenges have failed.
2023-01-30 10:57:11,396:DEBUG:certbot._internal.renewal:Traceback was:
Traceback (most recent call last):
  File "/usr/local/lib/python3.9/site-packages/certbot/_internal/renewal.py", line 524, in handle_renewal_request
    main.renew_cert(lineage_config, plugins, renewal_candidate)
  File "/usr/local/lib/python3.9/site-packages/certbot/_internal/main.py", line 1540, in renew_cert
    renewed_lineage = _get_and_save_cert(le_client, config, lineage=lineage)
  File "/usr/local/lib/python3.9/site-packages/certbot/_internal/main.py", line 126, in _get_and_save_cert
    renewal.renew_cert(config, domains, le_client, lineage)
  File "/usr/local/lib/python3.9/site-packages/certbot/_internal/renewal.py", line 387, in renew_cert
    new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
  File "/usr/local/lib/python3.9/site-packages/certbot/_internal/client.py", line 428, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/local/lib/python3.9/site-packages/certbot/_internal/client.py", line 496, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
  File "/usr/local/lib/python3.9/site-packages/certbot/_internal/auth_handler.py", line 106, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/usr/local/lib/python3.9/site-packages/certbot/_internal/auth_handler.py", line 206, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2023-01-30 10:57:11,399:DEBUG:certbot._internal.display.obj:Notifying user: 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2023-01-30 10:57:11,399:ERROR:certbot._internal.renewal:All renewals failed. The following certificates could not be renewed:
2023-01-30 10:57:11,399:ERROR:certbot._internal.renewal:  /usr/local/etc/letsencrypt/live/w3.dmat.ufrr.br/fullchain.pem (failure)
2023-01-30 10:57:11,399:DEBUG:certbot._internal.display.obj:Notifying user: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2023-01-30 10:57:11,400:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/local/bin/certbot", line 33, in <module>
    sys.exit(load_entry_point('certbot==2.1.0', 'console_scripts', 'certbot')())
  File "/usr/local/lib/python3.9/site-packages/certbot/main.py", line 19, in main
    return internal_main.main(cli_args)
  File "/usr/local/lib/python3.9/site-packages/certbot/_internal/main.py", line 1736, in main
    return config.func(config, plugins)
  File "/usr/local/lib/python3.9/site-packages/certbot/_internal/main.py", line 1629, in renew
    renewal.handle_renewal_request(config)
  File "/usr/local/lib/python3.9/site-packages/certbot/_internal/renewal.py", line 550, in handle_renewal_request
    raise errors.Error(
certbot.errors.Error: 1 renew failure(s), 0 parse failure(s)
2023-01-30 10:57:11,401:ERROR:certbot._internal.log:1 renew failure(s), 0 parse failure(s)

My web server is (include version): nginx 1.22.1_2,3

The operating system my web server runs on is (include version): FreeBSD 13.1-RELEASE (-kr p3, -u p5)

My hosting provider, if applicable, is: Federal University of Roraima - UFRR

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No control panel. Direct access to the machine.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.1.0 (certbot-3.9)

Bruce5051 · January 30, 2023, 6:34pm

Hello @jlgm, welcome to the Let's Encrypt community.

Well is looks like Port 80 isn't responding.

$ curl -Ii  http://w3.dmat.ufrr.br/.well-known/acme-challenge/oYlzMWYE7TU0QbmvcDR4ybAzLQREeoNYt515x9uvOUs
curl: (7) Failed to connect to w3.dmat.ufrr.br port 80 after 621 ms: Connection refused

Also Let's Debug is reporting the same issue https://letsdebug.net/w3.dmat.ufrr.br/1355749

Best Practice - Keep Port 80 Open

Bruce5051 · January 30, 2023, 6:40pm

nmap is showing only port 443 from my location (Portland, OR, USA metro area)

$ nmap -Pn w3.dmat.ufrr.br
Starting Nmap 7.80 ( https://nmap.org ) at 2023-01-30 18:38 UTC
Nmap scan report for w3.dmat.ufrr.br (200.129.159.22)
Host is up (0.21s latency).
Not shown: 939 filtered ports, 60 closed ports
PORT    STATE SERVICE
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 10.13 seconds

jlgm · January 30, 2023, 6:44pm

Sorry @Bruce5051, so many testing... now port 80 is opened

curl -Ii http://w3.dmat.ufrr.br/.well-known/acme-challenge/oYlzMWYE7TU0QbmvcDR4ybAzLQREeoNYt515x9uvOUs
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 30 Jan 2023 18:41:40 GMT
Content-Type: text/html
Content-Length: 354
Last-Modified: Mon, 30 Jan 2023 14:51:12 GMT
Connection: keep-alive
Keep-Alive: timeout=65
Vary: Accept-Encoding
ETag: "63d7d960-162"
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000; includeSubDomains
Accept-Ranges: bytes

Bruce5051 · January 30, 2023, 6:52pm

https://letsdebug.net/w3.dmat.ufrr.br/1355771 still isn't happy.
I see with curl

~$ curl -Ii  http://w3.dmat.ufrr.br/.well-known/acme-challenge/oYlzMWYE7TU0QbmvcDR4ybAzLQREeoNYt515x9uvOUs
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 30 Jan 2023 18:51:00 GMT
Content-Type: text/html
Content-Length: 354
Last-Modified: Mon, 30 Jan 2023 14:51:12 GMT
Connection: keep-alive
Keep-Alive: timeout=65
Vary: Accept-Encoding
ETag: "63d7d960-162"
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000; includeSubDomains
Accept-Ranges: bytes

I see with nmap

$ nmap -Pn w3.dmat.ufrr.br
Starting Nmap 7.80 ( https://nmap.org ) at 2023-01-30 18:46 UTC
Nmap scan report for w3.dmat.ufrr.br (200.129.159.22)
Host is up (0.21s latency).
Not shown: 939 filtered ports, 59 closed ports
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 8.94 seconds

jlgm · January 30, 2023, 6:59pm

There is nothing in .well-known/acme-challenge. I put an index.html there to test the access.

curl Departamento de Matemática

Departamento de Matemática

Teste ACME - LetsEncrypt

So, i have an external access to .well-known/acme-challenge.

I've tried change to dns-01 challenge without success too.

jlgm · January 30, 2023, 7:01pm

Sorry.

curl http://w3.dmat.ufrr.br/.well-known/acme-challenge/

<!DOCTYPE html>
<html>
  <head>
    <title>Departamento de Matem&aacute;tica</title>
    <meta charset="UTF-8">
  </head>
  <body>
    <p>Teste ACME - LetsEncrypt</p>
  </body>
</html>

Bruce5051 · January 30, 2023, 7:10pm

I am seeing inconsistent connectivity from around the world Check website performance and response: Check host - online website monitoring some succeed some do not.

The reason I have concern with those results is Let's Encrypt uses Multi-Perspective Validation Improves Domain Validation Security - Let's Encrypt.

Bruce5051 · January 30, 2023, 7:30pm

I would expect this to return file not found, not 200 OK.

$ curl -Ii http://w3.dmat.ufrr.br/.well-known/acme-challenge/sometestfile
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 30 Jan 2023 19:25:45 GMT
Content-Type: text/html
Content-Length: 354
Last-Modified: Mon, 30 Jan 2023 14:51:12 GMT
Connection: keep-alive
Keep-Alive: timeout=65
Vary: Accept-Encoding
ETag: "63d7d960-162"
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000; includeSubDomains
Accept-Ranges: bytes

Topic		Replies	Views
All renewal attempts failed. The following certs could not be renewed Help	5	1980	April 17, 2019
No renewals were attempted Help	10	6486	September 29, 2017
Cannot renew certbot Help	4	183	August 8, 2024
Renew certificate Help	3	2710	August 18, 2019
I can't renew my certificate with certbot renew command Help	3	252	March 19, 2024

Have renewed certificate fine for years but now i can't renew it

Related topics