Guys (@Bruce5051 + rg305), first of all, thanks!!
I got the nginx response 403 (Forbidden) for a non-existing server structure. I don't know if that difference from the 404 error implies certbot is not working.
I have doubts that the IT people have made any change in the firewall... My big doubt is why that stopped working suddenly. It is my first renewal problem since 2019.
curl -Ii http://w3.dmat.ufrr.br/.well-known/acme-challenge/
HTTP/1.1 403 Forbidden
Server: nginx
Date: Mon, 30 Jan 2023 20:31:58 GMT
Content-Type: text/html
Content-Length: 146
Connection: keep-alive
Keep-Alive: timeout=65
Vary: Accept-Encoding
Strict-Transport-Security: max-age=31536000; includeSubDomains
Below it's OK because there is a temporary index.html... Originally, the server redirected 80 to 443... it is not doing that because I am trying to correct the certbot renewal.
It might be working for you (from the same network perhaps?), but from (a large part of) the public internet your website seems to be down. Connecting to port 80 from my point of view results in a timeout.
$ nmap -Pn w3.dmat.ufrr.br
Starting Nmap 7.80 ( https://nmap.org ) at 2023-01-30 21:35 UTC
Nmap scan report for w3.dmat.ufrr.br (200.129.159.22)
Host is up (0.21s latency).
Not shown: 939 filtered ports, 59 closed ports
PORT STATE SERVICE
80/tcp open http
443/tcp open https
Nmap done: 1 IP address (1 host up) scanned in 9.38 seconds
Why does this fail?
$ curl -Ii http://w3.dmat.ufrr.br/.well-known/acme-challenge/sometestfile -A "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
curl: (56) Recv failure: Connection reset by peer
And this passes. They are basically the same; the failing one has added
-A "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
to emulate Let's Encrypt.
Not on the same network... in the same city, yes... and @Bruce5051 showed me the inconsistency of server access across the world via check-host.net. That's OK.
My first goal is to correct the server as perfectly as possible so as not to hold it responsible for any impediment to certificate renewal; I can only solve the machine problem. As I said before, it is the first renewal problem in years.
And I guess that kind of network inconsistency is not showing up only now... and it will still happen. And I have no way to solve it.
Another question is, would the DNS challenge be more effective in that scenario??
Imagining that server running without crypto makes me shake.
@jlgm You are almost certainly affected by a Palo Alto brand firewall. You have the same symptoms as we often saw earlier in 2022. See (this link) for more info.
You should talk to your network admins and have them change the Application Rule for "ACME protocol".
The tests described by my link above for your domain are these:
(test gets expected 404 with test file)
curl -I http://w3.dmat.ufrr.br/.well-known/acme-challenge/sometestfile
HTTP/1.1 404 Not Found
Server: nginx
(test fails when using a user-agent the same as Let's Encrypt servers)
curl -I http://w3.dmat.ufrr.br/.well-known/acme-challenge/sometestfile -A "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
curl: (56) Recv failure: Connection reset by peer
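The two-request comparison above (a plain curl versus one sending the Let's Encrypt validation User-Agent) can be scripted so the outcome pair is classified automatically. This is an added example written for this thread, not code from any poster; the probe path `acme-probe-<pid>` and the verdict labels are my own choices.

```shell
#!/bin/sh
# Added example: send a HEAD request to the ACME challenge path twice, once with
# a generic User-Agent and once with the Let's Encrypt validation User-Agent,
# then classify the pair. A 404 for the generic agent but a connection reset
# (curl exit 56) or timeout (exit 28) for the Let's Encrypt agent points at a
# middlebox matching on the User-Agent, not at the web server configuration.

LE_UA="Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"

# probe URL UA -> prints "<curl_exit_code> <http_status>" ("000" when no response)
probe() {
    url=$1; ua=$2
    status=$(curl -sS -o /dev/null -I -m 15 -A "$ua" -w '%{http_code}' "$url" 2>/dev/null)
    rc=$?
    printf '%s %s\n' "$rc" "${status:-000}"
}

# classify PLAIN_EXIT PLAIN_STATUS LE_EXIT LE_STATUS -> one-word verdict
classify() {
    p_rc=$1; p_st=$2; l_rc=$3; l_st=$4
    if [ "$p_rc" -ne 0 ] && [ "$l_rc" -ne 0 ]; then
        echo "unreachable"            # nothing gets through: host, port or routing issue
    elif [ "$p_rc" -eq 0 ] && [ "$l_rc" -ne 0 ]; then
        echo "ua-blocked"             # only the Let's Encrypt agent fails: firewall app rule
    elif [ "$p_rc" -eq 0 ] && [ "$l_rc" -eq 0 ] && [ "$p_st" != "$l_st" ]; then
        echo "ua-differs"             # both answer, but differently (e.g. 404 vs 403)
    elif [ "$p_st" = "404" ] || [ "$p_st" = "200" ]; then
        echo "ok"                     # challenge path is served consistently
    else
        echo "server-error:$p_st"     # e.g. 403: web server config, not the firewall
    fi
}

# check_host HOSTNAME -> verdict for http://HOSTNAME/.well-known/acme-challenge/
check_host() {
    url="http://$1/.well-known/acme-challenge/acme-probe-$$"
    set -- $(probe "$url" "curl-probe") $(probe "$url" "$LE_UA")
    classify "$1" "$2" "$3" "$4"
}

if [ -n "${1:-}" ]; then
    check_host "$1"
fi
```

Run it as `sh probe.sh w3.dmat.ufrr.br`; the results in this thread (404 plain, reset with the Let's Encrypt agent) classify as `ua-blocked`.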
It can be easy.
But it can also be impossible [to automate].
It depends mostly on the DSP [DNS Service Provider] in use and then also on your willingness to meet whatever requirements remain unmet.