Have would-be hackers blocked LetsEncrypt?

@HankM... it seems like we're still missing some crucial pieces of information that could help us troubleshoot your TLS certificate issue.

Without complete access to the necessary log files, it's challenging (understatement) to pinpoint the root cause of the problem.

We understand that troubleshooting technical issues can be frustrating, but having access to the complete log file(s) is required to identify and resolve your issue.

Would you possibly be willing to provide the relevant log files and information? It would greatly assist us in diagnosing the problem and finding a solution that works for everyone involved.

We want you to succeed.

We're here to support you through this process so we can help you resolve your issue as efficiently and quickly as possible. If there are other concerns or questions you have about providing the logs, please let us know. We're all working towards the same goal of getting things back on track.

Look @HankM ... I share your point(s) and concerns, but take a look at the screenshot I posted above. It clearly shows Roundcube being served on your website, alongside Postfix and Dovecot.

Understanding what's running on your system is crucial for us to fix your TLS certificate issue. If you could fill us in on your setup, and provide us with the complete error log, we can get to the bottom of this and solve your issue.

Let's cut through the confusion and sort this out. If you need more info or have questions, just give me a shout. You can PM me if you wish. The volunteers here are here to help you out... But leave the personal stuff out of it. Privacy is king.
Please Advise.
RIP

4 Likes

You can have whatever files you want. The LetsEncrypt logfile is HUGE. That's why I gave you a portion. Are there any other logfiles on my computer that you require? I'll send you the lot if it helps!

There has never been and never will be RoundCube on any of my computers. This computer was a fresh install and someone on the Linux forums helped me to set up Postfix and Dovecot. Where that picture is coming from, I have NO idea. It isn't mine!

If you just cut off the tail piece of the logfile to anything within a few minutes from the last entry, that should be plenty to work with.

4 Likes

Hopefully this will be enough.
I searched through all three computers with locate. There is NO Roundcube on any of them.
I also see in this log an nginx server. I'm using Apache, NOT nginx.
LetsEncrypt logfile:

Location: https://acme-v02.api.letsencrypt.org/acme/chall-v3/346744269067/Kc2y3Q
Replay-Nonce: Gy4YNW4qkEpa8IGBqYhNxnjXj-xYCcQUU-2zVveI3xc4rNAwdQM
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "type": "http-01",
  "status": "pending",
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/346744269067/Kc2y3Q",
  "token": "Mw146Fh3sLwANmh8NGd7QPUrjBDxTkd0Vn_mEXQnHfE"
}
2024-05-05 00:53:24,648:DEBUG:acme.client:Storing nonce: Gy4YNW4qkEpa8IGBqYhNxnjXj-xYCcQUU-2zVveI3xc4rNAwdQM
2024-05-05 00:53:24,648:INFO:certbot._internal.auth_handler:Waiting for verification...
2024-05-05 00:53:25,650:DEBUG:acme.client:JWS payload:
b''
2024-05-05 00:53:25,653:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/346744269067:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvNzE1NDE5Njg3IiwgIm5vbmNlIjogIkd5NFlOVzRxa0VwYThJR0JxWWhOeG5qWGoteFlDY1FVVS0yelZ2ZUkzeGM0ck5Bd2RRTSIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYXV0aHotdjMvMzQ2NzQ0MjY5MDY3In0",
  "signature": "MLbCI6ks_FRxqrOCLwJkbyfnB6ek3xQ7w-0rtvfopyEz3c8rDtRIzyt1chU7PPq2VMYUDRYspl9eTyFBSE1naSEqO9jyWOzltp8BU2ubkKnmqZHmiFKRNuL5iD6IvAuOrRI5L3qX3KVzQISsb-DR6gdHOc9gqhSERaj05TwExZgAkyKLM3D_wRYSn4u1ncTuHv9j7g5NYjuDa8oUN23MQcRpSPGV9Er0zYtd5fA-nsmhACNgImdhR5nVHyeM6vi8mQ-z834TtF2XimHGZMI5yEzkz8ba9iPJzMoH-YshRmJnXR284xmBVaIljscctD9qmvLSYtWUqTOY11V-qtBuzg",
  "payload": ""
}
2024-05-05 00:53:25,843:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/346744269067 HTTP/1.1" 200 820
2024-05-05 00:53:25,844:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sat, 04 May 2024 22:53:25 GMT
Content-Type: application/json
Content-Length: 820
Connection: keep-alive
Boulder-Requester: 715419687
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: R8tUGx_ZjqXp_Ylsp4XX2Y7ep_9EnYAin91MtR4DLJR8bdAZzYQ
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "hermes.corp.networkingtechnology.org"
  },
  "status": "pending",
  "expires": "2024-05-11T22:53:20Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/346744269067/Kc2y3Q",
      "token": "Mw146Fh3sLwANmh8NGd7QPUrjBDxTkd0Vn_mEXQnHfE"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/346744269067/JweTig",
      "token": "Mw146Fh3sLwANmh8NGd7QPUrjBDxTkd0Vn_mEXQnHfE"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/346744269067/hw6pHQ",
      "token": "Mw146Fh3sLwANmh8NGd7QPUrjBDxTkd0Vn_mEXQnHfE"
    }
  ]
}
2024-05-05 00:53:25,845:DEBUG:acme.client:Storing nonce: R8tUGx_ZjqXp_Ylsp4XX2Y7ep_9EnYAin91MtR4DLJR8bdAZzYQ
2024-05-05 00:53:28,847:DEBUG:acme.client:JWS payload:
b''
2024-05-05 00:53:28,851:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/346744269067:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvNzE1NDE5Njg3IiwgIm5vbmNlIjogIlI4dFVHeF9aanFYcF9ZbHNwNFhYMlk3ZXBfOUVuWUFpbjkxTXRSNERMSlI4YmRBWnpZUSIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYXV0aHotdjMvMzQ2NzQ0MjY5MDY3In0",
  "signature": "MubljdBoYEJv0dwvfKrFqpyep39N3XQbAw30slO49tD35Wi75BkzkWDkXntIR2sA7eozSZFsqj-pnuhMo62_tOfJKBUZG8AB3rKqWKToaSN5yJRWF1r6JIwouDhmzDPKvyWh95d2-ymkstyte-xzoSBtyY17XXjzwKB166-OxcuNueFL-vduLRJ8g30bn-0h627I-aKfguOnRVz-l_FfMNs7hfmNTpnMyL4U491RdP1FzYDJd1HqcksHJq2gcZ42lyyaLjn-j_DYiazHgtSU8w_aYNkFXXhwfnieKCrUstnjM26YBNwVhi6q-g95TWKzqxF2R7lLHjBzwidnIAVY_w",
  "payload": ""
}
2024-05-05 00:53:29,028:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/346744269067 HTTP/1.1" 200 820
2024-05-05 00:53:29,029:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sat, 04 May 2024 22:53:28 GMT
Content-Type: application/json
Content-Length: 820
Connection: keep-alive
Boulder-Requester: 715419687
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: R8tUGx_ZbyNa-dnPgspBZwODhk9B14eueE0NVwiaT6e8IK1DeiQ
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "hermes.corp.networkingtechnology.org"
  },
  "status": "pending",
  "expires": "2024-05-11T22:53:20Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/346744269067/Kc2y3Q",
      "token": "Mw146Fh3sLwANmh8NGd7QPUrjBDxTkd0Vn_mEXQnHfE"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/346744269067/JweTig",
      "token": "Mw146Fh3sLwANmh8NGd7QPUrjBDxTkd0Vn_mEXQnHfE"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/346744269067/hw6pHQ",
      "token": "Mw146Fh3sLwANmh8NGd7QPUrjBDxTkd0Vn_mEXQnHfE"
    }
  ]
}
2024-05-05 00:53:29,030:DEBUG:acme.client:Storing nonce: R8tUGx_ZbyNa-dnPgspBZwODhk9B14eueE0NVwiaT6e8IK1DeiQ
2024-05-05 00:53:32,034:DEBUG:acme.client:JWS payload:
b''
2024-05-05 00:53:32,037:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/346744269067:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvNzE1NDE5Njg3IiwgIm5vbmNlIjogIlI4dFVHeF9aYnlOYS1kblBnc3BCWndPRGhrOUIxNGV1ZUUwTlZ3aWFUNmU4SUsxRGVpUSIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYXV0aHotdjMvMzQ2NzQ0MjY5MDY3In0",
  "signature": "UwD3mqYnqY7ngO5TYzoFU9Apyx0RumsF33V9XCd-KTcjNlsp9ed6D8H97VgaQc0DvwAwJDeIgMPcIfX0dy-WMwVl8VbrvJK6gB7O9duM8uqP81jc-VdEBmMOpeeoTlD1wSZAxLB1bSiqJrv2joIeFDbRfQ17UnXtvtornU-k1n2CgNn5OymGzz7_EEbKX_RobzV2BNc5kb0SJZp3dE1XNc97V4MffWn_kXFOSLXuZwqq5R8d3-HqLXzcsMuiX9w1SkEzec5RZrMg0RGUyXGqv_KiPOK_QkHfz4Zit3v0UKjX2lMRJIRuG7F3zUDwOs3mEGflVmgADNEPHf9kABGbQQ",
  "payload": ""
}
2024-05-05 00:53:32,217:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/346744269067 HTTP/1.1" 200 820
2024-05-05 00:53:32,218:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sat, 04 May 2024 22:53:32 GMT
Content-Type: application/json
Content-Length: 820
Connection: keep-alive
Boulder-Requester: 715419687
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: Gy4YNW4qdoTx-uPi_3UseqccHyDboOB3fKnWk49vHPTKwK8-zkw
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "hermes.corp.networkingtechnology.org"
  },
  "status": "pending",
  "expires": "2024-05-11T22:53:20Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/346744269067/Kc2y3Q",
      "token": "Mw146Fh3sLwANmh8NGd7QPUrjBDxTkd0Vn_mEXQnHfE"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/346744269067/JweTig",
      "token": "Mw146Fh3sLwANmh8NGd7QPUrjBDxTkd0Vn_mEXQnHfE"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/346744269067/hw6pHQ",
      "token": "Mw146Fh3sLwANmh8NGd7QPUrjBDxTkd0Vn_mEXQnHfE"
    }
  ]
}
2024-05-05 00:53:32,218:DEBUG:acme.client:Storing nonce: Gy4YNW4qdoTx-uPi_3UseqccHyDboOB3fKnWk49vHPTKwK8-zkw
2024-05-05 00:53:35,222:DEBUG:acme.client:JWS payload:
b''
2024-05-05 00:53:35,225:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/346744269067:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvNzE1NDE5Njg3IiwgIm5vbmNlIjogIkd5NFlOVzRxZG9UeC11UGlfM1VzZXFjY0h5RGJvT0IzZktuV2s0OXZIUFRLd0s4LXprdyIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYXV0aHotdjMvMzQ2NzQ0MjY5MDY3In0",
  "signature": "ecxed9yP3Y5Bv0JDIa0kUhEHhVQgwBUA5nj7JV6RUa6uQYs_96SlSzgKbge2p_ucMTq81lCB1U6wt_YHlBMr7mLKQ4IzHbvAp4348_KXStOpohwuk-HIh_GpU3dMcpMeEFQceBhvtKMBkFwOWXPHTQxUCmNcaeY9LwDypPd7CDacQYC3KpGLSu-NR1Sy2_49nmq9bAtxMFKzR4zaSN-fNs50nP56c5UeptUJOFHs2GkYm_Fl5sD2lakollzT8YoZ9DwNdtyiDvWA8Cpa4VjJ-8ZJ4gQdUbg8UIqL7bHRxmCGJeCFiIqgDttaZuD21CClOgtYzaqQcOwWJVemVWQqAg",
  "payload": ""
}
2024-05-05 00:53:35,416:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/346744269067 HTTP/1.1" 200 1283
2024-05-05 00:53:35,417:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sat, 04 May 2024 22:53:35 GMT
Content-Type: application/json
Content-Length: 1283
Connection: keep-alive
Boulder-Requester: 715419687
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: Gy4YNW4qfwTnidRrQY3vfbGtFj0-U8ZmUcVhvHmqZrd4OeXhgNk
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "hermes.corp.networkingtechnology.org"
  },
  "status": "invalid",
  "expires": "2024-05-11T22:53:20Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:connection",
        "detail": "During secondary validation: 79.132.230.58: Fetching http://hermes.corp.networkingtechnology.org/.well-known/acme-challenge/Mw146Fh3sLwANmh8NGd7QPUrjBDxTkd0Vn_mEXQnHfE: Timeout during connect (likely firewall problem)",
        "status": 400
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/346744269067/Kc2y3Q",
      "token": "Mw146Fh3sLwANmh8NGd7QPUrjBDxTkd0Vn_mEXQnHfE",
      "validationRecord": [
        {
          "url": "http://hermes.corp.networkingtechnology.org/.well-known/acme-challenge/Mw146Fh3sLwANmh8NGd7QPUrjBDxTkd0Vn_mEXQnHfE",
          "hostname": "hermes.corp.networkingtechnology.org",
          "port": "80",
          "addressesResolved": [
            "79.132.230.58"
          ],
          "addressUsed": "79.132.230.58",
          "resolverAddrs": [
            "A:10.0.12.87:22300",
            "AAAA:10.0.12.84:27221"
          ]
        }
      ],
      "validated": "2024-05-04T22:53:24Z"
    }
  ]
}
2024-05-05 00:53:35,417:DEBUG:acme.client:Storing nonce: Gy4YNW4qfwTnidRrQY3vfbGtFj0-U8ZmUcVhvHmqZrd4OeXhgNk
2024-05-05 00:53:35,418:INFO:certbot._internal.auth_handler:Challenge failed for domain hermes.corp.networkingtechnology.org
2024-05-05 00:53:35,418:INFO:certbot._internal.auth_handler:http-01 challenge for hermes.corp.networkingtechnology.org
2024-05-05 00:53:35,419:DEBUG:certbot._internal.display.obj:Notifying user:
Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
  Domain: hermes.corp.networkingtechnology.org
  Type:   connection
  Detail: During secondary validation: 79.132.230.58: Fetching http://hermes.corp.networkingtechnology.org/.well-known/acme-challenge/Mw146Fh3sLwANmh8NGd7QPUrjBDxTkd0Vn_mEXQnHfE: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

2024-05-05 00:53:35,419:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/certbot/_internal/auth_handler.py", line 105, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/usr/lib/python3.6/site-packages/certbot/_internal/auth_handler.py", line 205, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2024-05-05 00:53:35,420:DEBUG:certbot._internal.error_handler:Calling registered functions
2024-05-05 00:53:35,420:INFO:certbot._internal.auth_handler:Cleaning up challenges
2024-05-05 00:53:35,743:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==1.22.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python3.6/site-packages/certbot/main.py", line 19, in main
    return internal_main.main(cli_args)
  File "/usr/lib/python3.6/site-packages/certbot/_internal/main.py", line 1632, in main
    return config.func(config, plugins)
  File "/usr/lib/python3.6/site-packages/certbot/_internal/main.py", line 1342, in run
    certname, lineage)
  File "/usr/lib/python3.6/site-packages/certbot/_internal/main.py", line 127, in _get_and_save_cert
    renewal.renew_cert(config, domains, le_client, lineage)
  File "/usr/lib/python3.6/site-packages/certbot/_internal/renewal.py", line 345, in renew_cert
    new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
  File "/usr/lib/python3.6/site-packages/certbot/_internal/client.py", line 424, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python3.6/site-packages/certbot/_internal/client.py", line 476, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
  File "/usr/lib/python3.6/site-packages/certbot/_internal/auth_handler.py", line 105, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/usr/lib/python3.6/site-packages/certbot/_internal/auth_handler.py", line 205, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
2024-05-05 00:53:35,746:ERROR:certbot._internal.log:Some challenges have failed.

One other point. Why for all that's holy do I have 1000 (ONE THOUSAND) Letsencrypt logfiles on my computer?

Finally. All that runs on Hermes (that isn't part of the OS) is Postfix, Dovecot and MySQL.

There are observation points outside of the USA: one in Europe and one in SJ, IIRC. Your site looks like it's blocking outside of the USA; at least I can't in South Korea.
"During secondary validation"

4 Likes
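As an added example, not part of any post in this thread and not certbot's own code, the following Python script reads the final authorization object that certbot logged above (copied into the script as sample input) and turns the error into a diagnosis. The detail it keys on is the prefix "During secondary validation:", which Boulder adds when Let's Encrypt's primary validator could reach the host but one or more of its remote vantage points could not; a plain "Timeout during connect" with no such prefix would instead mean nobody could reach port 80. The script also prints the exact URL that must answer on port 80 and the address the CA resolved and used, so they can be compared with the address a firewall rule actually targets. The hint texts are this example's own wording.

```python
"""Explain a failed ACME authorization the way certbot logged it.

Added example, not part of the forum thread. SAMPLE_AUTHZ is the final
authorization object from the posted certbot log; the classification
rules and hint texts are this example's own.
"""
import json

SECONDARY_PREFIX = "During secondary validation:"

# Authorization object copied from the posted certbot log (status "invalid").
SAMPLE_AUTHZ = json.loads(r"""
{
  "identifier": {"type": "dns", "value": "hermes.corp.networkingtechnology.org"},
  "status": "invalid",
  "expires": "2024-05-11T22:53:20Z",
  "challenges": [{
    "type": "http-01",
    "status": "invalid",
    "error": {
      "type": "urn:ietf:params:acme:error:connection",
      "detail": "During secondary validation: 79.132.230.58: Fetching http://hermes.corp.networkingtechnology.org/.well-known/acme-challenge/Mw146Fh3sLwANmh8NGd7QPUrjBDxTkd0Vn_mEXQnHfE: Timeout during connect (likely firewall problem)",
      "status": 400
    },
    "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/346744269067/Kc2y3Q",
    "token": "Mw146Fh3sLwANmh8NGd7QPUrjBDxTkd0Vn_mEXQnHfE",
    "validationRecord": [{
      "url": "http://hermes.corp.networkingtechnology.org/.well-known/acme-challenge/Mw146Fh3sLwANmh8NGd7QPUrjBDxTkd0Vn_mEXQnHfE",
      "hostname": "hermes.corp.networkingtechnology.org",
      "port": "80",
      "addressesResolved": ["79.132.230.58"],
      "addressUsed": "79.132.230.58"
    }],
    "validated": "2024-05-04T22:53:24Z"
  }]
}
""")

# (RFC 8555 error type, failed only from secondary vantage points?) -> what to check.
HINTS = {
    ("connection", True): (
        "Let's Encrypt's primary validator reached the host, but one or more of its "
        "remote vantage points could not connect on port 80. Look for country or "
        "reputation blocklists and rate limits on the firewall in front of the host."),
    ("connection", False): (
        "No validator could connect: port 80 is not reachable from the internet "
        "(not forwarded, host down, or DNS points at a different address)."),
    ("unauthorized", None): (
        "Validators connected, but the challenge URL did not return the expected "
        "key authorization (404, redirect, or another site answered)."),
    ("dns", None): "The CA's resolvers could not look up the name.",
}


def challenge_target(identifier: str, challenge_type: str, token: str) -> str:
    """Where the CA looks for proof of control (RFC 8555 section 8)."""
    if challenge_type == "http-01":
        return f"http://{identifier}/.well-known/acme-challenge/{token}"
    if challenge_type == "dns-01":
        return f"TXT record at _acme-challenge.{identifier}"
    if challenge_type == "tls-alpn-01":
        return f"TLS on {identifier}:443 with ALPN protocol acme-tls/1"
    return f"unknown challenge type {challenge_type}"


def hint_for(error_type: str, secondary: bool) -> str:
    return (HINTS.get((error_type, secondary))
            or HINTS.get((error_type, None))
            or f"See RFC 8555 section 6.7 for error type '{error_type}'.")


def diagnose(authz: dict) -> dict:
    """Summarise the first failed challenge of an authorization object."""
    result = {
        "identifier": authz["identifier"]["value"],
        "status": authz["status"],
        "challenge_type": None, "error_type": None, "secondary_only": False,
        "address_used": None, "expected_target": None, "hint": None,
    }
    for challenge in authz.get("challenges", []):
        error = challenge.get("error")
        if error is None:
            continue
        # "urn:ietf:params:acme:error:connection" -> "connection"
        error_type = error.get("type", "").rsplit(":", 1)[-1]
        secondary = error.get("detail", "").startswith(SECONDARY_PREFIX)
        records = challenge.get("validationRecord") or [{}]
        result.update(
            challenge_type=challenge["type"],
            error_type=error_type,
            secondary_only=secondary,
            address_used=records[-1].get("addressUsed"),
            expected_target=challenge_target(
                result["identifier"], challenge["type"], challenge.get("token", "")),
            hint=hint_for(error_type, secondary),
        )
        break
    return result


if __name__ == "__main__":
    print(json.dumps(diagnose(SAMPLE_AUTHZ), indent=2))
```

Run it against any authorization object pasted out of `/var/log/letsencrypt/letsencrypt.log`; for the one above it reports `secondary_only: true` with `address_used: 79.132.230.58`, which is the address the CA will be connecting to from every vantage point, not only from the one whose address a blocklist happens to let through.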

If you can, consider just allowing http requests to /.well-known/acme-challenge/, that way you don't have to allow general http requests for everyone. Most web application firewalls (content/context aware firewalls) can do this.

[You can also switch to using DNS domain validation instead of http challenges, that way you don't have to allow any incoming traffic at all]

5 Likes
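The allow-list suggested above, as an added example that is not part of the post and not certbot's or any WAF vendor's code: a minimal Python HTTP listener that answers GET or HEAD for a single token directly under /.well-known/acme-challenge/ and returns 404 to everything else, together with the key authorization the CA compares against (the token, a dot, and the RFC 7638 thumbprint of the account key). The token is the one from the posted log; the RSA public key is a constructed placeholder, not a key from the thread. In production the same path filter lives in the reverse proxy or WAF in front of Apache, and the point it makes is that a validator still has to reach port 80 at all; a country or reputation blocklist on the perimeter firewall drops the connection before any path is seen. For dns-01, nothing listens on port 80: the proof is a TXT record at _acme-challenge.<name>.

```python
"""Answer http-01 challenges and nothing else on the HTTP listener.

Added example, not from the forum thread and not certbot's code. It shows
the allow-list a web application firewall would enforce (only GET or HEAD
on /.well-known/acme-challenge/<token>) next to the key authorization the
CA expects to read there (RFC 8555 section 8.1; RFC 7638 thumbprint).
SAMPLE_TOKEN is the token from the posted log; ACCOUNT_JWK is a
constructed placeholder public key, not a key from the thread.
"""
import base64
import hashlib
import json
import re
from http.server import BaseHTTPRequestHandler, HTTPServer

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
B64URL_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"
# Tokens are unpadded base64url with at least 128 bits of entropy (RFC 8555 8.3).
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{22,}")

SAMPLE_TOKEN = "Mw146Fh3sLwANmh8NGd7QPUrjBDxTkd0Vn_mEXQnHfE"
ACCOUNT_JWK = {  # constructed placeholder; the CA only ever sees the public part
    "kty": "RSA",
    "e": "AQAB",
    "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 of the required members only, sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """Body the CA must read at the challenge URL: token '.' thumbprint."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def is_acme_challenge_request(method: str, path: str) -> bool:
    """The allow-list: one token, directly under the prefix, nothing else.

    Other methods, other paths, traversal, empty tokens and query strings
    are all rejected, so whatever a scanner probes for still gets a 404.
    """
    if method not in ("GET", "HEAD") or not path.startswith(CHALLENGE_PREFIX):
        return False
    return TOKEN_RE.fullmatch(path[len(CHALLENGE_PREFIX):]) is not None


class ChallengeOnlyHandler(BaseHTTPRequestHandler):
    """Serves registered key authorizations; 404 for every other request."""
    key_authorizations = {}  # token -> key authorization, filled by the ACME client

    def do_GET(self):
        if not is_acme_challenge_request(self.command, self.path):
            self.send_error(404)
            return
        body = self.key_authorizations.get(self.path[len(CHALLENGE_PREFIX):])
        if body is None:
            self.send_error(404)
            return
        data = body.encode("ascii")
        self.send_response(200)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        if self.command == "GET":
            self.wfile.write(data)

    do_HEAD = do_GET


if __name__ == "__main__":
    # Register the sample token and listen; port 80 needs privileges, so 8080 here.
    ChallengeOnlyHandler.key_authorizations[SAMPLE_TOKEN] = key_authorization(
        SAMPLE_TOKEN, ACCOUNT_JWK)
    print("GET http://127.0.0.1:8080" + CHALLENGE_PREFIX + SAMPLE_TOKEN)
    HTTPServer(("127.0.0.1", 8080), ChallengeOnlyHandler).serve_forever()
```

The thumbprint deliberately hashes only the required JWK members, so adding `alg` or `kid` to the account key does not change the key authorization, while any change to the key material does; that is what lets the CA verify from the body alone that the host is controlled by the same account that requested the challenge.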

I'm using OPNSense for a firewall with several Blocklists of IP addresses. Nothing else fancy.

If I could somehow whitelist the above I would be happy to do so, but someone will have to tell me how. (I know how to whitelist IP addresses, but not URLs.)

1 Like

No offense intended...
It seems that you may have removed it after my post from yesterday. The screenshot says it all. Apparently, it was online long enough.


Maybe I was incorrect, and was looking at the wrong website. If so I apologize for the misunderstanding.

5 Likes

I haven't removed anything. It was never installed, never even thought about. I have noticed, with a person we built a website for, that when I went to look at it some days later it had been hijacked (it appeared) by someone else. I told him about it, he complained to his ISP and it came back again.

These servers are in my office, so no ISP involved and I object to being called a liar.

I just created an OPNSense rule.
Action - Pass
Interface - WAN
Direction - In
TCP Version - IPV4
Protocol - TCP
Source - any
Destination - Single Host - 72.xx.xxx.xxx (the public IP of the mail server) /32
Destination Port Range - 80 to 443 (or do I need one for each?)
Gateway - ?? Default (or should it be my internal or WAN-PPPoE?)

Something is wrong. I put it right at the top of the list, before blocked countries. It's still the same problem, so it doesn't work!

Respectfully, this is a question that is out of scope for this forum. Please refer to:

for assistance with your firewall.

5 Likes

I forgot to mention earlier. This server was installed in 2021 and you are trying to tell me that it's been running Roundcube (as per your screenshot) for THREE YEARS? And it's only in the past 3 weeks I've been inundated with bots 24 x 7.
I've had these 'innocuous - not even worth mentioning' script kiddies trying to get into my mail server since 06:00 this morning. Not Roundcube (because it doesn't exist). Dovecot and Postfix.
Just a few, all perfectly harmless of course:

May 5 08:15:16 hermes auth[45625]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=kmartin rhost=82.66.146.5 user=kmartin
May 5 10:14:27 hermes auth[58668]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=hmartin rhost=188.164.194.249 user=hmartin
May 5 10:49:34 hermes auth[62093]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=hmartin rhost=83.211.85.74 user=hmartin
May 5 11:07:19 hermes auth[63677]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=hmartin rhost=134.195.220.251 user=hmartin

109.247.168.26
35.130.111.146
134.195.221.72
192.237.187.233
38.53.178.200
69.69.172.25
47.184.199.158
71.80.246.236
109.228.39.153
35.238.131.59
72.43.254.226
12.153.164.83
47.185.65.154
206.192.253.104
35.130.111.146
134.195.221.57
69.1.101.148
188.74.32.54
192.159.94.146
213.124.221.2
159.66.236.51
23.94.223.22
193.116.108.158
38.53.146.202
74.90.174.9
73.47.185.238
34.29.120.92
68.108.255.180
74.95.13.185
216.70.104.4
23.94.223.22
188.143.130.79
208.77.181.165
65.39.124.135
47.254.169.62
139.60.56.241
99.105.209.147
76.101.131.12
38.53.131.130
14.202.183.183
38.53.131.130
192.151.151.226
149.71.208.177
82.66.146.5
82.66.146.5
38.53.128.36
188.164.194.249
196.212.14.18
83.211.85.74
134.195.220.251
46.24.46.230
50.5.78.201
97.77.108.13
132.145.185.47

All perfectly harmless and nothing at all to worry about. I've reduced Fail2ban to ONE failed attempt. Without fail2ban there are thousands of attempts.

@HankM ... Let's Address the Core Issue ...

I, for one, appreciate your persistence in seeking a resolution to the problem you're experiencing. But, it's clear that we're facing roadblocks in our attempts to help you due to unresolved issues concerning your firewall configuration.

Based on the log you provided and discussions thus far, your firewall is a prime suspect standing in the way of the validation process. It should be the first thing to closely scrutinize.

We all have concerns about security and Industry "Best Practices" to safeguard servers, in general. But it is vital to make sure that your firewall configuration isn't inadvertently configured to block essential processes.

We all have tried to give suggestions to help pinpoint and address the root cause of your issue. However, it's been challenging to make progress when certain aspects, such as your firewall configuration, are unexplored, and our suggestions seem to be blindly rejected out of hand.

We all know you've implemented measures to BLOCK SPECIFIC IP ADDRESSES and COUNTRIES for security reasons, but it's critical to make certain these measures aren't conflicting with the validation process.

I understand that troubleshooting technical issues can be frustrating, especially when there's a lack of focus or agreement on the best course of action. However, to make progress and find a solution, we need to address the core issue head-on.

Moving forward, I urge you to consider reviewing your firewall configuration in collaboration with the appropriate community. By doing so, we can focus on identifying and resolving the root cause of the problem.

If it's demonstrated that validation servers aren't blocked and other potential issues are ruled out, we can move on and consider alternative solutions to address challenges that remain.

As stated earlier, this is not a "Firewall Forum" (there is a link above) but I will provide you with this hint:
I don't recommend blocking Countries in most cases. I suggest rejecting bad behavior and bad reputation. ;@)

Additionally, this is not a Fail2Ban forum either. But I would suggest looking up every IP being blocked by your systems to guarantee any LE validation server is not being prevented from doing its job.

I meant what I said earlier: "We all want to see you succeed".

Your cooperation is required for us to move forward effectively. We're here to support you. If we can stay focused on your "core issue" we will find a working solution to renew your certificate.

My 2 Cents.. Spend it wisely.

7 Likes

"Have would-be hackers blocked LetsEncrypt?"
No; No hackers have blocked LE from completing their mission.

6 Likes