Having difficulty renewing my certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: pbfamily.net

I ran this command: /usr/libexec/nethserver/letsencrypt-certs -f (a script that calls certbot)

It produced this output: Challenge failed for domain mail.pbfamily.net
Challenge failed for domain nsdc-sektor.pbfamily.net
Challenge failed for domain sektor.pbfamily.net
Challenge failed for domain smtp.pbfamily.net
Challenge failed for domain www.pbfamily.net
Some challenges have failed.

My web server is (include version): Apache 2.4.6

The operating system my web server runs on is (include version): Nethserver release 7.7.1908

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 1.3.0

/usr/libexec/nethserver/letsencrypt-certs is essentially a script that calls certbot; it is what comes with NethServer. It had been working fine for a while, except, I want to say, for the last couple of weeks.

When I go here, https://check-your-website.server-daten.de/?q=pbfamily.net, I get "the operation has timed out", and I have confirmed that the directory is accessible.

I also tried researching on the nethserver forums.

The ports needed for the certificate to be renewed are not closed, because I can reach my server from the outside, and I have applied all the latest updates available.

What was the rest of Certbot’s output?

It is kind of chopped because I could only post so many lines.

/usr/libexec/nethserver/letsencrypt-certs -v -t runs this command:
/usr/bin/certbot certonly --webroot --webroot-path /var/www/html/ --text --non-interactive --agree-tos --email sektor1952@gmail.com -d sektor.pbfamily.net -d nsdc-sektor.pbfamily.net -d mail.pbfamily.net -d www.pbfamily.net -d smtp.pbfamily.net --test-cert -v

Below is the whole output; sorry about the editing.

Root logging level set at 10
Storing nonce: 00027FUg_K5qPlrvoUEeIMlQaGJ7xKzB8faTqdh-0lzKsfU
Performing the following challenges:
http-01 challenge for mail.pbfamily.net
http-01 challenge for nsdc-sektor.pbfamily.net
http-01 challenge for sektor.pbfamily.net
http-01 challenge for smtp.pbfamily.net
http-01 challenge for www.pbfamily.net
Using the webroot path /var/www/html for all unmatched domains.
Creating root challenges validation dir at /var/www/html/.well-known/acme-challenge
Creating root challenges validation dir at /var/www/html/.well-known/acme-challenge
Creating root challenges validation dir at /var/www/html/.well-known/acme-challenge
Creating root challenges validation dir at /var/www/html/.well-known/acme-challenge
Creating root challenges validation dir at /var/www/html/.well-known/acme-challenge
Attempting to save validation to /var/www/html/.well-known/acme-challenge/fkxIjgbhP-HqCr4JrR33nfwD9ghnwF9vZ72b1WEZRL4
Attempting to save validation to /var/www/html/.well-known/acme-challenge/k6ML33wVhqWMbPUGV74BXbCAG7bZaAxSMV0ue-UqWeY
Attempting to save validation to /var/www/html/.well-known/acme-challenge/PyYJ8HMTnslmLg5PovLI7EYIryf1MNLsF72vxoBNf2A
Attempting to save validation to /var/www/html/.well-known/acme-challenge/7_kUZvFc9aOAyTHKu88X-LA3aIpKv4tHxzPiOP2tmRM
Attempting to save validation to /var/www/html/.well-known/acme-challenge/7kRBbxezeBFW7eWMSpTot9gwKZiqW2_VYKSyAZ3iq_U
Waiting for verification...
"POST /acme/authz-v3/49955357 HTTP/1.1" 200 820
Received response:
HTTP 200
content-length: 820
cache-control: public, max-age=0, no-cache
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
boulder-requester: 13194541
date: Sat, 18 Apr 2020 02:35:20 GMT
x-frame-options: DENY
content-type: application/json
replay-nonce: 0002GNP4U2SO7xYHcINV4vbc9ZSeC4w7BXOsEtKpTvMCcwg

{
  "identifier": {
    "type": "dns",
    "value": "nsdc-sektor.pbfamily.net"
  },
  "status": "pending",
  "expires": "2020-04-25T02:35:11Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/49955357/ZNslXg",
      "token": "k6ML33wVhqWMbPUGV74BXbCAG7bZaAxSMV0ue-UqWeY"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/49955357/TGrGZQ",
      "token": "k6ML33wVhqWMbPUGV74BXbCAG7bZaAxSMV0ue-UqWeY"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/49955357/Td1j6w",
      "token": "k6ML33wVhqWMbPUGV74BXbCAG7bZaAxSMV0ue-UqWeY"
    }
  ]
}
Storing nonce: 0002GNP4U2SO7xYHcINV4vbc9ZSeC4w7BXOsEtKpTvMCcwg
JWS payload:

Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/49955358:
{
  "protected": "eyJub25jZSI6ICIwMDAyR05QNFUyU083eFlIY0lOVjR2YmM5WlNlQzR3N0JYT3NFdEtwVHZNQ2N3ZyIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My80OTk1NTM1OCIsICJraWQiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hY2N0LzEzMTk0NTQxIiwgImFsZyI6ICJSUzI1NiJ9",
  "payload": "",
  "signature": "i_Kn6_x8FFooT4pA5KGoNuksEW4tcUrAGMzojFx4YFrzt8KHjkJglPcsW62nSUoH7cmX1PDPZ6d1uJw3huVsE6ibimWPXNPhIujWP7oVY34tjYyR0m4TkNB_uJa3QH4HCmP8fextMZprOvaaxaBrpzbD1YMZ1uzCVm9P9YZHkY6I9pEp-Gy6cydbxsbsIhVf3YEv6O-uvPz4nklgrVGizyGgmmGlJWPvCiLCbC_r6f3MXABU_dt_iKTTB_THJjOBtfFWdGVr7CXkNBdv0dcCDpmaonTONO-okUuw9vzBfliiuh_lP-kTKorNa2BvBrYTC91NuggErE85KYnBs04CpA"
}
"POST /acme/authz-v3/49955358 HTTP/1.1" 200 815
Received response:
HTTP 200
content-length: 815
cache-control: public, max-age=0, no-cache
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
boulder-requester: 13194541
date: Sat, 18 Apr 2020 02:35:20 GMT
x-frame-options: DENY
content-type: application/json
replay-nonce: 0001jz4xqPo-SOhOYJ9G3xBnLe0wioEVgakBio9OqKtwPTc

{
  "identifier": {
    "type": "dns",
    "value": "sektor.pbfamily.net"
  },
  "status": "pending",
  "expires": "2020-04-25T02:35:11Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/49955358/FScjPA",
      "token": "PyYJ8HMTnslmLg5PovLI7EYIryf1MNLsF72vxoBNf2A"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/49955358/gGcKoQ",
      "token": "PyYJ8HMTnslmLg5PovLI7EYIryf1MNLsF72vxoBNf2A"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/49955358/A6uk8w",
      "token": "PyYJ8HMTnslmLg5PovLI7EYIryf1MNLsF72vxoBNf2A"
    }
  ]
}
Storing nonce: 0001jz4xqPo-SOhOYJ9G3xBnLe0wioEVgakBio9OqKtwPTc
JWS payload:

Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/49955359:
{
  "protected": "eyJub25jZSI6ICIwMDAxano0eHFQby1TT2hPWUo5RzN4Qm5MZTB3aW9FVmdha0JpbzlPcUt0d1BUYyIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My80OTk1NTM1OSIsICJraWQiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hY2N0LzEzMTk0NTQxIiwgImFsZyI6ICJSUzI1NiJ9",
  "payload": "",
  "signature": "GEFZe91a2z9z6X5a2aRq1Azd3X-CAH2SuvLq0rNawPVFXcrm7pPzME8sSp2BCEmJMdltdfSuqiAvQThuydOrtT7xBOMSzot429t2L6NG0KSPI19HTs-MwUKVtrt47EA13Rrrw5gg85necDjmbHQAFw_NHFaAbi7H-STp1GN1pl0p_bsxYhPNzBHK3TSYUoicNcz8bUeyhcomtpRp0bxET9565aeaZX3seqDqf4NUu09LilX7dubwxFnmmDgjg-rTfU7Xgd-ww75bXoBTZ5sPYP3xqwCKUH37SUPTs4j7BaE3I56q3CInjj23w0ry_zjS-8Q76626ThwKebbVcow7-g"
}
"POST /acme/authz-v3/49955359 HTTP/1.1" 200 813
Received response:
HTTP 200
content-length: 813
cache-control: public, max-age=0, no-cache
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
boulder-requester: 13194541
date: Sat, 18 Apr 2020 02:35:20 GMT
x-frame-options: DENY
content-type: application/json
replay-nonce: 000281LdETLc0Sx-YzQ3vB85i4rnBvDotC3a9eEHODTcZ2w

{
  "identifier": {
    "type": "dns",
    "value": "smtp.pbfamily.net"
  },
  "status": "pending",
  "expires": "2020-04-25T02:35:11Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/49955359/UHwIcg",
      "token": "7_kUZvFc9aOAyTHKu88X-LA3aIpKv4tHxzPiOP2tmRM"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/49955359/XEjG4A",
      "token": "7_kUZvFc9aOAyTHKu88X-LA3aIpKv4tHxzPiOP2tmRM"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/49955359/L9xxTA",
      "token": "7_kUZvFc9aOAyTHKu88X-LA3aIpKv4tHxzPiOP2tmRM"
    }
  ]
}
Storing nonce: 000281LdETLc0Sx-YzQ3vB85i4rnBvDotC3a9eEHODTcZ2w
JWS payload:

Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/49955360:
{
  "protected": "eyJub25jZSI6ICIwMDAyODFMZEVUTGMwU3gtWXpRM3ZCODVpNHJuQnZEb3RDM2E5ZUVIT0RUY1oydyIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My80OTk1NTM2MCIsICJraWQiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hY2N0LzEzMTk0NTQxIiwgImFsZyI6ICJSUzI1NiJ9",
  "payload": "",
  "signature": "U-zoh2nqnmHTjY0cI62FYdCCQZcjAjR1_vKBcg0C56DzIHb1jscQa6StAinM2kRxpMNQ2zt3brrupbwMTUG8MHAdiebLdt2jMW9A8dWOF0yddo8huqTDzXmr_JCklkybSq7mtvNHe8UlTQn00eDxZakedrXP39Gff_fXF8lwwUrFoLgSus89cS4-Se0WNHKT_CYESTr0IolaXe4Htk2PViOk-aPxBibRaxkffEW7JTo-8oJYAYaQivUiJyH3zZyvxYa-nudtLC6NaI1BQN7VNT9AoCM9T0IjaceD8_L0w8jc83Vjzfr-wOwa_qr24Yra0a9NxWMf33Dhu9wGml6Deg"
}
"POST /acme/authz-v3/49955360 HTTP/1.1" 200 812
Received response:
HTTP 200
content-length: 812
cache-control: public, max-age=0, no-cache
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
boulder-requester: 13194541
date: Sat, 18 Apr 2020 02:35:20 GMT
x-frame-options: DENY
content-type: application/json
replay-nonce: 0001hHud28XvjHoWARZ1WyRZo7wurT0BhMi0k-g5js15vog

{
  "identifier": {
    "type": "dns",
    "value": "www.pbfamily.net"
  },
  "status": "pending",
  "expires": "2020-04-25T02:35:11Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/49955360/p1vSUA",
      "token": "7kRBbxezeBFW7eWMSpTot9gwKZiqW2_VYKSyAZ3iq_U"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/49955360/JLVNLg",
      "token": "7kRBbxezeBFW7eWMSpTot9gwKZiqW2_VYKSyAZ3iq_U"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/49955360/gZAb-A",
      "token": "7kRBbxezeBFW7eWMSpTot9gwKZiqW2_VYKSyAZ3iq_U"
    }
  ]
}
Storing nonce: 0001hHud28XvjHoWARZ1WyRZo7wurT0BhMi0k-g5js15vog
JWS payload:

Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/49955356:
{
  "protected": "eyJub25jZSI6ICIwMDAxaEh1ZDI4WHZqSG9XQVJaMVd5UlpvN3d1clQwQmhNaTBrLWc1anMxNXZvZyIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My80OTk1NTM1NiIsICJraWQiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hY2N0LzEzMTk0NTQxIiwgImFsZyI6ICJSUzI1NiJ9",
  "payload": "",
  "signature": "oY3JaXfn4nWofvsLUawJ1qyYIkSIeMV6SV_Rd_LqYJAps0el2NjhsogMpaTyEVuf5A0U8yyY8Z9JOsmvvSHDVShWGeHjTvBE49DGaTv4CKnDnyY5RoH_XYZdrIOtm6Za5203-FRJsRn4Nl_D-DLinDJINGcrE-bpTVmnMuwe8hx9BN2rnnGmIYo7m2z6wfhzaG3DO0lXp6tcL44CxbKf__V0XsNrDUv4UpvvGGzlEvp2e5OfxOMVV2Pe2lUyWqqvjwXcM0EdexMzPDckZAu9AhYHtPgDzu12Cms6MRcIzKfTquuegyNTnydghvwgihEyg5uz1x7LuuGgMx6FMoee0w"
}
"POST /acme/authz-v3/49955356 HTTP/1.1" 200 1039
Received response:
HTTP 200
content-length: 1039
cache-control: public, max-age=0, no-cache
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
boulder-requester: 13194541
date: Sat, 18 Apr 2020 02:35:23 GMT
x-frame-options: DENY
content-type: application/json
replay-nonce: 0002Fo9OEHFrH5UA5tWCaGzZV4CY3KQnQE9y-ekARVN_YuA

{
  "identifier": {
    "type": "dns",
    "value": "mail.pbfamily.net"
  },
  "status": "invalid",
  "expires": "2020-04-25T02:35:11Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:connection",
        "detail": "During secondary validation: Fetching http://mail.pbfamily.net/.well-known/acme-challenge/fkxIjgbhP-HqCr4JrR33nfwD9ghnwF9vZ72b1WEZRL4: Timeout during connect (likely firewall problem)",
        "status": 400
      },
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/49955356/P01yGw",
      "token": "fkxIjgbhP-HqCr4JrR33nfwD9ghnwF9vZ72b1WEZRL4",
      "validationRecord": [
        {
          "url": "http://mail.pbfamily.net/.well-known/acme-challenge/fkxIjgbhP-HqCr4JrR33nfwD9ghnwF9vZ72b1WEZRL4",
          "hostname": "mail.pbfamily.net",
          "port": "80",
          "addressesResolved": [
            "50.88.60.163"
          ],
          "addressUsed": "50.88.60.163"
        }
      ]
    }
  ]
}
Storing nonce: 0002Fo9OEHFrH5UA5tWCaGzZV4CY3KQnQE9y-ekARVN_YuA
JWS payload:

Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/49955357:
{
  "protected": "eyJub25jZSI6ICIwMDAyRm85T0VIRnJINVVBNXRXQ2FHelpWNENZM0tRblFFOXktZWtBUlZOX1l1QSIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My80OTk1NTM1NyIsICJraWQiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hY2N0LzEzMTk0NTQxIiwgImFsZyI6ICJSUzI1NiJ9",
  "payload": "",
  "signature": "n7kgejWpGRuKDVKn1eeEJsuJy-NCdT6GHcHFhiu_MhaCUeZt3BGaGvDsDVb154Iog9hBJstALJw1h4FOxaVvOfno3meLlM9BJN_3szHJpBWHS0s6hC50iNRp2sgBi4_TTEnxLFuqWQv1HGodr7xW1BplCnJs7JJdWwcVRndPiuDQvEH2U4Zj77RziUKt938tVgfyk4ccgR2W9Lnj2MtJZdU97iR8QmLtMwpTHuDAp2e71G2S_aZUGQeyIrnjV3JqSQAWrCRzoXGXzOWKWMZv1n49VKdr3XVqa-dj8KlRce8GacImaefGDkXx55ERF68u6yBd_2z-f53jzA7HoJ2H0A"
}
"POST /acme/authz-v3/49955357 HTTP/1.1" 200 1067
Received response:
HTTP 200
content-length: 1067
cache-control: public, max-age=0, no-cache
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
boulder-requester: 13194541
date: Sat, 18 Apr 2020 02:35:23 GMT
x-frame-options: DENY
content-type: application/json
replay-nonce: 0001kSfOvvvBnTsTySHFYlNIIik5IWHrAe_FeFxmSky5jls

{
  "identifier": {
    "type": "dns",
    "value": "nsdc-sektor.pbfamily.net"
  },
  "status": "invalid",
  "expires": "2020-04-25T02:35:11Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:connection",
        "detail": "During secondary validation: Fetching http://nsdc-sektor.pbfamily.net/.well-known/acme-challenge/k6ML33wVhqWMbPUGV74BXbCAG7bZaAxSMV0ue-UqWeY: Timeout during connect (likely firewall problem)",
        "status": 400
      },
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/49955357/ZNslXg",
      "token": "k6ML33wVhqWMbPUGV74BXbCAG7bZaAxSMV0ue-UqWeY",
      "validationRecord": [
        {
          "url": "http://nsdc-sektor.pbfamily.net/.well-known/acme-challenge/k6ML33wVhqWMbPUGV74BXbCAG7bZaAxSMV0ue-UqWeY",
          "hostname": "nsdc-sektor.pbfamily.net",
          "port": "80",
          "addressesResolved": [
            "50.88.60.163"
          ],
          "addressUsed": "50.88.60.163"
        }
      ]
    }
  ]
}
Storing nonce: 0001kSfOvvvBnTsTySHFYlNIIik5IWHrAe_FeFxmSky5jls
JWS payload:

Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/49955358:
{
  "protected": "eyJub25jZSI6ICIwMDAxa1NmT3Z2dkJuVHNUeVNIRllsTklJaWs1SVdIckFlX0ZlRnhtU2t5NWpscyIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My80OTk1NTM1OCIsICJraWQiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hY2N0LzEzMTk0NTQxIiwgImFsZyI6ICJSUzI1NiJ9",
  "payload": "",
  "signature": "Yjs_eB9oc5ks0En7IiOIvgdWNS9aUrGVcrCg7u3KKeekStXitvOo2RK2qE3KR0mfcSfVJbd6Bgf__AbMw5hM4oKAKoSnO6LXF-8aIdtGdCw4CMoQP_OUdCfGCf6TVUeY6WIu2AQ25RPTXad59st5ao74B1DZf707ii6bq5Z9tbg-WMUwPs0Bf0tasQdVKJ4lVyKp1Mm7RKZAhQZqSnzSmYB6TsAkbTtckF3iqeob3_Vj3YhN6fk0lRz3e8DcEIsj795qgHD2JvQiklaBjY5CLqyo4pwsumYOHM8mk-FSJao9fTrfA_cnxUBOKuwFVKK1lb6FDbpOWZC6HOjbvBr_sg"
}
"POST /acme/authz-v3/49955358 HTTP/1.1" 200 1047
Received response:
HTTP 200
content-length: 1047
cache-control: public, max-age=0, no-cache
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
boulder-requester: 13194541
date: Sat, 18 Apr 2020 02:35:23 GMT
x-frame-options: DENY
content-type: application/json
replay-nonce: 0001kvV6mGGpklrO_8H9z_U1snJBaenoHrhPKo37MKVbtBU

{
  "identifier": {
    "type": "dns",
    "value": "sektor.pbfamily.net"
  },
  "status": "invalid",
  "expires": "2020-04-25T02:35:11Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:connection",
        "detail": "During secondary validation: Fetching http://sektor.pbfamily.net/.well-known/acme-challenge/PyYJ8HMTnslmLg5PovLI7EYIryf1MNLsF72vxoBNf2A: Timeout during connect (likely firewall problem)",
        "status": 400
      },
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/49955358/FScjPA",
      "token": "PyYJ8HMTnslmLg5PovLI7EYIryf1MNLsF72vxoBNf2A",
      "validationRecord": [
        {
          "url": "http://sektor.pbfamily.net/.well-known/acme-challenge/PyYJ8HMTnslmLg5PovLI7EYIryf1MNLsF72vxoBNf2A",
          "hostname": "sektor.pbfamily.net",
          "port": "80",
          "addressesResolved": [
            "50.88.60.163"
          ],
          "addressUsed": "50.88.60.163"
        }
      ]
    }
  ]
}
Storing nonce: 0001kvV6mGGpklrO_8H9z_U1snJBaenoHrhPKo37MKVbtBU
JWS payload:

Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/49955359:
{
  "protected": "eyJub25jZSI6ICIwMDAxa3ZWNm1HR3BrbHJPXzhIOXpfVTFzbkpCYWVub0hyaFBLbzM3TUtWYnRCVSIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My80OTk1NTM1OSIsICJraWQiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hY2N0LzEzMTk0NTQxIiwgImFsZyI6ICJSUzI1NiJ9",
  "payload": "",
  "signature": "ctjPT117rXAQjuevEaWloU4XELVIBqAvcXb9jxD5mhRgZXjoslab8xJVy0etobPkLI4JkkEgVh6gJlCgha1Ypis4BiPDTFQ_S4d2MwxNaOm0O86G9IIOPJ2XjV49PYdaJ3TqBK82JdFfCOGm81QFPg2bgxN65WVwzKbaP0B61_7X4TF8LJYBEyWVw4Dw-cGk2qYb0tJVLLjyp52ua6GDdCjp0oG19LfiICJMq1iqUzbGYiOTl9HbhOr8O-1Mfw1k9DG7EDxcRypQLwUeGjSne63PfObrUyq8G1gr5fRu3diZUnSnMiZ72JwaMlX0j53MlbY7y-zKL4OhBGVJCtodMA"
}
"POST /acme/authz-v3/49955359 HTTP/1.1" 200 1039
Received response:
HTTP 200
content-length: 1039
cache-control: public, max-age=0, no-cache
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
boulder-requester: 13194541
date: Sat, 18 Apr 2020 02:35:23 GMT
x-frame-options: DENY
content-type: application/json
replay-nonce: 0002YBJ8HmrDqIMfdBdzBd6XAWMOI0Qgmfqr7qK1PUhMQRk

{
  "identifier": {
    "type": "dns",
    "value": "smtp.pbfamily.net"
  },
  "status": "invalid",
  "expires": "2020-04-25T02:35:11Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:connection",
        "detail": "During secondary validation: Fetching http://smtp.pbfamily.net/.well-known/acme-challenge/7_kUZvFc9aOAyTHKu88X-LA3aIpKv4tHxzPiOP2tmRM: Timeout during connect (likely firewall problem)",
        "status": 400
      },
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/49955359/UHwIcg",
      "token": "7_kUZvFc9aOAyTHKu88X-LA3aIpKv4tHxzPiOP2tmRM",
      "validationRecord": [
        {
          "url": "http://smtp.pbfamily.net/.well-known/acme-challenge/7_kUZvFc9aOAyTHKu88X-LA3aIpKv4tHxzPiOP2tmRM",
          "hostname": "smtp.pbfamily.net",
          "port": "80",
          "addressesResolved": [
            "50.88.60.163"
          ],
          "addressUsed": "50.88.60.163"
        }
      ]
    }
  ]
}
Storing nonce: 0002YBJ8HmrDqIMfdBdzBd6XAWMOI0Qgmfqr7qK1PUhMQRk
JWS payload:

Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/49955360:
{
  "protected": "eyJub25jZSI6ICIwMDAyWUJKOEhtckRxSU1mZEJkekJkNlhBV01PSTBRZ21mcXI3cUsxUFVoTVFSayIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My80OTk1NTM2MCIsICJraWQiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hY2N0LzEzMTk0NTQxIiwgImFsZyI6ICJSUzI1NiJ9",
  "payload": "",
  "signature": "iLzxzKQS__qpgWDIsqN2i_BXX0Xn2wKp8voJiaKNsaqulEtuUOor_7U4xLLTSF8iYIgDNJNj_ST87cUsbpBBWCk_s7XqTizmaK_srm4zXA7_eWr6T2BzekaczXkX4oEYrnjg4yWd00T_bTAl88yl9EKbnyD-Ugjhr1mtIVXEUncYdQ_F9sKjLlo0TNIRDDa4Jmq6Lvh1Z7eXbMGhBp81cVGmYAWwUoNCkB_RS1tqxNUdm0ydYiBfWY6t1WmQRmjn9Il7RIirk0JNc7Q47vJUC_STkxOZRtGIoX8NlrbATXivGuwlteTM5eTHWQ_PWd56cboNJCqxpZFF853wIfRPCg"
}
"POST /acme/authz-v3/49955360 HTTP/1.1" 200 1035
Received response:
HTTP 200
content-length: 1035
cache-control: public, max-age=0, no-cache
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
boulder-requester: 13194541
date: Sat, 18 Apr 2020 02:35:23 GMT
x-frame-options: DENY
content-type: application/json
replay-nonce: 0002EXNScBdNtAlTyjhtXo24k7BoHqLsWU5PRDc6drOkJA0

{
  "identifier": {
    "type": "dns",
    "value": "www.pbfamily.net"
  },
  "status": "invalid",
  "expires": "2020-04-25T02:35:11Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:connection",
        "detail": "During secondary validation: Fetching http://www.pbfamily.net/.well-known/acme-challenge/7kRBbxezeBFW7eWMSpTot9gwKZiqW2_VYKSyAZ3iq_U: Timeout during connect (likely firewall problem)",
        "status": 400
      },
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/49955360/p1vSUA",
      "token": "7kRBbxezeBFW7eWMSpTot9gwKZiqW2_VYKSyAZ3iq_U",
      "validationRecord": [
        {
          "url": "http://www.pbfamily.net/.well-known/acme-challenge/7kRBbxezeBFW7eWMSpTot9gwKZiqW2_VYKSyAZ3iq_U",
          "hostname": "www.pbfamily.net",
          "port": "80",
          "addressesResolved": [
            "50.88.60.163"
          ],
          "addressUsed": "50.88.60.163"
        }
      ]
    }
  ]
}
Storing nonce: 0002EXNScBdNtAlTyjhtXo24k7BoHqLsWU5PRDc6drOkJA0
Challenge failed for domain mail.pbfamily.net
Challenge failed for domain nsdc-sektor.pbfamily.net
Challenge failed for domain sektor.pbfamily.net
Challenge failed for domain smtp.pbfamily.net
Challenge failed for domain www.pbfamily.net
http-01 challenge for mail.pbfamily.net
http-01 challenge for nsdc-sektor.pbfamily.net
http-01 challenge for sektor.pbfamily.net
http-01 challenge for smtp.pbfamily.net
http-01 challenge for www.pbfamily.net
Reporting to user: The following errors were reported by the server:

Domain: mail.pbfamily.net
Type: connection
Detail: During secondary validation: Fetching http://mail.pbfamily.net/.well-known/acme-challenge/fkxIjgbhP-HqCr4JrR33nfwD9ghnwF9vZ72b1WEZRL4: Timeout during connect (likely firewall problem)

Domain: nsdc-sektor.pbfamily.net
Type: connection
Detail: During secondary validation: Fetching http://nsdc-sektor.pbfamily.net/.well-known/acme-challenge/k6ML33wVhqWMbPUGV74BXbCAG7bZaAxSMV0ue-UqWeY: Timeout during connect (likely firewall problem)

Domain: sektor.pbfamily.net
Type: connection
Detail: During secondary validation: Fetching http://sektor.pbfamily.net/.well-known/acme-challenge/PyYJ8HMTnslmLg5PovLI7EYIryf1MNLsF72vxoBNf2A: Timeout during connect (likely firewall problem)

Domain: smtp.pbfamily.net
Type: connection
Detail: During secondary validation: Fetching http://smtp.pbfamily.net/.well-known/acme-challenge/7_kUZvFc9aOAyTHKu88X-LA3aIpKv4tHxzPiOP2tmRM: Timeout during connect (likely firewall problem)

Domain: www.pbfamily.net
Type: connection
Detail: During secondary validation: Fetching http://www.pbfamily.net/.well-known/acme-challenge/7kRBbxezeBFW7eWMSpTot9gwKZiqW2_VYKSyAZ3iq_U: Timeout during connect (likely firewall problem)

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you're using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.
Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/certbot/_internal/auth_handler.py", line 91, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/auth_handler.py", line 180, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
AuthorizationError: Some challenges have failed.

Calling registered functions
Cleaning up challenges
Removing /var/www/html/.well-known/acme-challenge/fkxIjgbhP-HqCr4JrR33nfwD9ghnwF9vZ72b1WEZRL4
Removing /var/www/html/.well-known/acme-challenge/k6ML33wVhqWMbPUGV74BXbCAG7bZaAxSMV0ue-UqWeY
Removing /var/www/html/.well-known/acme-challenge/PyYJ8HMTnslmLg5PovLI7EYIryf1MNLsF72vxoBNf2A
Removing /var/www/html/.well-known/acme-challenge/7_kUZvFc9aOAyTHKu88X-LA3aIpKv4tHxzPiOP2tmRM
Removing /var/www/html/.well-known/acme-challenge/7kRBbxezeBFW7eWMSpTot9gwKZiqW2_VYKSyAZ3iq_U
All challenges cleaned up
Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 9, in <module>
    load_entry_point('certbot==1.3.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 15, in main
    return internal_main.main(cli_args)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/main.py", line 1347, in main
    return config.func(config, plugins)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/main.py", line 1233, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/main.py", line 121, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/client.py", line 410, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/client.py", line 344, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/client.py", line 391, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/auth_handler.py", line 91, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/auth_handler.py", line 180, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
AuthorizationError: Some challenges have failed.
Some challenges have failed.

IMPORTANT NOTES:

I can access your site from one location, but it times out when I try to access it from a second one (one of the AWS regions Let’s Encrypt currently uses for secondary validation).

Are you blocking lots of IPs? Is your ISP having issues?

Edit: I tried two other locations and they timed out too.

I am blocking a lot of IPs, but I was trying to put in exceptions for Let's Encrypt. It is possible I am missing something. I understand that the Let's Encrypt IPs can't be published, but it would be nice to have a CIDR block if possible.

I'm trying to minimize the number of intrusion attempts.

Intrusion attempts will come from all networks; excluding the "obvious" ones only minimizes the problem. That still leaves a smaller version of that same "problem": only one needs to succeed for you to fail.
You should be less concerned with blocking than with what you do with what you allow.
As something will always be allowed, then all that is allowed should be handled with caution.
That said, you can allow all IPs to access HTTP only.
Direct that to a dedicated system that merely redirects all HTTP to HTTPS - with one exception:
Allow HTTP for /.well-known/acme-challenge/ connections.
You can proxy those to your actual internal system that is making those certificate requests.

That is just one idea; there are others, plenty out there.
The gist is allow HTTP from all and handle that accordingly.
[HTTPS is a completely different issue - that you can secure any way you feel comfortable with]
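One way to build the front door described in the reply above, written here as an added example in Apache 2.4 syntax; it is not configuration from the thread or from NethServer. It assumes the public-facing host has mod_proxy, mod_proxy_http and mod_rewrite loaded, that the internal machine running certbot sits at 10.0.0.5 (a made-up address) and serves /var/www/html/.well-known/acme-challenge/ over plain HTTP, and it uses the hostnames from the thread.

```apache
# Added example, not the poster's configuration: a port-80 virtual host that
# answers every source address but exposes only the ACME path.
<VirtualHost *:80>
    ServerName  pbfamily.net
    ServerAlias www.pbfamily.net mail.pbfamily.net smtp.pbfamily.net
    ServerAlias sektor.pbfamily.net nsdc-sektor.pbfamily.net

    # 1. Hand the ACME path to the internal box that runs certbot
    #    (10.0.0.5 is an assumed address). ProxyRequests Off keeps this
    #    from being a forward proxy; ProxyPreserveHost passes the original
    #    Host header through, so the backend may serve per-name webroots.
    ProxyRequests     Off
    ProxyPreserveHost On
    ProxyPass         /.well-known/acme-challenge/ http://10.0.0.5/.well-known/acme-challenge/
    ProxyPassReverse  /.well-known/acme-challenge/ http://10.0.0.5/.well-known/acme-challenge/

    # 2. Everything else on port 80 becomes a redirect to HTTPS. mod_rewrite
    #    runs before ProxyPass, so the RewriteCond is what keeps the ACME
    #    path out of the redirect. Nothing is served from disk here.
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>
```

Two checks after `apachectl configtest` and a reload: `curl -i http://mail.pbfamily.net/.well-known/acme-challenge/probe` should come back with the backend's 404 (a 301 means the redirect rule caught the ACME path), and `curl -i http://mail.pbfamily.net/anything` should be the 301. The CA does follow redirects, so a stray redirect on the ACME path is not fatal on its own, but it drags your TLS configuration into every validation. Because this vhost is selected by ServerName/ServerAlias, %{HTTP_HOST} is one of your own names unless this is also the default vhost for the address; if it is, put a catch-all vhost for unknown hosts ahead of it. Port 80 on this front door is what has to stay open to every source address; the firewall and ban rules can be as strict as you like everywhere else.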

Good point. I believe I can block only certain protocols for those IPs instead of blocking everything. I will try to reconfigure my firewall; I do have other protections in place, and I'm not really running much on the HTTP server.

Above and beyond IPS and the like, I like using proxies and "filtering".
Like catch and error out anything with “strange” characters in the URL.
Cross-site scripting | directory traversal | UU encoding | etc.
From those “catches” you can build a block list and begin to stop those particular IPs [even if they later make more seemingly innocent requests].
But all that is way off topic for this forum.

Well, I also use fail2ban on my server, so that is where I build my block lists from, but I build them for certain blocks. Tweaking my ban subnet rules did the trick; I honestly did not think of that. Thanks.

I actually think I might have had two problems; the other one was that you couldn't get to the acme-challenge folder.

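As an added example of what "block only certain protocols for those IPs" looks like in fail2ban terms (this is not the poster's file, and on NethServer the fail2ban configuration may be generated from the distribution's own templates, so check before editing by hand): the first jail.local makes every ban an all-ports ban, which is what turns a ban that covers a whole prefix into "Timeout during connect" on port 80 for anything inside that prefix, the CA's validators included; the second restricts each ban to the ports of the service that was abused. Jail names and port lists are assumptions; the file path is fail2ban's usual one.

```ini
# /etc/fail2ban/jail.local (added example, not the poster's configuration)

# --- Setting that produces the symptom in this thread -------------------
# iptables-allports turns every ban into a DROP of all traffic from the
# source. Once bans cover prefixes rather than single hosts, any validator
# that happens to sit in a banned range never gets a SYN/ACK on port 80,
# and the CA reports "Timeout during connect (likely firewall problem)".
# Let's Encrypt does not publish validator addresses, so ignoreip cannot
# carve out an exception; the port scope of the ban is what has to change.
#[DEFAULT]
#banaction = iptables-allports

# --- Corrected: ban only the ports of the service that was abused --------
[DEFAULT]
banaction = iptables-multiport
# recidive uses %(banaction_allports)s by default; point it at multiport too.
banaction_allports = iptables-multiport
# The stock DEFAULT port range is 0:65535, which would close port 80 again,
# so every enabled jail below carries an explicit port list without http.

[sshd]
enabled = true
port    = ssh

[postfix]
enabled = true
port    = smtp,submission

[dovecot]
enabled = true
port    = imap,imaps,pop3,pop3s

[recidive]
enabled = true
port    = ssh,smtp,submission,imap,imaps,pop3,pop3s
```

After `fail2ban-client reload`, `iptables -S INPUT | grep f2b-` should show every jump into an f2b- chain qualified with `-m multiport --dports ...` and none of the bare `-p tcp -j f2b-...` form that the all-ports action installs. Jails that watch the web server itself (the apache-* jails ship with `port = http,https`) still close port 80, but only for the single address that triggered them, which the CA's validators will not do. The test that settles it is the one the CA runs: a throwaway file under /var/www/html/.well-known/acme-challenge/ fetched over plain HTTP from somewhere outside your own networks.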
