Hello, problem with certificate update again

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
lkmpikt.org

I ran this command:
sudo certbot certonly --manual --agree-tos --email my-email --server https://acme-v02.api.letsencrypt.org/directory --preferred-challenge=dns -d lkmpikt.org -d *.lkmpikt.org

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None


You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/lkmpikt.org.conf)

It contains these names: lkmpikt.org

You requested these names for the new certificate: lkmpikt.org, *.lkmpikt.org.

Do you want to expand and replace this existing certificate with the new
certificate?


(E)xpand/(C)ancel: E
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for lkmpikt.org
dns-01 challenge for lkmpikt.org


NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?


(Y)es/(N)o: Y


Please deploy a DNS TXT record under the name
_acme-challenge.lkmpikt.org with the following value:

TJv8TT7pzFXr2lgE2_uuW5iKmqJ5ZrEMFqz4163NUlI

Before continuing, verify the record is deployed.


Press Enter to Continue


Please deploy a DNS TXT record under the name
_acme-challenge.lkmpikt.org with the following value:

4yzfSPQmPsK3Z14VlPMch1bIuA5SI5Lg6mnAKDBDiN0

Before continuing, verify the record is deployed.
(This must be set up in addition to the previous challenges; do not remove,
replace, or undo the previous challenge tasks yet. Note that you might be
asked to create multiple distinct TXT records with the same name. This is
permitted by DNS standards.)


Press Enter to Continue
Waiting for verification...
Challenge failed for domain lkmpikt.org
Challenge failed for domain lkmpikt.org
dns-01 challenge for lkmpikt.org
dns-01 challenge for lkmpikt.org
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: lkmpikt.org
    Type: unauthorized
    Detail: Incorrect TXT record
    "CXP9_wwvPfqCrwga477T9uUwUF6Y5x4V_Rz3zOkyI8U" (and 1 more) found at
    _acme-challenge.lkmpikt.org

    Domain: lkmpikt.org
    Type: unauthorized
    Detail: Incorrect TXT record
    "CXP9_wwvPfqCrwga477T9uUwUF6Y5x4V_Rz3zOkyI8U" (and 1 more) found at
    _acme-challenge.lkmpikt.org

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

My web server is (include version):
nginx -v
nginx version: nginx/1.18.0 (Ubuntu)

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
YES
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot --version
certbot 0.40.0

When using manual DNS challenges you should wait a few minutes after applying your TXT record change so that all of your DNS providers nameservers can sync with the same answer. Some good DNS providers take less than a minute to sync, some others can take 5 minutes or more (I've heard of up to 15 minutes being required on some services).

You are using a version of certbot from 2016. You should try to update that.

1 Like

I also forgot to add this version of the system:
cat /etc/os-release
NAME="Ubuntu"
VERSION="20.04.6 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.6 LTS"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal

I also tried entering this command. The problem is the same: certbot doesn't update the certificate.

sudo certbot renew --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/lkmpikt.org.conf


Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for lkmpikt.org
Waiting for verification...
Challenge failed for domain lkmpikt.org
http-01 challenge for lkmpikt.org
Cleaning up challenges
Attempting to renew cert (lkmpikt.org) from /etc/letsencrypt/renewal/lkmpikt.org.conf produced an unexpected error: Some challenges have failed.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/lkmpikt.org/fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/lkmpikt.org/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: lkmpikt.org
    Type: connection
    Detail: 194.31.153.37: Fetching
    http://lkmpikt.org/.well-known/acme-challenge/JTYSqpFfZC7IGUkgywpFCMVaEkkEYRvtVHbHayKU2G4:
    Timeout during connect (likely firewall problem)

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you're using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

If you use HTTP domain validation, Let's Encrypt will try to check your site using HTTP; this requires that your server responds to HTTP requests on TCP port 80. This error says they tried to connect and it didn't work. If you are geoblocking HTTP, turn that off.

1 Like
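To see what the "Timeout during connect" error actually means, here is an added example (my code, not certbot's or Let's Encrypt's) that performs the same fetch the CA performs for an HTTP-01 challenge: one GET of http://HOST/.well-known/acme-challenge/TOKEN on port 80 with a connect timeout, no redirect following, and a plain classification of the outcome (timeout, refused, redirect, 404, wrong body, ok). The function names, the status labels and the bundled loopback test server (used only so the probe can be exercised offline against constructed tokens) are all my own; the CA's real check runs from several vantage points, so this must be run from a machine outside your own network to mean anything.

```python
#!/usr/bin/env python3
"""Fetch an HTTP-01 challenge URL the way the CA does and name the failure mode.
Added example for this thread; not certbot or Let's Encrypt code."""
import http.client
import socket
import sys
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def probe_http01(host, token, expected_keyauth=None, port=80, timeout=10):
    """GET http://host:port/.well-known/acme-challenge/<token> once, without
    following redirects, and return {"status": ..., "detail": ...}.
    Run it from outside your own network: a LAN-side success says nothing
    about what the CA sees from the internet."""
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", CHALLENGE_PREFIX + token, headers={"Host": host})
        resp = conn.getresponse()
        body = resp.read().decode("ascii", "replace").strip()
        conn.close()
    except socket.gaierror as exc:
        return {"status": "dns_error", "detail": str(exc)}
    except ConnectionRefusedError:
        # Port reached but nothing listening: server down or wrong forwarding target.
        return {"status": "refused", "detail": f"port {port} refused the connection"}
    except socket.timeout:
        # The thread's "Timeout during connect (likely firewall problem)" case:
        # packets are silently dropped by a firewall, a NAT rule or the ISP.
        return {"status": "timeout", "detail": f"no answer on port {port} within {timeout}s"}
    except OSError as exc:
        return {"status": "unreachable", "detail": str(exc)}

    if resp.status in (301, 302, 303, 307, 308):
        # The CA follows redirects (including to https), but port 80 must still answer.
        return {"status": "redirect", "detail": resp.getheader("Location", "")}
    if resp.status == 404:
        # Listener works; the request is hitting the wrong vhost or webroot.
        return {"status": "not_found", "detail": body[:80]}
    if resp.status != 200:
        return {"status": "http_error", "detail": f"HTTP {resp.status}"}
    if expected_keyauth is not None and body != expected_keyauth:
        return {"status": "wrong_content", "detail": body[:80]}
    return {"status": "ok", "detail": body[:80]}


def start_challenge_server(tokens, port=0):
    """Serve constructed key authorisations on 127.0.0.1 so the probe can be
    exercised offline. Returns (server, bound_port); port=0 picks a free port."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            token = self.path[len(CHALLENGE_PREFIX):] if self.path.startswith(CHALLENGE_PREFIX) else None
            if token in tokens:
                body = tokens[token].encode("ascii")
                self.send_response(200)
                self.send_header("Content-Type", "application/octet-stream")
                self.send_header("Content-Length", str(len(body)))
                self.end_headers()
                self.wfile.write(body)
            else:
                self.send_error(404)

        def log_message(self, *args):
            pass  # keep the example quiet

    server = HTTPServer(("127.0.0.1", port), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    # usage: probe_http01.py HOST TOKEN [EXPECTED_KEYAUTH]
    if len(sys.argv) < 3:
        sys.exit("usage: probe_http01.py HOST TOKEN [EXPECTED_KEYAUTH]")
    result = probe_http01(sys.argv[1], sys.argv[2],
                          sys.argv[3] if len(sys.argv) > 3 else None)
    print(f"{result['status']}: {result['detail']}")
    sys.exit(0 if result["status"] == "ok" else 1)
```

A "timeout" from an outside vantage point while the same probe succeeds from the LAN is the signature of a port-80 block somewhere between the internet and the server (router forwarding, a firewall, or the ISP); "refused" or "not_found" point at the server itself instead.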

I don't have geo-blocking enabled. It's possible that my provider has it enabled. I've had this issue before, but I haven't done anything specific about it. One day, I came to work and noticed that the certificate had updated itself. In my nginx settings, I have automatic redirection to port 443. I have two ports open on my firewall, both 80 and 443.

In general, this is not a firewall problem.

Cool, but if curl http://lkmpikt.org fails for your website (i.e. it never reaches the https redirect) then http domain validation probably won't work. It just hangs for me and I'm in Australia.

1 Like

And what should I do then? I have this command, which shows the following result:

curl http://lkmpikt.org
<html>
<head><title>301 Moved Permanently</title></head>
<body>
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx</center>
</body>
</html>

Let's Encrypt is accessing your domain publicly from outside your own country, from several geographic locations. If it doesn't work for most of them then http domain validation will fail. Did you try your curl test from outside your own network?

1 Like

Yeah... I just tried running this command through a different provider, and this is what happened:

curl http://lkmpikt.org
curl: (7) Failed to connect to lkmpikt.org port 80 after 3060 ms: Could not connect to server

And what should I do now? At the same time, the internet itself is there... I don't understand... what's happening...

I restarted the router, but it didn't help...

HTTPS requests on port 443 work. But, HTTP on port 80 fail.

Check your configuration for port 80: things like port forwarding or NAT or any firewall settings related just to HTTP port 80. These are the most common reasons.

And, Ubuntu easily supports the snap install for Certbot. Your version 0.40 is very old. The current version is 4.1. Upgrading won't fix this problem but is a good idea anyway. Follow the install instructions closely: https://certbot.eff.org

Test for HTTPS (port 443):

curl -Ik https://lkmpikt.org
HTTP/1.1 200 OK
Server: nginx
Date: Tue, 05 Aug 2025 12:29:13 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Set-Cookie: bIcDiChvFSgzZd=ne.uPgz9TG5k; expires=Wed, 06-Aug-2025 12:29:13 GMT; Max-Age=86400; path=/; secure
Set-Cookie: FlsRHUEiYS=8%2At%5BYIM9; expires=Wed, 06-Aug-2025 12:29:13 GMT; Max-Age=86400; path=/; secure
Link: <https://lkmpikt.org/index.php?rest_route=/>; rel="https://api.w.org/"
2 Likes

This website https://certbot.eff.org doesn't open the instructions for me. Or I don't see anything...

Also, why install snap when certbot is already in the repository?

I repeated the command from another provider to check 443, and I got the same error as on port 80. I don't understand anything.

curl -Ik https://lkmpikt.org
curl: (7) Failed to connect to lkmpikt.org port 443 after 3087 ms: Could not connect to server

I just removed the certbot that I installed from the repository. I installed it from snap, and the result is the same.

certbot --version
certbot 4.1.1

Version 1

sudo certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?
We recommend selecting either all domains, or all domains in a VirtualHost/server block.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: lkmpikt.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
An RSA certificate named lkmpikt.org already exists. Do you want to update its
key type to ECDSA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(U)pdate key type/(K)eep existing key type: U
Renewing an existing certificate for lkmpikt.org

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Domain: lkmpikt.org
  Type:   connection
  Detail: 194.31.153.37: Fetching http://lkmpikt.org/.well-known/acme-challenge/KIiVr1FSBrJ7Er-3w89_Cvk9bZNJLYX4S8EM4wV9DBw: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

Version 2

sudo certbot certonly --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?
We recommend selecting either all domains, or all domains in a VirtualHost/server block.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: lkmpikt.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
An RSA certificate named lkmpikt.org already exists. Do you want to update its
key type to ECDSA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(U)pdate key type/(K)eep existing key type: U
Renewing an existing certificate for lkmpikt.org

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Domain: lkmpikt.org
  Type:   connection
  Detail: 194.31.153.37: Fetching http://lkmpikt.org/.well-known/acme-challenge/OlxoLWG0K7Fcqvp5SGgpGeaMK_C7rGSy1HNO36oV4-g: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

Version 3

sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/lkmpikt.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Simulating renewal of an existing certificate for lkmpikt.org

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Domain: lkmpikt.org
  Type:   connection
  Detail: 194.31.153.37: Fetching http://lkmpikt.org/.well-known/acme-challenge/brqttqXLmPQhHRTIWWolo3F3jVUwBPCjzpRlIaMPR-w: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Failed to renew certificate lkmpikt.org with error: Some challenges have failed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All simulated renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/lkmpikt.org/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

Because the repository is not being kept up to date. v0.40 is over 5 years old. The snap install will stay current automatically and is what the EFF recommends for Certbot.

On that install page did you choose nginx as your server and "Linux (snap)"? Because you should have seen the instructions then.

As for your comms problem, I can't explain that. Your domain can be reached using HTTPS port 443 from various tools, although not using HTTP port 80. For example: Check host - online website monitoring (check-host.net).

2 Likes

Yes, I said it would not fix this comms problem but was the recommended practice. The new version has many improvements.

2 Likes

yeah... but nothing has changed.... I don't understand anything... maybe I should really call the provider tomorrow?

Well, something must have changed. Does your ISP allow incoming connections on port 80?

1 Like

I don't know. In any case, you'll need to call your provider.

??? You must resolve your communications problem. There is no one for me (or us) to call about that.

2 Likes

Or revert back to your first approach of using DNS challenges, but this time check your DNS has updated before proceeding with your certificate renewal. You can use dig to check the responses from each of your DNS name servers (or just wait 15 mins before proceeding).

1 Like
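The advice above (and earlier in the thread) is to confirm with dig that every authoritative nameserver already returns the TXT values certbot printed before pressing Enter. Here is that check as a script; it is an added example written for this thread, not part of certbot, and it assumes `dig` is on the PATH (the function names and the exit-code convention are my own). The parsing and comparison functions are pure, so they also show what the failure in the first post looks like: the nameservers still serving the stale "CXP9..." value while the newly requested "TJv8..." value is missing.

```python
#!/usr/bin/env python3
"""Ask every authoritative nameserver for the _acme-challenge TXT records and
compare them with the values certbot printed, before pressing Enter.
Added example for this thread; not certbot code; assumes `dig` is installed."""
import shlex
import subprocess
import sys


def run_dig(args, timeout=15):
    """Run `dig +short` with the given arguments and return its stdout
    ('' when dig is missing, fails or times out)."""
    try:
        proc = subprocess.run(["dig", "+short", "+time=3", "+tries=1", *args],
                              capture_output=True, text=True, timeout=timeout)
    except (OSError, subprocess.TimeoutExpired):
        return ""
    return proc.stdout


def parse_txt_answers(dig_short_output):
    """Convert `dig +short TXT` output into the set of record values.
    Each answer line holds one or more double-quoted chunks: chunks on one
    line belong to one record and are joined; separate lines are separate
    records (several TXT records under the same name are allowed)."""
    values = set()
    for line in dig_short_output.splitlines():
        line = line.strip()
        if line:
            values.add("".join(shlex.split(line)))
    return values


def missing_values(expected, found):
    """Values certbot asked for that this nameserver does not (yet) return."""
    return set(expected) - set(found)


def authoritative_nameservers(domain):
    """Nameservers from the domain's NS records (hostnames without trailing dot)."""
    return sorted(ns.rstrip(".") for ns in run_dig(["NS", domain]).split())


def check_challenge(domain, expected, nameservers=None):
    """Query _acme-challenge.<domain> on each nameserver directly (bypassing any
    caching resolver) and return {nameserver: set of missing values}."""
    name = f"_acme-challenge.{domain}"
    report = {}
    for ns in nameservers or authoritative_nameservers(domain):
        found = parse_txt_answers(run_dig(["TXT", name, f"@{ns}"]))
        report[ns] = missing_values(expected, found)
    return report


def all_deployed(report):
    """True only when at least one nameserver answered and none is missing a value."""
    return bool(report) and not any(report.values())


if __name__ == "__main__":
    # usage: check_acme_txt.py DOMAIN TXT_VALUE [TXT_VALUE ...]
    if len(sys.argv) < 3:
        sys.exit("usage: check_acme_txt.py DOMAIN TXT_VALUE [TXT_VALUE ...]")
    result = check_challenge(sys.argv[1], sys.argv[2:])
    for ns, missing in result.items():
        print(f"{ns}: {'ok' if not missing else 'missing ' + ', '.join(sorted(missing))}")
    sys.exit(0 if all_deployed(result) else 1)
```

Run it with the domain and both values certbot displayed (the wildcard request produces two records under the same name), and only press Enter in certbot once it exits 0; querying each nameserver by `@name` matters because your local resolver may cache an old answer long after the authoritative servers have updated.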

In general, I don't understand anything. I checked the ports inside the network, and the result was as follows:

nmap 194.31.153.37
Starting Nmap 7.80 ( https://nmap.org ) at 2025-08-06 08:51 MSK
Nmap scan report for pool.luganet.ru (194.31.153.37)
Host is up (0.0085s latency).
Not shown: 996 closed ports
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Switching to another provider gives the following result:

nmap 194.31.153.37
Starting Nmap 7.80 ( https://nmap.org ) at 2025-08-06 08:52 MSK
Nmap scan report for pool.luganet.ru (194.31.153.37)
Host is up (0.038s latency).
Not shown: 999 filtered ports
PORT    STATE SERVICE
443/tcp open  https

At the same time, port 80 and port 443 are open on the router. I have restarted the router and opened and closed both of these ports, but nothing is working. It only shows one open port, which is 443.

[screenshot not included: Screenshot_20250806_090314]
I even took a screenshot of both ports 80 and 443 being open.

Could be ISP is blocking port 80 but is port 80 forwarded to the server IP at the router?

There will be a NAT feature or similar which lets you say where each port should be forwarded to on the internal network, so you can host multiple services on multiple machines optionally all on different ports.

1 Like