Hello, I am trying to renew the certificate for my Zimbra (version 7) mail server (mail.benta.spb.ru), but letsencrypt-auto says there is a problem with authorization. I tried several times and now it says too many failed authorizations, and I cannot renew my certificate! Oh! All mail in our company is stopped… =( How can I remove the block?
3 months ago I renewed my certificate normally, but now there is an error with authorization. How can I fix it?
I want to ask:
How long am I blocked?
What is the problem with authorization?
I have this message from the letsencrypt log:
[root@mail letsencrypt]# ./letsencrypt-auto renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for mail.benta.spb.ru
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (mail.benta.spb.ru) from /etc/letsencrypt/renewal/mail.benta.spb.ru.conf produced an unexpected error: Failed authorization procedure. mail.benta.spb.ru (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://mail.benta.spb.ru/.well-known/acme-challenge/9-sLvAJ3qR-Qg0XWzDdWylqGvdLv1BiBogge8J9ci7s: Timeout during connect (likely firewall problem). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/mail.benta.spb.ru/fullchain.pem (failure)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/mail.benta.spb.ru/fullchain.pem (failure)
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you’re using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
The timeout is normal because you use the standalone option: Certbot creates a new webserver, starts it and stops it. So we can't check your permanently running webserver.
But: Your port 443 is blocked.
So it looks like your colleagues added a firewall or something else in the last three months.
All the connections time out; I tried port 80, port 443, port 25... are you sure there isn't a firewall blocking the connections or a misconfigured router?
As @JuergenAuer said, you are using the standalone method to validate the Let's Encrypt challenge, which means that your client (letsencrypt-auto) will start a simple web server on port 80 to serve the challenge and validate that you control your domain. If there is another web server listening on port 80, the letsencrypt-auto client can't bind to port 80, but you would receive a different error.
You should not use certbot; you should use letsencrypt-auto, as that is the name of your client (at least you said that in your first post).
As I said previously, you should double check that you can access your server from the internet.
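A pre-flight check for the http-01 path the replies describe, added here as an example (it is not code from the thread, from certbot or from letsencrypt-auto). The token and body are constructed, and the demo only talks to 127.0.0.1; the useful run is pointing check_http01 at your public hostname and port 80 from a machine outside your network, which reproduces what the validation server sees before a real renewal spends a rate-limited attempt.

```python
import http.server
import socket
import threading
import urllib.error
import urllib.request

CHALLENGE_PATH = "/.well-known/acme-challenge/"


def serve_token(token, body, port=0):
    """Start a throwaway HTTP server (like certbot's standalone plugin)
    that answers only the challenge URL for `token`. Port 0 = ephemeral.
    Returns the server; read its port from server.server_address[1]."""

    class Handler(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            if self.path == CHALLENGE_PATH + token:
                self.send_response(200)
                self.send_header("Content-Type", "application/octet-stream")
                self.end_headers()
                self.wfile.write(body.encode())
            else:
                self.send_error(404)

        def log_message(self, *args):
            pass  # keep the check quiet

    srv = http.server.HTTPServer(("127.0.0.1", port), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def check_http01(host, port, token, expected, timeout=3.0):
    """Fetch the challenge URL as the ACME server would and classify the
    outcome: 'ok', an HTTP status problem, a connect failure, or a timeout
    (the symptom in the log above, usually a firewall or NAT rule)."""
    url = f"http://{host}:{port}{CHALLENGE_PATH}{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            got = resp.read().decode()
    except urllib.error.HTTPError as e:
        return f"http {e.code}: reachable, but the token is not served"
    except urllib.error.URLError as e:
        if isinstance(e.reason, (socket.timeout, TimeoutError)):
            return "timeout: nothing answered (likely firewall/NAT)"
        return f"connect failed: {e.reason}"
    except (socket.timeout, TimeoutError):
        return "timeout: nothing answered (likely firewall/NAT)"
    return "ok" if got == expected else "wrong body: another server answered?"
```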
Hello, dear @JuergenAuer and @sahsanu!
Thank you very much for helping me!
I disabled suricata and added a new NAT rule on the firewall, where I pass port 80 and the http protocol, but there was no change in the answer from the script.
After that I remembered that we added a new sftp server to the DNS resolver. This is the one rule that was added in the last 3 months. I removed this rule and my letsencrypt-auto worked!
I am happy!!! =) Thank you, dear friends!!! I love you!