I can't renew my certificate [combined]

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: servicios.poblado.alarmar.com.co

I ran this command: certbot

It produced this output:
1: servicios.poblado.alarmar.com.co


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for servicios.poblado.alarmar.com.co
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. servicios.poblado.alarmar.com.co (http-01): urn: ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: 201.184.143.221: Fetching http://servicios.poblado.alarm ar.com.co/.well-known/acme-challenge/VFwjmU9QdkjPQRcUYt8Og4Qa4RGI8ORRW134M4dUqDk : Error getting validation data

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: servicios.poblado.alarmar.com.co
    Type: connection
    Detail: 201.184.143.221: Fetching
    http://servicios.poblado.alarmar.com.co/.well-known/acme-challenge/VFwjmU9Qdk jPQRcUYt8Og4Qa4RGI8ORRW134M4dUqDk:
    Error getting validation data

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you're using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

I can login to a root shell on my machine (yes or no, or I don't know): yes

Hello @bcastrillon18, welcome to the Let's Encrypt community. :slightly_smiling_face:

You are using the HTTP-01 challenge of the Challenge Types - Let's Encrypt; that requires Port 80 to be open, but it is presently filtered.

Best Practice - Keep Port 80 Open

And to assist with debugging, a great place to start is Let's Debug.
Yielding these results https://letsdebug.net/servicios.poblado.alarmar.com.co/1507045

$ nmap -Pn -p80,443 servicios.poblado.alarmar.com.co
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-05 08:07 PDT
Nmap scan report for servicios.poblado.alarmar.com.co (201.184.143.221)
Host is up.
rDNS record for 201.184.143.221: static-adsl201-184-143-221.une.net.co

PORT    STATE    SERVICE
80/tcp  filtered http
443/tcp filtered https

Nmap done: 1 IP address (1 host up) scanned in 3.69 seconds

Also, for some reason unknown to me, there is a space in the domain name here


In the rules of my UTM I have the following:

SYS_HTTPS tcp -- anywhere anywhere tcp dpt:http
SYS_HTTPS tcp -- anywhere anywhere tcp dpt:https
SYS_SSH tcp -- anywhere anywhere tcp dpt:ssh

but then these two are also defined:

DROP tcp -- anywhere anywhere tcp dpt:http
DROP tcp -- anywhere anywhere tcp dpt:https

Could this be what doesn't let me renew the certificate?

Yes this would be an issue.

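Added example, not from this thread or from any UTM vendor: a POSIX shell function that walks `iptables -S`-style INPUT rules in evaluation order for one destination port and reports whether a new inbound TCP connection is ACCEPTed, DROPped, or only delegated to a user chain (such as the SYS_HTTPS chain above) before a DROP rule is reached. The rules text is constructed to mirror the listing in this thread; it is not the poster's real ruleset, and the check only understands single `--dport` matches.

```sh
#!/bin/sh
# Constructed sample in `iptables -S` format (not real output): the jumps to
# SYS_HTTPS come first, then explicit DROPs, as in the thread's listing.
SAMPLE_RULES='-P INPUT DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j SYS_SSH
-A INPUT -p tcp -m tcp --dport 80 -j SYS_HTTPS
-A INPUT -p tcp -m tcp --dport 443 -j SYS_HTTPS
-A INPUT -p tcp -m tcp --dport 80 -j DROP
-A INPUT -p tcp -m tcp --dport 443 -j DROP'

# Constructed "fixed" variant: ACCEPT for 80/443 placed before any DROP.
FIXED_RULES='-P INPUT DROP
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j DROP'

# port_verdict RULES PORT
# Prints "accept", "drop" or "policy-<POLICY>" for the first terminating rule
# that matches --dport PORT in INPUT, followed by the user chains the packet
# was jumped through before that verdict (those chains must ACCEPT the packet
# themselves, or the later DROP still applies). Only plain --dport is parsed;
# multiport and non-tcp matches are ignored.
port_verdict() {
    printf '%s\n' "$1" | awk -v p="$2" '
        BEGIN { pol = "?" }
        $1 == "-P" && $2 == "INPUT" { pol = $3 }
        $1 == "-A" && $2 == "INPUT" {
            hit = 0
            for (i = 1; i <= NF; i++) if ($i == "--dport" && $(i+1) == p) hit = 1
            if (!hit) next
            tgt = ""
            for (i = 1; i <= NF; i++) if ($i == "-j") tgt = $(i+1)
            if (tgt == "ACCEPT") { v = "accept"; exit }
            if (tgt == "DROP" || tgt == "REJECT") { v = "drop"; exit }
            # jump to a user-defined chain: not a verdict, record it and go on
            chains = chains (chains == "" ? "" : ",") tgt
        }
        END {
            if (v == "") v = "policy-" pol
            print (chains == "" ? v : v " " chains)
        }'
}

for port in 80 443 22; do
    printf 'port %s: %s\n' "$port" "$(port_verdict "$SAMPLE_RULES" "$port")"
done
```

Run it against `iptables -S INPUT` output from the real host to see which rule the validation server's connection to port 80 actually hits.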

That seems insecure/problematic... but this is not the forum for such security issues.

Both rules use the same name "SYS_HTTPS tcp"?


Yes, both rules use the same name:

1161K 70M SYS_HTTPS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
506K 81M SYS_HTTPS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443

Well, I still think there is an issue with some firewall not permitting ports 80 & 443 in from the Internet.

$ nmap -Pn -p80,443 servicios.poblado.alarmar.com.co
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-05 09:36 PDT
Nmap scan report for servicios.poblado.alarmar.com.co (201.184.143.221)
Host is up.
rDNS record for 201.184.143.221: static-adsl201-184-143-221.une.net.co

PORT    STATE    SERVICE
80/tcp  filtered http
443/tcp filtered https

Nmap done: 1 IP address (1 host up) scanned in 3.12 seconds
