I can't renew my certificate using the sudo certbot renew command

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: ilog.adimex.sv

I ran this command: sudo certbot renew

It produced this output:
Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: ilog.adimex.sv
Type: connection
Detail: 190.120.30.14: Fetching http://ilog.adimex.sv/.well-known/acme-challenge/GhqWOcRhaZ2ZGDgvcBKLmvP-ymEAZvRzio4FyzM_8LU: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Failed to renew certificate ilog.adimex.sv with error: Some challenges have failed.


All renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/ilog.adimex.sv/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

My web server is (include version): apache/2.4.53 (Debian)

The operating system my web server runs on is (include version): VMware, Debian bullseye, Linux 5.10.0-14-amd64

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.6.0

The error message is pretty self-explanatory, isn't it? The Let's Encrypt servers need to connect to your server on port 80, and they aren't able to do that. The most likely reason, as the error message says, is a firewall problem of some sort. Find the firewall that's blocking port 80, and disable it.

6 Likes

Frankly, port 443 (HTTPS) is also timing out for me. But indeed, port 80 is required for the http-01 challenge you're currently using.

Your site needs to be publicly available with your current Certbot setup, which it is not.

2 Likes

Hello @danb35/@Osiris

I have checked ports 80 and 443 and both ports are available. I contacted my provider to rule out a problem on their side, and they don't have any blocks. I also asked my telecom administrator to open all of the network policy for that server. I also checked that my site is published; currently I can access it if I ignore the message that says I am accessing an unsafe site.

And after this I still get the same error message. Thank you guys for your replies.

1 Like

Well, maybe it works to connect to your site from where you are, but from where Let's Encrypt's servers are, from where I am, and from where the previous posters in the thread are from, we can't get to your server. Maybe it's some sort of geographic-based block?

5 Likes
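The two replies above make one point that is easy to miss: a `Timeout during connect` on the http-01 challenge means the validator could not even open a TCP connection to port 80, and a successful test from your own network does not rule that out, because Let's Encrypt validates from several vantage points in different regions. The script below is an added example (not code from the thread or from Certbot) that parses the `Domain:/Type:/Detail:` failure blocks certbot prints and maps the ACME error type to the next check a server operator should run. The sample text is constructed from the output quoted in the thread; the category names and the `NEXT_CHECK` hints are my own.

```python
"""Classify the per-domain failures certbot prints when an ACME challenge fails.

Added example (not from the thread or from Certbot).  Reads the
"Domain:/Type:/Detail:" blocks from certbot's output and maps the ACME
error type (RFC 8555 section 6.7 names, as certbot prints them) to the
next check to run.  Category names and hints are this example's own.
"""
import re
from dataclasses import dataclass

# Constructed sample: the failure block from the thread's certbot output.
SAMPLE_OUTPUT = """\
Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: ilog.adimex.sv
Type: connection
Detail: 190.120.30.14: Fetching http://ilog.adimex.sv/.well-known/acme-challenge/GhqWOcRhaZ2ZGDgvcBKLmvP-ymEAZvRzio4FyzM_8LU: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot.
"""

# Hypothetical category -> the check a defender runs next.
NEXT_CHECK = {
    "firewall_or_geo_block": (
        "Port 80 is filtered for the validator's source address. A curl from your own "
        "network proves nothing: Let's Encrypt validates from several vantage points, "
        "so look for geo-IP / source-country rules on the edge firewall and allow "
        "port 80 from anywhere."),
    "nothing_listening": "TCP connect was refused: nothing is bound to port 80 on that address.",
    "connection_other": "Connection-level failure; read the Detail line for the exact cause.",
    "dns_lookup_failed": "The name does not resolve publicly; check the zone's A/AAAA records.",
    "wrong_content_served": (
        "The server answered but with the wrong content (often a 404 or a redirect); "
        "check which vhost/webroot serves /.well-known/acme-challenge/."),
    "caa_forbids": "A CAA record forbids issuance by this CA; fix the CAA record.",
    "unknown": "Unrecognised type; read the Detail line.",
}


@dataclass
class Failure:
    domain: str
    error_type: str = ""
    detail: str = ""

    @property
    def validator_target_ip(self):
        # Connection details are prefixed with the address the validator tried.
        m = re.match(r"^(\S+?): Fetching ", self.detail)
        return m.group(1) if m else None

    @property
    def challenge_url(self):
        m = re.search(r"Fetching (http\S+?): ", self.detail)
        return m.group(1) if m else None


def parse_failures(text):
    """Collect one Failure per 'Domain:' block in certbot's output."""
    failures = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Domain:"):
            failures.append(Failure(domain=line.split(":", 1)[1].strip()))
        elif failures and line.startswith("Type:"):
            failures[-1].error_type = line.split(":", 1)[1].strip()
        elif failures and line.startswith("Detail:"):
            failures[-1].detail = line.split(":", 1)[1].strip()
    return failures


def diagnose(failure):
    """Map an ACME error type plus detail text to a NEXT_CHECK category."""
    t = failure.error_type.lower()
    d = failure.detail.lower()
    if t == "connection":
        if "timeout" in d:
            return "firewall_or_geo_block"
        if "refused" in d:
            return "nothing_listening"
        return "connection_other"
    if t == "dns":
        return "dns_lookup_failed"
    if t == "unauthorized":
        return "wrong_content_served"
    if t == "caa":
        return "caa_forbids"
    return "unknown"


def report(text):
    """One line per failed domain: what failed, which address was tried, and what to check."""
    lines = []
    for f in parse_failures(text):
        key = diagnose(f)
        lines.append(f"{f.domain} [{f.error_type}] via {f.validator_target_ip} -> {key}: {NEXT_CHECK[key]}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_OUTPUT))
```

Compare the address in the `Detail` line with the IP you expect the name to resolve to; if they match and the category is `firewall_or_geo_block`, the packet is being dropped somewhere between the internet and the listener, exactly the situation this thread ends up in. Retest with `certbot renew --dry-run` so that repeated attempts go against the staging environment rather than consuming production rate limits.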

I can see your Fortinet firewall device on port 4443.

That is a good place to look for a geographic-based restriction. I couldn't reach your site from test servers in Mexico or Costa Rica either, so your limit might be very narrow.

Maybe visit the Fortinet community for help on that (link here)

6 Likes

Thank you very much @MikeMcQ and @petercooperjr,

It was a geographical limitation in the Fortinet firewall: only 3 countries were allowed. The firewall administrator changed the policy and now I was able to update the certificate.

Thank you all very much for your answers, excellent forum.

5 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.