I can't renew my certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: servicios.poblado.alarmar.com.co

I ran this command: certbot

It produced this output:
root@servicios:~# certbot
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?


1: servicios.poblado.alarmar.com.co


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for servicios.poblado.alarmar.com.co
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. servicios.poblado.alarmar.com.co (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: 201.184.143.221: Fetching http://servicios.poblado.alarmar.com.co/.well-known/acme-challenge/n1tqKwZZSfQd1aaa7siVubzAO0i6XgVpdXOVqp3FRto: Error getting validation data

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: servicios.poblado.alarmar.com.co
    Type: connection
    Detail: 201.184.143.221: Fetching
    http://servicios.poblado.alarmar.com.co/.well-known/acme-challenge/n1tqKwZZSfQd1aaa7siVubzAO0i6XgVpdXOVqp3FRto:
    Error getting validation data

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you're using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

My web server is (include version): Ubuntu 16.04

I can login to a root shell on my machine (yes or no, or I don't know): yes

I also checked the firewall rules and I see that the traffic is being accepted on ports 80 and 443, but it still shows me the news:
1175K 71M SYS_HTTPS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
579K 94M SYS_HTTPS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443

Despite your inbound rules:

And I can't connect either:

curl -Ii http://servicios.poblado.alarmar.com.co
curl: (56) Recv failure: Connection reset by peer

curl -Ii https://servicios.poblado.alarmar.com.co
curl: (7) Failed to connect to servicios.poblado.alarmar.com.co port 443: No route to host

Notice how the two messages differ.
Is there a device doing NAT, or port forwarding, inline?

3 Likes

The UTM that I have is Zeroshell, and there is a part that says Port Forwarding and Source NAT (PAT). In this section there are other rules, and there is no addition related to ports 80 and 443. Could it be for this reason?

Yes.

3 Likes

I already opened the ports in that section but now another error appears:

root@servicios:~# certbot
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

An unexpected error occurred:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 141, in _new_conn
(self.host, self.port), self.timeout, **extra_kw)
File "/usr/lib/python3/dist-packages/urllib3/util/connection.py", line 83, in create_connection
raise err
File "/usr/lib/python3/dist-packages/urllib3/util/connection.py", line 73, in create_connection
sock.connect(sa)
OSError: [Errno 101] Network is unreachable

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 600, in urlopen
chunked=chunked)
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 345, in _make_request
self._validate_conn(conn)
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 846, in _validate_conn
conn.connect()
File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 284, in connect
conn = self._new_conn()
File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 150, in _new_conn
self, "Failed to establish a new connection: %s" % e)
urllib3.exceptions.NewConnectionError: <urllib3.connection.VerifiedHTTPSConnection object at 0x7f0021a97da0>: Failed to establish a new connection: [Errno 101] Network is unreachable

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/requests/adapters.py", line 440, in send
timeout=timeout
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 649, in urlopen
_stacktrace=sys.exc_info()[2])
File "/usr/lib/python3/dist-packages/urllib3/util/retry.py", line 388, in increment
raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7f0021a97da0>: Failed to establish a new connection: [Errno 101] Network is unreachable',))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/acme/client.py", line 1120, in _send_request
response = self.session.request(method, url, *args, **kwargs)
File "/usr/lib/python3/dist-packages/requests/sessions.py", line 502, in request
resp = self.send(prep, **send_kwargs)
File "/usr/lib/python3/dist-packages/requests/sessions.py", line 612, in send
r = adapter.send(request, **kwargs)
File "/usr/lib/python3/dist-packages/requests/adapters.py", line 504, in send
raise ConnectionError(e, request=request)
requests.exceptions.ConnectionError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7f0021a97da0>: Failed to establish a new connection: [Errno 101] Network is unreachable',))

During handling of the above exception, another exception occurred:

ValueError: Requesting acme-v02.api.letsencrypt.org/directory: Network is unreachable
Please see the logfiles in /var/log/letsencrypt for more details.
root@servicios:~#
root@servicios:~# certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/servicios.poblado.alarmar.com.co.conf


Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Attempting to renew cert (servicios.poblado.alarmar.com.co) from /etc/letsencrypt/renewal/servicios.poblado.alarmar.com.co.conf produced an unexpected error: Requesting acme-v02.api.letsencrypt.org/directory: Network is unreachable. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/servicios.poblado.alarmar.com.co/fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/servicios.poblado.alarmar.com.co/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)
Tiene correo nuevo en /var/mail/root

Both Ports 80 and 443 are not OPEN; the HTTP-01 challenge, of the Challenge Types - Let's Encrypt, requires access to Port 80. Best Practice - Keep Port 80 Open

$ nmap -Pn -p80,443 servicios.poblado.alarmar.com.co
Starting Nmap 7.80 ( https://nmap.org ) at 2023-06-13 14:18 PDT
Nmap scan report for servicios.poblado.alarmar.com.co (201.184.143.221)
Host is up.
rDNS record for 201.184.143.221: static-adsl201-184-143-221.une.net.co

PORT    STATE    SERVICE
80/tcp  filtered http
443/tcp filtered https

Nmap done: 1 IP address (1 host up) scanned in 3.71 seconds
1 Like

You have major network problems you need to fix. And you still need to open ports 80 and 443, as Bruce says.

5 Likes

But I already opened the ports on the router. Are you talking about opening them on the server as such?

Whatever it takes so the Public Internet can access them.

Using this online tool https://check-host.net/ the Permanent link to this check report shows "Connection timed out" from around the world.

And to assist with debugging, a great place to start is Let's Debug.

4 Likes

This has failed:

Please switch to staging environment until testing has been completed.
You can do so by adding to each request:
--dry-run

Outbound HTTPS seems to be blocked.
This can happen for different reasons.
Please try these simple tests [and show their outputs]:
curl -v https://acme-v02.api.letsencrypt.org/
traceroute -T -p 443 acme-v02.api.letsencrypt.org
traceroute -T -p 443 www.google.com

4 Likes
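
The certbot output in this thread reports two separate failures: first the CA could not reach the host for the http-01 challenge, then certbot itself could not reach the ACME API. The following Python is an added example, not written by any poster and not certbot's own code; it parses those two message shapes and reports which leg of the exchange is failing. The names `triage` and `INBOUND_MEANING` are made up for illustration, and the `dns` and `unauthorized` entries go beyond the one error type seen in the thread (they are RFC 8555 error types).

```python
import re

# ACME failure line as certbot prints it: domain, challenge type, RFC 8555
# error type, then the address and URL the CA tried to fetch.
AUTHZ_RE = re.compile(
    r"Failed authorization procedure\. (?P<domain>\S+) \((?P<challenge>[\w-]+)\): "
    r"urn:ietf:params:acme:error:(?P<error>\w+) :: .*? :: "
    r"(?P<ip>[0-9A-Fa-f.:]+): Fetching (?P<url>\S+): ")
# certbot could not even fetch the ACME directory from this host.
DIRECTORY_RE = re.compile(r"Requesting (?P<api>\S+)/directory: (?P<reason>[^.]+)")

# What each error type says about the CA -> host leg (illustrative wording).
INBOUND_MEANING = {
    "connection": "CA could not open a TCP connection to the address in DNS",
    "dns": "CA could not resolve the name",
    "unauthorized": "CA reached a web server but got the wrong response",
}

def triage(lines):
    """Return one finding per failing leg: 'ca->host' and/or 'host->ca'."""
    findings = {}
    for line in lines:
        m = AUTHZ_RE.search(line)
        if m:
            findings["ca->host"] = dict(
                m.groupdict(),
                meaning=INBOUND_MEANING.get(m["error"], "see the Detail text"))
        m = DIRECTORY_RE.search(line)
        if m:
            findings["host->ca"] = m.groupdict()
    return findings

# Two lines copied from the certbot output posted in this thread.
THREAD_LINES = [
    "Failed authorization procedure. servicios.poblado.alarmar.com.co (http-01): "
    "urn:ietf:params:acme:error:connection :: The server could not connect to the "
    "client to verify the domain :: 201.184.143.221: Fetching "
    "http://servicios.poblado.alarmar.com.co/.well-known/acme-challenge/"
    "n1tqKwZZSfQd1aaa7siVubzAO0i6XgVpdXOVqp3FRto: Error getting validation data",
    "ValueError: Requesting acme-v02.api.letsencrypt.org/directory: Network is unreachable",
]

if __name__ == "__main__":
    for leg, info in triage(THREAD_LINES).items():
        print(leg, info)
```

A `ca->host` finding points at inbound port 80 (DNS, NAT, port forwarding, firewall); a `host->ca` finding points at outbound port 443 from the server, which is what the `curl` and `traceroute` tests above probe.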
