I Tried. I Really Did Try. SSL Renewal Failure

Hi all. I am a newb. But not that much of a newd. I am proudly leaving Windows for Linux. I learn the most by doing via my Droplet on DigitalOcean.

My issue is the failure of simply manual renewal of the SSL certificate(s) for domain "olancha.io" and "www.olancha.io".

I tried renewal various types: as dryrun, with and without UFW running. No luck.

Thank you for your help.

~Guppy

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: olancha.io

I ran this command:

sudo certbot renew --cert-name olancha.io --dry-run --debug -v

with and without ufw running.

It produced this output:

cottontail@olancha:~$ sudo certbot renew --cert-name olancha.io --dry-run --debug -v
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/olancha.io.conf

Certificate is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Simulating renewal of an existing certificate for olancha.io and www.olancha.io
Performing the following challenges:
http-01 challenge for olancha.io
http-01 challenge for www.olancha.io
Waiting for verification...
Challenge failed for domain olancha.io
Challenge failed for domain www.olancha.io
http-01 challenge for olancha.io
http-01 challenge for www.olancha.io

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: olancha.io
Type: connection
Detail: During secondary validation: 68.183.152.173: Fetching http://olancha.io/.well-known/acme-challenge/UDwk8JF3wVPRljFh2hwj8ATX7NDDqsc7c3BbGkV3C_s: Timeout during connect (likely firewall problem)

Domain: www.olancha.io
Type: connection
Detail: During secondary validation: 68.183.152.173: Fetching http://www.olancha.io/.well-known/acme-challenge/QHH--6nl-S5_hs1yfoL6AUB66597rYdPZrGynqcGdHA: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Cleaning up challenges
Failed to renew certificate olancha.io with error: Some challenges have failed.

All simulated renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/olancha.io/fullchain.pem (failure)

Exiting abnormally:
Traceback (most recent call last):
File "/usr/bin/certbot", line 33, in
sys.exit(load_entry_point('certbot==1.21.0', 'console_scripts', 'certbot')())
File "/usr/lib/python3/dist-packages/certbot/main.py", line 15, in main
return internal_main.main(cli_args)
File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 1574, in main
return config.func(config, plugins)
File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 1460, in renew
renewal.handle_renewal_request(config)
File "/usr/lib/python3/dist-packages/certbot/_internal/renewal.py", line 500, in handle_renewal_request
raise errors.Error("{0} renew failure(s), {1} parse failure(s)".format(
certbot.errors.Error: 1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
cottontail@olancha:~$ date
Thu Dec 5 11:31:25 PST 2024
cottontail@olancha:~$ date
Thu Dec 5 11:37:40 PST 2024
cottontail@olancha:~$ certbot --version
certbot 1.21.0
cottontail@olancha:~$ certbot-auto --version
certbot-auto: command not found
cottontail@olancha:~$ sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Found the following certs:
Certificate Name: olancha.io-0001
Serial Number: 343e869ecc8d6b60b2f769eee496bf098a1
Key Type: RSA
Domains: olancha.io
Expiry Date: 2024-11-25 01:48:37+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/olancha.io-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/olancha.io-0001/privkey.pem
Certificate Name: olancha.io
Serial Number: 44ad9c91e8f34016de7d234d8934e76017c
Key Type: RSA
Domains: olancha.io www.olancha.io
Expiry Date: 2024-09-15 23:17:54+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/olancha.io/fullchain.pem
Private Key Path: /etc/letsencrypt/live/olancha.io/privkey.pem

cottontail@olancha:~$ date
Thu Dec 5 11:41:53 PST 2024

My web server is (include version): Apache/2.4.52 (Ubuntu) (no nginx)

The operating system my web server runs on is (include version): Ubuntu 22.04.5 LTS

My hosting provider, if applicable, is: DigitalOcean

I can login to a root shell on my machine (yes or no, or I don't know): yes, tried using user root and cottontail who has sudo permissions.

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no. only using SSH via Windows terminal

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

cottontail@olancha:~$ certbot --version
certbot 1.21.0
cottontail@olancha:~$ certbot-auto --version
certbot-auto: command not found

Hi @Guppy818,

Let’s Debug gets https://letsdebug.net/olancha.io/2302257

Showing that Port 80 is not accessible (at least for Let’s Encrypt). And Let’s Encrypt checks from multiple geographical locations.

Is most likely correct.

OK. FYI, just a moment ago I found the http down. Rebooting the server right now (12:25 PST).

See also that I tried the renewal with and without the UFW running.

Here's normal UFW status:

cottontail@olancha:~$ sudo ufw status
Status: active

To Action From

Apache Full ALLOW Anywhere
OpenSSH ALLOW Anywhere
20,21,990/tcp ALLOW Anywhere
40000:50000/tcp ALLOW Anywhere
Apache Full (v6) ALLOW Anywhere (v6)
OpenSSH (v6) ALLOW Anywhere (v6)
20,21,990/tcp (v6) ALLOW Anywhere (v6)
40000:50000/tcp (v6) ALLOW Anywhere (v6)

Any ideas?

Apache server is up now. (12:28 PST)

Still looks like most places in the world are having trouble connecting.

You first need to get your site working, and then worry about the certificate (which will probably be easy to do once the site is back up).

OK. I have another idea.
#iptables

It wasn't until I posted here that the site goes down.
I have never seen that happen until today.

Is it possible that the site went down during when you were attempting to get a certificate issued?

Nope. I stopped trying renewals after I posted here.

I have to manually restart apache2 and stuff.

I am still looking at backing up #iptables and resetting that.

What does "Broken pipe" mean on the debug website?
https://check-host.net/check-http?host=olancha.io

After backing up the iptables, clearing all iptables to basic rules, then disabling the UFW (hahahahaha) I got this output:

root@olancha:~# iptables -nvL
Chain INPUT (policy ACCEPT 841 packets, 71075 bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 748 packets, 91685 bytes)
pkts bytes target prot opt in out source destination
root@olancha:~# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
root@olancha:~# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP all -- xxxxxxxxxxxxxxxxx/24 anywhere
DROP all -- xxxxxxxxxxxxxxxxx/20 anywhere
DROP all -- xxxxxxxxxxxxxxxxx/19 anywhere
DROP all -- xxxxxxxxxxxxxxxxx/24 anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
root@olancha:~# certbot renew --dry-run -v
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/olancha.io-0001.conf

Certificate is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Simulating renewal of an existing certificate for olancha.io
Performing the following challenges:
http-01 challenge for olancha.io
Waiting for verification...
Cleaning up challenges

Processing /etc/letsencrypt/renewal/olancha.io.conf

Certificate is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Simulating renewal of an existing certificate for olancha.io and www.olancha.io
Performing the following challenges:
http-01 challenge for www.olancha.io
http-01 challenge for olancha.io
Waiting for verification...
Cleaning up challenges

Congratulations, all simulated renewals succeeded:
/etc/letsencrypt/live/olancha.io-0001/fullchain.pem (success)
/etc/letsencrypt/live/olancha.io/fullchain.pem (success)

root@olancha:~# certbot renew -v
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/olancha.io-0001.conf

Certificate is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate for olancha.io
Performing the following challenges:
http-01 challenge for olancha.io
Waiting for verification...
Cleaning up challenges
Reloading apache server after certificate renewal

Processing /etc/letsencrypt/renewal/olancha.io.conf

Certificate is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate for olancha.io and www.olancha.io
Performing the following challenges:
http-01 challenge for www.olancha.io
Waiting for verification...
Cleaning up challenges
Reloading apache server after certificate renewal

Congratulations, all renewals succeeded:
/etc/letsencrypt/live/olancha.io-0001/fullchain.pem (success)
/etc/letsencrypt/live/olancha.io/fullchain.pem (success)

root@olancha:~# date
Thu Dec 5 13:12:48 PST 2024
root@olancha:~#

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.