Issue or renew a cert: timeout (certbot and acme.sh) [solved]

Hi,

Last June I was able to issue a certificate with certbot, but it is impossible to renew it.
I have the same problem when trying to issue a new certificate for another domain.
I tried certbot and acme.sh.
The result is always the same:
Timeout during connect (likely firewall problem)
I have set up rules in our firewall to allow traffic between the server and acme-v02.api.letsencrypt.org.
There is outgoing traffic, but nothing comes back, which means that we don't get an answer from letsencrypt.org.
With certbot the challenge is not created on the server, but with acme.sh it is, and it is accessible from outside.

My domains are: glpi-test.ehess.fr, vintest-cas.ehess.fr
The commands:
certbot certonly --apache -d vintest-cas.ehess.fr [-v]
acme.sh --issue -d glpi-test.ehess.fr -w /srv/www/htdocs/dummy --server letsencrypt [--debug]

The operating system my web server runs on is: openSUSE Leap 15.3, Apache 2.4.51
We are self-hosted
I can login to a root shell on my machine.
The version of my client is:
certbot 1.30.0
acme.sh 3.0.5

certbot output:

certbot certonly --apache -d vintest-cas.ehess.fr -v
Saving debug log to /var/log/letsencrypt/letsencrypt.log
ssl_module is statically linked but --apache-bin is missing; not disabling session tickets.
Plugins selected: Authenticator apache, Installer apache
Requesting a certificate for vintest-cas.ehess.fr
Performing the following challenges:
http-01 challenge for vintest-cas.ehess.fr
Waiting for verification...
Challenge failed for domain vintest-cas.ehess.fr
http-01 challenge for vintest-cas.ehess.fr

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: vintest-cas.ehess.fr
Type: connection
Detail: 193.48.45.225: Fetching http://vintest-cas.ehess.fr/.well-known/acme-challenge/gwCaPM1oCzS3qvAehvbTQJEg52yAlJWZw5OIx_X4e4E: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Cleaning up challenges
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

acme.sh output:

acme.sh --issue -d glpi-test.ehess.fr -w /srv/www/htdocs/dummy --server letsencrypt
[lun. oct. 3 15:17:18 CEST 2022] Using CA: https://acme-v02.api.letsencrypt.org/directory
[lun. oct. 3 15:17:18 CEST 2022] Single domain='glpi-test.ehess.fr'
[lun. oct. 3 15:17:18 CEST 2022] Getting domain auth token for each domain
[lun. oct. 3 15:17:20 CEST 2022] Getting webroot for domain='glpi-test.ehess.fr'
[lun. oct. 3 15:17:20 CEST 2022] Verifying: glpi-test.ehess.fr
[lun. oct. 3 15:17:21 CEST 2022] Pending, The CA is processing your order, please just wait. (1/30)
[lun. oct. 3 15:17:24 CEST 2022] Pending, The CA is processing your order, please just wait. (2/30)
[lun. oct. 3 15:17:28 CEST 2022] Pending, The CA is processing your order, please just wait. (3/30)
[lun. oct. 3 15:17:31 CEST 2022] Pending, The CA is processing your order, please just wait. (4/30)
[lun. oct. 3 15:17:35 CEST 2022] glpi-test.ehess.fr:Verify error:193.48.45.166: Fetching http://glpi-test.ehess.fr/.well-known/acme-challenge/pZ3NT6-LJqGRPV9pnf6EtZUzqYO-W4nb_B_8L1HCwIg: Timeout during connec)
[lun. oct. 3 15:17:35 CEST 2022] Please add '--debug' or '--log' to check more details.
[lun. oct. 3 15:17:35 CEST 2022] See: How to debug acme.sh · acmesh-official/acme.sh Wiki · GitHub

Thank you for your help.


Please open port 80 and please keep it open :slight_smile:


Hi Osiris.
Thank you for your answer.
There is a time limit in our firewall access lists for the 2 servers; I did not see it before...
Port 80 is now open.
There is another problem: CAA record for xxx prevents issuance.
I will investigate.

Thanks for your help

Edit: the DNS CAA record for letsencrypt in our DNS configuration was commented out.

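Added example (not from this thread, certbot or acme.sh): an offline check of the CAA rule that caused the second failure above, implementing the RFC 8659 walk from the requested name up to the zone apex. The zone data is constructed and the example.org names stand in for the poster's domains; the only real identifier is the letsencrypt.org issuer-domain-name.

```python
"""Offline CAA check (RFC 8659): may a given CA issue for this name?
The relevant RRset is that of the closest name, walking from the FQDN up
towards the root, that has any CAA records; none anywhere means no limit.
Records come from a dict so this runs offline; a real check would query DNS."""
from typing import Dict, List, Optional, Tuple

CA_DOMAIN = "letsencrypt.org"   # issuer-domain-name Let's Encrypt matches against

def parse_caa(record: str) -> Tuple[int, str, str]:
    """Split presentation-format CAA text, e.g. '0 issue "letsencrypt.org"'."""
    flags, tag, value = record.split(" ", 2)
    return int(flags), tag.lower(), value.strip().strip('"')

def relevant_caa_set(zone: Dict[str, List[str]], fqdn: str) -> Optional[List[str]]:
    """CAA records of fqdn itself, else of its closest ancestor that has any."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if zone.get(name):
            return zone[name]
    return None

def caa_allows_issuance(zone: Dict[str, List[str]], fqdn: str,
                        ca_domain: str = CA_DOMAIN, wildcard: bool = False) -> bool:
    """True if ca_domain may issue a certificate for fqdn."""
    records = relevant_caa_set(zone, fqdn)
    if records is None:
        return True          # no CAA in the chain: issuance is unrestricted
    parsed = [parse_caa(r) for r in records]
    # issuewild governs wildcard requests only when present; otherwise issue does
    tag = "issuewild" if wildcard and any(t == "issuewild" for _, t, _ in parsed) else "issue"
    allowed = [v for _, t, v in parsed if t == tag]
    if not allowed:
        return True          # CAA present (e.g. only iodef) but no issue restriction
    for value in allowed:
        issuer = value.split(";", 1)[0].strip().lower()   # drop "; key=value" parameters
        if issuer == ca_domain.lower():
            return True
    return False             # no match; also covers '0 issue ";"', which forbids every CA

# Constructed zone data, not the poster's real DNS. The CAA sits at the apex, so
# every subdomain inherits it: with the letsencrypt.org line commented out only
# digicert.com remains and Let's Encrypt reports "CAA record ... prevents issuance".
ZONE_BEFORE = {"example.org": ['0 issue "digicert.com"']}
ZONE_AFTER = {"example.org": ['0 issue "digicert.com"', '0 issue "letsencrypt.org"']}

if __name__ == "__main__":
    for label, zone in (("before fix", ZONE_BEFORE), ("after fix", ZONE_AFTER)):
        print(label, caa_allows_issuance(zone, "glpi-test.example.org"))
```

Running this before `certbot` or `acme.sh` tells you whether the CA will be refused by CAA even when port 80 is reachable; the firewall timeout in the first post is a separate, earlier failure that no CAA record can explain.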
