Keep getting unknown error and then exceeding retry limits

When running renew I get “Attempting to renew cert (docs…com) from /etc/letsencrypt/renewal/docs…com.conf produced an unexpected error: Some challenges have failed… Skipping”, followed a little while later by “Could not choose appropriate plugin for updaters: Could not select or initialize the requested installer none.”. Even running with -vvv just produces the same text.

Everything I try fails and then I end up exceeding the max number of attempts and I’m locked out.

This happened after the recent updates that require Python 3. I’ve downloaded the latest letsencrypt and am using that.

Any help would be most appreciated.

Thanks,

In the log file I also see:

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: docs…com
    Type: connection
    Detail: Fetching
    http://docs…com/.well-known/acme-challenge/WvS_8GAofAfAULoWFoSt8H4xVIqGiMp2TT4zdwzlx5U:
    Timeout during connect (likely firewall problem)

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

HTTP doesn’t work on this server and the router box doesn’t pass port 80 requests through. Can it be made to try HTTPS?
The directory .well-known/acme-challenge doesn’t exist in the server root and creating it by hand makes no difference.

Hi @IGIT

Short answer: No. If you want to use http-01 validation, an open port 80 is required.

If this isn't possible, why? If it is a normal website, it is not only possible, it's required.

Otherwise check

Thanks for the quick response. I’m a bit of a novice so I’m learning. The web server seems to use HSTS and won’t respond to port 80 requests. I guess http-01 validation is not the one to use. Is there one that supports HTTPS / HSTS and, if so, how do I switch to it?

That's wrong.

Every regular website should have an open and working port 80.

And you can and should create a redirect http -> https.

My own domains are preloaded, so browsers use only https, without the first connection going via http.

Check

And check some (already checked) domain results of my tool - https://check-your-website.server-daten.de/ - then you see: Grade A+, preload and open port 80 with correct redirects.

Check domains via https://hstspreload.org/ - then you see if a domain is preloaded.

Only ~65.000 domains are preloaded.


The server does appear to be redirecting HTTP to HTTPS, however, I don’t think our router is forwarding requests on port 80. It forwards port 443 but not port 80. I currently have a support request for help setting up the router. MikroTik may be feature rich but configuring it is arcane!

Sorted it! Managed to get port 80 through the router and now LetsEncrypt is happy.

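An added example, not part of the thread: a small parser for the "errors were reported by the server" block quoted in the first post, which decides whether another renewal attempt is worthwhile before it counts against the failure limit. The sample report is constructed (placeholder domain and token), and `parse_failures` and `triage` are hypothetical helper names.

```python
import re

# Constructed sample in the shape of the report quoted in the thread;
# the domain and token are placeholders, not values from the post.
SAMPLE_REPORT = """\
IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: docs.example.com
   Type:   connection
   Detail: Fetching
   http://docs.example.com/.well-known/acme-challenge/TOKEN-PLACEHOLDER:
   Timeout during connect (likely firewall problem)

   To fix these errors, please make sure that your domain name was
   entered correctly.
"""

FIELD = re.compile(r"^\s*(Domain|Type|Detail):\s*(.*)$")

def parse_failures(report):
    """Return one dict per failed domain with keys domain/type/detail."""
    failures, current, last = [], None, None
    for line in report.splitlines():
        m = FIELD.match(line)
        if m:
            key, value = m.group(1).lower(), m.group(2).strip()
            if key == "domain":  # a Domain line starts a new record
                current = {"domain": value, "type": "", "detail": ""}
                failures.append(current)
            if current is not None:
                current[key] = value
            last = key
        elif not line.strip():
            last = None  # a blank line ends a wrapped Detail value
        elif last == "detail" and current is not None:
            current["detail"] = (current["detail"] + " " + line.strip()).strip()
    return failures

def triage(failure):
    """Return (retry_now, advice); blind retries only use up the failure limit."""
    detail = failure["detail"]
    if failure["type"] == "connection" and "Timeout during connect" in detail:
        port = 443 if "Fetching https://" in detail else 80
        return (False, f"port {port} is not reachable from the internet; fix forwarding first")
    return (False, "not a connect timeout; read the Detail text before retrying")
```

Once the cause is fixed, `certbot renew --dry-run` runs the same challenge against the staging environment, so a failed test does not count toward the production limits.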
