Let's Encrypt dry run problem

Hi,

This morning I had an email saying that my cert will expire in 20 days. However, I did have a cronjob to renew it; it's been fine for 6 months, but now all of a sudden I'm having a problem. I ran a dry run command and the output I get is this:

jack@mail:/etc/cron.d$ sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/mail.violetdragonsnetwork.co.uk.conf


Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for mail.violetdragonsnetwork.co.uk
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (mail.violetdragonsnetwork.co.uk) from /etc/letsencrypt/renewal/mail.violetdragonsnetwork.co.uk.conf produced an unexpected error: Failed authorization procedure. mail.violetdragonsnetwork.co.uk (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://mail.violetdragonsnetwork.co.uk/.well-known/acme-challenge/-f5lX2JGKan5cNf5X-tAzlgZdpE8sMsuagf2bNkaA2M: Timeout during connect (likely firewall problem). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/mail.violetdragonsnetwork.co.uk/fullchain.pem (failure)


** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/mail.violetdragonsnetwork.co.uk/fullchain.pem (failure)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: mail.violetdragonsnetwork.co.uk
    Type: connection
    Detail: Fetching
    http://mail.violetdragonsnetwork.co.uk/.well-known/acme-challenge/-f5lX2JGKan5cNf5X-tAzlgZdpE8sMsuagf2bNkaA2M:
    Timeout during connect (likely firewall problem)

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

  • Your account credentials have been saved in your Certbot
    configuration directory at /etc/letsencrypt. You should make a
    secure backup of this folder now. This configuration directory will
    also contain certificates and private keys obtained by Certbot so
    making regular backups of this folder is ideal.

Any ideas?

Thanks.

Hi @violetdragon92, there is your problem - timeout.

Checking your domain there is no open port 80 - https://check-your-website.server-daten.de/?q=mail.violetdragonsnetwork.co.uk

Domainname Http-Status redirect Sec. G
http://mail.violetdragonsnetwork.co.uk/
81.150.180.216 -14 10.030 T
Timeout - The operation has timed out
https://mail.violetdragonsnetwork.co.uk/
81.150.180.216 200 3.724 B
small content:
http://mail.violetdragonsnetwork.co.uk/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
81.150.180.216 -14 10.007 T
Timeout - The operation has timed out

Port 80 must be open, the webserver must answer.

Fatal: Check of /.well-known/acme-challenge/random-filename has a timeout. Creating a Letsencrypt certificate via http-01 challenge can't work. You need a running webserver (http) and an open port 80. If it's a home server + ipv4, perhaps a correct port forwarding port 80 extern ⇒ working port intern is required. Port 80 / http can redirect to another domain port 80 or port 443, but not other ports. If it's a home server, perhaps your ISP blocks port 80. Then you may use the dns-01 challenge.


Hi, thanks for your reply. I have a business line. Port 80 is open and not blocked. I only have Let's Encrypt for my mail.violetdragonsnetwork.co.uk, which has Roundcube open. I use Roundcube for my mail server. What should I do? My name servers are on DO pointing to my static IP, then port forwarding to my mail server for 587, and port 25 is open. Port 80 is also port forwarded for Roundcube.

Thanks for your reply

Something's blocking it, if indeed there's any process listening there in the first place. Port 443 answers, but port 80 does not.

OK, thanks guy. I will check port forwarding on my pfSense firewall.

If your port 80 is open, the online tool must be able to connect to your website.

An internal connect isn't relevant.


I am definitely port forwarding, so what else could be the problem?

Update: I had to change /etc/network/interfaces. Can you check now?

@violetdragon92 https://mail.violetdragonsnetwork.co.uk/mail/ has a shiny new certificate! Looks good from here!

How can you tell? I'm still getting this error though; it's weird how it was working but now it's not.

My mistake. Sorry. I may have read over your actual issue. However, https://mail.violetdragonsnetwork.co.uk/mail/ is accessible from my location and the certificate is valid until September 24, 2019 (dry-run issue notwithstanding).

I know. But the problem is I can't renew the certificate, and I had an email this morning saying that it's due to expire. I dunno what to do as I can't renew it.

Fix your firewall, or your ISP's firewall. Something is blocking port 80, and until you identify and resolve that, you won't be able to obtain a cert this way.

That's the thing: all ports are open on my firewall. I've also verified that port 80 is open on my mail server. There is something else that is causing this.

The possibilities are limited:

  • Your ISP is blocking port 80
  • Your router/firewall is blocking port 80
  • A firewall on your server is blocking port 80

I think that's an exhaustive list. The fact remains that port 80 on your server isn't responding to external queries--not for me, not for @JuergenAuer's web tool, and not for the Let's Encrypt servers. This can only be a problem with your network. Until you find it and fix it, you won't be able to use HTTP validation to obtain (or renew) a cert.

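The check @JuergenAuer's tool performs and the three-way diagnosis @danb35 gives can be reproduced with a small probe. This is an added example, not code from the thread or from certbot; the hostname is the one in the thread, the challenge token is a constructed placeholder, and the `connect` parameter is a hypothetical injection point so the classification can be exercised offline. As the thread stresses, it only means something when run from outside your own network.

```python
import socket

# Added diagnostic (not from the thread): fetches an http-01 style URL on
# port 80 the way an external checker does and maps the outcome onto the
# possible blockers: traffic dropped (ISP / router / host firewall), nothing
# listening (no vhost), or a listener that is not a web server.
HOST = "mail.violetdragonsnetwork.co.uk"                     # hostname from the thread
PATH = "/.well-known/acme-challenge/diag-probe-constructed"  # constructed token
TIMEOUT = 10.0                                               # the checker gave up after ~10 s


def probe_http01(host=HOST, path=PATH, timeout=TIMEOUT, connect=socket.create_connection):
    """Return (verdict, explanation) for GET http://host/path.

    `connect((host, 80), timeout)` must return a socket-like object; it is a
    parameter (assumption, for offline testing), real by default."""
    try:
        sock = connect((host, 80), timeout)
    except (socket.timeout, TimeoutError):
        # No SYN-ACK at all: packets are dropped before any listener. This is
        # certbot's 'Timeout during connect (likely firewall problem)'.
        return "timeout", "port 80 filtered: ISP, router/NAT rule or host firewall drops traffic"
    except ConnectionRefusedError:
        # TCP RST: the host is reachable but nothing is bound to :80.
        return "refused", "host reachable but no web server listens on port 80 (add a vhost)"
    except OSError as exc:
        return "error", f"connect failed: {exc}"
    try:
        sock.settimeout(timeout)
        sock.sendall(f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode())
        head = b""
        while b"\r\n" not in head and len(head) < 4096:   # read just the status line
            chunk = sock.recv(1024)
            if not chunk:
                break
            head += chunk
    finally:
        sock.close()
    parts = head.split(b" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        return "garbage", "port 80 open but the listener is not speaking HTTP"
    status = int(parts[1])
    if status == 404:
        return "ok", "web server answers on port 80; a 404 for an unknown token is expected"
    if 300 <= status < 400:
        return "redirect", "port 80 redirects; fine only if the target is port 80 or 443"
    return ("ok" if status == 200 else "unexpected"), f"HTTP {status} from port 80"


if __name__ == "__main__":
    verdict, why = probe_http01()
    print(f"{verdict}: {why}")
```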

That's the reason I've created the "check-your-website" tool. It's required to use online tools to check such things, not only local checks.

And as @danb35 wrote: if the online tool can't connect to your port 80, Letsencrypt can't connect to your server -> you can't create a certificate via http validation.

PS: You can always use --manual and dns validation, if you are able to create your own TXT entries. So you can create a certificate. But if you want to automate it, then http validation is the easiest version -> a working port 80 is required.

Port 80 is not working on the server. I'm not sure where to go from here.

Then create a vHost.

Nginx -> there is a standard documentation + template you can use.
