Letsencrypt stopped auto-renewing, now expired, cannot renew

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: fe-cloud.dyndns.biz

I ran this command: 1. sudo letsencrypt renew

It produced this output: Failed to renew certificate fe-cloud.dyndns.biz with error: Some challenges have failed.
All renewals failed. The following certificates could not be renewed /etc/letsencrypt/live/fe-cloud.dyndns.biz/fullchain.pem(failure)

My web server is (include version): Apache

The operating system my web server runs on is (include version): Linux 22.04 (nextcloud)

My hosting provider, if applicable, is: self

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot) 1.21.0

Additional notes:
Letsencrypt has worked great for years. For some reason I got an email saying Letsencrypt was going to expire. I attempted to renew manually and by creating a cron job (which was already running prior to this). I could not renew, and this evening the cert expired. I have no idea how to fix this now.

Hi @jbrescher1, and welcome to the LE community forum :slight_smile:

It seems that (your ISP has or) you have blocked port 80 since your last renewal.
OR you have disabled port 80 in Apache.
Note: Port 80 is required to pass the HTTP-01 authentication challenge.

HTTP access fails:

curl -Ii http://fe-cloud.dyndns.biz/
curl: (56) Recv failure: Connection reset by peer

HTTPS access succeeds:

curl -Iik https://fe-cloud.dyndns.biz
HTTP/2 302
content-security-policy: default-src 'self'; script-src 'self' 'nonce-TTFFayt4ZFJTejFrWlFKSytyMFBxdk43WXBOWWtBcmJTZm9wZldMK21oOD06Y0N0R3RVSVpFMTRoREROenNQbzdrb1VUVGZ0aDVWL29ISkpMQ3dHZjQzND0='; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' data:; media-src *; connect-src *; object-src 'none'; base-uri 'self';
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: no-store, no-cache, must-revalidate
pragma: no-cache
...
location: https://fe-cloud.dyndns.biz/index.php/login
content-type: text/html; charset=UTF-8
date: Fri, 31 Mar 2023 05:04:18 GMT
server: Apache/2.4.52 (Ubuntu)
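The two checks made in this reply (is anything listening on port 80, and what does curl get back from the outside) turned into a small POSIX sh script, as an added example that is not part of the thread. The two helpers are testable offline: one reads an `ss -ltn` or `netstat -tln` listing and reports whether TCP port 80 is bound (narrower than `grep '\:80'`, which also matches :8080 and peer ports), the other maps a curl exit code such as the `(56)` above to the likely cause. A `--live DOMAIN` mode runs the real `ss`, `curl` and `openssl` commands; the probe path under `/.well-known/acme-challenge/` is an assumed placeholder, the listings at the bottom are constructed sample data, and the `-L -k` curl call mirrors the validator behaviour described later in the thread (it follows the redirect to HTTPS and does not validate the certificate).

```shell
#!/bin/sh
# Added example, not from the thread: helpers for diagnosing an HTTP-01
# failure where port 80 is unreachable while 443 answers. The listings
# near the bottom are constructed, not real output from the poster's host.

# True if the `ss -ltn` / `netstat -tln` listing on stdin has a socket
# listening on TCP port 80. Only the Local Address:Port column ($4) is
# checked and the port must be exactly 80, so :8080 or a peer address
# ending in 80 does not count (the header line never matches either).
port80_listening() {
    awk '$4 ~ /:80$/ { found = 1 } END { exit !found }'
}

# Map a curl exit code to the most likely cause of an HTTP-01 failure.
# Prints "<keyword>: <explanation>"; the keyword is stable for scripting.
diagnose_curl_rc() {
    case "$1" in
        0)  echo "reachable: TCP connect and HTTP response succeeded (a 404 for a probe path is fine)" ;;
        7)  echo "refused: nothing listening on :80, or a firewall REJECT rule" ;;
        28) echo "timeout: packets silently dropped (ISP block, firewall DROP, missing NAT rule)" ;;
        56) echo "reset: handshake completed but the connection was reset before any response (a firewall or NAT device in the path, or the listener closing)" ;;
        *)  echo "unknown: curl exit $1, see the EXIT CODES section of 'man curl'" ;;
    esac
}

# Live checks against a real host. They need network access and run only
# via `sh check-http01.sh --live DOMAIN`, so the offline demo below never
# touches the network. Assumption: any path under /.well-known/acme-challenge/
# reaches Apache's port-80 VirtualHost; the "probe" name is a placeholder.
live_check() {
    domain=$1
    url="http://$domain/.well-known/acme-challenge/probe"

    printf 'Local listener on :80: '
    if ss -ltn 2>/dev/null | port80_listening; then echo yes; else echo NO; fi

    printf 'Plain HTTP: '
    curl -s -o /dev/null --max-time 10 "$url"
    diagnose_curl_rc $?

    # Mimic the validator: follow the http->https redirect and ignore
    # certificate validity (-L -k), so an expired cert on 443 is not the issue.
    printf 'Following redirects, cert not validated: '
    curl -s -o /dev/null -L -k --max-time 10 "$url"
    diagnose_curl_rc $?

    # Expiry of the chain certbot installed (its standard live path).
    pem=/etc/letsencrypt/live/$domain/fullchain.pem
    if [ -r "$pem" ]; then
        printf 'Installed cert: '
        openssl x509 -noout -enddate -in "$pem"
    fi
    echo 'Note: from the server itself the request may loop back through NAT;'
    echo 'repeat the curl from an outside network before trusting "reachable".'
}

# Constructed `ss -ltn` listings to exercise the helpers offline.
SS_HTTP_AND_HTTPS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      511          0.0.0.0:80        0.0.0.0:*
LISTEN 0      511          0.0.0.0:443       0.0.0.0:*
LISTEN 0      511             [::]:80           [::]:*'

SS_HTTPS_ONLY='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      511          0.0.0.0:443       0.0.0.0:*
LISTEN 0      128        127.0.0.1:8080      0.0.0.0:*'

# Verdict for a listing passed as a string: "listening" or "not-listening".
verdict() {
    if printf '%s\n' "$1" | port80_listening; then echo listening; else echo not-listening; fi
}

echo "http+https listing: $(verdict "$SS_HTTP_AND_HTTPS")"
echo "https-only listing: $(verdict "$SS_HTTPS_ONLY")"
echo "curl rc 56 -> $(diagnose_curl_rc 56)"

case "${1:-}" in
    --live) live_check "$2" ;;
esac
```

Run it with no arguments to see the offline demo, or `sh check-http01.sh --live fe-cloud.dyndns.biz` on the server for the real checks; the "refused" vs "timeout" vs "reset" distinction is what tells a local Apache problem apart from a firewall or ISP block.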

Thanks for the reply.
I'm not sure what or when port 80 would have been blocked along the way, so I'll have to work to figure that out.
I don't think my ISP has blocked it, nor have I changed any firewall rules, so I don't think my firewall is blocking it.
I'm suspecting it somehow happened through Apache. I'll have to google around and see what the process is behind blocking/unblocking in Apache, as I'm not too familiar with that.


Try:
netstat -pant | grep '\:80'


Did you change anything? Because HTTP works fine for me now.

curl -I http://fe-cloud.dyndns.biz/

HTTP/1.1 301 Moved Permanently
Date: Fri, 31 Mar 2023 13:23:10 GMT
Server: Apache/2.4.52 (Ubuntu)
Location: https://fe-cloud.dyndns.biz/

for me too :slight_smile:


Yes. It appears a firmware update done on my firewall at some point blocked port 80 and I was unaware.

Now that I've fixed that I'm about to try to renew. Will simply renewing work as it's expired already? Never had a cert expire.

Yes. Just found a firmware update disabled port 80. About to try to renew cert again.

Yes. The validity of the cert is not checked; it can even be a self-signed cert.


Now that's a new one for me - using ACME client to renew a self-signed cert?!?!?!
[something was taken out-of-context]


Please show:
sudo certbot certificates


No, of course not :slight_smile: That was poorly stated. I was just trying to say the kind of cert you have installed on your server when getting a new cert doesn't matter. If the HTTP challenge is handled in the HTTP VirtualHost the Let's Encrypt server never sees any cert.

And, if their HTTP challenge was redirected to HTTPS and serving an expired cert, it would still work fine, as the Let's Encrypt servers do not validate the cert. In fact, even if the LE servers see a self-signed cert that is fine too. Or even one with a different domain name.


Just got it renewed. It seems the port 80 block was the root cause. Once that was fixed I was able to manually renew. I checked the cron job and it should continue to renew with no more issues.
Thanks for the quick help in getting it figured out.

I'll have to monitor this further to ensure that future FW updates do not block port 80. Not sure why that occurred.

