On my client's site I have replaced the border router (Mikrotik) with a Sophos XG firewall and made the necessary changes to the client's cPanel. I have added an additional A record, so now I have two A records for the same IP address:
museo.muzejvojvodine.org.rs
xg.muzejvojvodine.org.rs
This was done because the mail server (Postfix) had the same hostname as the A record. The new firewall is used for mail protection (among other things) and it acts as a mail server itself (built in); after checking the mail it forwards it to the existing Postfix. So now mails are accepted by xg.muzejvojvodine.org.rs, checked and forwarded to museo.muzejvojvodine.org.rs.
On the firewall I have opened port 80 temporarily and pointed it to Postfix, so now I can access the Postfix server's nginx on port 80 from outside.
Now that the existing mail certificate has expired I was trying to renew the cert, but when I execute the command:
certbot renew
I get the error message:
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (museo.muzejvojvodine.org.rs) from /etc/letsencrypt/renewal/museo.muzejvojvodine.org.rs.conf produced an unexpected error: Failed authorization procedure. museo.muzejvojvodine.org.rs (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://museo.muzejvojvodine.org.rs/.well-known/acme-challenge/FApiEpcqWTKFOxcZI25ycIubp0vGUGEJUJXilppkHCs [94.247.203.234]: "\n\n503 Service Unavailable... Service". Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/museo.muzejvojvodine.org.rs/fullchain.pem (failure)
Note that certbot can temporarily set up a built-in webserver just for this purpose. So there strictly isn't a reason to require a webserver such as Apache or nginx.
Agreed, certbot could satisfy part of that functionality.
Having port 80 accessible is another part - that is completely out of certbot control.
The "functional HTTP webserver" is mentioned that way so as to include all the necessary parts.
[but I have been accused of using too few words - and also for having used too many words]
OK, first of all, sorry Rudy ... I blocked port 80 at the end of the day ... it's open now.
Additional info: it is an ISPConfig installation with nginx as the web server. This server has been running for more than a year and everything was OK until the firewall implementation. So I guess that the server site configuration should be OK. What went wrong remains to be found.
There is a good reason why you should not start anything on a Friday.
Rudy, it was strange when I read that you can see Apache instead of nginx on port 80! I double-checked the forward rule and found that I had selected the wrong destination.
Well, when I fixed the forward rule the certbot renew command ended successfully, and after I restarted the web and mail services everything was just fine.
So, once again, it was a human error. Thanks Rudy for the valuable info that pointed me in the right direction.
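The two clues in this thread, the 503 in certbot's error output and the Server header showing Apache where nginx was expected, are exactly what a port-80 path check can surface before running `certbot renew`. The following is an added example, not code from the thread or from certbot: it parses a raw HTTP response to the http-01 challenge URL and reports whether the response would satisfy the challenge and which server software answered. The sample responses, the `nginx` expectation and the thumbprint in the key authorization are constructed for illustration; the `fetch_raw` helper is the only part that touches the network and is not needed to run the offline check.

```python
"""Offline diagnosis of an http-01 challenge response (added example, not part of the thread)."""
import socket

CHALLENGE_PATH = "/.well-known/acme-challenge/"

# Token taken from the error message in the thread; the thumbprint suffix is constructed.
TOKEN = "FApiEpcqWTKFOxcZI25ycIubp0vGUGEJUJXilppkHCs"
KEY_AUTHORIZATION = TOKEN + ".constructed-account-thumbprint"

# Constructed sample responses: what a mis-pointed forward returned (503 from
# an Apache-style responder) versus what the intended nginx web root returns.
SAMPLE_503 = (
    b"HTTP/1.1 503 Service Unavailable\r\n"
    b"Server: Apache\r\n"
    b"Content-Type: text/html\r\n\r\n"
    b"<html><body><h1>503 Service Unavailable</h1></body></html>"
)
SAMPLE_OK = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: nginx\r\n"
    b"Content-Type: application/octet-stream\r\n\r\n"
    + KEY_AUTHORIZATION.encode()
)


def parse_http_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status_code, headers, body).

    Header names are lower-cased; chunked bodies are not decoded, which is fine
    for the tiny challenge file this check is meant for.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError("not an HTTP response: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers, body


def diagnose(raw: bytes, token: str, expected_server: str = "nginx") -> dict:
    """Decide whether the response would pass http-01 and hint at what answered."""
    status, headers, body = parse_http_response(raw)
    server = headers.get("server", "")
    who = server or "unknown"
    result = {"status": status, "server": server, "ok": False, "hint": ""}
    if status != 200:
        # The thread's case: the forward reached something that cannot serve the file.
        result["hint"] = (f"HTTP {status} from '{who}': the port-80 path did not reach "
                          "a host that serves the challenge directory")
    elif not body.decode(errors="replace").strip().startswith(token + "."):
        result["hint"] = "200 but the body is not the key authorization: wrong web root or vhost"
    else:
        result["ok"] = True
        result["hint"] = "challenge file served correctly"
    if server and expected_server.lower() not in server.lower():
        result["hint"] += (f"; Server header '{server}' is not the expected "
                           f"{expected_server}: check the forward destination")
    return result


def fetch_raw(host: str, token: str, timeout: float = 10.0) -> bytes:
    """Fetch the challenge URL over plain HTTP and return the raw response bytes (network)."""
    request = (f"GET {CHALLENGE_PATH}{token} HTTP/1.1\r\nHost: {host}\r\n"
               "Connection: close\r\nUser-Agent: acme-path-check/0.1\r\n\r\n").encode()
    chunks = []
    with socket.create_connection((host, 80), timeout=timeout) as sock:
        sock.sendall(request)
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    for label, sample in (("mis-pointed forward", SAMPLE_503), ("correct forward", SAMPLE_OK)):
        print(label, "->", diagnose(sample, TOKEN))
```

To use it against a live host, place a file named after the token under the web root's `.well-known/acme-challenge/` and call `diagnose(fetch_raw("museo.muzejvojvodine.org.rs", token), token)` from outside the firewall; a non-200 status or an unexpected Server header points at the forward rule rather than at certbot.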