Move from certbot-auto to just certbot

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: stonecloud.biz

I ran this command: certbot renew --dry-run

It produced this output:


Processing /etc/letsencrypt/renewal/stonecloud.biz.conf


Account registered.
Simulating renewal of an existing certificate for stonecloud.biz and www.stonecloud.biz

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: www.stonecloud.biz
Type: connection
Detail: Fetching http://www.stonecloud.biz/.well-known/acme-challenge/MVADew7gaK7-U-_2rRPhg98xP71kZGcXegbnAc9eNPw: Error getting validation data

Domain: stonecloud.biz
Type: connection
Detail: Fetching http://stonecloud.biz/.well-known/acme-challenge/-ovbttRnJd0gkcZfU6zrHUNRRpKIfaL8ucgtQET5C3I: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Failed to renew certificate stonecloud.biz with error: Some challenges have failed.


All simulated renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/stonecloud.biz/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): Apache version 2.4.29

The operating system my web server runs on is (include version): Ubuntu 20.04

My hosting provider, if applicable, is: Google Fiber

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.18.0

This seems to be a port 80 issue. I had redirects in my setup to force everything to HTTPS. I have attempted to remove these, but testing for port 80 being open still says it's closed. I don't know if Google Fiber is blocking port 80; I can't find anything for sure on this. If this is the case, is there a way to use a different port to get the challenge to work?

Hi @kwarden Welcome to the community!

You are correct about port 80:

I don't know Google's policy on port access, but that is something that needs to be verified and corrected in order for the "challenge" to work for you.

To address the thread title "Move from certbot-auto to just certbot"

(Pretty current)
I'm wondering if you have certbot-auto installed alongside certbot...

4 Likes

I have done some additional investigating. I can hit the server on port 80 on my local network. That tells me the server is working and responding to port 80 requests. When I try to connect to my IP address from the outside world it works on 443 but not on 80. This is looking more and more like it's being blocked somewhere along the way. I have checked all my port forwards and they look correct.

I found the manual DNS verification method and got my cert updated. I would still like to know if there is a way to automate this, as the DNS method appears to be a manual-only option.

1 Like

I removed the certbot-auto per the instructions

2 Likes

OK great!
So then it's time to look at:

80/tcp  filtered http

and open it up!
I don't know if it will help, but here's what Google support has to say about it:
https://support.google.com/fiber/answer/6004732?hl=en

4 Likes
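As an added check (not code from this thread, from Certbot or from Let's Encrypt), here is a small Python probe that classifies ports 80 and 443 the way the scan above did ("filtered" meaning no answer before the timeout) and maps the result to the choice the thread arrives at: open up port 80, or move to DNS-01 with an API-capable DNS provider. The loopback demonstration and the use of the thread's hostname are assumptions of the example.

```python
"""Classify reachability of the TCP ports an ACME HTTP-01 validation depends on."""
import socket
from typing import Dict, Tuple

def probe_port(host: str, port: int, timeout: float = 3.0) -> str:
    """Return 'open', 'closed' or 'filtered' for host:port, the distinction a
    port scanner makes: completed handshake = open, immediate refusal (RST) =
    closed, silence until the timeout = filtered (what an ISP block looks like)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:         # alias of TimeoutError on Python 3.10+
        return "filtered"
    except OSError as exc:         # e.g. no route to host; report, do not guess
        return f"error: {exc.strerror or exc}"

def http01_readiness(host: str, timeout: float = 3.0) -> Dict[int, str]:
    """HTTP-01 always starts on port 80; 443 is probed too so the result can
    separate 'host is down' from 'only port 80 is blocked'."""
    return {port: probe_port(host, port, timeout) for port in (80, 443)}

def explain(results: Dict[int, str]) -> str:
    """Map the probe results to the decision the thread arrives at."""
    p80, p443 = results[80], results[443]
    if p80 == "open":
        return "Port 80 reachable: HTTP-01 validation can proceed."
    if p80 == "filtered" and p443 == "open":
        return ("Only port 80 is blocked upstream: open or forward it, or switch "
                "to DNS-01, which needs an API-capable DNS provider and a plug-in.")
    if p80 == "closed":
        return "Port 80 answers but nothing listens: check the web server's Listen 80."
    return "Host unreachable on both 80 and 443: check DNS, forwarding and the server."

def demo_on_loopback() -> Tuple[str, str]:
    """Constructed demonstration: an ephemeral loopback port reads 'open' while a
    listener is bound to it and 'closed' once the listener is gone."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    while_listening = probe_port("127.0.0.1", port)
    srv.close()
    return while_listening, probe_port("127.0.0.1", port)

if __name__ == "__main__":
    print(demo_on_loopback())                      # ('open', 'closed')
    host = "stonecloud.biz"                        # the thread's domain; use your own
    print(explain(http01_readiness(host)))
```

Run it from outside your own network (a phone on mobile data, a cheap VPS) as well as from the LAN, since the thread's symptom was exactly that port 80 answered locally but was filtered from the Internet.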

Not exactly; you will need to use a DSP that supports API updates and an ACME client with a plug-in that covers that DSP.
I see that you are using NO-IP; I think they do support API updates:

nslookup -q=ns stonecloud.biz
stonecloud.biz  nameserver = ns1.no-ip.com
stonecloud.biz  nameserver = ns2.no-ip.com
stonecloud.biz  nameserver = ns3.no-ip.com
stonecloud.biz  nameserver = ns4.no-ip.com
stonecloud.biz  nameserver = ns5.no-ip.com
3 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.