Need settings for a firewall rule for certbot on Windows

My domain is: multiple different domains

I ran this command: certbot renew --dry-run

It produced this output: Failed to renew certificate <whatever-domain.com> with error: HTTPSConnectionPool(host='acme-staging-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x04998D48>: Failed to establish a new connection: [WinError 10013] An attempt was made to access a socket in a way forbidden by its access permissions'))

My web server is (include version): Apache 2.4.54

The operating system my web server runs on is (include version): WS 2016

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.24.0

I followed recommendations found in a couple of posts here, to drill a hole in the firewall on this host. I added a rule for C:\Program Files(x86)\Certbot\bin\certbot.exe, to allow any outbound TCP connections on port 443. The error persisted. I allowed connections over any protocol. Same error. Only when I lift the firewall for outbound does certbot connect.
I need the information on which specific settings are required for certbot, in Windows firewall, because I cannot allow outbound connections for anything to anything.

Doesn't your firewall show the attempts it blocked? Then you could see exactly what is needed.

You could also look in the certbot log file for all of the connections it tries. It mostly uses a POST request but I believe just one GET request. Mostly on HTTPS (to the acme-v02 api endpoints) but at least one on HTTP (to r3.o.lencr.org for revocation check).

I don't use that firewall myself so if this is not helpful you'll have to wait for someone else to answer.

3 Likes

Mike,
As you can see, my problem description covers your suggestions. It does not work.

Except for these:

  1. Doesn't the firewall have a log showing the thing blocked? Maybe like this

  2. Doesn't the Let's Encrypt log show where it stopped? Try adding -vv on the certbot command might help to see details. Compare a failing one to the one that worked if need be.

I'm just suggesting ways you can discover the exact failing item yourself.

What are the contents of the certbot renewal conf file for that domain? Mostly just interested in the authenticator and installer values (if any).

3 Likes

It has, it does, but it does not help. Both URLs found in the logs are allowed on the FW, like I said in the OP, but it still does not work. The problem may be in the EXE name or in something else, I have no idea.

Re-enable windows firewall as normal, ensure you are allowing outgoing https (TCP port 443), don't attempt to limit it based on IP. If you then can't browse to https://acme-v02.api.letsencrypt.org/directory using the server web browser, reboot the machine. Windows Firewall is sometimes quite "sticky" and doesn't always immediately do what you tell it.

4 Likes

I must limit by the EXE. I had used that which you wrote, for C:\Program Files(x86)\Certbot\bin\certbot.exe and got the error. Is it the wrong EXE? Does certbot.exe shell out to some other EXE, for its HTTPS connection to your servers?

That's a good question, I don't know. I develop https://certifytheweb.com which is a very different client for windows, so I'm not that familiar with the certbot internals. I do know it's Python, so have a look in C:\Program Files (x86)\Certbot\Python - you probably have to allow those exes as well.

Note that the latest release of certbot on windows is the 64-bit version (Releases · certbot/certbot · GitHub); not sure why the instructions still point to the old 32 bit one.

4 Likes

Yes, I had figured out that it is Python which needs to be used for EXE.

1 Like
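The thread's two practical points are (a) turn on the firewall's dropped-packet log so a blocked attempt is visible, and (b) a per-program outbound rule has to name the process that actually opens the socket, which for Certbot on Windows is the bundled Python interpreter, not only certbot.exe. The PowerShell below is an added example, not code from the thread or from the Certbot project. It assumes Certbot is installed under C:\Program Files (x86)\Certbot (the path used in the thread) with the interpreter in the Python subfolder (as the reply above says), that the firewall log is at its default location, and that the rule display names are ones invented here; it must be run from an elevated prompt.

```powershell
# Added example (not from the thread): per-executable outbound rules for Certbot on Windows.
# Assumptions: Certbot lives under "C:\Program Files (x86)\Certbot" (path from the thread),
# the bundled interpreter is in its "Python" subfolder, the rule names are made up here,
# and the log path is the Windows default. Run as Administrator.

$CertbotRoot = 'C:\Program Files (x86)\Certbot'
$LogFile     = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"

# 1. Log dropped packets on every profile so a blocked renewal attempt leaves a trace.
Set-NetFirewallProfile -Profile Domain,Private,Public -LogBlocked True -LogFileName $LogFile

# 2. Enumerate every executable Certbot can run: certbot.exe plus the bundled Python.
#    Windows matches program rules on the process image, so certbot.exe launching
#    python.exe needs a rule for python.exe, which is what the thread concluded.
$Exes = Get-ChildItem -Path "$CertbotRoot\bin", "$CertbotRoot\Python" -Filter *.exe -Recurse -ErrorAction SilentlyContinue

# 3. One outbound rule per executable, limited to the two ports the ACME flow needs:
#    443 (acme-v02 / staging API over HTTPS) and 80 (the r3.o.lencr.org check named above).
foreach ($exe in $Exes) {
    $name = "Certbot outbound ($($exe.Name))"
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name `
            -Direction Outbound -Action Allow -Enabled True -Profile Any `
            -Program $exe.FullName -Protocol TCP -RemotePort 443,80 | Out-Null
    }
}

# 4. Review what was created: rule name next to the program path it is bound to.
Get-NetFirewallRule -DisplayName 'Certbot outbound*' |
    Get-NetFirewallApplicationFilter |
    Select-Object -Property Program

# 5. After the next "certbot renew --dry-run", list recent DROP entries for ports 443/80.
#    Log columns are: date time action protocol src-ip dst-ip src-port dst-port ...
#    The log does not record the process path, so pair it with the -vv certbot output.
Select-String -Path $LogFile -Pattern '^\S+ \S+ DROP TCP \S+ \S+ \d+ (443|80) ' -ErrorAction SilentlyContinue |
    Select-Object -Last 20
```

Step 3 keeps the rules per-program and per-port rather than opening 443 for everything, which matches the constraint stated in the original question. If a DROP line still appears after the rules exist, the reply above about Windows Firewall being "sticky" applies: confirm the rule's program path matches the image Windows actually launched (the 64-bit release installs under a different root than the 32-bit one) and, failing that, reboot before changing anything else.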
