Only one domain on multiple virtualhosts doesn't issue / status pending

My domain is: bip.pawlowice.pl

I ran this command: certbot -d bip.pawlowice.pl -d www.bip.pawlowice.pl --no-redirect

It produced this output: bip.pawlowice.pl - Pastebin.com

My web server is (include version): Apache/2.4.37 (Oracle Linux)

The operating system my web server runs on is (include version): Oracle Linux 8

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.22.0

On the server where we host services for clients, Certbot is running for almost 200 domains. All of them renew without any issues—except for this one. All domains are configured using CNAME records. When I tested on my own domain by adding the appropriate CNAME record, the certificate was generated without any problems. However, for the domain bip.pawlowice.pl, it doesn't work.

I did a simple debug using the -vv option, and it turns out that for the domain bip.pawlowice.pl, the status stays on "pending" the whole time. Unfortunately, I don’t know why this happens and I haven’t been able to solve it. I would appreciate your help.

Is it possible from old certbot client?

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
  Domain: bip.pawlowice.pl
  Type:   connection
  Detail: During secondary validation: 194.24.181.47: Fetching http://bip.pawlowice.pl/.well-known/acme-challenge/xygvf_bk49icvLX4XzjsdhmyIZos8Jva8wLlE8wEp7I: Timeout during connect (likely firewall problem)

Your error shows that the failure is during "secondary" validation, so the initial validation check works but when Let's Encrypt tries the check from another geographic location it fails, so make sure you're not using IP or geographic filtering.


You were right. We have an automated script on MikroTik that generates a block list from some internet sources. When I disabled it everything goes right. Thanks a lot!

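An added example, not part of any post in this thread: a Python check that takes the CA's `Detail:` line, extracts the validator address and whether the failure was at a secondary vantage point, and tests that address against an exported block list to confirm the filter is the cause. The block-list entries and function names are constructed for illustration; the thread does not say which list entry matched.

```python
import ipaddress
import re

# Pattern built from the one "Detail:" line quoted in the thread; treating the
# "During secondary validation:" prefix as optional is an assumption.
DETAIL_RE = re.compile(
    r"Detail:\s*(?P<secondary>During secondary validation:\s*)?"
    r"(?P<ip>[0-9A-Fa-f:.]+):\s*Fetching\s+(?P<url>\S+):\s+(?P<reason>.+)"
)

# Constructed block-list export: one address or CIDR per line, "#" comments.
SAMPLE_BLOCKLIST = [
    "203.0.113.0/24",
    "194.24.176.0/20   # hypothetical range pulled from a third-party feed",
    "198.51.100.7",
]

THREAD_DETAIL = (  # the CA error line as quoted in the thread
    "  Detail: During secondary validation: 194.24.181.47: Fetching "
    "http://bip.pawlowice.pl/.well-known/acme-challenge/"
    "xygvf_bk49icvLX4XzjsdhmyIZos8Jva8wLlE8wEp7I: "
    "Timeout during connect (likely firewall problem)"
)

def parse_detail(line):
    """Return validator IP, URL, reason and the secondary-validation flag."""
    m = DETAIL_RE.search(line)
    if m is None:
        return None
    return {
        "secondary": m.group("secondary") is not None,
        "ip": ipaddress.ip_address(m.group("ip")),
        "url": m.group("url"),
        "reason": m.group("reason").strip(),
    }

def matching_blocks(ip, blocklist_lines):
    """Return the block-list networks containing ip; skip comments and blanks."""
    hits = []
    for raw in blocklist_lines:
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        net = ipaddress.ip_network(entry, strict=False)
        if net.version == ip.version and ip in net:
            hits.append(net)
    return hits

if __name__ == "__main__":
    info = parse_detail(THREAD_DETAIL)
    print(info["ip"], info["secondary"], matching_blocks(info["ip"], SAMPLE_BLOCKLIST))
```

Let's Encrypt does not publish its validation addresses, so a hit here identifies which block-list source to exempt for inbound HTTP-01 traffic rather than an address to allow-list.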