Problem renewing certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: vovim.hopto.org

I ran this command: certbot -c /etc/letsencrypt/cli.ini renew --standalone --preferred-challenges http-01

It produced this output: bash-4.4# certbot -c /etc/letsencrypt/cli.ini renew --standalone --preferred-challenges http-01
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/vovim.hopto.org.conf


Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for vovim.hopto.org
Waiting for verification…
Challenge failed for domain vovim.hopto.org
http-01 challenge for vovim.hopto.org
Cleaning up challenges
Attempting to renew cert (vovim.hopto.org) from /etc/letsencrypt/renewal/vovim.hopto.org.conf produced an unexpected error: Some challenges have failed… Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/vovim.hopto.org/fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/vovim.hopto.org/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:

  • The following errors were reported by the server:
    Domain: vovim.hopto.org
    Type: connection
    Detail: Fetching
    http://vovim.hopto.org/.well-known/acme-challenge/_sAifYraHXKuJVQ0aV8LdHOyyz6_mTlOmDRMHMfRH_A:
    Timeout during connect (likely firewall problem)
    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.
bash-4.4# ls -l /var/log/letsencrypt/letsencrypt.log
-rw-r--r-- 1 root root 28737 Oct 22 11:30 /var/log/letsencrypt/letsencrypt.log

My web server is (include version): Apache (httpd-2.4.29-x86_64-2)

The operating system my web server runs on is (include version): Linux Slackware 14.2

My hosting provider, if applicable, is: none

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.39.0

The debug log is at https://pastebin.com/wE4kT3j8

I am trying to renew my certificate that was due for renewal on 21st October. As that date has now passed, do I need to get a new certificate?

Thanks.

Every renewal is actually also just a new cert.
So, in any case, yes, it will be brand new.

As for the "problem"...
It seems that there is no connecting to your system on port 80.
Is that blocked anywhere?

No, port 80 is not blocked. I have port forwarded ports 80 and 443 to my machine. And also for this test I disabled both my computer firewall and the router firewall.

And yet…

curl -Iki 86.130.222.87
curl: (7) Failed to connect to 86.130.222.87 port 80: Connection timed out

curl -Iki 86.130.222.87:443
curl: (7) Failed to connect to 86.130.222.87 port 443: Connection timed out

ping 86.130.222.87
PING 86.130.222.87 (86.130.222.87) 56(84) bytes of data.
^C
--- 86.130.222.87 ping statistics ---
34 packets transmitted, 0 received, 100% packet loss, time 33787ms

https://downforeveryoneorjustme.com/vovim.hopto.org
[shows DOWN too]

Sorry, we should begin at the beginning:
Can you confirm your (presumably DDNS) current IP:
Name: vovim.hopto.org
Address: 86.130.222.87

To show your current Internet IP, you can use:
curl ifconfig.me
[there are others too]

That is a bit extreme.
I would at least leave on the router firewall.

Hi, no, my external IP address is 86.130.225.5
When I do a ping of vovim.hopto.org it says (as you do) PING vovim.hopto.org (86.130.222.87).
Why are the two addresses different?

I can only assume you are using a dynamic DNS service.
And it requires some sort of agent, or script, to run that connects to their server and updates the IP associated with your name (FQDN).

Do you recall setting up an account with anyone for that name?

Perhaps there was an email with instructions?

Yes, I am with no-ip. I will check that out.

Thanks.

NP.

Until then, I tried accessing the IP you gave and it shows a different connectivity problem:
curl -Iki 86.130.225.5
curl: (7) Failed to connect to 86.130.225.5 port 80: Connection refused
curl -Iki 86.130.225.5:443
curl: (7) Failed to connect to 86.130.225.5 port 443: Connection refused

Even forcing the name to your new IP returned nothing but problems:
ping vovim.hopto.org
PING vovim.hopto.org (86.130.225.5) 56(84) bytes of data.
^C
--- vovim.hopto.org ping statistics ---
7 packets transmitted, 0 received, 100% packet loss, time 6149ms
curl -Iki vovim.hopto.org
curl: (7) Failed to connect to vovim.hopto.org port 80: Connection refused
curl -Iki vovim.hopto.org:443
curl: (7) Failed to connect to vovim.hopto.org port 443: Connection refused

So you are going to have to deal with that problem as well.
[order doesn’t really matter and both problems can be worked concurrently]

One down:
Name: vovim.hopto.org
Address: 86.130.225.5

One to go…
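The two faults worked through above (a dynamic-DNS record pointing at a stale address, and port 80 not answering from the outside) are exactly what an http-01 renewal trips over, and both can be checked before running `certbot renew`. The following pre-flight script is an added example, not code from the thread, from Certbot or from No-IP; it assumes the public IP can be fetched from ifconfig.me (the service mentioned above) and uses the addresses from this thread only as constructed test inputs. The network helpers do real lookups; `diagnose` is pure logic and separates the "timeout" case (packets dropped before the host, as in the first post) from the "refused" case (host reachable, nothing listening, which `--standalone` tolerates because it binds port 80 itself while the challenge runs).

```python
"""Pre-renewal check for an http-01 challenge: does the hostname's DNS A record
match this host's public IP, and does port 80 answer from outside?

Added example; the hostname, addresses and probe results used in the tests are
constructed from the thread, not measured.
"""
import errno
import socket
import urllib.request
from typing import Iterable, List, Tuple


def resolve_a_records(hostname: str) -> List[str]:
    """IPv4 addresses the resolver currently returns for hostname (network call)."""
    infos = socket.getaddrinfo(hostname, 80, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def public_ip(url: str = "https://ifconfig.me/ip") -> str:
    """This host's Internet-facing address as seen by an external service (assumed endpoint)."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode().strip()


def probe_tcp(ip: str, port: int = 80, timeout: float = 5.0) -> str:
    """Attempt a TCP connect and classify the outcome the way curl's errors do."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return "open"
    except socket.timeout:          # no SYN/ACK at all: dropped by a firewall or routed elsewhere
        return "timeout"
    except ConnectionRefusedError:  # host answered with RST: reachable, but no listener
        return "refused"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        raise


def diagnose(hostname: str, dns_ips: Iterable[str], my_ip: str, probe: str) -> List[Tuple[str, str]]:
    """Turn the raw observations into (code, explanation) findings; empty list means ready."""
    dns_ips = list(dns_ips)
    findings: List[Tuple[str, str]] = []
    if my_ip not in dns_ips:
        findings.append((
            "dns-mismatch",
            f"{hostname} resolves to {', '.join(dns_ips) or 'nothing'} but this host's public IP is "
            f"{my_ip}; the validation request will go to the wrong machine. Fix the dynamic-DNS "
            f"record (or the agent that is supposed to update it) before renewing.",
        ))
    if probe == "timeout":
        findings.append((
            "port80-timeout",
            "TCP connect to port 80 timed out: traffic is dropped before it reaches this host "
            "(router port-forward, upstream or host firewall, or the record points at another host).",
        ))
    elif probe == "refused":
        findings.append((
            "port80-refused",
            "TCP connect to port 80 was refused: the host is reachable but nothing is listening. "
            "That is acceptable for certbot --standalone, which opens port 80 only for the "
            "challenge, but it would break a webroot or apache-plugin renewal.",
        ))
    elif probe == "unreachable":
        findings.append(("port80-unreachable", "No route to the host; check the address and the router."))
    return findings


def preflight(hostname: str) -> List[Tuple[str, str]]:
    """Run the real checks for hostname (needs network access)."""
    dns_ips = resolve_a_records(hostname)
    my_ip = public_ip()
    # Probe the address the CA will actually connect to, i.e. what DNS says, not what we wish.
    probe = probe_tcp(dns_ips[0]) if dns_ips else "unreachable"
    return diagnose(hostname, dns_ips, my_ip, probe)


if __name__ == "__main__":
    import sys
    for code, text in preflight(sys.argv[1]):
        print(f"[{code}] {text}")
```

Run it as `python preflight.py vovim.hopto.org` from the machine that will renew; an empty result means DNS and reachability look right for an http-01 challenge, and the `port80-refused` finding is the one case where `--standalone` can still succeed.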

Hi, I changed the IP address of my hostname at no-ip.com to the actual external IP address of my machine and reran the renew command, and it has now worked O.K.

bash-4.4# certbot -c /etc/letsencrypt/cli.ini renew --standalone --preferred-challenges http-01
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/vovim.hopto.org.conf


Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for vovim.hopto.org
Waiting for verification…
Cleaning up challenges


new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/vovim.hopto.org/fullchain.pem



Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/vovim.hopto.org/fullchain.pem (success)


bash-4.4#

Thanks for your help.

I’m glad to hear that you can, and have, renewed your cert.
However, I still can’t connect to your system (even via the new IP).
Not sure if that is intentional/by design or if there remains any connectivity issues…

Nevertheless, congrats and enjoy.

Well that explains it.
You don't have a full-time webserver at that IP.

Hi, no, I don’t have a web server active at the moment.

Thanks again for your help.
