Problem renewing, challenge failed

My domain is:
cloud.prsc.org.uk

I ran this command:
/root/certbot-auto --apache -d cloud.prsc.org.uk -w /var/www/html/

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for cloud.prsc.org.uk
Waiting for verification…
Challenge failed for domain cloud.prsc.org.uk
http-01 challenge for cloud.prsc.org.uk
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: cloud.prsc.org.uk
    Type: connection
    Detail: Fetching
    http://cloud.prsc.org.uk/.well-known/acme-challenge/_OZuushaj7c-_nCHKM9dpm3gUpZJaqSXG33x-4YPsG4:
    Timeout during connect (likely firewall problem)

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

My web server is (include version): Apache/2.4.18 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 16.04.6

I can login to a root shell on my machine (yes or no, or I don’t know):yes

The version of my client is: 0 .34.0

Been asked to look into renewing the cert for this domain. Getting the above error:
** Timeout during connect (likely firewall problem)**

But ‘ufw status’ returns 'inactive’

Not sure what to try next?

also

root@sun:~# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
f2b-sshd tcp – anywhere anywhere multiport dports ssh

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain f2b-sshd (1 references)
target prot opt source destination
RETURN all – anywhere anywhere

Hi @funkytwig

your port 80 doesn’t answer or isn’t confgured ( https://check-your-website.server-daten.de/?q=cloud.prsc.org.uk ):

Domainname Http-Status redirect Sec. G
http://cloud.prsc.org.uk/
81.150.182.105 -14 10.033 T
Timeout - The operation has timed out
https://cloud.prsc.org.uk/
81.150.182.105 200 0.800 N
Certificate error: RemoteCertificateChainErrors
http://cloud.prsc.org.uk/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
81.150.182.105 -14 10.026 T
Timeout - The operation has timed out

So http-01 validation can’t work.

You have a lot of old certificates (first 2017-12-07). Perhaps you have used tls-sni-01 validation via port 443, that’s not longer supported.

Is this a home server? So your ISP blocks port 80?

Perhaps check

to use another challenge type.

Thanks for that, so I can do challenge through 443/TLS-ALPN-01 (for now). How do I do this? Not onsite so cant sort 80 today. Or is there another way of doing a challenge with certbot-auto over 443.

Read the doc but cant work out how to set challenge type in certbot-auto

Certbot doesn’t support tls-alpn-01. acme.sh does.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.