Hello,
I have a problem when testing the automatic renewal of my certificate.
Manual creation of the certificate is not a problem, but when I execute the command:
certbot-auto renew --dry-run
an error message appears:
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for mydomain.net
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (mydomain.net) from /etc/letsencrypt/renewal/mydomain.net.conf produced an unexpected error: Failed authorization procedure. mydomain.net (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://mydomain.net/.well-known/acme-challenge/8YO8FAJ98ZDiLHqoUaof3XnemDAXNQsEXWL6cPswEq0: Timeout. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/mydomain.net.net/fullchain.pem (failure)
In the access.log I have a code 200 from the Let's Encrypt servers:
Please provide the real domain name. There are a number of potential issues relating to e.g. DNS and networking that are really hard to help you with unless we know what the domain is.
Hello, thanks for your answer.
Unfortunately the domain is not accessible from the internet; it's a pre-production environment that I can't open to the internet.
However, I have allowed Let's Encrypt IPs on the firewall.
You can't whitelist Let's Encrypt IPs; the pool of IPs used by the VA is not stable and will change.
In a behind-the-firewall scenario you should use the dns-01 challenge.
What IP addresses will the Let's Encrypt servers use to validate my web server? The Let's Encrypt CA doesn't publish a list of IP addresses it uses to validate, because they may change at any time. In the future, it may validate from multiple IP addresses at once.
It’s hard to know why a timeout is being experienced without knowing the domain. It could also be AAAA records, if they exist, but a staff member may be able to check the exact reason for you once they become available.
Certbot does have support for dns-01 auto-renewal, yes, provided that your domain has its DNS hosting with a supported provider, or you can write a manual auth hook to update the TXT record (https://certbot.eff.org/docs/using.html):
--dns-cloudflare Obtain certificates using a DNS TXT record (if you are
using Cloudflare for DNS). (default: False)
--dns-cloudxns Obtain certificates using a DNS TXT record (if you are
using CloudXNS for DNS). (default: False)
--dns-digitalocean Obtain certificates using a DNS TXT record (if you are
using DigitalOcean for DNS). (default: False)
--dns-dnsimple Obtain certificates using a DNS TXT record (if you are
using DNSimple for DNS). (default: False)
--dns-dnsmadeeasy Obtain certificates using a DNS TXT record (if you
are using DNS Made Easy for DNS). (default: False)
--dns-google Obtain certificates using a DNS TXT record (if you are
using Google Cloud DNS). (default: False)
--dns-luadns Obtain certificates using a DNS TXT record (if you are
using LuaDNS for DNS). (default: False)
--dns-nsone Obtain certificates using a DNS TXT record (if you are
using NS1 for DNS). (default: False)
--dns-rfc2136 Obtain certificates using a DNS TXT record (if you are
using BIND for DNS). (default: False)
--dns-route53 Obtain certificates using a DNS TXT record (if you are
using Route53 for DNS). (default: False)