Problem with automatic certificate renewal

Hello,
I have a problem when testing the automatic renewal of my certificate.
Manual creation of the certificate is not a problem, but when I execute the command:
certbot-auto renew --dry-run

An error message appears:

Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for mydomain.net
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (mydomain.net) from /etc/letsencrypt/renewal/mydomain.net.conf produced an unexpected error: Failed authorization procedure. mydomain.net (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://mydomain.net/.well-known/acme-challenge/8YO8FAJ98ZDiLHqoUaof3XnemDAXNQsEXWL6cPswEq0: Timeout. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/mydomain.net.net/fullchain.pem (failure)

In the access.log I have a code 200 from the Let's Encrypt servers:

52.29.173.72 - - [12/Jan/2018:12:00:06 +0100] "GET /.well-known/acme-challenge/8YO8FAJ98ZDiLHqoUaof3XnemDAXNQsEXWL6cPswEq0 HTTP/1.1" 200 118 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "-"
66.133.109.36 - - [12/Jan/2018:12:00:06 +0100] "GET /.well-known/acme-challenge/8YO8FAJ98ZDiLHqoUaof3XnemDAXNQsEXWL6cPswEq0 HTTP/1.1" 200 118 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "-"

Could you help me?

Best regards

Please provide the real domain name. There are a number of potential issues relating to e.g. DNS and networking that are really hard to help you with unless we know what the domain is.

Hello, thanks for your answer.
Unfortunately the domain is not accessible from the internet, it's a pre-production environment that I can't open to the internet.
However, I have allowed Let's Encrypt ips on the firewall.

You can't whitelist Let's Encrypt IPs, the pool of IPs used by the VA is not stable and will change.

In a behind-the-firewall scenario you should use the dns-01 challenge.

What IP addresses will the Let's Encrypt servers use to validate my web server? The Let's Encrypt CA doesn't publish a list of IP addresses it uses to validate, because they may change at any time. In the future, it may validate from multiple IP addresses at once.


So far I’ve only seen 3 IPs querying my servers for renewals, I’ve allowed them on the firewall and it worked for other servers.

But is the dns method available with the command certbot-auto renew?

It’s hard to know why a timeout is being experienced without knowing the domain. It could also be AAAA records, if they exist, but a staff member may be able to check the exact reason for you once they become available.

Certbot does have support for dns-01 auto-renewal, yes, provided that your domain has its DNS hosting with a supported provider, or you can write a manual auth hook to update the TXT record (https://certbot.eff.org/docs/using.html):

  --dns-cloudflare      Obtain certificates using a DNS TXT record (if you are
                        using Cloudflare for DNS). (default: False)
  --dns-cloudxns        Obtain certificates using a DNS TXT record (if you are
                        using CloudXNS for DNS). (default: False)
  --dns-digitalocean    Obtain certificates using a DNS TXT record (if you are
                        using DigitalOcean for DNS). (default: False)
  --dns-dnsimple        Obtain certificates using a DNS TXT record (if you are
                        using DNSimple for DNS). (default: False)
  --dns-dnsmadeeasy     Obtain certificates using a DNS TXT record (if you
                        are using DNS Made Easy for DNS). (default: False)
  --dns-google          Obtain certificates using a DNS TXT record (if you are
                        using Google Cloud DNS). (default: False)
  --dns-luadns          Obtain certificates using a DNS TXT record (if you are
                        using LuaDNS for DNS). (default: False)
  --dns-nsone           Obtain certificates using a DNS TXT record (if you are
                        using NS1 for DNS). (default: False)
  --dns-rfc2136         Obtain certificates using a DNS TXT record (if you are
                        using BIND for DNS). (default: False)
  --dns-route53         Obtain certificates using a DNS TXT record (if you are
                        using Route53 for DNS). (default: False)
