Problem with certificate renew in AWS

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
www.privacyaudit.me

I ran this command:
/usr/bin/certbot-auto renew --deploy-hook 'docker restart nginx'

It produced this output:
Attempting to renew cert (privacyaudit.me) from /etc/letsencrypt/renewal/privacyaudit.me.conf produced an unexpected error: Failed authorization procedure. www.privacyaudit.me (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://www.privacyaudit.me/.well-known/acme-challenge/3RYTe56-xcWDN5Aawv-1jKetIWe4Ms3no6WB_5n66gA: Timeout during connect (likely firewall problem), privacyaudit.me (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://privacyaudit.me/.well-known/acme-challenge/HllQHIUrN19vu973bWtSipqeC9vWztB0I59jMXKYDUA: Timeout during connect (likely firewall problem). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/privacyaudit.me/fullchain.pem (failure)

My web server is (include version):
no web server, standalone

The operating system my web server runs on is (include version):
Debian 9

My hosting provider, if applicable, is:
AWS

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The problem is renewing the certificate; the error message is provided in the output above. Can anyone help me?

I will try...

Please show file:
/etc/letsencrypt/renewal/{your.domain}.conf

In the meantime, try:
/usr/bin/certbot-auto renew --standalone --deploy-hook 'docker restart nginx'

renew_before_expiry = 30 days

version = 0.27.1
archive_dir = /etc/letsencrypt/archive/privacyaudit.me
cert = /etc/letsencrypt/live/privacyaudit.me/cert.pem
privkey = /etc/letsencrypt/live/privacyaudit.me/privkey.pem
chain = /etc/letsencrypt/live/privacyaudit.me/chain.pem
fullchain = /etc/letsencrypt/live/privacyaudit.me/fullchain.pem

# Options used in the renewal process

[renewalparams]
authenticator = standalone
account = e3bcc36768d2eef824f58ad408447ab6
server = https://acme-v02.api.letsencrypt.org/directory

There were too many requests of a given type :: Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/. Skipping.
All renewal attempts failed. The following certs could not be renewed:

Limits fired…

All docker containers were down when I performed the tests. And the system's port 80 was not busy (netstat -ltnp | grep -w ':80')

Try:
/usr/bin/certbot-auto renew --dry-run --standalone --deploy-hook 'docker restart nginx'
and
/usr/bin/certbot-auto renew --dry-run --standalone --preferred-challenges tls-sni --deploy-hook 'docker restart nginx'

Did you expose port 80 to this container?
or port 443?

/usr/bin/certbot-auto renew --dry-run --standalone -

Attempting to renew cert (privacyaudit.me) from /etc/letsencrypt/renewal/privacyaudit.me.conf produced an unexpected error: Failed authorization procedure. privacyaudit.me (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://privacyaudit.me/.well-known/acme-challenge/RTbL-T_6jpmtUzzQw7BpdkHVUxGbbmaAUE248DPkQIo: Timeout during connect (likely firewall problem), www.privacyaudit.me (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://www.privacyaudit.me/.well-known/acme-challenge/yWCZ31VBi4Yyzv090wJx2wjDnctv52aBVQIe-SbQZy0: Timeout during connect (likely firewall problem). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/privacyaudit.me/fullchain.pem (failure)

/usr/bin/certbot-auto renew --dry-run --standalone --preferred-challenges tls-sni -
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
Attempting to renew cert (privacyaudit.me) from /etc/letsencrypt/renewal/privacyaudit.me.conf produced an unexpected error: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA… Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/privacyaudit.me/fullchain.pem (failure)

Yes, but all containers are down now. If necessary, I can stop the docker daemon.

port 443 is out of the question...

OK.
Follow me closely:
cd /usr/bin
/usr/bin/certbot-auto renew --dry-run --standalone

netstat -ltnp | grep -w ':443' - the same empty output, the port is not used

root@web_site:/usr/bin# /usr/bin/certbot-auto renew --dry-run --standalone
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/privacyaudit.me.conf


Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for privacyaudit.me
http-01 challenge for www.privacyaudit.me
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (privacyaudit.me) from /etc/letsencrypt/renewal/privacyaudit.me.conf produced an unexpected error: Failed authorization procedure. privacyaudit.me (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://privacyaudit.me/.well-known/acme-challenge/aC7sndlIOXQok9Vy7OGn6XR9GHK6jb28lhre9qYD0s0: Timeout during connect (likely firewall problem), www.privacyaudit.me (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://www.privacyaudit.me/.well-known/acme-challenge/jFOKqVJiPIN2ittxX8xvWvE7MDCz4Lso2mlXFvnmI-E: Timeout during connect (likely firewall problem). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/privacyaudit.me/fullchain.pem (failure)


** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/privacyaudit.me/fullchain.pem (failure)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

OK.
I’m out of ideas…

It looks like it really is a “firewall”/routing problem.
AWS runs a firewall (must allow port 80 in)
Then your server runs a firewall (must allow port 80 in)
Then your server must forward port 80 to proper docker instance (docker settings).
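The three layers listed above, turned into a small triage helper (an added example for this thread, not certbot's own code or anything from the original posts): it classifies the certbot output quoted in this thread, reads the authenticator from the renewal .conf, and names the layer to check next. Sample inputs are constructed from the messages above, with the challenge tokens replaced by placeholders.

```python
"""Triage helper for failed 'certbot renew' runs (added example; not certbot's code).
Sample inputs are constructed from the messages and .conf quoted in this thread."""
import configparser
import re

# One failed authorization per domain, separated by ", " and ended by ". Skipping."
AUTHZ_RE = re.compile(
    r"(?P<domain>[\w.-]+) \((?P<challenge>[\w-]+)\): "
    r"urn:ietf:params:acme:error:(?P<code>\w+) :: .*? :: "
    r"Fetching (?P<url>\S+): (?P<reason>.*?)(?=, [\w.-]+ \(|\. Skipping|$)")
RATE_LIMIT_RE = re.compile(r"too many (?:failed authorizations|requests)")
NO_CHALLENGE_RE = re.compile(r"does not support any combination of challenges")

def renewal_authenticator(conf_text):
    """Read 'authenticator' from a renewal .conf; keys above the first [section]
    get a dummy header so configparser accepts the certbot file layout."""
    cp = configparser.ConfigParser()
    cp.read_string("[top]\n" + conf_text)
    return cp["renewalparams"].get("authenticator", "")

def triage(output, authenticator="standalone"):
    """Classify certbot's renewal output and name the layer to check next."""
    if RATE_LIMIT_RE.search(output):
        return {"category": "rate-limit",
                "next": ["stop real renewals; use --dry-run until the cause is fixed"]}
    if NO_CHALLENGE_RE.search(output):
        return {"category": "challenge-unsupported",
                "next": ["drop --preferred-challenges and let certbot use http-01"]}
    failures = [m.groupdict() for m in AUTHZ_RE.finditer(output)]
    if not failures or not all("Timeout during connect" in f["reason"] for f in failures):
        return {"category": "authz-failed" if failures else "unknown", "failures": failures}
    # Every domain timed out: the CA never reached the validation listener at all.
    ports = sorted({443 if f["url"].startswith("https://") else 80 for f in failures})
    owner = ("certbot's standalone listener" if authenticator == "standalone"
             else "the web server that publishes the port")
    return {"category": "unreachable", "ports": ports,
            "domains": [f["domain"] for f in failures], "next": [
                f"cloud firewall (AWS security group) must allow inbound TCP {ports}",
                "host firewall (iptables/nftables) must allow the same port(s)",
                f"{owner} must be bound on the port while validation runs"]}

CERTBOT_OUTPUT = (  # constructed; challenge tokens replaced with placeholders
    "Failed authorization procedure. www.privacyaudit.me (http-01): "
    "urn:ietf:params:acme:error:connection :: The server could not connect to the "
    "client to verify the domain :: Fetching http://www.privacyaudit.me/.well-known/"
    "acme-challenge/TOKEN1: Timeout during connect (likely firewall problem), "
    "privacyaudit.me (http-01): urn:ietf:params:acme:error:connection :: The server "
    "could not connect to the client to verify the domain :: Fetching "
    "http://privacyaudit.me/.well-known/acme-challenge/TOKEN2: Timeout during "
    "connect (likely firewall problem). Skipping.")
RENEWAL_CONF = "renew_before_expiry = 30 days\n[renewalparams]\nauthenticator = standalone\n"
```

Run `triage(CERTBOT_OUTPUT, renewal_authenticator(RENEWAL_CONF))` to get the ordered checklist for the timeout seen in this thread; the same function recognises the rate-limit and tls-sni messages posted later.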

No no, our site was (and is) here, so it was accessible on ports 80 and 443. Now the certificate has expired, so the renewal process was started…

Can you test that port 80 service (turn it on) from the Internet?

Do you remember the exact command you used to get the last cert?

Yes, I have now started the docker containers with the site, and curl -v to http://privacyaudit.me/ returns a 302 status (that's OK). So port 80 is accessible from the Internet.
And no, I do not remember the exact command used to get the cert, sorry.

Was that a different container?

docker config ls
docker config inspect {config}

docker network ls
docker network inspect {name}

If you are talking about the certbot-auto script environment, it was not started from a container. It is started from the host AWS VM, where we start the docker containers.