Problem with renewal of certificates

Hey Guys!

first of all: sorry, i am not a pro with the certificate-stuff. so maybe my question will be dumb. but… i cant help it by myself.
i have a problem with the renewal of my certificate.
The certificate needs to be installed on raspbian, its used for nextcloud.

when trying to renew the certificates, the following error shows up:
Failed authorization procedure. elberthome.dnshome.de (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://elberthome.dnshome.de/.well-known/acme-challenge/TxwoH5rxd6Cm3fFAT0stlsUBOpBNyHLhLiyau3Y69cE: Error getting validation data

problem is, i deleted the .well-known folder, i had to during the nextcloud-update.
how can i generate a complete new one?
is there any help?

EDIT!

Juergen asked me to update my Thread (sorry for that!)
more information here:

my domain is: elberthome.dnshome.de

i ran this command:
certbot certonly --webroot -w /var/www/html/ -d elberthome.dnshome.de -m simonelbert@gmx.de --agree-tos

it produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Obtaining a new certificate

Performing the following challenges:

http-01 challenge for elberthome.dnshome.de

Using the webroot path /var/www/html for all unmatched domains.

Waiting for verification…

Cleaning up challenges

Failed authorization procedure. elberthome.dnshome.de (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://elberthome.dnshome.de/.well-known/acme-challenge/TxwoH5rxd6Cm3fFAT0stlsUBOpBNyHLhLiyau3Y69cE: Error getting validation data

my webserver is: nextcloud

my operating system is: raspbian

i can login to a root shell on my machine: yes

Thank you in Advance!!

warm (cold) regards from germany,

Simon

Hi @noomiis

please answer all of the following questions:

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

–

Moved to “Help”, there is this template.

Hi @JuergenAuer,

sorry for that, i just edited my post.

Thank you!

Your server is invisible ( https://check-your-website.server-daten.de/?q=elberthome.dnshome.de ):

The first and the second timeout aren't critical.

But Certbot creates a file under /.well-known/acme-challenge, Letsencrypt want's to fetch this file.

A timeout -> validation can't work.

Is there a firewall? Or a wrong router setting router port 80 -> server port 80?

i just tried the same check:

name “elberthome.dnshome.de” is domain, public suffix is “dnshome.de”
A good: All ip addresses are public addresses
A good: No asked Authoritative Name Server had a timeout
A DNS: “Name Error” means: No www-dns-entry defined. This isn’t a problem
A Good: Nameserver supports TCP connections: 1 good Nameserver
A Good: Nameserver supports Echo Capitalization: 1 good Nameserver
A Good: Nameserver supports EDNS with max. 512 Byte Udp payload, message is smaller: 1 good Nameserver
A Duration: 43554 milliseconds, 43.554 seconds

where do you see, that the server is invisible?
when you open the link https://elberthome.dnshome.de, and confirm the certificate-warning, you will get to the nextcloud-login. so i think the router / firewall works fine.

i used to renew the certificate with the command ./letsencrypt-auto, and that worked fine for 2 years.

i think the error is anywhere in the .well-known directory, and because i deleted it.

You may have used tls-sni-validation (via port 443).

But tls-sni-validation is deprecated, support ends 2019-02-13.

So Certbot switches to http - validation.

Then an open port 80 + http is required.

Your port 80 is closed or doesn't answer.

The tool ( https://check-your-website.server-daten.de/?q=elberthome.dnshome.de ) should see a http status 404 - not found.

But not a timeout.

I have the same problem – certificates stopped renewing after having auto-renewed for an extended period – and port 80 was not open. I’ve opened the port, but do I need to do anything else? I don’t have a webserver installed. Thanks.

[This should have been a separate topic]

What is your renewal process?
What is your domain name?
Can you verify that port is allowed and reaches your server?

I apologize for not creating a new topic – I thought it belonged here because I was getting the same error message.

Looking at the date on my certs, they were renewed tonight. Thanks again for the fantastic support culture on this forum.

Hi Juergen,

you were right --> opening port 80 solved the “mystery”
Certificate is renewed, everything works fine.

Thank you very much for you quick and great support!

Warm regards,

Simon

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.