Renew: Certbot failed

ChristianHerber · November 22, 2022, 1:46pm

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: tangaradaserra.mt.gov.br

I ran this command: certbot

It produced this output:

Requesting a certificate for tangaradaserra.mt.gov.br

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
** Domain: tangaradaserra.mt.gov.br**
** Type: connection**
** Detail: 177.190.246.22: Fetching http://tangaradaserra.mt.gov.br/.well-known/acme-challenge/p2637axetadVT1QkFyxWsc284oITJmzcwfel9RlI1xY: Timeout during connect (likely firewall problem)**

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Some challenges have failed.

My web server is (include version): Apache

The operating system my web server runs on is (include version): Ubuntu server 18.04

My hosting provider, if applicable, is: Apache 2.4.29

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.32.0

MikeMcQ · November 22, 2022, 2:24pm

Welcome to the community @ChristianHerber

The Let's Encrypt server must be able to reach your domain to confirm you control it. That request is timing out. It makes several requests from various points around the world.

I cannot reach your site from my test server in an AWS region in the US East Coast. And, the Let's Debug test site cannot reach your server either.

But, testing from other points around the world I see some connections work.

So, it looks like you have a firewall blocking certain regions or maybe just many IP addresses. You will need to remove those for the HTTP Challenge to work. Or, switch to using a DNS Challenge. The DNS Challenge is often much harder to automate.

Related topics:
Challenge Types
Best Practice Keep Port 80 Open

ChristianHerber · November 22, 2022, 5:31pm

Ports 80 and 443 are allowed in firewall.

MikeMcQ · November 22, 2022, 5:42pm

But something is blocking connections to your server.

The Let's Debug test site and Let's Encrypt servers still cannot reach your server. You need to review each part of your network connection from your server out to your ISP and check each to ensure they are not blocking connections.

Here is another test site that shows connection tests from some regions work but others fail.

Osiris · November 22, 2022, 5:42pm

But there's no connection possible:

$ sudo nmap -Pn 177.190.246.22
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-22 18:40 CET
Nmap scan report for 177.190.246.22
Host is up (0.30s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT    STATE  SERVICE
113/tcp closed ident

Nmap done: 1 IP address (1 host up) scanned in 32.96 seconds
$

MikeMcQ · November 22, 2022, 5:43pm

Not to you but some regions work as noted from the site24x7 site. Note especially an NL region failed

Osiris · November 22, 2022, 5:44pm

Jup, looks like some kind of geo-blocking.

ChristianHerber · November 22, 2022, 6:04pm

that was it, all right now, thank's.

system · December 22, 2022, 6:04pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.