Renew certificates ISP3Config debian stretch

Hello,

After a long time, my certificate renewal does not work anymore.

I did not make any changes except Debian system updates.

I use debian stretch, ISP3Config, certbot 0.28.0

Processing /etc/letsencrypt/renewal/my-domain.de.conf


Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for my-domain.de
http-01 challenge for www.my-domain.de
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (my-domain.de) from /etc/letsencrypt/renewal/my-domain.de.conf produced an unexpected error: Failed authorization procedure. my-domain.de (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: xx.xx.xx.xx: Fetching http://my-domain.de/.well-known/acme-challenge/-Wa1X8LJ2byy69HNxjRpTknHeR4V1IgptYN6WADc4Q8: Timeout during connect (likely firewall problem), www.my-domain.de (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: xx.xx.xx.xx: Fetching http://www.my-domain.de/.well-known/acme-challenge/vcRvRjs2REj3qPtskmYteqlU_YEQ5hq_zXrL5H23geI: Timeout during connect (likely firewall problem). Skipping.

Domain: www.my-domain.de
Type: connection
Detail: xx.xx.xx.xx: Fetching http://www.my-domain.de/.well-known/acme-challenge/vcRvRjs2REj3qPtskmYteqlU_YEQ5hq_zXrL5H23geI: Timeout during connect (likely firewall problem)

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you're using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.
2022-10-21 11:37:15,814:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 82, in handle_authorizations
self._respond(aauthzrs, resp, best_effort)
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 161, in _respond
self._poll_challenges(aauthzrs, chall_update, best_effort)
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 232, in _poll_challenges
raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. my-domain.de (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: xx.xx.xx.xx: Fetching http://my-domain.de/.well-known/acme-challenge/-Wa1X8LJ2byy69HNxjRpTknHeR4V1IgptYN6WADc4Q8: Timeout during connect (likely firewall problem), www.my-domain.de (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: xx.xx.xx.xx: Fetching http://www.my-domain.de/.well-known/acme-challenge/vcRvRjs2REj3qPtskmYteqlU_YEQ5hq_zXrL5H23geI: Timeout during connect (likely firewall problem)

2022-10-21 11:37:15,814:DEBUG:certbot.error_handler:Calling registered functions
2022-10-21 11:37:15,814:INFO:certbot.auth_handler:Cleaning up challenges
2022-10-21 11:37:15,814:DEBUG:certbot.plugins.webroot:Removing /usr/local/ispconfig/interface/acme/.well-known/acme-challenge/-Wa1X8LJ2byy69HNxjRpTknHeR4V1IgptYN6WADc4Q8
2022-10-21 11:37:15,815:DEBUG:certbot.plugins.webroot:Removing /usr/local/ispconfig/interface/acme/.well-known/acme-challenge/vcRvRjs2REj3qPtskmYteqlU_YEQ5hq_zXrL5H23geI
2022-10-21 11:37:15,815:DEBUG:certbot.plugins.webroot:All challenges cleaned up
2022-10-21 11:37:15,815:WARNING:certbot.renewal:Attempting to renew cert (my-domain.de) from /etc/letsencrypt/renewal/my-domain.de.conf produced an unexpected error: Failed authorization procedure. my-domain.de (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: xx.xx.xx.xx: Fetching http://my-domain.de/.well-known/acme-challenge/-Wa1X8LJ2byy69HNxjRpTknHeR4V1IgptYN6WADc4Q8: Timeout during connect (likely firewall problem), www.my-domain.de (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: xx.xx.xx.xx: Fetching http://www.my-domain.de/.well-known/acme-challenge/vcRvRjs2REj3qPtskmYteqlU_YEQ5hq_zXrL5H23geI: Timeout during connect (likely firewall problem). Skipping.
2022-10-21 11:37:15,816:DEBUG:certbot.renewal:Traceback was:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 443, in handle_renewal_request
main.renew_cert(lineage_config, plugins, renewal_candidate)
File "/usr/lib/python3/dist-packages/certbot/main.py", line 1168, in renew_cert
renewed_lineage = _get_and_save_cert(le_client, config, lineage=lineage)
File "/usr/lib/python3/dist-packages/certbot/main.py", line 116, in _get_and_save_cert
renewal.renew_cert(config, domains, le_client, lineage)
File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 318, in renew_cert
new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
File "/usr/lib/python3/dist-packages/certbot/client.py", line 335, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File "/usr/lib/python3/dist-packages/certbot/client.py", line 371, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 82, in handle_authorizations
self._respond(aauthzrs, resp, best_effort)
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 161, in _respond
self._poll_challenges(aauthzrs, chall_update, best_effort)
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 232, in _poll_challenges
raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. my-domain.de (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: xx.xx.xx.xx: Fetching http://my-domain.de/.well-known/acme-challenge/-Wa1X8LJ2byy69HNxjRpTknHeR4V1IgptYN6WADc4Q8: Timeout during connect (likely firewall problem), www.my-domain.de (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: xx.xx.xx.xx: Fetching http://www.my-domain.de/.well-known/acme-challenge/vcRvRjs2REj3qPtskmYteqlU_YEQ5hq_zXrL5H23geI: Timeout during connect (likely firewall problem)

...

Any idea?
Ralph

Does the problem repeat? Because I can see your server just fine and the Let's Debug test site says the site looks OK. Maybe it was a temporary problem?


How could you check my domain?

my-domain.de is just a placeholder.

Oh. Please don't use someone else's valid domain in your description.

The error says the Let's Encrypt server cannot reach your server. And, as the error says it is most likely a firewall. Without more info from you there is little we can say. Please complete the questionnaire as best you can including your actual domain name.

=================================

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):


--- CHANGED DOMAIN----

I ran this command:

certbot renew --cert-name hefipro.org --dry-run

Processing /etc/letsencrypt/renewal/hefipro.org.conf


Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for hefipro.org
http-01 challenge for www.hefipro.org
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (hefipro.org) from /etc/letsencrypt/renewal/hefipro.org.conf produced an unexpected error: Failed authorization procedure. hefipro.org (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: 185.158.212.136: Fetching http://hefipro.org/.well-known/acme-challenge/oIKaekkSIvxzytlTjfcGfPYxgcYtyqhBxCNa0iLk7g8: Timeout during connect (likely firewall problem), www.hefipro.org (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: 185.158.212.136: Fetching http://www.hefipro.org/.well-known/acme-challenge/dImjNy895d5CmXjKRuTBgcO1ObnuHfccKUoMZVfTzDo: Timeout during connect (likely firewall problem). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/hefipro.org/fullchain.pem (failure)


** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/hefipro.org/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)


Running post-hook command: echo '1' > /usr/local/ispconfig/server/le.restart
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

My web server is (include version):

debian stretch

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

isp3config latest version

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

certbot 0.28.0

It looks like you have a firewall blocking certain IP addresses. Let's Encrypt servers will try from various parts around the world.

I say this because:

I can see your site from my own test server and the Let's Debug connect test works

I can also see your site even if I use the Let's Encrypt user-agent (to eliminate possible known Palo Alto Networks firewall problem)

For other volunteers, Max's MSS test also succeeded.

Given all that, the most likely explanation is you have a firewall blocking the IP(s) used by the Let's Encrypt servers.
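A pre-flight check for the diagnosis above, added here as an example (it is not from the thread, ISPConfig or certbot): it classifies a certbot failure line by ACME error type, extracts the challenge URLs the CA tried, and, when given a domain, serves a throw-away token from the ISPConfig acme webroot seen in the log and lists fail2ban bans and iptables DROP/REJECT rules. It assumes curl is installed and that it runs as root on the web server.

```shell
#!/bin/sh
# Pre-flight check for a certbot webroot (http-01) renewal on an ISPConfig host.
# Assumed: ACME_WEBROOT is the ISPConfig path from the certbot log above, curl is
# installed, and the script runs as root so iptables and fail2ban can be queried.
set -u
ACME_WEBROOT=/usr/local/ispconfig/interface/acme

# Classify a certbot failure line by its ACME error type. "connection" means the
# CA never reached port 80 (firewall, or DNS pointing elsewhere); "unauthorized"
# means it connected but got the wrong content (wrong webroot path).
classify_acme_error() {
  case "$1" in
    *"acme:error:connection"*|*"Timeout during connect"*) echo connection ;;
    *"acme:error:unauthorized"*) echo unauthorized ;;
    *"acme:error:dns"*) echo dns ;;
    *) echo other ;;
  esac
}

# Print every challenge URL a failed renewal tried to fetch, one per line.
acme_fetch_urls() {
  printf '%s\n' "$1" | grep -o 'http://[^ ]*/\.well-known/acme-challenge/[A-Za-z0-9_-]*'
}

# Live check: drop a throw-away token into the webroot and fetch it through the
# public hostname with the validator's User-Agent. Returns 0 if it comes back intact.
check_challenge_path() {
  dir="$ACME_WEBROOT/.well-known/acme-challenge"
  token="preflight-$(date +%s)-$$"
  mkdir -p "$dir" && printf '%s' "$token" > "$dir/$token" || return 2
  body=$(curl -sS -m 10 -A "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" \
    "http://$1/.well-known/acme-challenge/$token")
  rm -f "$dir/$token"
  [ "$body" = "$token" ]
}

# Live check: list local rules that can drop the CA's validators. They connect
# from several addresses worldwide, so a ban on any one of them fails the order.
show_firewall_blocks() {
  if command -v fail2ban-client >/dev/null 2>&1; then
    fail2ban-client status | sed -n 's/.*Jail list:[[:space:]]*//p' | tr ',' '\n' |
      while read -r jail; do
        if [ -n "$jail" ]; then fail2ban-client status "$jail" | grep -E 'Currently banned|Banned IP list'; fi
      done
  fi
  iptables -S INPUT 2>/dev/null | grep -E -- '-j (DROP|REJECT)'
}

if [ $# -eq 1 ]; then
  check_challenge_path "$1" && echo "http-01 path OK for $1" || echo "http-01 fetch FAILED for $1: check webroot, port 80 and the rules below"
  show_firewall_blocks
fi
```

Run it as `sh preflight.sh hefipro.org` before `certbot renew --dry-run`; a token that fetches locally but a renewal that still times out points at rules blocking only the CA's source addresses.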


I have fail2ban running?

Could the provider maybe be doing some blocking themselves? It's a virtual server.

Try disabling that and see if that helps. It's possible your provider is blocking. You'd have to ask them, but I think fail2ban is more likely.


Seems to work now.

I had a lot of blocks in my iptables.

Thanks!
