Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is:
I ran this command:
sudo certbot renew
It produced this output:
Attempting to renew cert (cv.cognitivetools.com) from /etc/letsencrypt/renewal/cv.cognitivetools.com.conf produced an unexpected error: Failed authorization procedure. cv.cognitivetools.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://cv.cognitivetools.com/.well-known/acme-challenge/gP0uAaIEBjJ7QDCD_js8UX1CVhgaqblvcHR-Vmuo2VM: Timeout during connect (likely firewall problem). Skipping.
My web server is (include version):
SWI-Prolog HTTP server
The operating system my web server runs on is (include version):
Raspbian GNU/Linux 10 (buster)
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know):
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of
certbot --version or
certbot-auto --version if you're using Certbot):
While LetsEncrypt claims it cannot connect, I copied the challenge file and restored it, after which I can get it using curl from a host outside my network.
Also, when I enable debugging the web server I do get a connect and reply:
[Thread httpd@80_1] 2021-04-18 09:53:22.273 First line: GET /.well-known/acme-challenge/z9YSZmYsmtGlhkvMe-gdVGY1oxpOUIBtf5QTxjDrsWo HTTP/1.1 [Thread httpd@80_1] 2021-04-18 09:53:22.274 Header = Host: cv.cognitivetools.com User-Agent: Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org) Accept: */* Accept-Encoding: gzip Connection: close [Thread httpd@80_1] 2021-04-18 09:53:22.277 Field: [host('cv.cognitivetools.com'),user_agent('Mozilla/5.0 (compatible; Let\'s Encrypt validation server; +https://www.letsencrypt.org)'),accept([media(_4600/_4602,,1.0,)]),accept_encoding(gzip),connection(close)] [Thread httpd@80_1] 2021-04-18 09:53:22.279  get /.well-known/acme-challenge/z9YSZmYsmtGlhkvMe-gdVGY1oxpOUIBtf5QTxjDrsWo ... [Thread httpd@80_1] 2021-04-18 09:53:22.285  200 file(application/unknown,/home/pi/src/zwave/.well-known/acme-challenge/z9YSZmYsmtGlhkvMe-gdVGY1oxpOUIBtf5QTxjDrsWo); 87 bytes
This used to work fine. The system was running Jessie when it started reporting this issue. I updated the OS and all software to their latest version, but this problem remains unchanged.
The server runs behind a Turris router that forwards port 80 and 443. Turris has a dynamic distributed firewall. Just to be sure I disabled this briefly, but that doesn't make a difference (as expected because the server does connect).
Could it be an issue that the server ignores
Accept-Encoding: gzip? The replied header is
HTTP/1.1 200 OK Date: Sun, 18 Apr 2021 09:25:46 GMT Last-modified: Sun, 18 Apr 2021 08:42:33 GMT Connection: Keep-Alive Content-Length: 87 Content-Type: application/unknown
I left the challenge file on the server. Any clue is welcome ...
edit I added handling for
Accept-Encoding: gzip to the server. I can verify the compression is done and the reply header is now as below, but the behavior has not changed (still claiming it cannot connect, probably due to a firewall issue).
HTTP/1.1 200 OK Date: Sun, 18 Apr 2021 11:57:05 GMT Last-modified: Sun, 18 Apr 2021 11:56:45 GMT Connection: close Content-Length: 113 Content-Type: application/unknown Content-Encoding: gzip