For many years the renew process has worked smoothly, but suddenly it stopped working, this time on the day the certs expire, on a mail server: an EC2 (Ubuntu 16.4) instance hosted on the AWS Cloud. Nothing else has changed; I tried troubleshooting the issue by disabling the Access Control List of the VPC on the AWS Cloud, but the issue and the error message from LetsEncrypt stay the same. Any help?
I posted the system information below, followed by the error message from LetsEncrypt.
Domain: mail.ibs-llc.net
Command to renew (not using Certbot): sudo letsencrypt renew
The output: Timeout during connect (likely firewall problem).
My web server: Postfix server - 3.1.0
OS: Ubuntu 16.4
Hosting provider: AWS
Shell login: no problem (regular OS SSH, or Putty)
Version of client: not using Certbot but the command - Letsencrypt renew
======= Error Message from Encrypt ===============
Timeout during connect (likely firewall problem). To fix these errors, please make sure that your domain name was entered correctly and the DNS on A/AAAA record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you're using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.
Welcome @jzheng I moved your post to the Help section. You would have been asked to answer the questions below. Please answer as much as you can.
===============================
Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is:
I ran this command:
It produced this output:
My web server is (include version):
The operating system my web server runs on is (include version):
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know):
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
What ACME client is that, letsencrypt? I only know it as the ancient name Certbot was originally released under, many years ago. So I suspect you're actually using Certbot. Can you post the entire output of the renew command?
The question was not the name of the client, but the version of the ACME client used. However, the name of that client
Thank you Osiris! Anyhow, it won't be able to contact my domain name with the public IP. The entire output:
Domain: mail.ibs-llc.net
Type: connection
Detail: 184.73.238.111: Fetching http://mail.ibs-llc.net/.well-known/acme-challenge/Gyf99aZR60s4R8f8KbRedIu9SlbdUWB3A9O2Js3WED0:
Timeout during connect (likely firewall problem)
Timeout during connect (likely firewall problem). To fix these errors, please make sure that your domain name was entered correctly and the DNS on A/AAAA record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you're using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.
Apologies, Osiris, and here is the entire terminal copy in text:
ubuntu@ip-10-0-2-214:~$ sudo letsencrypt renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
Yeah, that's definitely Certbot. I'm wondering what the version would be; can you run sudo letsencrypt version please? Not that it's really relevant for this issue, but it's good to verify.
You're also using the standalone authenticator plugin, which is good if there's only a mailserver running.
However, I notice that your TCP port 80 is not responding at all, not even a "connection refused", which should be the response from your server if the standalone plugin wasn't running. You're probably blocking TCP port 80 in a firewall or perhaps a NAT portmap is missing.
Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
certificate.
certbot: error: unrecognized arguments: version
The firewall is set up in UFW, and ports 80 and 443 are both listed as accepting requests from anywhere. However, Nmap says port 80 is "filtered" and port 443 is "closed".
That's quite old. I hope you have Expanded Security Maintenance for your Ubuntu 16.04. I don't know if Ubuntu 16.04 has snap installed or the possibility for that, but snap is the recommended method of installing Certbot nowadays. Although if you don't have ESM, it's also probably better to upgrade your Ubuntu entirely.
Yeah, something is blocking TCP port 80. I also see a lot of open ports indeed for your mailserver, but port 80 is not getting through at all. If it isn't UFW, there must be something else blocking TCP port 80. I don't know what kind of Amazon service you have, but sometimes the control panel of the hosting service also has a firewall.
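As an added example (not code from the thread or from Certbot), here is a small Python probe that reproduces what the Let's Encrypt validation server sees when it opens TCP port 80 for the HTTP-01 challenge, and labels the outcome the way Osiris does above: a timeout means the SYN is being dropped somewhere (UFW, a cloud security group, a network ACL), while "connection refused" means the host answered but nothing such as the standalone plugin was listening. The function names and hint wording are my own.

```python
import socket

# Added diagnostic (not from the thread): classify what an external
# validation server sees when it connects to host:port for an HTTP-01
# challenge. "timeout" matches the thread's "Timeout during connect
# (likely firewall problem)"; "refused" is what the standalone plugin
# not running would look like.

HINTS = {
    "open": "port reachable; a listener accepted the TCP handshake",
    "refused": "host reachable but no listener; the standalone plugin was not "
               "running, or no web server is bound to this port",
    "timeout": "no reply at all; a host firewall, cloud security group or "
               "network ACL is dropping the connection (filtered port)",
}


def probe_tcp(host: str, port: int, timeout: float = 5.0) -> str:
    """Return 'open', 'refused', 'timeout' or 'error:<errno>' for host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:          # SYN dropped: classic filtered port
        return "timeout"
    except ConnectionRefusedError:  # RST received: nothing listening
        return "refused"
    except OSError as exc:          # DNS failure, network unreachable, ...
        return f"error:{exc.errno}"


def diagnose(host: str, ports=(80, 443), timeout: float = 5.0) -> dict:
    """Probe each port and attach the hint a defender would act on."""
    report = {}
    for port in ports:
        result = probe_tcp(host, port, timeout)
        report[port] = (result, HINTS.get(result, "unexpected socket error"))
    return report


def open_local_listener():
    """Bind a loopback listener on an ephemeral port (used for self-testing)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    import sys
    target = sys.argv[1]  # your own hostname, e.g. the mail server's FQDN
    for port, (result, hint) in diagnose(target).items():
        print(f"{target}:{port} -> {result}: {hint}")
```

Run it from a machine outside the VPC; a "timeout" on port 80 while the UFW rules look correct points at a security group or ACL rather than the host, which is the ordering of checks Osiris suggests.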
Those are great pieces of advice, and thank you so much, Osiris!
I will try to examine those topics one after another; and in the worst case, I am going to rebuild the Postfix server with the latest and greatest!
Thanks again, Osiris!