Renew process suddenly stops working on Postfix server

After so many years of working smoothly, the same renew process has suddenly stopped working, this time on the day the certs expire, on a mail server, an EC2 (Ubuntu 16.04) instance hosted on the AWS Cloud. Nothing else has changed; I tried troubleshooting the issue by disabling the Access Control List of the VPC on the AWS Cloud, but the issue and the error message from Let's Encrypt stay the same. Any help?

I have posted the system information below, followed by the error message from Let's Encrypt.

Domain: mail.ibs-llc.net
Command to renew (not using Certbot): sudo letsencrypt renew
The output: Timeout during connect (likely firewall problem).
My web server: Postfix server - 3.1.0
OS: Ubuntu 16.04
Hosting provider: AWS
Shell login: no problem (regular OS SSH, or Putty)
Version of client: not using Certbot but the command "letsencrypt renew"

======= Error Message from Let's Encrypt ===============

Timeout during connect (likely firewall problem). To fix these errors, please make sure that your domain name was entered correctly and the DNS on A/AAAA record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you're using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.

=====================
Thank you, guys!

  • James

Welcome @jzheng, I moved your post to the Help section. You would have been asked to answer the questions below. Please answer as much as you can.

===============================

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):


What ACME client is that, letsencrypt? I only know it as the ancient name Certbot was originally released under, many years ago. So I suspect you're actually using Certbot. Can you post the entire output of the renew command?

The question was not the name of the client, but the version of the ACME client used. However, the name of that client :wink:

Thank you, Osiris! Anyhow, it won't be able to contact my domain name with the public IP. The entire output:

Domain: mail.ibs-llc.net
Type: connection
Detail: 184.73.238.111: Fetching
http://mail.ibs-llc.net/.well-known/acme-challenge/Gyf99aZR60s4R8f8KbRedIu9SlbdUWB3A9O2Js3WED0:
Timeout during connect (likely firewall problem)
Timeout during connect (likely firewall problem). To fix these errors, please make sure that your domain name was entered correctly and the DNS on A/AAAA record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you're using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.

That still looks like just the output from the ACME server.

I really would like to see the entire terminal contents including the part where you say sudo letsencrypt renew and the ultimate last part.

(Mainly so I can recognise which client is being used, hopefully.)

Apologies, Osiris, and here is the entire terminal copy in text:
ubuntu@ip-10-0-2-214:~$ sudo letsencrypt renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/mail.ibs-llc.net.conf


Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for imap.artistsgalleries.com
http-01 challenge for imap.ibs-llc.net
http-01 challenge for lmtp.artistsgalleries.com
http-01 challenge for lmtp.ibs-llc.net
http-01 challenge for mail.artistsgalleries.com
http-01 challenge for mail.ibs-llc.net
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (mail.ibs-llc.net) from /etc/letsencrypt/renewal/mail.ibs-llc.net.conf produced an unexpected error: Failed authorization procedure. mail.ibs-llc.net (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: 184.73.238.111: Fetching http://mail.ibs-llc.net/.well-known/acme-challenge/n-j1eIn9VeGs61GxPWSU03FerGcioXQ8fLEvX2mpWjc: Timeout during connect (likely firewall problem), imap.ibs-llc.net (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: 184.73.238.111: Fetching http://imap.ibs-llc.net/.well-known/acme-challenge/KRFd8SJ-0gh-Rz8J64mejBw9Lx3LvMuLER4irAw515A: Timeout during connect (likely firewall problem), lmtp.ibs-llc.net (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: 184.73.238.111: Fetching http://lmtp.ibs-llc.net/.well-known/acme-challenge/SO7ccHgMm6lChaQ-z4dvSrHlAJWdFCJ8yDC6naefhkA: Timeout during connect (likely firewall problem). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/mail.ibs-llc.net/fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/mail.ibs-llc.net/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

ubuntu@ip-10-0-2-214:~$

Yeah, that's definitely Certbot. I'm wondering what the version would be, can you run sudo letsencrypt version please? Not that it's really relevant for this issue, but it's good to verify.

You're also using the standalone authenticator plugin, which is good if there's only a mailserver running.

However, I notice that your TCP port 80 is not responding at all, not even a "connection refused", which should be the response from your server if the standalone plugin wasn't running. You're probably blocking TCP port 80 in a firewall or perhaps a NAT portmap is missing.

Thanks!

Do you think that installing a "clean certbot" would be worth a try and solving the issue?

Here is the output from running: sudo letsencrypt version

ubuntu@ip-10-0-2-214:~$ sudo letsencrypt version
usage:
certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
certificate.
certbot: error: unrecognized arguments: version

ubuntu@ip-10-0-2-214:~$


No, I don't think so, but it's a good idea to keep the software up to date.

The thing that is giving you issues is your firewalled-off TCP port 80, see above. That's not within the realm of Certbot's influence.

Uch, sorry, it's --version, my bad.


ubuntu@ip-10-0-2-214:~$ sudo letsencrypt --version
certbot 0.27.0
ubuntu@ip-10-0-2-214:~$

The firewall is set up in UFW, and ports 80 and 443 are both listed as accepting requests from anywhere. However, Nmap says port 80 is "filtered" and port 443 is "closed".

That's quite old. I hope you have Expanded Security Maintenance for your Ubuntu 16.04. I don't know if Ubuntu 16.04 has snap installed or the possibility for that, but snap is the recommended method of installing Certbot nowadays. Although if you don't have ESM, it's also probably better to upgrade your Ubuntu entirely.

Yeah, something is blocking TCP port 80. I also see a lot of open ports indeed for your mailserver, but port 80 is not getting through at all. If it isn't UFW, there must be something else blocking TCP port 80. I don't know what kind of Amazon service you have, but sometimes the control panel of the hosting service also has a firewall.

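The two replies above hinge on one distinction: the ACME server's `http-01` fetch on TCP port 80 times out (nmap "filtered") rather than being refused (nmap "closed"), while the host's own UFW rules allow the port. The following is an added example, not code from the thread or from Certbot, that puts that diagnosis into a script: it parses the "Failed authorization procedure" line Certbot printed (the sample is a trimmed copy of the output posted above), checks that the A/AAAA record points at the IP Let's Encrypt tried, and classifies a TCP connect to port 80 the way nmap does. Only the standard library is used; the strings returned by `likely_layer()` and the AWS-specific interpretation of "filtered outside the host" (EC2 security group or VPC network ACL) are this example's assumptions, not output from any tool on the page.

```python
"""Diagnose a Certbot http-01 'Timeout during connect' renewal failure.

Added example for the thread above; not Certbot's own code.
"""
import errno
import socket
import re

# One "<domain> (<challenge>): <acme error> :: <text> :: <ip>: Fetching <url>: <detail>"
# entry. Certbot joins several with ", " and ends the last one with ". Skipping."
ENTRY_RE = re.compile(
    r"(?P<domain>[A-Za-z0-9.-]+) \((?P<challenge>[a-z0-9-]+)\): "
    r"(?P<error>urn:ietf:params:acme:error:\w+) :: .*? :: "
    r"(?P<ip>[0-9A-Fa-f.:]+): Fetching (?P<url>https?://\S+?): "
    r"(?P<detail>.+?)(?=, [A-Za-z0-9.-]+ \([a-z0-9-]+\): |\. Skipping\.|$)"
)

# Trimmed copy of the failure line posted in the thread (two of the three entries).
SAMPLE_FAILURE = (
    "Attempting to renew cert (mail.ibs-llc.net) from "
    "/etc/letsencrypt/renewal/mail.ibs-llc.net.conf produced an unexpected error: "
    "Failed authorization procedure. mail.ibs-llc.net (http-01): "
    "urn:ietf:params:acme:error:connection :: The server could not connect to the "
    "client to verify the domain :: 184.73.238.111: Fetching "
    "http://mail.ibs-llc.net/.well-known/acme-challenge/n-j1eIn9VeGs61GxPWSU03FerGcioXQ8fLEvX2mpWjc: "
    "Timeout during connect (likely firewall problem), imap.ibs-llc.net (http-01): "
    "urn:ietf:params:acme:error:connection :: The server could not connect to the "
    "client to verify the domain :: 184.73.238.111: Fetching "
    "http://imap.ibs-llc.net/.well-known/acme-challenge/KRFd8SJ-0gh-Rz8J64mejBw9Lx3LvMuLER4irAw515A: "
    "Timeout during connect (likely firewall problem). Skipping."
)


def parse_certbot_failure(text):
    """Return one dict (domain, challenge, error, ip, url, detail) per failed identifier."""
    return [m.groupdict() for m in ENTRY_RE.finditer(text)]


def dns_matches(domain, expected_ip):
    """True if any A/AAAA record of `domain` is `expected_ip` (needs a resolver)."""
    addrs = {ai[4][0] for ai in socket.getaddrinfo(domain, None)}
    return expected_ip in addrs


def probe_tcp(host, port, timeout=3.0):
    """Classify a TCP connect like nmap: 'open', 'closed' (RST came back),
    'filtered' (nothing came back before the timeout) or 'unreachable'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except socket.timeout:          # must precede OSError: timeout is an OSError subclass
        return "filtered"
    except ConnectionRefusedError:
        return "closed"
    except OSError as e:
        if e.errno in (errno.ENETUNREACH, errno.EHOSTUNREACH):
            return "unreachable"
        raise
    finally:
        s.close()


def likely_layer(state, host_firewall_allows):
    """Heuristic (this example's assumption): where the block most likely lives.
    'filtered' while the host firewall allows the port is the signature of a
    filter outside the host; on EC2 that is the security group or the VPC NACL.
    'closed' means the packet reached the host and nothing was listening there
    (standalone plugin not running) or a REJECT rule answered."""
    if state == "open":
        return "reachable"
    if state == "closed":
        return "host reached, nothing listening"
    if state == "filtered" and host_firewall_allows:
        return "filtered outside the host"
    if state == "filtered":
        return "filtered by the host firewall"
    return "no route"


if __name__ == "__main__":
    # Live run: resolves DNS and connects to the IPs from the failure line.
    for e in parse_certbot_failure(SAMPLE_FAILURE):
        try:
            dns = "dns ok" if dns_matches(e["domain"], e["ip"]) else "DNS MISMATCH"
        except socket.gaierror:
            dns = "DNS lookup failed"
        state = probe_tcp(e["ip"], 80)
        print(e["domain"], e["ip"], dns, "| port 80:", state,
              "->", likely_layer(state, host_firewall_allows=True))
```

Run it from a host outside the VPC, since a probe from the instance itself never crosses the security group. If the verdict is "filtered outside the host" on EC2, the next place to look is the instance's security group inbound rules for TCP 80 (for example with `aws ec2 describe-security-groups`) and the VPC network ACL on the subnet, both in the AWS console; UFW cannot see either.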

That's great advice, and thank you so much, Osiris!
I will try to examine those topics one after another; and in the worst case, I am going to rebuild the Postfix server with the latest and greatest! :slightly_smiling_face:
Thanks again, Osiris!

  • James

While I certainly recommend not running end of life software, that's probably not going to fix your port 80 issue though :slight_smile:


That really needs an update.
OR
It shouldn't be connected to/from the Internet.

