NEXT                         LEFT           LAST                         PASSED   UNIT           ACTIVATES
Sat 2022-04-23 05:03:26 +03  2h 25min left  Fri 2022-04-22 16:09:23 +03  10h ago  certbot.timer  certbot.service
This is what I found in the systemctl timers list... it's automatically trying for renewal, I think... so I will wait until the 29th or 30th of April... then the result will come, if I am not wrong.
There is no reason to wait. You can (and did) test it but it failed. It will continue to fail unless you fix it. Use this command to prove your fixes worked.
Note to myself for later:
The live subdomain has never had a cert issued and has no DNS entry.
But, the press subdomain redirects to it at least in some cases.
HTTP authenticated renewals will only require HTTP.
HTTPS should be allowed so that you can serve the secure site to the Internet (not "required" for renewals).
OR
If you redirect all HTTP to HTTPS, then you may be forcing HTTPS onto the renewal process.
Shown below is the error from above. Are you sure this is the exact error you get now?
Because your press.alwatan.com.sa domain cannot be reached. It would not be possible for it to redirect to the live.alwatan.com.sa site in the error message below.
The Let's Debug test site cannot reach your server. From my own server it looks like a firewall is blocking all access (curl times out, nmap shows filtered). Please show the error message you are getting from the renew --dry-run test now.
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for press.alwatan.com.sa
Waiting for verification...
Challenge failed for domain press.alwatan.com.sa
http-01 challenge for press.alwatan.com.sa
Cleaning up challenges
Attempting to renew cert (press.alwatan.com.sa) from /etc/letsencrypt/renewal/press.alwatan.com.sa.conf produced an unexpected error: Some challenges have failed.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/press.alwatan.com.sa/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/press.alwatan.com.sa/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
Are you sure that domain is pointing to your actual server? It looks like some kind of network apparatus from here:
% nmap press.alwatan.com.sa -Pn
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-27 15:58 CEST
Nmap scan report for press.alwatan.com.sa (37.224.110.174)
Host is up (0.082s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT    STATE  SERVICE
179/tcp closed bgp
Nmap done: 1 IP address (1 host up) scanned in 117.90 seconds
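Added example, not part of the thread: a small Python check that separates "filtered" (no answer, as in the nmap output above) from "closed" (connection refused) for ports 80 and 443, and states what each combination means for an http-01 renewal. The function names and messages are assumptions made for this illustration; run it from a machine outside the server's own network, since a local check will not see the firewall.

```python
import errno
import socket
import sys


def probe(host, port, timeout=3.0):
    """Classify one TCP port using nmap's terms: open, closed or filtered."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"      # handshake completed, something is listening
    except ConnectionRefusedError:
        return "closed"        # host answered with RST: reachable, no listener
    except (socket.timeout, TimeoutError):
        return "filtered"      # no answer at all: packets dropped on the way
    except OSError as exc:
        # ICMP unreachable replies also point at a filtering device
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "filtered"
        raise                  # DNS failures and other errors are reported as-is


def diagnose_http01(state80, state443):
    """Map the two port states to their meaning for an http-01 challenge."""
    if state80 == "filtered":
        return "port 80 filtered: a firewall is dropping the validation request"
    if state80 == "closed":
        return "port 80 closed: host reachable but no web server is listening"
    if state443 != "open":
        return "port 80 open: http-01 works unless HTTP redirects to HTTPS"
    return "ports 80 and 443 open: http-01 works, with or without a redirect"


def check(host, timeout=3.0):
    """Probe both ports on host and return the diagnosis string."""
    return diagnose_http01(probe(host, 80, timeout), probe(host, 443, timeout))


if __name__ == "__main__":
    # Usage: python3 check_http01.py <your-domain>
    print(check(sys.argv[1]))
```

Once this reports port 80 as open from outside, `renew --dry-run` is the test that confirms the fix.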