Renew: timeout on :443

Title and output say it all, web seems to be accessible anywhere from Czech Rep.
Domain: rict.cz
Command: sudo certbot renew (ver: 0.19.0-1, updated from buster rep.)
Webserver: nginx/1.10.3, no wordpress
OS: Linux 4.9.0-4-armmp-lpae #1 SMP Debian (Stretch) 4.9.51-1 (2017-09-28) armv7l GNU/Linux
Root: yes
Output: Processing /etc/letsencrypt/renewal/rict.cz.conf

Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Attempting to renew cert (rict.cz) from /etc/letsencrypt/renewal/rict.cz.conf produced an unexpected error: HTTPSConnectionPool(host='acme-v01.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by ConnectTimeoutError(<requests.packages.urllib3.connection.VerifiedHTTPSConnection object at 0xb6ac34f0>, 'Connection to acme-v01.api.letsencrypt.org timed out. (connect timeout=45)')). Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/rict.cz/fullchain.pem (failure)

Looks like that is not a failure to connect to your site, but rather a failure of your server to connect to the Let’s Encrypt API. Do you have a firewall blocking outgoing connections?

Both ip(6)tables in both mangle/filter tables have the OUTPUT policy set to ACCEPT

Well, it’s working from here and there’s no known outage reported https://letsencrypt.status.io/ currently. Can you access https://acme-v01.api.letsencrypt.org/directory from your server via curl/wget etc?

Without problem, but you were right about iptables (I have such strict rules…), next error:

Attempting to renew cert (rict.cz) from /etc/letsencrypt/renewal/rict.cz.conf produced an unexpected error: Failed authorization procedure. rict.cz (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://rict.cz/.well-known/acme-challenge/1Kr2fvl5N5YPXtCA7n6LyztA_r1zsY20AnLIYltpG2Y: Timeout, www.rict.cz (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://www.rict.cz/.well-known/acme-challenge/PvoBn628AKRZMK8eiwislWbih-XE4yF9dLJLG0zt8aM: Timeout. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/rict.cz/fullchain.pem (failure)

I dunno why my server replies with forbidden…
Is it ok to have redirect from :80 to :443 ssl?

location ~ /.well-known/ {
    try_files $uri $uri/ =404;
}

Edit: it responds with 404 on /.well-known/acme-challenge/

It’s fine to redirect from 80 to 443. I’m not familiar enough with nginx to know if your configuration is correct. But the error message you got seems to indicate that the validation server didn’t even get as far as the 404… which might possibly indicate a firewall issue again? Possibly specific to ipv6 as that’s what the validation server uses if you have an aaaa record.

A post was split to a new topic: Timeout fetching HTTP-01 challenge

The LE error is not 404; it is timeout on port 80.
You can't redirect from 80 to 443 when 80 is blocked.
The server could not connect to the client to verify the domain :: Fetching http://www.rict.cz/.well-known/acme-challenge/PvoBn628AKRZMK8eiwislWbih-XE4yF9dLJLG0zt8aM: Timeout. Skipping.

I do see 404 from my systems...
As the site has multiple redirects (302 and 301 - see below) I would try placing a test.txt (with minimal content) file at:
http://www.rict.cz/.well-known/acme-challenge/test.txt
and if different location also at:
https://www.rict.cz/.well-known/acme-challenge/test.txt
I think the second redirect may be causing a problem.

MULTIPLE REDIRECTS:
wget http://www.rict.cz/
--2017-10-12 22:45:53-- http://www.rict.cz/
Resolving www.rict.cz (www.rict.cz)... 93.153.32.250, 2001:1ae9:5a:cd00:8e:4ff:fe03:2f6
Connecting to www.rict.cz (www.rict.cz)|93.153.32.250|:80... connected.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: https://rict.cz/ [following]
--2017-10-12 22:45:58-- https://rict.cz/
Resolving rict.cz (rict.cz)... 93.153.32.250, 2001:1ae9:5a:cd00:8e:4ff:fe03:2f6
Connecting to rict.cz (rict.cz)|93.153.32.250|:443... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://rict.cz/index.html [following]
--2017-10-12 22:45:59-- https://rict.cz/index.html
Reusing existing connection to rict.cz:443.
HTTP request sent, awaiting response... 200 OK
Length: 125 [text/html]
Saving to: ‘index.html’

And as the site already has a valid cert (expiring soon), you could probably just use HTTPS auth and avoid (at least one of) the redirections.

These redirects are correct and well tested. So I can redirect http:80 to https:443 except for the /.well-known/acme-challenge/ location? Because on http:80 there is just a location block that tests whether it’s public or home traffic and then redirects to https:443 for public or http:xxx for home traffic.
How can I change to tls-sni-01 challenge if I’m using webroot plugin?

Edit: suggested test with test.txt files works for me perfectly.

To use port 443, you could try:
--preferred-challenges tls-sni

But I'm pretty sure webroot is only http.
That said, there may be another way, try having a look at:
http://letsencrypt.readthedocs.io/en/latest/using.html
or
https://certbot.eff.org/docs/using.html

I get zero bytes:
wget http://rict.cz/.well-known/acme-challenge/test.txt
URL transformed to HTTPS due to an HSTS policy
--2017-10-13 09:17:45-- https://rict.cz/.well-known/acme-challenge/test.txt
Resolving rict.cz (rict.cz)... 93.153.32.250, 2001:1ae9:5a:cd00:8e:4ff:fe03:2f6
Connecting to rict.cz (rict.cz)|93.153.32.250|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 0 [text/plain]

Also, I see now that IPv6 is in use.
Please note that LE will prefer IPv6 over IPv4 and will not fallback to IPv4 should IPv6 fail.

I read this a while ago. I guess I would need to re-certify this, but it would be great not to have to leave the webroot plugin.

YES - that would be preferred.

It was created with touch, but is accessible. IPv6 has been online for one week without problems.

Can you add “this works” into the file and access it from the Internet via IPv6?

For the record: Even if it does work via IPv6, I still think that the way you have implemented the multiple redirects is part of the problem.
But maybe you can avoid all that by excluding /.well-known/acme-challenge/ from the redirection.
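To check by hand what this thread keeps circling around (the test.txt probe, the redirect chain, and IPv6 versus IPv4 reachability), here is an added POSIX shell script; it is not from the thread or from certbot, and the domain argument, probe file name and expected content are assumptions you set yourself.

```shell
#!/bin/sh
# Probe a challenge-style path over IPv4 and IPv6 separately, following the
# redirect chain the way an external validator would (curl does not apply
# HSTS, so unlike the wget run earlier in the thread it starts from plain http).
# Assumed: you created PROBE_FILE yourself under
# <webroot>/.well-known/acme-challenge/ with the content in EXPECTED.
PROBE_FILE="${PROBE_FILE:-test.txt}"
EXPECTED="${EXPECTED:-this works}"

challenge_url() {                      # challenge_url <host>
  echo "http://$1/.well-known/acme-challenge/$PROBE_FILE"
}

# classify <curl exit code> <http status> <body> -> prints a verdict
classify() {
  case "$1" in
    0)  ;;
    6)  echo "DNS_FAIL";     return 0 ;;  # no A/AAAA record for this family
    7)  echo "CONNECT_FAIL"; return 0 ;;  # refused/unreachable: firewall?
    28) echo "TIMEOUT";      return 0 ;;  # the symptom in the LE error above
    *)  echo "CURL_ERR_$1";  return 0 ;;
  esac
  case "$2" in
    200) [ "$3" = "$EXPECTED" ] && echo "OK" || echo "WRONG_BODY" ;;
    404) echo "NOT_FOUND" ;;             # path not served from the webroot
    *)   echo "HTTP_$2" ;;
  esac
}

# probe <-4|-6> <host> : fetch over one address family, succeed only on OK
probe() {
  url=$(challenge_url "$2"); tmp=$(mktemp); rc=0
  code=$(curl "$1" -sS -L --max-redirs 5 --max-time 20 \
           -o "$tmp" -w '%{http_code}' "$url" 2>/dev/null) || rc=$?
  body=$(cat "$tmp"); rm -f "$tmp"
  verdict=$(classify "$rc" "${code:-000}" "$body")
  echo "$1 $url -> $verdict"
  [ "$verdict" = "OK" ]
}

# usage: sh acme_probe.sh example.com   (checks apex and www, both families)
if [ $# -gt 0 ]; then
  status=0
  for host in "$1" "www.$1"; do
    probe -4 "$host" || status=1
    probe -6 "$host" || status=1       # LE prefers IPv6 when an AAAA exists
  done
  exit $status
fi
```

A TIMEOUT or CONNECT_FAIL only on the -6 line while -4 reports OK points at the IPv6 path (firewall or routing), whereas NOT_FOUND on both means the redirect or root configuration is serving the wrong tree.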

Done, just to make it clear: behind http/https and IPv4/IPv6 is still the same server (divided into http:80 and https:443, mentioned above) with the same root folder.

I do see “this works” but I’m using only IPv4…

So what is the current status of:
sudo certbot-auto renew
(not sudo certbot renew)

> sudo certbot-auto renew
sudo: certbot-auto: command not found

> sudo certbot -auto renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/rict.cz.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Could not choose appropriate plugin: The requested uto plugin does not appear to be installed
Attempting to renew cert (rict.cz) from /etc/letsencrypt/renewal/rict.cz.conf produced an unexpected error: The requested uto plugin does not appear to be installed. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/rict.cz/fullchain.pem (failure)

-------------------------------------------------------------------------------

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/rict.cz/fullchain.pem (failure)
-------------------------------------------------------------------------------
1 renew failure(s), 0 parse failure(s)

Please also show this log:
Saving debug log to /var/log/letsencrypt/letsencrypt.log