Renewal failed with "connection refused" [solved]

Hi, I have been unable to renew my SSL certificate for a domain with a currently perfectly working https connection. Let's Debug says the site is fine using http-01 or dns-01. I also temporarily stopped fail2ban before running the certbot renewal command. I haven't changed the Apache configuration file or .htaccess file since the last time I renewed the certificate successfully, and I don't see any possible firewall aside from fail2ban (which I stopped temporarily for the sake of renewal), so my case seems to be different from the ones that I found in this forum (sorry if I have overlooked something, but there are so many of these...).

Thank you very much in advance.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: paccoud.booqinez.com

I ran this command: certbot renew

It produced this output:

Processing /etc/letsencrypt/renewal/paccoud.booqinez.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for paccoud.booqinez.com and olivierpaccoud.booqinez.com

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
  Domain: olivierpaccoud.booqinez.com
  Type:   connection
  Detail: 82.64.132.53: Fetching http://olivierpaccoud.booqinez.com/.well-known/acme-challenge/E1SKGbQDspSbyiWbOBO5l2Ycn2fhAOebdPIcHPqkPRI: Connection refused

  Domain: paccoud.booqinez.com
  Type:   connection
  Detail: 82.64.132.53: Fetching http://paccoud.booqinez.com/.well-known/acme-challenge/TFzJ5nDZT9CgsV1G8rofE8yomOWktzV4jCjeZDAcQ80: Connection refused

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Failed to renew certificate paccoud.booqinez.com with error: Some challenges have failed.

All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/paccoud.booqinez.com/fullchain.pem (failure)


My web server is (include version):
apache-2.4.57-1
The operating system my web server runs on is (include version):
Arch Linux (up to date)
My hosting provider, if applicable, is: I am hosting myself

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.6.0

The "Connection refused" error message suggests your Apache wasn't running at the time of the renewal attempt, which is weird, as you're using the apache authenticator, which, I believe, should try to start Apache when it wasn't running before?

Currently I see a perfectly fine Apache on HTTP port 80. If you try to renew again, do you still get the "Connection refused" error or a different one?


Apache is/was/has been running each time I tried to renew... It is listening both on port 80 and 443

Anyhow, I tried again with

 certbot -d paccoud.booqinez.com --dry-run -v certonly

Which gave me

Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Apache Web Server plugin (apache)
2: Runs an HTTP server locally which serves the necessary validation files under
the /.well-known/acme-challenge/ request path. Suitable if there is no HTTP
server already running. HTTP challenge only (wildcards not supported).
(standalone)
3: Saves the necessary validation files to a .well-known/acme-challenge/
directory within the nominated webroot path. A seperate HTTP server must be
running and serving files from the webroot path. HTTP challenge only (wildcards
not supported). (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 1
Plugins selected: Authenticator apache, Installer apache
Simulating a certificate request for paccoud.booqinez.com
Performing the following challenges:
http-01 challenge for paccoud.booqinez.com
Waiting for verification...
Challenge failed for domain paccoud.booqinez.com
http-01 challenge for paccoud.booqinez.com

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
  Domain: paccoud.booqinez.com
  Type:   connection
  Detail: 82.64.132.53: Fetching http://paccoud.booqinez.com/.well-known/acme-challenge/pPC7Meg93NheaE1g8pj2HI38Ajj-_LyD_B4g4bamO2w: Connection reset by peer

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Cleaning up challenges
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

So this time I got "connection reset by peer" instead of "connection refused", although I made no change on my side. Would this mean anything useful?

By the way, the Apache log shows no incoming connection...

I have no clue.. I can reach your site perfectly and LetsDebug at Let's Debug also doesn't show any issues..?

Perhaps you could try the webroot plugin? (Option 3 in the list you saw earlier, or use --webroot in combination with -w followed by the document root on the command line; see User Guide — Certbot 2.6.0 documentation for more information about the webroot authenticator plugin.)

Note that the current certificate contains the hostnames olivierpaccoud.booqinez.com and paccoud.booqinez.com, but with your latest command you only selected the latter hostname using the -d option. I'd recommend including both hostnames in your next attempts. See the webroot documentation above on how to specify multiple webroots for multiple hostnames, if necessary.

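An added example (not code from this thread or from Certbot) of what the webroot authenticator does and of the fetch the CA performs, using a local Python HTTP server as a stand-in for Apache: it drops a constructed token under .well-known/acme-challenge, fetches it the way the validator does, then stops the server to reproduce the "Connection refused" outcome seen above and distinguish it from a reset or an HTTP error.

```python
import http.server, os, tempfile, threading, urllib.error, urllib.request
from functools import partial

CHALLENGE_DIR = ".well-known/acme-challenge"  # path the ACME http-01 validator fetches

def place_token(webroot, token, key_authorization):
    # What certbot --webroot does: drop the key authorization file under the webroot.
    challenge_dir = os.path.join(webroot, *CHALLENGE_DIR.split("/"))
    os.makedirs(challenge_dir, exist_ok=True)
    path = os.path.join(challenge_dir, token)
    with open(path, "w") as fh:
        fh.write(key_authorization)
    return path

def probe(host, port, token, timeout=3):
    # Fetch the challenge URL the way the CA does and classify the outcome.
    url = f"http://{host}:{port}/{CHALLENGE_DIR}/{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return ("ok", resp.status, resp.read().decode())
    except urllib.error.HTTPError as err:       # TCP fine, server answered 4xx/5xx
        return ("http_error", err.code, "")
    except urllib.error.URLError as err:        # no usable TCP connection
        if isinstance(err.reason, ConnectionRefusedError):
            return ("connection_refused", None, "")  # nothing listening on the port
        if isinstance(err.reason, ConnectionResetError):
            return ("connection_reset", None, "")    # accepted, then dropped (e.g. firewall)
        return ("unreachable", None, str(err.reason))

class QuietHandler(http.server.SimpleHTTPRequestHandler):
    def log_message(self, *args):  # silence per-request logging
        pass

def demo():
    # Stand-in for Apache: a local HTTP server rooted at a temporary webroot.
    webroot = tempfile.mkdtemp()
    token = "constructed-token-abc123"  # constructed sample, not a real ACME token
    place_token(webroot, token, token + ".constructed-key-auth")
    srv = http.server.HTTPServer(("127.0.0.1", 0), partial(QuietHandler, directory=webroot))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    port = srv.server_address[1]
    while_running = probe("127.0.0.1", port, token)
    srv.shutdown()
    srv.server_close()
    after_stop = probe("127.0.0.1", port, token)  # what the CA saw in the thread
    return while_running, after_stop
```

Against a real host, `probe("paccoud.booqinez.com", 80, token)` run from outside the network after placing the token in Apache's document root tells you whether the server, a firewall, or the webroot mapping is at fault.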

It turned out reinstalling libxml2 solved the problem (I had "Init: Session Cache is not configured [hint: SSLSessionCache]" in the Apache error log). Thank you very much anyway.
