Trying to renew with certbot renew (or with --dry-run), yet it's failing with "Error getting validation data" and saying that fetching from acme-challenge is the problem.
Looking at the server log, I'm getting 200 back for these, and I could also access test.html and test from a browser in acme-challenge when I placed them there. The "A" records seem correct for my domain, and there are no AAAA records in the DNS.
Everywhere I have looked, the web root looks to be correct.
Running Debian 8.8 and nginx/1.12.0.
Hopefully someone can help; I've done a lot of searching and not been able to find any solutions that work.
Thanks.
Here is the output from the renew request:
# certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/www.sussextrains.co.uk.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Starting new HTTPS connection (1): acme-staging.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.sussextrains.co.uk
http-01 challenge for livetrainmap.co.uk
http-01 challenge for sussextrains.co.uk
http-01 challenge for www.livetrainmap.co.uk
Waiting for verification...
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/www.sussextrains.co.uk.conf produced an unexpected error: Failed authorization procedure. sussextrains.co.uk (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching https://www.sussextrains.co.uk/.well-known/acme-challenge/ggRdfgjIRQ02Y5JnQ35CZE_p-jTQsW5vInGOBlQvT9A: Error getting validation data, www.livetrainmap.co.uk (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching https://www.sussextrains.co.uk/.well-known/acme-challenge/7h2ib2rSNQwe0RXlbD0PyPd3BygP00z6pJl_gPj6HfU: Error getting validation data, livetrainmap.co.uk (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching https://www.sussextrains.co.uk/.well-known/acme-challenge/ivHimDB9tnlOLcvIXr5UYm29KZlfPrhr1PWyESUBGyo: Error getting validation data, www.sussextrains.co.uk (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching https://www.sussextrains.co.uk/.well-known/acme-challenge/SJSCotxce-CYD3z30sqJsDbTieBHzxffnmKoKC62EMo: Error getting validation data. Skipping.
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/www.sussextrains.co.uk/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)
1 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: sussextrains.co.uk
Type: connection
Detail: Fetching
https://www.sussextrains.co.uk/.well-known/acme-challenge/ggRdfgjIRQ02Y5JnQ35CZE_p-jTQsW5vInGOBlQvT9A:
Error getting validation data
Domain: www.livetrainmap.co.uk
Type: connection
Detail: Fetching
https://www.sussextrains.co.uk/.well-known/acme-challenge/7h2ib2rSNQwe0RXlbD0PyPd3BygP00z6pJl_gPj6HfU:
Error getting validation data
Domain: livetrainmap.co.uk
Type: connection
Detail: Fetching
https://www.sussextrains.co.uk/.well-known/acme-challenge/ivHimDB9tnlOLcvIXr5UYm29KZlfPrhr1PWyESUBGyo:
Error getting validation data
Domain: www.sussextrains.co.uk
Type: connection
Detail: Fetching
https://www.sussextrains.co.uk/.well-known/acme-challenge/SJSCotxce-CYD3z30sqJsDbTieBHzxffnmKoKC62EMo:
Error getting validation data
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
Here is a line from the nginx log:
66.133.109.36 - - [30/Apr/2018:12:22:43 +0100] "GET /.well-known/acme-challenge/7h2ib2rSNQwe0RXlbD0PyPd3BygP00z6pJl_gPj6HfU HTTP/1.1" 200 87 "http://www.livetrainmap.co.uk/.well-known/acme-challenge/7h2ib2rSNQwe0RXlbD0PyPd3BygP00z6pJl_gPj6HfU" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
The "challenges" part of the letsencrypt.log shows the correct IP is being used from the DNS.
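
An added diagnostic sketch, not part of the original post: it lines up each failed http-01 challenge in the certbot output above with the URL the validation server reported fetching and with any 200 responses for the same token in the nginx access log. The function names are hypothetical; the sample strings are excerpts of the output posted above, trimmed to two domains.

```python
import re
from urllib.parse import urlsplit

# Excerpts of the certbot error and the nginx access log line posted above.
CERTBOT_ERROR = (
    "sussextrains.co.uk (http-01): urn:acme:error:connection :: The server could not connect "
    "to the client to verify the domain :: Fetching https://www.sussextrains.co.uk/.well-known/"
    "acme-challenge/ggRdfgjIRQ02Y5JnQ35CZE_p-jTQsW5vInGOBlQvT9A: Error getting validation data, "
    "www.livetrainmap.co.uk (http-01): urn:acme:error:connection :: The server could not connect "
    "to the client to verify the domain :: Fetching https://www.sussextrains.co.uk/.well-known/"
    "acme-challenge/7h2ib2rSNQwe0RXlbD0PyPd3BygP00z6pJl_gPj6HfU: Error getting validation data."
)
NGINX_LINES = [
    '66.133.109.36 - - [30/Apr/2018:12:22:43 +0100] "GET /.well-known/acme-challenge/'
    '7h2ib2rSNQwe0RXlbD0PyPd3BygP00z6pJl_gPj6HfU HTTP/1.1" 200 87 '
    '"http://www.livetrainmap.co.uk/.well-known/acme-challenge/'
    '7h2ib2rSNQwe0RXlbD0PyPd3BygP00z6pJl_gPj6HfU" "Mozilla/5.0 (compatible; '
    "Let's Encrypt validation server; +https://www.letsencrypt.org)\"",
]
FAIL_RE = re.compile(r"([\w.-]+) \(http-01\): \S+ :: .*? :: Fetching (\S+?): Error")
LOG_RE = re.compile(r'"GET (\S+) HTTP/[\d.]+" (\d{3}) \d+ "([^"]*)"')

def parse_failures(text):
    """One record per failed challenge: the challenged name vs. the URL actually fetched."""
    out = []
    for domain, url in FAIL_RE.findall(text):
        u = urlsplit(url)
        out.append({"domain": domain, "url": url, "token": u.path.rsplit("/", 1)[-1],
                    "https": u.scheme == "https", "other_host": u.hostname != domain})
    return out

def served_ok(token, lines):
    """Referers of access-log requests that returned 200 for this challenge token."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if m and m.group(1).endswith("/" + token) and m.group(2) == "200":
            hits.append(m.group(3))
    return hits

if __name__ == "__main__":
    for f in parse_failures(CERTBOT_ERROR):
        print(f["domain"], "-> fetched", f["url"], "| https:", f["https"],
              "| other host:", f["other_host"], "| 200 referers:", served_ok(f["token"], NGINX_LINES))
```

An http-01 check starts at http://<challenged name>/.well-known/acme-challenge/<token>, so a reported fetch URL with a different scheme or host, or a Referer header on the logged request, means the validation server was following a redirect when the request was made.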