Renewal Failure

My domain is: mike-r.com

I ran this command: /usr/bin/certbot renew --dry-run

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/mike-r.com.conf


Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for alpha.mike-r.com
http-01 challenge for mike-r.com
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (mike-r.com) from /etc/letsencrypt/renewal/mike-r.com.conf produced an unexpected error: Failed authorization procedure. mike-r.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: During secondary validation: Fetching http://mike-r.com/.well-known/acme-challenge/0WqUYDeJq9MClLa8mT1CMslRcwEyTBG3VRWJ4FjLKB0: Timeout during connect (likely firewall problem), alpha.mike-r.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: During secondary validation: Fetching http://alpha.mike-r.com/.well-known/acme-challenge/n5GnrczKSibyuBqbO5UhLgEO52wr-1gKnf0Au1KDwOk: Timeout during connect (likely firewall problem). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/mike-r.com/fullchain.pem (failure)


** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/mike-r.com/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

Note: the validation server accesses appear successful in the Apache access.log:

66.133.109.36 - - [30/Sep/2020:06:38:12 +0300] "GET /.well-known/acme-challenge/n5GnrczKSibyuBqbO5UhLgEO52wr-1gKnf0Au1KDwOk HTTP/1.1" 200 307 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
66.133.109.36 - - [30/Sep/2020:06:38:12 +0300] "GET /.well-known/acme-challenge/0WqUYDeJq9MClLa8mT1CMslRcwEyTBG3VRWJ4FjLKB0 HTTP/1.1" 200 307 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"

My web server is (include version):
Server version: Apache/2.4.29 (Ubuntu)
Server built: 2020-08-12T21:33:25

The operating system my web server runs on is (include version): Ubuntu 18.04.5 LTS

My hosting provider, if applicable, is: myself

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.31.0

1 Like

Check you don't have any geographic IP blocking in place?

2 Likes

I have geoip blocking for selected countries, but the letsencrypt verification servers appear with status 200 (success) in the apache logs.
The countries blocked are: CN,PK,RU,BG,AF,IN,JP,MX,UA,VN,CZ,NG,BD,EG,EE,HK,RO,SC,MD,GE,KH,KP
... also, last month the certbot renewal succeeded, as far as I recall with identical definitions

1 Like

If you notice, it is the same single IP that is being allowed in your logs.
LE tries from several locations.
So you must be blocking some of those other requests.
HTTP requests should be exempt from GeoLocation blocking for this reason.

1 Like

You are RIGHT!! Closed firewall entirely, rebooted and renewal succeeded!!

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/mike-r.com/fullchain.pem (success)

Many thanks, and mark this call SOLVED
... of course, now I have to find how to do this automatically...

~~Mike

3 Likes

You could switch to DNS validation, that way you don't have to respond to any http requests to validate, or you can use pre/post validation hooks to add/remove firewall settings: https://certbot.eff.org/docs/using.html#pre-and-post-validation-hooks

2 Likes

Only you can mark this topic as (re)solved.
Choose an entry that best suits.

And to add to @webprofusion suggestion, you could also just allow HTTP and catch all that, handle the challenge requests and then simply redirected the rest to HTTPS and deal with GeoLocation on the HTTPS side.

1 Like

What happened was the systemd took over the certbot.timer, (automatically, not my doing...)
previously I had a cron job that ran monthly, and opened the firewall to the relevant IPs. certbot.timer ran certbot.service without doing that.
I have disabled certbot.service and certbot.timer, hopefully this will help.
Just in case this happens to someone else

2 Likes

Yeah, the newer versions of certbot now set the autorenew check via systemd.
You might want to move your logic/script there.

Cheers from Miami :beers:

1 Like

Please, when you make these changes, let the poor old user know...
I can't afford to tear out any more hair!! :wink:

2 Likes

I only (volunteer) work here, I don't make changes; But I will try tp pass that suggestion on.
[Sorry to hear about the hair loss, we'll try harder to help you keep what you got - LOL]

1 Like

Those systemd thingies are managed by the OS package maintainers, right? Not the certbot team?

1 Like