Renewal SSL certificate issue

Good evening,
I have been attempting to renew my certificate since June 2021 without success.

Issuer: R3
Expires on: 1 juil. 2021

I ran this command: certbot renew --dry-run

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/

Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for
Waiting for verification...
Cleaning up challenges
Attempting to renew cert ( from /etc/letsencrypt/renewal/ produced an unexpected error: Failed authorization procedure. (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching Timeout during connect (likely firewall problem). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/ (failure)

** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/ (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry

Because of this result I deactivated the firewall and iptables, but the result is the same.

So I ran this command: apachectl -S

AH00548: NameVirtualHost has no effect and will be removed in the next release /etc/apache2/sites-enabled/000-ispconfig.vhost:7
VirtualHost configuration:
*:8081        (/etc/apache2/sites-enabled/000-apps.vhost:9)
*:8080        (/etc/apache2/sites-enabled/000-ispconfig.vhost:9)
*:80                   is a NameVirtualHost
         default server (/etc/apache2/sites-enabled/
         port 80 namevhost (/etc/apache2/sites-enabled/
         port 80 namevhost (/etc/apache2/sites-enabled/
         port 80 namevhost (/etc/apache2/sites-enabled/
*:443         (/etc/apache2/sites-enabled/default-ssl.conf:2)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex authdigest-client: using_defaults
Mutex fcgid-proctbl: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex fcgid-pipe: using_defaults
Mutex authdigest-opaque: using_defaults
Mutex watchdog-callback: using_defaults
PidFile: "/var/run/apache2/"
User: name="www-data" id=33
Group: name="www-data" id=33

But I don't know if my problem is due to the number of SSL domains or to a configuration problem.
Could you help me to identify my renewal problem?

Thank you in advance.


Welcome to the Let's Encrypt Community :slightly_smiling_face:

You almost certainly encountered the Certificates per Registered Domain (50 per week) rate limit recently, but that's not causing the timeout. Nevermind. The listed certs are dated 2020. According to Let's Debug, there are 239 Certificates contributing to rate limits for this domain. That certainly could pose an issue, but would be hindered by a timeout problem, not cause it.

I believe there is something in your Apache configuration (or an .htaccess file) causing the timeout.


Wow, I'm off my game today. :woozy_face: I made an edit-mess of things.


Hi Griffin, and thank you for your quick answer.
Indeed, I didn't think to look at my .htaccess.
First I'll check this file and then I'll get back to you.


No problem, you're welcome :wink:



Given the 404 here:

and the timeout here:

I deduce that a rule in Apache (config or .htaccess) is responsible for the timeout. It could be a dynamic defense type of problem though (e.g. adaptive firewall).


Thank you again Griffin, I'll check this.


FWIW, my browser doesn't see the timeout while Let's Debug does. This difference in behavior would seem to indicate a firewall issue.


Beyond the firewall issue...
[after you fix that]

It seems that there is no vhost config that covers that name for port 80.

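An added example, not part of the thread: a small parser for `apachectl -S` output that reports whether a hostname is matched by a ServerName/ServerAlias on a port or falls through to that port's default vhost, the situation raised in the post above. The sample output, hostnames and paths are constructed, and the first-match logic is a simplification of Apache's name-based vhost selection.

```python
import fnmatch
import re

# Constructed sample of `apachectl -S` output; hostnames and paths are made up.
SAMPLE = """\
*:80                   is a NameVirtualHost
         default server www.example.test (/etc/apache2/sites-enabled/100-www.vhost:7)
         port 80 namevhost www.example.test (/etc/apache2/sites-enabled/100-www.vhost:7)
                 alias example.test
         port 80 namevhost blog.example.test (/etc/apache2/sites-enabled/100-blog.vhost:7)
                 wild alias *.blog.example.test
*:443                  shop.example.test (/etc/apache2/sites-enabled/default-ssl.conf:2)
ServerRoot: "/etc/apache2"
"""

ADDR = re.compile(r"^\S+:(\d+)\s+(.*)$")
VHOST = re.compile(r"^(?:port \d+ namevhost |default server )?(\S+) \((.+):\d+\)$")
ALIAS = re.compile(r"^(?:wild )?alias (\S+)$")

def parse_vhosts(text):
    """Map port -> {"default": conf file, "hosts": [(name pattern, conf file)]}."""
    ports, entry, conf = {}, None, None
    for line in text.splitlines():
        addr = ADDR.match(line)
        if addr:  # an unindented "*:80 ..." line starts a new address block
            entry = ports.setdefault(int(addr.group(1)), {"default": None, "hosts": []})
            line, conf = addr.group(2), None  # a lone vhost sits on the same line
        if entry is None:
            continue
        body = line.strip()
        vhost, alias = VHOST.match(body), ALIAS.match(body)
        if vhost:
            conf = vhost.group(2)
            entry["default"] = entry["default"] or conf  # first vhost is the default
            if not body.startswith("default server"):
                entry["hosts"].append((vhost.group(1), conf))
        elif alias and conf:  # alias lines belong to the vhost listed just before
            entry["hosts"].append((alias.group(1), conf))
    return ports

def covering_vhost(text, hostname, port=80):
    """Return (how, conf file): which vhost would answer for Host: hostname."""
    entry = parse_vhosts(text).get(port)
    if entry is None:
        return ("no-listener", None)
    for pattern, conf in entry["hosts"]:
        if fnmatch.fnmatchcase(hostname.lower(), pattern.lower()):
            return ("named", conf)
    return ("default-fallback", entry["default"])
```

A "default-fallback" result for a name on port 80 means the http-01 request is answered by a different vhost than the one certbot's webroot was configured for, so the challenge file may not be found there.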


The amount of times I have found myself saying "I wish things worked X way in Apache", you'd think there were a genie :genie: in there.

I wish Apache would do ServerName/ServerAlias matching only and thus not match against ip:port.


Maybe by adding a global toggle switch (feature request).
But, for me, I wouldn't switch it on.
[and needless to say, would opt for another web server altogether - LOL]
[but I don't use a Mac, so I don't really know if there are other choices there]


Off-topic: That's a feature. IP-based virtual hosts were actually quite necessary when SNI didn't exist or wasn't as widespread.

