Renewal works and then times out on second run

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: crunchygrooves.com

I ran this command: certbot certonly --pre-hook 'service apache24 stop' --post-hook 'service apache24 start' -d crunchygrooves.com --dry-run -v --standalone

It produced this output:

FIRST RUN:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Running pre-hook command: service apache24 stop
Hook 'pre-hook' ran with output:
Stopping apache24.
Waiting for PIDS: 1841.
Simulating a certificate request for crunchygrooves.com
Performing the following challenges:
http-01 challenge for crunchygrooves.com
Waiting for verification...
Cleaning up challenges
Running post-hook command: service apache24 start
Hook 'post-hook' ran with output:
Performing sanity check on apache24 configuration:
Starting apache24.
Hook 'post-hook' ran with error output:
Syntax OK
The dry run was successful.

SECOND RUN (SECONDS LATER):

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Running pre-hook command: service apache24 stop
Hook 'pre-hook' ran with output:
Stopping apache24.
Waiting for PIDS: 1876.
Simulating a certificate request for crunchygrooves.com
Performing the following challenges:
http-01 challenge for crunchygrooves.com
Waiting for verification...
Challenge failed for domain crunchygrooves.com
http-01 challenge for crunchygrooves.com

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
Domain: crunchygrooves.com
Type: connection
Detail: During secondary validation: 75.130.116.46: Fetching http://crunchygrooves.com/.well-known/acme-challenge/q8_8VT2oi7rJ-qRsCl8nDFOLUj7AUF_TkePYNLs5A7c: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

Cleaning up challenges
Running post-hook command: service apache24 start
Hook 'post-hook' ran with output:
Performing sanity check on apache24 configuration:
Starting apache24.
Hook 'post-hook' ran with error output:
Syntax OK
Some challenges have failed.

My web server is (include version): Apache 2.4.54

The operating system my web server runs on is (include version): FreeNAS 13

My hosting provider, if applicable, is: godaddy.com (DNS)

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No (via godaddy.com)

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.27.0

DNS seems fine... Let's Debug

hmm... the third test failed. Maybe this is why? Something with my Spectrum Business static IP address??

https://letsdebug.net/crunchygrooves.com

Actually, I think that last test needs mod_md enabled (which it is not). It is likely invalid. I'm still not sure why some of my domains renew and others do not. It seems that the first domain to renew works and then the rest time out. It seems to be strange behavior, and I caught it with the above-mentioned "dry-run", which worked and then immediately after did not. Maybe something within my ISP's network blocks it? It seems very random... The configs should be working fine (and have renewed previously).

It seems like you may have some Geo-location/fencing enabled that is preventing some of the LE validation server IPs from reaching your system.

4 Likes

You might also check for a "smart" or "adaptive" firewall setting.

The Let's Encrypt servers make the identical request from various IPs around the world. Some too-sensitive firewall settings block these as DDoS protection.

6 Likes
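The reply above describes why the failures look random: the CA fetches the same challenge URL from several vantage points, and a source-IP-sensitive filter can let the first one through and drop the rest. The error text certbot prints carries the clue, because Boulder prefixes failures that occurred only at a remote perspective with "During secondary validation:". The following script is an added example, not code from the original thread or from certbot; it parses that problem block from several certbot runs and tells the "remote perspectives are being filtered" case apart from "port 80 is unreachable from everywhere", DNS, or wrong-content failures. The sample runs are constructed from the messages quoted in the thread; the function names and the label strings it returns are this example's own.

```python
"""Classify certbot http-01 failures across several runs.

Added example (not from the original thread or from certbot). It parses the
"The Certificate Authority reported these problems:" block that certbot
prints and looks for the pattern in the thread: the primary perspective
reaches port 80 but remote perspectives time out, which points at a
source-IP-sensitive filter (geo-fencing, adaptive/DDoS protection) in front
of the host rather than at DNS or Apache.
"""
import re
from dataclasses import dataclass
from typing import Optional

# One Domain/Type/Detail entry of the problem list certbot prints.
PROBLEM_RE = re.compile(
    r"Domain:\s*(?P<domain>\S+)\s*\n\s*Type:\s*(?P<type>\S+)\s*\n\s*Detail:\s*(?P<detail>[^\n]+)"
)
# Boulder prefixes errors seen only from a remote vantage point with this text.
SECONDARY = "During secondary validation:"
# The address before "Fetching" is the host the CA tried to reach (the
# validated name's A/AAAA record), not the CA's own source address.
TARGET_RE = re.compile(r"(?P<ip>[0-9a-fA-F.:]+): Fetching ")


@dataclass
class Problem:
    domain: str
    type: str            # connection | dns | unauthorized | ...
    detail: str
    secondary: bool      # failed only from a remote validation perspective
    timeout: bool        # "Timeout during connect" or similar
    target_ip: Optional[str]


def parse_problems(output: str) -> list[Problem]:
    """Extract every problem entry from the output of one certbot run."""
    problems = []
    for m in PROBLEM_RE.finditer(output):
        detail = m.group("detail").strip()
        ip = TARGET_RE.search(detail)
        problems.append(Problem(
            domain=m.group("domain"),
            type=m.group("type"),
            detail=detail,
            secondary=detail.startswith(SECONDARY),
            timeout="Timeout" in detail,
            target_ip=ip.group("ip") if ip else None,
        ))
    return problems


def run_succeeded(output: str) -> bool:
    """True if certbot reported success for a dry run or a real issuance."""
    return ("The dry run was successful." in output
            or "Successfully received certificate" in output)


def diagnose(runs: list[str]) -> str:
    """Summarise a sequence of certbot runs against the same domains.

    Labels (this example's own):
      ok                   every run passed
      secondary-filtered   the primary perspective connected but every
                           failure came from a remote perspective: look at
                           geo-blocking / adaptive / DDoS filtering on the edge
      primary-unreachable  even the primary perspective could not connect:
                           check the A record, NAT/port forward, host firewall
      dns / unauthorized   the CA attributes the failure to DNS or to the
                           content it fetched, not to connectivity
      mixed                anything else; read the Detail lines
    """
    passes = sum(run_succeeded(r) for r in runs)
    problems = [p for r in runs for p in parse_problems(r)]
    if not problems and passes == len(runs):
        return "ok"
    types = {p.type for p in problems}
    if types == {"connection"}:
        if any(not p.secondary for p in problems):
            return "primary-unreachable"
        return "secondary-filtered"
    if types == {"dns"}:
        return "dns"
    if types == {"unauthorized"}:
        return "unauthorized"
    return "mixed"


# Constructed sample runs, quoting the messages shown in the thread
# (the domain and address are the ones printed there; the token is illustrative).
RUN_OK = ("Simulating a certificate request for crunchygrooves.com\n"
          "The dry run was successful.\n")
RUN_FAIL = """Challenge failed for domain crunchygrooves.com
Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
  Domain: crunchygrooves.com
  Type:   connection
  Detail: During secondary validation: 75.130.116.46: Fetching http://crunchygrooves.com/.well-known/acme-challenge/q8_8VT2oi7rJ-qRsCl8nDFOLUj7AUF_TkePYNLs5A7c: Timeout during connect (likely firewall problem)

Some challenges have failed.
"""

if __name__ == "__main__":
    for p in parse_problems(RUN_FAIL):
        print(f"{p.domain}: type={p.type} secondary={p.secondary} "
              f"timeout={p.timeout} target={p.target_ip}")
    print(diagnose([RUN_OK, RUN_FAIL, RUN_FAIL]))  # secondary-filtered
```

Feed it the saved output of a batch of `--dry-run` attempts (one string per run). A "secondary-filtered" verdict alongside at least one passing run is exactly the first-works-then-the-rest-time-out shape from the thread, and the thing to inspect is whatever sits between the internet and port 80 (router DDoS/adaptive settings, geo rules), since the same host answered the primary validator moments earlier.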

I think you might be right... I have no clue when this would have happened though but I think this makes the most sense. I just ran a test renewal against ~25 domains. First worked, next several didn't, then one would work, then again several not, then finally a third worked. It really seems to be some sort of DDoS or "adaptive" firewall. I'll try to find out more. This is a FreeNAS system and I don't recall installing it but maybe something in the latest version has enabled it.

1 Like

BINGO! It was a DDoS setting on my router! Ugh... well, it got me to overhaul all of my apache scripts and streamline everything so I guess three days of pulling my hair out was worth it?

Thank you!!

2 Likes
