Renewing an existing certificate

Hello, I need your help please :slight_smile:

I want to renew my certificate and I got this error

My domain is: x.xxxxxxx.net

I ran this command: certbot renew --cert-name x.xxxxxxx.net --nginx

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/x.xxxxxxx.net.conf


Renewing an existing certificate for x.xxxxxxx.net

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: x.xxxxxxx.net
Type: connection
Detail: xx.xx.xx.xxx: Fetching http://x.xxxxxxx.net/.well-known/acme-challenge/5wnh2GSsqhjMAXmkr_3y4sVr46apSZlqLeFMv8irs4I: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Failed to renew certificate x.xxxxxxx.net with error: Some challenges have failed.


All renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/x.xxxxxxx.net/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.32.2

Also, is there a way to reinstall an existing certificate?

Thanks

1 Like

Is it the same problem you had here: Renewing an existing certificate?

2 Likes

Thanks for your reply. I was the one who had this problem but this time it's not due to a router problem because port 80 and 443 are open.

3 Likes

@sing0021 are you willing to provide the Domain Name?
Can you try using Let's Debug?
And please use the Staging Environment - Let's Encrypt until you get the issue resolved,
as there are Rate Limits - Let's Encrypt.

2 Likes

That depends...
Reinstall it into what?
If certbot was able to install it before, then, yes, it can be told to do that again.

4 Likes

Not from the perspective of the Let's Encrypt validation server(s). A timeout wouldn't occur if port 80 was open.

4 Likes
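The reply above makes the key diagnostic point: a connect timeout means the CA's connection to port 80 never got an answer, so the nginx configuration was never even reached. As an added example that is not part of this thread, the small POSIX shell script below classifies the "Detail:" line certbot prints for a failed HTTP-01 authorization and maps each class to the check a defender would do first. The sample line is constructed in the shape of the thread's output; the IP and token in it are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): classify the "Detail:" line of a failed
# certbot HTTP-01 authorization so the first fix attempted matches the symptom.
# The sample line below is constructed; the IP and token are placeholders.

# Prints one of: timeout | refused | wrong-content | dns | unknown
classify_acme_failure() {
  detail="$1"
  case "$detail" in
    *"Timeout during connect"*)
      # The CA's TCP connection to port 80 got no answer at all: firewall,
      # ISP block or missing NAT rule. nginx is never reached in this case.
      echo timeout ;;
    *"Connection refused"*)
      # TCP reached the host, but nothing listens on port 80 there.
      echo refused ;;
    *"Invalid response"*|*"404"*)
      # Port 80 is reachable; the request hit the wrong server block or a redirect.
      echo wrong-content ;;
    *"DNS problem"*|*"NXDOMAIN"*)
      # The name itself did not resolve for the CA.
      echo dns ;;
    *)
      echo unknown ;;
  esac
}

# First check to run for each class, from the operator's side.
next_check() {
  case "$1" in
    timeout)       echo "verify port 80 is forwarded to this host and allowed inbound; test from outside the LAN" ;;
    refused)       echo "confirm nginx is running and listening on *:80" ;;
    wrong-content) echo "check which server block answers for the domain on port 80" ;;
    dns)           echo "check that the A/AAAA record resolves publicly" ;;
    *)             echo "re-run certbot with -v and read /var/log/letsencrypt/letsencrypt.log" ;;
  esac
}

# Constructed sample, shaped like the thread's Detail line (placeholder IP and token).
SAMPLE_TIMEOUT='Detail: 203.0.113.10: Fetching http://x.xxxxxxx.net/.well-known/acme-challenge/TOKEN: Timeout during connect (likely firewall problem)'

demo() {
  cls=$(classify_acme_failure "$SAMPLE_TIMEOUT")
  printf '%s -> %s\n' "$cls" "$(next_check "$cls")"
}
demo
```

Running the script prints `timeout -> verify port 80 ...` for the sample line, which is exactly the situation in this thread: the fix is on the network path (router, firewall, ISP), not in nginx or in the .pem files.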

Here is an online tool you can use: TCP Port Scanner, Online Port Scan, Port Scanning | IPVoid
It takes an IPv4 or IPv6 address to scan; select Scan all common ports.

But if you would be willing to share your Domain Name, that would be most helpful.

Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

1 Like

are you willing to provide the Domain Name?

@Bruce5051, I really don't have the right to provide this unfortunately.

Can you try using Let's Debug ?

ANotWorking

ERROR

x.xxxxxx.net has an A (IPv4) record (xx.xx.xx.xxx) but a request to this address over port 80 did not succeed. Your web server must have at least one working IPv4 or IPv6 address.

A timeout was experienced while communicating with x.xxxxxxx.net/xx.xx.xx.xxx: Get "http://x.xxxxxxx.net/.well-known/acme-challenge/letsdebug-test": context deadline exceeded

Trace:
@0ms: Making a request to http://x.xxxxxxx.net/.well-known/acme-challenge/letsdebug-test (using initial IP xx.xx.xx.xxx)
@0ms: Dialing xx.xx.xx.xxx
@10000ms: Experienced error: context deadline exceeded

IssueFromLetsEncrypt

ERROR

A test authorization for x.xxxxxxx.net to the Let's Encrypt staging service has revealed issues that may prevent any certificate for this domain being issued.

xx.xx.xx.xxx: Fetching http://x.xxxxxxx.net/.well-known/acme-challenge/CwzZZxtEZqQbDcXWjk-UmL-10gqO0LVCyOqjRuA4W64: Timeout during connect (likely firewall problem)

That depends...
Reinstall it into what?
If certbot was able to install it before, then, yes, it can be told to do that again.

@rg305, I would like to rule out an error in my .pem files

@Osiris and @Bruce5051, I have this output

[screenshot]

And with TCP SCANNER
[screenshot]

That is not an HTTPS issue.
HTTP is being blocked at the firewall or by the ISP.

6 Likes

If you cannot get Port 80 open to the Internet, could you use the DNS-01 Challenge type for this domain?

4 Likes
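DNS-01 is suggested above because it does not need port 80 at all: the CA proves control by looking up a TXT record, and the value of that record is derived from the challenge token and the ACME account key. As an added example that is not part of this thread (and not certbot's own code), the POSIX shell script below computes the `_acme-challenge` record name and TXT value the way RFC 8555 sections 8.1 and 8.4 define them, using `openssl` for SHA-256. The token and the account-key thumbprint are constructed placeholders, so the value printed is for illustration only; certbot or a DNS plugin computes the real one during issuance.

```shell
#!/bin/sh
# Added example (not from the thread): derive the DNS-01 TXT record from a
# challenge token and an account-key thumbprint, per RFC 8555 s8.1 and s8.4.
# Requires openssl for SHA-256. TOKEN and THUMBPRINT below are placeholders.

# base64url without padding, as ACME requires (RFC 8555 s8.4)
b64url() {
  base64 | tr -d '\n' | tr '+/' '-_' | tr -d '='
}

# key authorization = token "." thumbprint (RFC 8555 s8.1)
key_authorization() {
  printf '%s.%s' "$1" "$2"
}

# TXT value = base64url(SHA-256(key authorization)) (RFC 8555 s8.4)
dns01_txt_value() {
  key_authorization "$1" "$2" | openssl dgst -sha256 -binary | b64url
}

# Record name the CA queries: _acme-challenge.<domain>
dns01_record_name() {
  printf '_acme-challenge.%s' "$1"
}

# Constructed placeholders, not real ACME values.
TOKEN="placeholder-token-from-the-challenge-object"
THUMBPRINT="placeholder-account-key-thumbprint"

# Print the zone line an operator would publish before asking the CA to validate.
demo() {
  name=$(dns01_record_name "x.xxxxxxx.net")
  value=$(dns01_txt_value "$TOKEN" "$THUMBPRINT")
  printf '%s. IN TXT "%s"\n' "$name" "$value"
}
demo
```

Because the TXT value is a hash of the token and account key, each renewal publishes a fresh record, and the only thing that must be reachable from the internet is the domain's authoritative DNS, which is why this challenge type sidesteps a blocked port 80 entirely.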

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.