Renewing certificate

Hi, I need help with renewing my certificate. I can't figure out what exactly to do. This is the error samba gives:

[root@samba ~]# certbot --apache -d cl.ocv.ru
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewing an existing certificate for cl.ocv.ru

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: cl.ocv.ru
Type: connection
Detail: 46.28.91.131: Fetching http://cl.ocv.ru/.well-known/acme-challenge/MTPfDJNQ4ufl7VHMD_zGGHieH_ntqx-Vjj9Q_dYKZ4A: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
[root@samba ~]#

/var/log/letsencrypt/letsencrypt.log:

2025-06-25 10:34:04,539:DEBUG:certbot._internal.main:certbot version: 1.22.0
2025-06-25 10:34:04,541:DEBUG:certbot._internal.main:Location of certbot entry point: /usr/bin/certbot
2025-06-25 10:34:04,541:DEBUG:certbot._internal.main:Arguments: ['--apache', '-d', 'cl.ocv.ru']
2025-06-25 10:34:04,542:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2025-06-25 10:34:04,587:DEBUG:certbot._internal.log:Root logging level set at 30
2025-06-25 10:34:04,589:DEBUG:certbot._internal.plugins.selection:Requested authenticator apache and installer apache
2025-06-25 10:34:04,733:DEBUG:certbot_apache._internal.configurator:Apache version is 2.4.37
2025-06-25 10:34:05,087:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * apache
Description: Apache Web Server plugin
Interfaces: Installer, Authenticator, Plugin
Entry point: apache = certbot_apache._internal.entrypoint:ENTRYPOINT
Initialized: <certbot_apache._internal.override_centos.CentOSConfigurator object at 0x7f805e13bb00>
Prep: True
2025-06-25 10:34:05,089:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * apache
Description: Apache Web Server plugin
Interfaces: Installer, Authenticator, Plugin
Entry point: apache = certbot_apache._internal.entrypoint:ENTRYPOINT
Initialized: <certbot_apache._internal.override_centos.CentOSConfigurator object at 0x7f805e13bb00>
Prep: True
2025-06-25 10:34:05,090:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot_apache._internal.override_centos.CentOSConfigurator object at 0x7f805e13bb00> and installer <certbot_apache._internal.override_centos.Cent$
2025-06-25 10:34:05,090:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator apache, Installer apache
2025-06-25 10:34:05,101:DEBUG:certbot._internal.main:Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_ac$
2025-06-25 10:34:05,103:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2025-06-25 10:34:05,106:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
2025-06-25 10:34:05,665:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 1012
2025-06-25 10:34:05,666:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Wed, 25 Jun 2025 07:34:05 GMT
Content-Type: application/json
Content-Length: 1012
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
"meta": {
"caaIdentities": [
"letsencrypt.org"
],
"profiles": {
"classic": "Profiles - Let's Encrypt",
"shortlived": "Profiles - Let's Encrypt (not yet generally available)",
"tlsserver": "Profiles - Let's Encrypt"
},
"termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.5-February-24-2025.pdf",
"website": "https://letsencrypt.org"
},
"newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
"newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
"newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
"obYd-nZhk0g": "Adding random entries to the directory",
"renewalInfo": "https://acme-v02.api.letsencrypt.org/draft-ietf-acme-ari-03/renewalInfo",
"revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}
2025-06-25 10:34:05,703:DEBUG:certbot._internal.plugins.selection:Requested authenticator apache and installer apache

The normal thing to do to renew your cert is, well, nothing. It runs on an automatic schedule, unless it can't renew.

This error message is pretty clear, isn't it? The Let's Encrypt servers aren't able to connect to your server to validate domain control. You'll need to fix whatever firewall is interfering with that in order to get a new cert.

4 Likes

Just adding further info ... HTTPS connections on port 443 to your domain work but HTTP connections on port 80 fail.

The certificate used for HTTPS connections expired last October. So, you need to review any changes affecting port 80 since that cert was issued Aug 1, 2024.

As noted by the error, this is often a firewall. But it can be caused by other problems like incorrect routing of port 80 requests by a router or similar equipment / software.

I don't see any HTTP port 80 connections working so this is not unique to Let's Encrypt. See: Check website performance and response : Check host - online website monitoring

3 Likes
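An added example, not part of the thread or of Certbot: a small Python script that parses the failure report Certbot printed above and then probes ports 80 and 443 on the address the CA tried, to reproduce the "443 works, 80 fails" observation from the last reply. The function names `parse_failure`, `probe` and `diagnose` are made up for this sketch, and the probe only reflects what is reachable from the machine it runs on, so run it from outside the server's own network.

```python
import re
import socket

# Failure report from the certbot output in the first post (terminal wraps removed).
SAMPLE_REPORT = """\
Domain: cl.ocv.ru
Type: connection
Detail: 46.28.91.131: Fetching http://cl.ocv.ru/.well-known/acme-challenge/MTPfDJNQ4ufl7VHMD_zGGHieH_ntqx-Vjj9Q_dYKZ4A: Timeout during connect (likely firewall problem)
"""

FIELD = re.compile(r"^[ \t]*(Domain|Type|Detail):[ \t]*(.*)$", re.M)
DETAIL = re.compile(r"^(?P<ip>[0-9a-fA-F.:]+): Fetching (?P<url>\S+?): (?P<reason>.+)$")

def parse_failure(text):
    """Extract domain, error type, CA-resolved IP, challenge URL and reason."""
    fields = {k.lower(): v.strip() for k, v in FIELD.findall(text)}
    m = DETAIL.match(fields.get("detail", ""))
    if not m:
        raise ValueError("no HTTP-01 fetch detail found in report")
    return {"domain": fields.get("domain"), "type": fields.get("type"), **m.groupdict()}

def probe(host, port, timeout=5.0):
    """Attempt a TCP connect and classify the outcome."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:
        return "timeout"       # packets silently dropped: typical of a firewall
    except ConnectionRefusedError:
        return "refused"       # host reachable, nothing listening on the port
    except OSError:
        return "unreachable"   # routing or DNS level failure

def diagnose(failure, probe_fn=probe):
    """Probe 80 and 443 on the address the CA used and interpret the pair."""
    p80, p443 = probe_fn(failure["ip"], 80), probe_fn(failure["ip"], 443)
    if p80 == "open":
        verdict = "port 80 reachable from here; compare with the CA's vantage point"
    elif p443 == "open":
        verdict = "443 open but 80 blocked: review firewall/router rules for port 80"
    else:
        verdict = "neither port reachable: check DNS, routing and host firewall"
    return {"80": p80, "443": p443, "verdict": verdict}

if __name__ == "__main__":
    failure = parse_failure(SAMPLE_REPORT)
    print(failure)
    print(diagnose(failure))
```

A `timeout` on port 80 alongside `open` on 443 matches the CA's "Timeout during connect" and points at a filtering rule or port forward for port 80 rather than at Apache itself.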