Renewing certificates fails

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: multiple virtual domains on Apache

I ran this command: certbot renew --force-renewal

It produced this output:

My web server is (include version): Apache 2

The operating system my web server runs on is (include version): Ubuntu 18.04

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

My problem is, that renewal of certificates fails with the ‘Timeout during connection (likely firewall problem)’
BUT, if I comment this line out in the :80 version of the vhost, it works fine:
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

Now… I have an updated certificate, and everyone is happy, except: how do I redirect visitors to the https version of the site, and at the same time let certbot renew the certificate?

BTW… The line is inserted by certbot, when the certificate was first created!

That RewriteRule is only redirecting HTTP to HTTPS. If that rule is the cause of a timeout, then your HTTPS site might not be accessible at all! Unfortunately, you didn’t provide a relevant (affected) hostname, so we can’t try to debug that remotely.

Sorry. Forgot hostname.

http://ckvist.dk or https://ckvist.dk

Both work, and always have. - But if I activate the rewrite rule, certbot cannot renew the certificate.

The rewrite rule redirects ALL connections to HTTPS.
It seems the authentication requests are somehow unable to pass via the HTTPS path.
Either:

  • correct the HTTPS path to do the same as the HTTP path does when NOT redirecting
  • add an exception to the redirection, so that requests to /.well-known/acme-challenge/ are NOT redirected to HTTPS.

[The second choice may be easier, simpler, and quicker to implement - but you have choices]

And… Welcome to the LE Community!
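The second choice from the reply above, shown as an added example (this is not configuration from the thread or from certbot itself); example.com and /var/www/example are placeholders, and the RewriteCond must sit directly in front of the RewriteRule it guards:

```apache
# Before: the :80 vhost redirects every request to HTTPS, including the
# http-01 validation requests under /.well-known/acme-challenge/.
<VirtualHost *:80>
    ServerName example.com
    DocumentRoot /var/www/example
    RewriteEngine on
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

# After: the ACME challenge path is excluded from the redirect, so the
# validation request is answered over plain HTTP from DocumentRoot, while
# every other request is still sent to HTTPS.
<VirtualHost *:80>
    ServerName example.com
    DocumentRoot /var/www/example
    RewriteEngine on
    # The leading "!" negates the match: only redirect when the request
    # is NOT for the ACME challenge directory.
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
```

After `apachectl configtest` and a reload, `curl -I http://example.com/.well-known/acme-challenge/probe` should no longer answer with a 301 to HTTPS (a 404 from the HTTP vhost is the expected result when no challenge file is present), while `curl -I http://example.com/` still does.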

Second choice seems the right one. Thanks. :slight_smile: - I’ll try that.


If you have any issues, just let us know :slight_smile:
