Forgive me, one question again please, should I remove the .well-known directory if it is not needed anymore ?
You can do - it will be needed when you come to renew your certificate ( you won't need to do that using the standalone method ). It should be recreated by letsencrypt though at that time if it doesn't exist.
Ok thanks
Unfortunately I still have my trouble (I didn't close the port since our tests) :
./letsencrypt-auto certonly --test-cert --standalone --domain my_site.fr
Checking for new version...
Requesting root privileges to run letsencrypt...
/root/.local/share/letsencrypt/bin/letsencrypt certonly --test-cert --standalone --domain my_site.fr
Failed authorization procedure. my_site.fr (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to host for DVSNI challenge
Do you know what ip is the letsencrypt server or its fqdn ? I think it would be nice to check my FW rules ...
I respond to myself: found at least the test server: acme-staging.api.letsencrypt.org
letsencrypt deliberately doesn't provide this information ( so that requests from them are not treated differently from normal users).
Is your setup a simple server with a firewall ? or do you have port forwards / proxy or anything else in your setup ?
mmmm this is a full server and the firewall contains a lot of rules, mainly to drop any attackers from outside of France (mainly built with all IPs with repeated tries on port 22).
There are no port forwards or proxy.
the staging server is e981.dscb.akamaiedge.net @ 2.20.30.68 so it shouldn't be blocked as it is not part of my FW rules
In your logs there shouldn't be many trying to reach .well-known/lets-encrypt, so that should tell you the IP address that is currently being used. That IP will change over time though ( there are possible plans to even perform the test via TOR to randomise the IP address used ) - so you can't just whitelist it.
Would you be happy to briefly ( 1 min ) turn off the firewall to confirm that's what is causing the issue ( that will also give you the IP address used )
Well, this is what I will do tomorrow ... unfortunately I must leave now.
I will post the results here or maybe I will solicit the community again
Again, many many thanks for your kind help
You're welcome. Have a good evening
I finally found where the trouble was: I actually had a rule that drops any traffic from LE servers into my permanently banned addresses list and does not log it.
I removed this IP and I was able to get certificates using ./letsencrypt-auto --apache --domain my_site.fr
@serverco Thanks again, I appreciate your quick and valuable help.
You're welcome
Just be aware that LE might use random IP addresses in the future, so if you get a similar error on renewal, check what's been blocked.
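As an added illustration of "check what's been blocked" (not code from this thread or from letsencrypt), the shell function below pulls, out of kernel firewall log lines, the source addresses whose packets to ports 80 and 443 were dropped, so a failed validation can be matched against a ban list. It assumes iptables-style log lines with a "FW-DROP:" prefix and SRC=/DPT= fields; the prefix and the sample lines are constructed for this example.

```shell
#!/bin/sh
# Constructed sample kernel log lines (not real traffic). The ACME validation
# server only ever connects to ports 80/443, so drops to other ports (22 here)
# are irrelevant to a certificate failure.
SAMPLE_LOG='Jan 10 09:12:01 host kernel: FW-DROP: IN=eth0 SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=51234 DPT=22
Jan 10 09:12:05 host kernel: FW-DROP: IN=eth0 SRC=192.0.2.44 DST=198.51.100.5 PROTO=TCP SPT=40101 DPT=443
Jan 10 09:12:06 host kernel: FW-ACCEPT: IN=eth0 SRC=192.0.2.45 DST=198.51.100.5 PROTO=TCP SPT=40102 DPT=443
Jan 10 09:12:07 host kernel: FW-DROP: IN=eth0 SRC=192.0.2.44 DST=198.51.100.5 PROTO=TCP SPT=40103 DPT=80
Jan 10 09:12:09 host kernel: FW-DROP: IN=eth0 SRC=203.0.113.9 DST=198.51.100.5 PROTO=TCP SPT=50011 DPT=80'

# dropped_validation_sources LOGTEXT
# Prints "<count> <source address>" for every source that had at least one
# packet to port 80 or 443 logged as dropped, most frequent first.
# The "FW-DROP:" log prefix is an assumption; adjust it to your own rules.
dropped_validation_sources() {
    printf '%s\n' "$1" |
    awk '
        /FW-DROP:/ {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src != "" && (dpt == "80" || dpt == "443")) count[src]++
        }
        END { for (s in count) printf "%d %s\n", count[s], s }
    ' | sort -rn
}

# Stand-alone run over the constructed sample; in practice feed it the
# kernel log covering the minutes around the failed certonly/renew run.
dropped_validation_sources "$SAMPLE_LOG"
```

Each address reported this way is a candidate for a wrongly banned validation server and should be compared with the ban list before any entry is removed; a rule that drops without logging, as in the post above, will not show up here at all.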
Yes for sure I will.
In fact, my banned IP list should only be updated (automatically by script) when a number of tries on some ports is reached.
Sometimes it may be needed to update it by hand and I'm quite sure I did it by mistake, as I can see it was done when I did my very first tries with LE.
So it should not occur again ... anyway I know what to do now