Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.
Cleaning up challenges
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
michael@wpmm22:/var/www/wp.scsiraidguru.com/public_html$
Is the IPv6 address correct? Because 2601:402:8200:d410:20c:29ff:fea5:7fec seems to be a Comcast address while your IPv4 address 99.158.235.35 seems to be an AT&T address.
I agree with Osiris that your IPv6 address looks wrong.
You currently allow HTTP on IPv4. I don't see any reason to intentionally block that. But, other options are the DNS Challenge or TLS-ALPN which uses port 443. Apache supports TLS-ALPN in its mod_md feature. See the Apache docs or I like these GitHub docs
I have a Fortinet 60E firewall with SD-WAN. WAN1 is AT&T. WAN2 is Comcast. Godaddy has both IPv4 and IPv6 configured. SSL Labs gives me A+ for my IPv4 and IPv6.
I missed this earlier. But Certbot does not support the tls-alpn-01 challenge, which uses port 443. I believe Apache's mod_md module however does support that challenge.
But why isn't HTTP open? It's required for any HTTP to HTTPS redirect, if necessary. I believe only Chrome starts with HTTPS by default, so other browsers would require an HTTP to HTTPS redirect for your site to work.
HTTP is being redirected to HTTPS. So, you do allow it and it should work for an HTTP Challenge if done right. See my prior post about mod_md docs to use TLS-ALPN as your ACME Client must support that and Certbot does not.
Further, once the "connection reset" problem is fixed you will need to change your CAA records as they currently only allow GoDaddy issuance (Let's Debug link).
Sorry about my bad info using my VPN earlier. Its IPv6 was broken and led to my wrong conclusions. But, something seems wrong with your IPv6 in relation to the HTTP Challenge. I don't get a connection failure but get this from the LE staging system
Authority reported these problems:
Domain: mc.scsiraidguru.com
Type: connection
Detail: 2601:402:8200:d410:20c:29ff:fea5:7fec:
Fetching https://mc.scsiraidguru.com.well-known/acme-challenge/L6Ce3Ad3JNqv0u5YNy-u_BB6bhhhsyIYEkMzkJYDASk:
Invalid host in redirect target "mc.scsiraidguru.com.well-known".
Check webserver config for missing '/' in redirect target.
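The "Invalid host in redirect target" error above is the classic symptom of an Apache `Redirect` (or `RewriteRule`) whose target URL has no trailing slash. The following is an added example, not code from this thread or from Apache: it models how mod_alias builds the Location header (the part of the request path after the matched URL-path prefix is appended verbatim to the target URL) and runs a local sanity check over the result. The host name `mc.example.org`, the token and the directives are assumptions for the example. The host check is deliberately stricter than what Let's Encrypt enforces (it does follow cross-host redirects); for an http-to-https redirect of the same site, a changed host is always a misconfiguration.

```python
"""Offline model of Apache's Redirect prefix substitution (added example)."""
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Constructed request: the path an ACME validator fetches for http-01.
# The token is made up; real tokens are random per order.
CHALLENGE_PATH = "/.well-known/acme-challenge/EXAMPLE-TOKEN"
ORIGIN_HOST = "mc.example.org"  # assumed site name for the example


def apache_redirect_location(url_path: str, target_url: str, request_path: str) -> Optional[str]:
    """Emulate ``Redirect [status] URL-path URL`` from mod_alias.

    URL-path is prefix-matched against the request path on a path-segment
    boundary and the remainder of the request is appended to URL unchanged.
    Returns None when the directive does not match.
    """
    if request_path == url_path or request_path.startswith(url_path.rstrip("/") + "/"):
        remainder = request_path[len(url_path):]
        return target_url + remainder
    return None


def check_redirect_target(location: Optional[str], expected_host: str) -> List[str]:
    """Local sanity check of a redirect Location for an ACME http-01 request."""
    if location is None:
        return ["directive did not match the request path"]
    problems: List[str] = []
    parts = urlsplit(location)
    if parts.scheme not in ("http", "https"):
        problems.append(f"scheme {parts.scheme!r} not allowed in ACME redirects")
    if parts.hostname != expected_host:
        # "mc.example.org.well-known" lands here when the slash is missing.
        problems.append(f"invalid host in redirect target {parts.hostname!r}")
    if not parts.path.startswith("/.well-known/acme-challenge/"):
        problems.append("redirect target leaves the acme-challenge path")
    return problems


def evaluate_directive(target_url: str) -> Dict[str, object]:
    """Run ``Redirect / <target_url>`` through the model and report on it."""
    location = apache_redirect_location("/", target_url, CHALLENGE_PATH)
    return {"location": location, "problems": check_redirect_target(location, ORIGIN_HOST)}


if __name__ == "__main__":
    # Broken form (no trailing slash) beside the corrected one.
    for target in ("https://mc.example.org", "https://mc.example.org/"):
        report = evaluate_directive(target)
        status = "OK" if not report["problems"] else "; ".join(report["problems"])
        print(f"Redirect / {target:<26} -> {report['location']}  [{status}]")
```

The same failure appears with `RewriteRule ^(.*)$ https://mc.example.org$1` in a `.htaccess` or `<Directory>` context, where the captured path has no leading slash; `https://mc.example.org/$1` (or `%{REQUEST_URI}`) avoids it. Fixing the slash is worth doing before the IPv6 question, since the validator reached the IPv6 address fine and only tripped over the redirect.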
To all who have made suggestions, a Big Thank You. I need to add a CAA record to Godaddy for Let's Encrypt. Can I keep both CAA records for Godaddy and Let's Encrypt?
Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: mc.scsiraidguru.com
Type: caa
Detail: CAA record for scsiraidguru.com prevents issuance
Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.
Cleaning up challenges
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
michael@wpmm22:/etc/apache2/conf-available$
Note the CAA IODEF record is ignored by Let's Encrypt. I see you have it so just wanted to alert that it won't provide any benefit from LE (and probably never did with GoDaddy either).
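To make the CAA rules above concrete (why an apex record blocks mc.scsiraidguru.com, why two issue records can coexist, and why iodef changes nothing), here is an added example that evaluates CAA along the lines of RFC 8659 section 4. It is not code from this thread or from any CA. The zone data is constructed for the example (it is example.org, not the real scsiraidguru.com zone); the CA identifiers letsencrypt.org and godaddy.com are the ones those CAs document. CNAME and DNAME handling from the RFC is omitted.

```python
"""Offline CAA evaluation along the lines of RFC 8659 section 4 (added example)."""
from typing import Dict, List, Optional, Tuple

CRITICAL = 128  # issuer-critical bit of the CAA flags octet

CaaRecord = Tuple[int, str, str]  # (flags, tag, value)

# Constructed CAA data for the example: owner name -> records.
CONSTRUCTED_ZONE: Dict[str, List[CaaRecord]] = {
    "example.org": [
        (0, "issue", "godaddy.com"),
        (0, "issue", "letsencrypt.org"),  # both CAs authorized side by side
        (0, "iodef", "mailto:hostmaster@example.org"),  # reporting only
    ],
    "locked.example.org": [
        (0, "issue", ";"),  # empty issuer: no CA may issue
    ],
    "wild.example.org": [
        (0, "issue", "letsencrypt.org"),
        (0, "issuewild", ";"),  # wild.example.org yes, *.wild.example.org no
    ],
}


def relevant_caa(zone: Dict[str, List[CaaRecord]], name: str) -> Tuple[Optional[str], List[CaaRecord]]:
    """Climb from `name` toward the root; the first owner with CAA records is the relevant set."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        if zone.get(owner):
            return owner, zone[owner]
    return None, []


def _issuer_matches(value: str, ca_domain: str) -> bool:
    """Compare the issuer-domain-name, ignoring any '; key=value' parameters."""
    issuer = value.split(";", 1)[0].strip().lower()
    return issuer != "" and issuer == ca_domain.lower()


def issuance_allowed(zone: Dict[str, List[CaaRecord]], name: str, ca_domain: str,
                     wildcard: bool = False) -> Tuple[bool, str]:
    """Return (allowed, reason) for `ca_domain` issuing for `name` (or `*.name` if wildcard)."""
    owner, records = relevant_caa(zone, name)
    if not records:
        return True, "no CAA records on %s or any parent: issuance unrestricted" % name
    for flags, tag, _ in records:
        # A CA that does not understand a critical property must refuse.
        if tag.lower() not in ("issue", "issuewild", "iodef") and flags & CRITICAL:
            return False, "unknown critical tag %r at %s" % (tag, owner)
    issue = [v for _, t, v in records if t.lower() == "issue"]
    issuewild = [v for _, t, v in records if t.lower() == "issuewild"]
    # issuewild takes precedence for wildcard names only when it is present.
    if wildcard and issuewild:
        applicable, tag = issuewild, "issuewild"
    else:
        applicable, tag = issue, "issue"
    if not applicable:
        return True, "CAA at %s has no %s records: issuance unrestricted" % (owner, tag)
    if any(_issuer_matches(v, ca_domain) for v in applicable):
        return True, "%s record at %s names %s" % (tag, owner, ca_domain)
    return False, "%s records at %s (%s) do not name %s" % (
        tag, owner, ", ".join(applicable), ca_domain)


if __name__ == "__main__":
    for fqdn, ca, wild in (("www.example.org", "letsencrypt.org", False),
                           ("www.example.org", "godaddy.com", False),
                           ("www.example.org", "digicert.com", False),
                           ("locked.example.org", "letsencrypt.org", False),
                           ("wild.example.org", "letsencrypt.org", True)):
        ok, why = issuance_allowed(CONSTRUCTED_ZONE, fqdn, ca, wildcard=wild)
        print("%s%s via %s: %s (%s)" % ("*." if wild else "", fqdn, ca, "allow" if ok else "deny", why))
```

Before re-running Certbot, `dig +short CAA scsiraidguru.com` shows the published set; after the record for letsencrypt.org is added, the evaluation for mc.scsiraidguru.com climbs to the apex and finds it, while the existing godaddy.com record keeps working for GoDaddy-issued certificates. A record with an issuer of ";" is the only way to forbid issuance outright, and the iodef record is never consulted for the decision.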
I logged into work to check the certificates. My workstation runs Avast.
They showed up as Let's Encrypt
SSLLabs gave me A+ after I uploaded the chain.pem to my Fortinet 60E firewall as a CA Cert
Tomorrow, I will finish cleaning up Godaddy DNS for an old URL no longer in use.
michael@wpmm22:~$ sudo systemctl status certbot.timer
[sudo] password for michael:
● certbot.timer - Run certbot twice daily
Loaded: loaded (/lib/systemd/system/certbot.timer; enabled; vendor preset:>
Active: active (waiting) since Sun 2023-12-10 12:39:23 EST; 7h ago
Trigger: Mon 2023-12-11 11:10:27 EST; 15h left
Triggers: ● certbot.service
Dec 10 12:39:23 wpmm22 systemd[1]: Started Run certbot twice daily.
michael@wpmm22:~$ sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log