[SOLVED] Can't renew SSL certificate


I have a problem when I try to renew my SSL certificate.
The error message is:
Attempting to renew cert from /etc/letsencrypt/renewal/my-site.fr.conf produced an unexpected error: Failed authorization procedure. my-site.fr (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://my-site.fr/.well-known/acme-challenge/8TMamusugLC0gWioyvXx7NcQTKOqdvQ64_xMqMkYsls: Timeout, www.my-site.fr (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://www.my-site.fr/.well-known/acme-challenge/4HPyCNmnCX-X0TKbP1TblahIhQro6-FRZZCYkRCahpM: Timeout. Skipping.

My configuration:

  • OS : Raspbian 9
  • Apache

The 8080 & 443 ports are open on my box and by iptables, and is defined on Apache configuration.

The renew command is executed with a specific user, on a ksh script (with “sudo”).

The SSL certificate, which used by 3 servers and 1 NAS, is on a repertory on my NAS, which is mounted with NFS (/NFS_Mounts/SSL_KEYS) on all.

The repertory “/etc/letsencrypt” is present on the server where I execute ksh script.


Can you please fill the form and revail us the true domain?

(Although the problem might be port 80 blocked)

Thank you

My domain is: mehl-family.fr

That’s timing out for me on port 80 - are you positive that is the correct IP address, and that it’s reachable from the outside world?

It’s the right IP yes.
All my URLs are reachable from outside, but none use 80 or 443.

HTTP validation makes a connection on port 80. (Though it will follow redirects to port 443.)

If there’s a firewall blocking port 80, you have to unblock it.

If that’s not possible, you can use DNS validation, but that may take some setup.

port 80 isn’t blocked…
It is open on my box, iptables rules open multiport (8080 & 443)
Is 80 or 8080 that must be open ?

Well, then http-01 isn't going to work for you. This challenge type must initiate connection on port 80, so your web server has to be accessible on port 80 from the outside world. It will follow redirects, however.

This makes it sound like you're saying 80 is blocked:

None of my URLs that I use are reachable with 80 or 443, but with a specific port by URL.

I’ve checked my box firewall… Port 80 is authorised, just to my server IP.

I’ve checked netstat on my server:
tcp 0 0* LISTEN 19812/apache2
tcp 0 0* LISTEN 19812/apache2

I’ve checked my iptables rules:
iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -j ACCEPT

Did I forget something ?

Is it forwarded through whatever router is in front of your server?

I’m French, sorry for my english and if I don’t understand the good sense of a question.

My servers are behind a internet box.

Not a problem! I assume by “internet box”, you’re operating this on a residential internet connection? If so, you’ll need to make sure port 80 on the outside routes to your server. This is usually set up in a port forwarding page somewhere on the internet box.

However, not all residential internet providers allow inbound access on port 80 (which I think might be why you’re using 8080?) If this is the case, you’ll probably need to look into using DNS authorization instead, or asking your internet service provider to allow inbound port 80.

The redirection port was not good: “to 8080” instead of “to 80”. I’ve corrected it.

I’ve retried to renew certificate: KO. With the same message.

Still no good from my end:

# curl http://mehl-family.fr
curl: (7) couldn't connect to host

What’s the “from” port in that setup?

It’s OK…

It was an iptables rule that I forgot:
iptables -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT

I had put “output” rule, but not “input”.

And now, the certificate was renewed.

Thank’s for your help.

A last question: letsencrypt use only 80 or 80 + 443 ?

Let's encrypt only connect to port 80 first for HTTP01 verification. (Which can follow redirect to other ports, especially port 443) however, you must connect to port 80 first before to other port.

Thus if I block 443, no problem with letsencrypt?

Unless you’re redirecting to it.

Not necessary.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.