SSL cert unable to renew

Hello Team,
I have a CentOS 7 server hosted on Azure. I have 2 websites hosted on it. Currently I am trying to renew SSL certs using certbot; however, it is throwing the below error:

Challenge failed for domain
http-01 challenge for
Cleaning up challenges
Some challenges have failed.

Domain
I ran this command: certbot renew and certbot --apache certonly

It produced this output:

Challenge failed for domain
http-01 challenge for
Cleaning up challenges
Attempting to renew cert () from /etc/letsencrypt/renewal9.conf produced an unexpected error: Some challenges have failed.. Skipping.

Domain:
Type: connection
Detail: Fetching http://domainl/.well-known/acme-challenge/TnhubZTuDvt_JONf2ukdj_q9UtmnYW_2t6RNmh4mWdU: Timeout during connect (likely firewall problem)

My web server is (include version): Httpd-2.4, PHP

The operating system my web server runs on is (include version): Centos 7.5

My hosting provider, if applicable, is: Azure

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):certbot 1.5.0

I can see our domains are correct and the websites are accessible to us; however, access is restricted to certain IPs at the Azure level.
Could you please let me know what could have gone wrong?
-Dushyant

Let's Encrypt needs to be able to connect to your site to verify ownership. This is also necessary for renewals, as valid authorizations are valid for only 30 days while certificates are valid for 90 days and it's recommended to renew after 60 days.


Thanks Osiris for looking into it.
Could you please let me know how I can fix it?

  1. Do I need to open any inbound security groups at the VM level for the connection between Let's Encrypt and the server? Also, there is no firewall at the OS level.
  2. The certs expired on 19 Oct.

I don't know what you technically need to open, I'm not familiar with Azure.

All I can tell you, Let's Encrypt needs HTTP access and that Let's Encrypt tries to connect from multiple vantage points. Also, Let's Encrypt doesn't publish a list of used IP addresses.

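A pre-flight check for the http-01 path, added here as example code that is not part of the original thread or of certbot. It reproduces what the CA does from its side: the key authorization is placed under /.well-known/acme-challenge/ the way a webroot-style client would, fetched over plain HTTP with a connect timeout, and the outcome is classified the way the "Type: connection" error above is. The local http.server standing in for httpd, the loopback port, the key authorization string and the helper names are all assumptions; the token is only reused from the error output as sample data.

```python
"""Pre-flight check for an ACME http-01 challenge path (added example).

Not part of the original thread or of certbot. It writes a token under
/.well-known/acme-challenge/ the way a webroot-style ACME client would,
fetches it over plain HTTP with a connect timeout, and classifies the
outcome roughly the way the Let's Encrypt error above does: connect
timeouts and refused connections are a "connection" problem (firewall or
NSG), a wrong body or HTTP error is an "unauthorized" problem, and a
matching body is "ok".
"""
import functools
import http.server
import socket
import tempfile
import threading
import urllib.error
import urllib.request
from pathlib import Path

CHALLENGE_DIR = ".well-known/acme-challenge"


def write_token(webroot, token, key_authorization):
    """Place the key authorization where the CA will fetch it (webroot mode)."""
    path = Path(webroot) / CHALLENGE_DIR / token
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(key_authorization)
    return path


def check_http01(host, port, token, expected, timeout=5.0):
    """Fetch the challenge URL and return (status, detail).

    status is "ok", "connection" or "unauthorized", mirroring the Type:
    field of the ACME error shown in the thread.
    """
    url = f"http://{host}:{port}/{CHALLENGE_DIR}/{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace").strip()
    except urllib.error.HTTPError as err:
        return "unauthorized", f"Fetching {url}: HTTP {err.code}"
    except (urllib.error.URLError, OSError) as err:
        reason = getattr(err, "reason", err)
        if isinstance(reason, socket.timeout) or "timed out" in str(reason):
            return "connection", f"Fetching {url}: Timeout during connect (likely firewall problem)"
        return "connection", f"Fetching {url}: {reason}"
    if body != expected:
        return "unauthorized", f"Fetching {url}: body did not match key authorization"
    return "ok", f"Fetching {url}: key authorization matched"


class _QuietHandler(http.server.SimpleHTTPRequestHandler):
    def log_message(self, *args):  # keep the demo output clean
        pass


def serve_webroot(webroot):
    """Stand-in for httpd (assumption): serve the webroot on a random loopback port."""
    handler = functools.partial(_QuietHandler, directory=str(webroot))
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def demo():
    """Run the check against a reachable, a mismatched and an unreachable server."""
    webroot = Path(tempfile.mkdtemp())
    token = "TnhubZTuDvt_JONf2ukdj_q9UtmnYW_2t6RNmh4mWdU"  # token from the error in the thread
    key_auth = token + ".constructed-account-thumbprint"     # constructed, not a real thumbprint
    write_token(webroot, token, key_auth)
    server, port = serve_webroot(webroot)
    results = [check_http01("127.0.0.1", port, token, key_auth)]
    results.append(check_http01("127.0.0.1", port, token, "some-other-key-authorization"))
    server.shutdown()
    server.server_close()
    # Nothing listens on the port any more: a refused connection, the same "connection"
    # class of failure a blocked NSG gives, except a firewall that drops packets yields
    # the timeout variant instead.
    results.append(check_http01("127.0.0.1", port, token, key_auth, timeout=2.0))
    return results


if __name__ == "__main__":
    for status, detail in demo():
        print(f"Type: {status}\nDetail: {detail}\n")
```

On a real host, run the check from a machine outside the Azure IP allowlist with the public hostname, port 80 and the contents of the file certbot wrote as `expected`. An "ok" result still only proves that one outside address can reach the path; since Let's Encrypt validates from several vantage points and publishes no IP list, the rule has to admit port 80 from anywhere rather than from a chosen set of addresses.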

It was working in the past, and all of a sudden it is unable to make authorization connections.
Is there any other way we can renew the certs, or can we get new certs by removing the current expired certs?

Perhaps something has changed in your hosting environment? I can't connect to http://ipmgmt.mijnteleena.nl either...

Yes, you could use the dns-01 challenge instead of the http-01 challenge. Take a look at the Challenge Types documentation page and the documentation of your ACME client on how to set that up.

That wouldn't matter at all. How would your Azure firewall/security group magically accept incoming connections by Let's Encrypt if you removed the expired certificates? You'd still need to prove ownership over your hostnames.


Hello Osiris,
It is fixed after allowing inbound traffic on ports 80 and 443.

Thank you for direction.
