SSL Certificate Renewal Failing for My Website

Hi everyone,

I’m having trouble renewing the SSL certificate for my website, which is issued by Let’s Encrypt. The certificate recently expired, and the automatic renewal process didn’t work as expected.

Here’s my setup:

  • Web server: Nginx
  • OS: Ubuntu 22.04
  • Certificate managed with Certbot

What I’ve observed:

  1. Running certbot renew returns the following error:
    Failed to connect to example.com on port 80: Connection refused.

  2. The port 80 is open, and I’ve verified it with netstat and online tools.

  3. Visiting my website via HTTPS currently shows a certificate expired error.

What I’ve tried so far:

  1. Restarted Nginx and confirmed that the server is running and accessible.
  2. Verified DNS settings, and the A records point correctly to my server’s IP address.
  3. Tested with curl http://example.com/.well-known/acme-challenge/testfile, which works locally but not externally.
  4. Checked the firewall settings to ensure ports 80 and 443 are open.

Questions I have:

  1. Could this issue be related to changes in the Let’s Encrypt ACME protocol or Certbot?
  2. Is there a way to manually renew the certificate without relying on the automatic process?
  3. Are there specific Nginx or Certbot configurations I should check to fix the connection issue?

I’d appreciate any help or advice you can provide. Thanks in advance!

Hi!

Well this is your issue, it has to work externally. Look for firewalls/routers outside of your server. If you share your domain name, people here may advise further.

3 Likes

Thank you for your response!

I understand that external access is crucial for the validation process. I’ve double-checked the following:

  1. Firewall Settings: Both ufw on the server and the external firewall on my hosting provider (if applicable) have ports 80 and 443 open.
  2. Router Configuration: My server is directly accessible without any intermediate routers blocking traffic.
  3. DNS Records: My domain name’s A records point directly to the server’s IP address, and propagation seems to be complete.

Thank you again for the help!

Well, it's going to be hard for people here to help diagnose connectivity issues to your site without knowing the domain name. If you're willing to type it into some online tools, even if you aren't able to share it here, then you might want to try some of these:

3 Likes

Have you tried from an external network from the public internet with a command like nmap -Pn -p80,443 example.com?

Do you possibly have some Geo Blocking?

And some tools to help check in addition to @petercooperjr's recommendations

Edit:

One more thing all IP Addresses need to respond the same, that is including all IPv4 and IPv6 Addresses.

1 Like

A "connection refused" error usually means the port is open in firewalls et cetera, but no server is listening on that port.

I agree with my fellow volunteers in that it would be very helpful to know the actual hostname used (which is actually mandatory in the questionnaire you have deleted when you opened this thread in the Help section), so we can run some tests ourselves.

3 Likes

Here is the domain https://capprocutapk.com/ please check and do let me know. Thanks!

https://letsdebug.net/capprocutapk.com/2315728

2 Likes

Would you show the actual messages from the failed certbot renew?

Because one odd thing is that that is not the format of error you would see from Certbot.

The second odd thing is your domain is proxied at Cloudflare. When the Let's Encrypt server sends the HTTP validation request to your domain it will always reach the Cloudflare CDN. Now, the CDN may fail to reach you but the error seen by LE in that case and then reported by Certbot would be very different.

I see you have two different certs from Let's Encrypt covering different sets of domain names. HTTPS requests to your apex domain reach the CDN which is using a Google CA cert.

More details would be helpful to debug this. Thanks

2 Likes
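The replies above amount to a checklist: test port 80 from outside, make sure every IPv4 and IPv6 address answers the same way, read "connection refused" as "reachable but nothing listening", and remember that a Cloudflare-proxied name is answered by the CDN rather than the origin. The script below is an added example, not code from this thread, from Certbot or from Let's Encrypt. It resolves all A and AAAA records, classifies a TCP connect to port 80 on each address, then requests the challenge path with the correct Host header and flags a CDN edge. The hostname and token are placeholders (the CA chooses the real token), and the connect and HTTP opener are injectable so the logic can be exercised without network access.

```python
"""Pre-flight checks for an HTTP-01 renewal that fails with "connection refused".

Added example, not from the thread, Certbot or Let's Encrypt. Hostname and
token are placeholders; the CA decides the real token during validation.
"""
import socket
import http.client

ACME_PATH = "/.well-known/acme-challenge/"


def resolve_all(host):
    """Every IPv4 and IPv6 address published for host.

    The CA may validate against any of them, so each one must serve the
    challenge. Returned as (family_name, address) pairs, sorted for stable output.
    """
    found = set()
    for family, _type, _proto, _canon, sockaddr in socket.getaddrinfo(
        host, 80, proto=socket.IPPROTO_TCP
    ):
        found.add(("IPv6" if family == socket.AF_INET6 else "IPv4", sockaddr[0]))
    return sorted(found)


def classify_connect(address, port=80, timeout=5.0, connect=socket.create_connection):
    """Classify a TCP connect to address:port.

    "open"        something accepted the connection
    "refused"     the host answered with RST: packets arrive, but no process is
                  listening on that port (check `ss -ltnp` and `nginx -t`)
    "filtered"    no answer at all: typically a firewall or router dropping packets
    "unreachable" no route to that address
    `connect` is injectable so the classification can be tested offline.
    """
    try:
        sock = connect((address, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError:
        return "unreachable"
    sock.close()
    return "open"


def fetch_challenge(host, address, token, timeout=5.0, opener=http.client.HTTPConnection):
    """GET the challenge URL directly from one address, sending Host: host.

    Returns (status, server_header, body_prefix). `opener` is injectable for tests.
    """
    conn = opener(address, 80, timeout=timeout)
    try:
        conn.request("GET", ACME_PATH + token, headers={"Host": host})
        resp = conn.getresponse()
        body = resp.read(256).decode("ascii", errors="replace")
        return resp.status, resp.getheader("Server", "") or "", body
    finally:
        conn.close()


def served_by_cdn(server_header):
    """True when a CDN edge (here: Cloudflare) answered, meaning the CA's
    validation request never reaches the origin directly."""
    return "cloudflare" in server_header.lower()


def diagnose(host, token, resolve=resolve_all, connect=socket.create_connection,
             opener=http.client.HTTPConnection):
    """Run every check against every address; returns {address: verdict}."""
    report = {}
    for family, address in resolve(host):
        state = classify_connect(address, connect=connect)
        if state != "open":
            report[address] = f"{family}: port 80 {state}"
            continue
        status, server, _body = fetch_challenge(host, address, token, opener=opener)
        note = " (answered by CDN, check origin separately)" if served_by_cdn(server) else ""
        report[address] = f"{family}: HTTP {status} from {server or 'unknown server'}{note}"
    return report


if __name__ == "__main__":
    import sys
    name = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder host
    for addr, verdict in diagnose(name, "test-token").items():
        print(f"{addr:40} {verdict}")
```

Run it from a machine outside your own network, since a check from the server itself (like the curl test in the opening post) only proves the local path works. A "refused" verdict on an address means the firewall is not the problem and you should look at what is bound to port 80; a "filtered" one points at a firewall or router; a CDN answer means the origin has to be checked separately, because that is what the CA sees.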