Sudden problem, please help, I am still learning

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: super.org.za

I ran this command: I have not run any commands

It produced this output:
Docker logs for NGINX Proxy Manager:
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/letsencrypt-log/letsencrypt.log or re-run Certbot with -v for more details.
[2/18/2025] [3:50:28 AM] [Global ] › ⬤ debug CMD: certbot renew --force-renewal --config '/etc/letsencrypt.ini' --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name 'npm-23' --preferred-challenges "dns,http" --no-random-sleep-on-renew --disable-hook-validation

My web server is (include version): NGINX Proxy Manager v2.12.3

The operating system my web server runs on is (include version): Docker on Ubuntu 24

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 3.0.1

I woke up this morning with all of my services down. Before work I quickly tried to troubleshoot, but all I could find was that my NGINX Proxy Manager Docker container is giving an error, advising me to seek help here.

I have lots of services running, but do not know a whole lot about certificates and DNS, just what I've been told in tutorials, etc, so I am still learning. I know I have a wildcard certificate at *.super.org.za

I am not sure how to even search for this error, but here are the logs:
[2/18/2025] [10:00:37 AM] [SSL ] › :information_source: info Renewing Let'sEncrypt certificates for Cert #89: links.super.org.za

[2/18/2025] [10:00:37 AM] [SSL ] › :information_source: info Command: certbot renew --force-renewal --config '/etc/letsencrypt.ini' --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name 'npm-89' --preferred-challenges "dns,http" --no-random-sleep-on-renew --disable-hook-validation

[2/18/2025] [10:00:37 AM] [Global ] › ⬤ debug CMD: certbot renew --force-renewal --config '/etc/letsencrypt.ini' --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name 'npm-89' --preferred-challenges "dns,http" --no-random-sleep-on-renew --disable-hook-validation

[2/18/2025] [10:00:51 AM] [SSL ] › :heavy_multiplication_x: error Saving debug log to /tmp/letsencrypt-log/letsencrypt.log

Failed to renew certificate npm-89 with error: Some challenges have failed.

All renewals failed. The following certificates could not be renewed:

/etc/letsencrypt/live/npm-89/fullchain.pem (failure)

1 renew failure(s), 0 parse failure(s)

Here are the logs at /tmp/letsencrypt.log: (Don't know how much of it I must paste here?)
Server: nginx
Date: Tue, 18 Feb 2025 10:00:51 GMT
Content-Type: application/json
Content-Length: 1075
Connection: keep-alive
Boulder-Requester: 1178563627
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
Replay-Nonce: KDHPPURR-gT_qeEUSlRzkGeJ7P7sqV_c82PFW5ygaOUV5WSebqw
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"identifier": {
"type": "dns",
"value": "links.super.org.za"
},
"status": "invalid",
"expires": "2025-02-25T10:00:39Z",
"challenges": [
{
"type": "http-01",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall/1178563627/477785210065/ZqHCDg",
"status": "invalid",
"validated": "2025-02-18T10:00:40Z",
"error": {
"type": "urn:ietf:params:acme:error:connection",
"detail": "45.220.25.30: Fetching http://links.super.org.za/.well-known/acme-challenge/dDfHgsVYMd4KBbrtwQJ6XZzcC3c-cjRfimvfOgtmDxU: Timeout during connect (likely firewall problem)",
"status": 400
},
"token": "dDfHgsVYMd4KBbrtwQJ6XZzcC3c-cjRfimvfOgtmDxU",
"validationRecord": [
{
"url": "http://links.super.org.za/.well-known/acme-challenge/dDfHgsVYMd4KBbrtwQJ6XZzcC3c-cjRfimvfOgtmDxU",
"hostname": "links.super.org.za",
"port": "80",
"addressesResolved": [
"45.220.25.30"
],
"addressUsed": "45.220.25.30"
}
]
}
]
}
2025-02-18 10:00:51,338:DEBUG:acme.client:Storing nonce: KDHPPURR-gT_qeEUSlRzkGeJ7P7sqV_c82PFW5ygaOUV5WSebqw
2025-02-18 10:00:51,338:INFO:certbot._internal.auth_handler:Challenge failed for domain links.super.org.za
2025-02-18 10:00:51,339:INFO:certbot._internal.auth_handler:http-01 challenge for links.super.org.za
2025-02-18 10:00:51,339:DEBUG:certbot._internal.display.obj:Notifying user:
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: links.super.org.za
Type: connection
Detail: 45.220.25.30: Fetching http://links.super.org.za/.well-known/acme-challenge/dDfHgsVYMd4KBbrtwQJ6XZzcC3c-cjRfimvfOgtmDxU: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

2025-02-18 10:00:51,339:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/auth_handler.py", line 108, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/auth_handler.py", line 212, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2025-02-18 10:00:51,339:DEBUG:certbot._internal.error_handler:Calling registered functions
2025-02-18 10:00:51,340:INFO:certbot._internal.auth_handler:Cleaning up challenges
2025-02-18 10:00:51,340:DEBUG:certbot._internal.plugins.webroot:Removing /data/letsencrypt-acme-challenge/.well-known/acme-challenge/dDfHgsVYMd4KBbrtwQJ6XZzcC3c-cjRfimvfOgtmDxU
2025-02-18 10:00:51,340:DEBUG:certbot._internal.plugins.webroot:All challenges cleaned up
2025-02-18 10:00:51,340:ERROR:certbot._internal.renewal:Failed to renew certificate npm-89 with error: Some challenges have failed.
2025-02-18 10:00:51,342:DEBUG:certbot._internal.renewal:Traceback was:
Traceback (most recent call last):
File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/renewal.py", line 540, in handle_renewal_request
main.renew_cert(lineage_config, plugins, renewal_candidate)
File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/main.py", line 1528, in renew_cert
renewed_lineage = _get_and_save_cert(le_client, config, lineage=lineage)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/main.py", line 130, in _get_and_save_cert
renewal.renew_cert(config, domains, le_client, lineage)
File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/renewal.py", line 399, in renew_cert
new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/client.py", line 428, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/client.py", line 496, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/auth_handler.py", line 108, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/auth_handler.py", line 212, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2025-02-18 10:00:51,344:DEBUG:certbot._internal.display.obj:Notifying user:


2025-02-18 10:00:51,344:ERROR:certbot._internal.renewal:All renewals failed. The following certificates could not be renewed:
2025-02-18 10:00:51,344:ERROR:certbot._internal.renewal: /etc/letsencrypt/live/npm-89/fullchain.pem (failure)
2025-02-18 10:00:51,344:DEBUG:certbot._internal.display.obj:Notifying user: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2025-02-18 10:00:51,344:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
File "/opt/certbot/bin/certbot", line 8, in
sys.exit(main())
^^^^^^
File "/opt/certbot/lib/python3.11/site-packages/certbot/main.py", line 19, in main
return internal_main.main(cli_args)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/main.py", line 1876, in main
return config.func(config, plugins)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/main.py", line 1620, in renew
renewed_domains, failed_domains = renewal.handle_renewal_request(config)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/renewal.py", line 568, in handle_renewal_request
raise errors.Error(
certbot.errors.Error: 1 renew failure(s), 0 parse failure(s)
2025-02-18 10:00:51,345:ERROR:certbot._internal.log:1 renew failure(s), 0 parse failure(s)

It's most likely a problem with your firewall preventing HTTP (TCP port 80) requests from reaching your server. If this was previously working check that you haven't closed port 80 on your firewall or router and that it's still forwarding to the right machine IP address internally.

3 Likes

Thank you so much for your reply.

I just double-checked the firewall settings of the NPM server. It does allow 80 and 443, and my router's forwarding settings and IPs are all correct. Anything else that you can suggest?

After running certbot -v, the log file reads:
2025-02-18 11:24:18,624:DEBUG:certbot._internal.main:certbot version: 3.0.1
2025-02-18 11:24:18,625:DEBUG:certbot._internal.main:Location of certbot entry point: /opt/certbot/bin/certbot
2025-02-18 11:24:18,625:DEBUG:certbot._internal.main:Arguments: ['-v']
2025-02-18 11:24:18,625:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#dns-cloudflare,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2025-02-18 11:24:18,637:DEBUG:certbot._internal.log:Root logging level set at 20
2025-02-18 11:24:18,638:DEBUG:certbot._internal.plugins.selection:Requested authenticator None and installer None
2025-02-18 11:24:18,638:DEBUG:certbot._internal.plugins.selection:No candidate plugin

Don't know if any of that would make a difference?

You also need to check the firewall settings on your router. If traffic doesn't pass there, your server settings won't have any effect.

4 Likes

Thank you for replying.

I checked that too. I get through to my other servers from outside, so the router settings are all correct.

I really appreciate your response.

Darius

1 Like

Try testing from letsdebug.net. It was unable to connect to any of the hostnames I tried.

6 Likes

Hi, I'm sorry I disappeared; I had a crisis elsewhere too, but I have some time again to work on my servers. Please could you explain what I should do if letsdebug.net gave me the following reply:

ANotWorking

Error

ai.super.org.za has an A (IPv4) record (45.220.25.30) but a request to this address over port 80 did not succeed. Your web server must have at least one working IPv4 or IPv6 address.

A timeout was experienced while communicating with ai.super.org.za/45.220.25.30: Get "http://ai.super.org.za/.well-known/acme-challenge/letsdebug-test": dial tcp 45.220.25.30:80: i/o timeout

Trace:
@0ms: Making a request to http://ai.super.org.za/.well-known/acme-challenge/letsdebug-test (using initial IP 45.220.25.30)
@0ms: Dialing 45.220.25.30
@10000ms: Experienced error: dial tcp 45.220.25.30:80: i/o timeout

IssueFromLetsEncrypt

Error

A test authorization for ai.super.org.za to the Let's Encrypt staging service has revealed issues that may prevent any certificate for this domain being issued.

45.220.25.30: Fetching http://ai.super.org.za/.well-known/acme-challenge/UliysMRcURW4E2qI1cAm6CDstuCUYfQpWP2gz4lYt_U: Timeout during connect (likely firewall problem)

If the problem is network related and firewall related, and I have checked the firewall on my router, on my server, where else should I look for problems? Can this be from my ISP perhaps blocking ports on my network?

Thanks
Darius

I mean maybe. Your system looks inaccessible from everywhere. Your issue really isn't with getting a certificate, it's with getting a working website. Do that first, and then getting a certificate should be straightforward.

4 Likes

Thank you so much.. I will call my ISP to check with them first if something changed recently...

It turns out my ISP did change my static IP address without telling me and caused all of these problems... Thanks to everyone who helped!

3 Likes

For future reference, you can find your public IP with these:

https://icanhazip.com/
https://ipv4.icanhazip.com/
https://ipv6.icanhazip.com/

4 Likes
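The root cause in this thread (the A record still pointing at an address the ISP had reassigned) can be caught by comparing the address the CA dialed, or the live DNS answer, with the current public IP. The script below is an added example, not part of the original posts; the function names and the `--check` flag are hypothetical, and `203.0.113.7` in the comments is a constructed documentation address, not the poster's real new IP.

```shell
#!/bin/sh
# Added example: detect DNS drift (A record no longer matches the WAN address).

# Extract the IPv4 address the CA dialed from a certbot "Detail:" log line.
ca_ip_from_detail() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*Detail:[[:space:]]*\([0-9][0-9.]*\):[[:space:]].*/\1/p'
}

# compare_ips PUBLIC_IP "A_RECORDS"   (records separated by whitespace)
# Prints a verdict; returns 0 on match, 1 on drift, 2 if either input is empty.
compare_ips() {
    public=$1
    records=$2
    if [ -z "$public" ] || [ -z "$records" ]; then
        echo "unknown: missing public IP or A record"
        return 2
    fi
    for r in $records; do
        if [ "$r" = "$public" ]; then
            echo "ok: A record $r matches public IP"
            return 0
        fi
    done
    echo "drift: DNS has $(echo $records | tr ' ' ',') but public IP is $public"
    return 1
}

# Live check, run from the server behind the router:
#   sh dns_drift.sh --check links.super.org.za
# e.g. "drift: DNS has 45.220.25.30 but public IP is 203.0.113.7" (constructed)
if [ "${1:-}" = "--check" ] && [ -n "${2:-}" ]; then
    # icanhazip reports the address this connection appears to come from.
    public=$(curl -4 -s --max-time 10 https://ipv4.icanhazip.com/)
    # Keep only IPv4 answers; dig +short may also print CNAME targets.
    records=$(dig +short A "$2" | grep -E '^[0-9.]+$')
    compare_ips "$public" "$records"
fi
```

A "drift" verdict means every inbound connection, including the http-01 validation request, is being sent to an address that no longer reaches the router, which shows up at the CA as "Timeout during connect".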

Thank you so much

2 Likes
