Sudo certbot renew failed

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: inet.bbs-ahaus.de

I ran this command: sudo certbot renew

It produced this output:

sudo certbot renew
[sudo] password for edv:
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/inet.bbs-ahaus.de.conf


Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for inet.bbs-ahaus.de
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (inet.bbs-ahaus.de) from /etc/letsencrypt/renewal/inet.bbs-ahaus.de.conf produced an unexpected error: Failed authorization procedure. inet.bbs-ahaus.de (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://inet.bbs-ahaus.de/.well-known/acme-challenge/gCnd7apZgaW9DX0N1h2Bf5_OOJEI6ww8o_VLSEIH3Nk: Timeout after connect (your server may be slow or overloaded). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/inet.bbs-ahaus.de/fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/inet.bbs-ahaus.de/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: inet.bbs-ahaus.de
    Type: connection
    Detail: Fetching
    http://inet.bbs-ahaus.de/.well-known/acme-challenge/gCnd7apZgaW9DX0N1h2Bf5_OOJEI6ww8o_VLSEIH3Nk:
    Timeout after connect (your server may be slow or overloaded)

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you're using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

My web server is (include version): Apache/2.4.29 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 18.04.6 LTS

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.31.0

Thanks for any suggestions


Did you make some edits to your virtualhosts recently?

Please show us.


Welcome to the community @EDV

Something is blocking the Let's Encrypt server from making its HTTP challenge request to your server. HTTP requests to your domain "index" page work fine and redirect to https. But, requests of the kind used by LE challenge timeout

curl -I -m10 http://inet.bbs-ahaus.de/.well-known/acme-challenge/ChallengeFile
curl: (28) Operation timed out after 10000 milliseconds with 0 bytes received

You must process challenge requests for http on port 80. You can redirect them but it starts there.

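To make the previous reply concrete, here is an added example (it is not code from the thread, from certbot or from Let's Encrypt) that emulates what the CA-side validator does for an HTTP-01 challenge: it fetches http://<domain>/.well-known/acme-challenge/<token> over plain HTTP, follows a redirect if one is returned, and only accepts the response if the body is exactly the key authorization "<token>.<account-key thumbprint>" (RFC 8555 section 8.1, thumbprint per RFC 7638). A small loopback HTTP server plays the site under test; the account key, tokens and the four scenarios (correct body, redirect to a reachable URL, wrong body, no file, and a handler that accepts the connection but never answers) are all constructed for the demo. The last case is the shape of failure reported above: the TCP connect succeeds, so certbot reports a "connection"-type timeout rather than a 404.

```python
"""Offline emulation of an ACME HTTP-01 validation fetch (added example)."""
import base64
import hashlib
import json
import threading
import time
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"

# Constructed demo account key (NOT a real key). Only the public JWK members
# enter the thumbprint, so arbitrary base64url strings are enough here.
DEMO_JWK = {"kty": "EC", "crv": "P-256", "x": "ZGVtby14", "y": "ZGVtby15"}


def b64url(data: bytes) -> str:
    """base64url without padding, as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only,
    lexicographically ordered, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """The exact body the validator expects at the challenge URL."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def make_handler(responses: dict):
    """Loopback stand-in for the site under test. `responses` maps a path to
    ("body", text) | ("redirect", location) | ("slow", seconds)."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            entry = responses.get(self.path)
            if entry is None:
                self.send_response(404)
                self.end_headers()
                return
            kind, value = entry
            if kind == "slow":
                time.sleep(value)  # connection accepted, nothing ever sent
                return
            if kind == "redirect":
                self.send_response(301)
                self.send_header("Location", value)
                self.end_headers()
                return
            data = value.encode("utf-8")
            self.send_response(200)
            self.send_header("Content-Type", "application/octet-stream")
            self.send_header("Content-Length", str(len(data)))
            self.end_headers()
            self.wfile.write(data)

        def log_message(self, *args):  # keep the demo quiet
            pass
    return Handler


def probe(base_url: str, token: str, jwk: dict, timeout: float = 2.0) -> str:
    """Fetch the challenge URL the way a validator does and classify the result
    into the same error families certbot prints: valid / unauthorized / connection."""
    req = urllib.request.Request(base_url + CHALLENGE_PREFIX + token,
                                 headers={"User-Agent": "demo-acme-validator/0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:  # follows 301/302
            body = resp.read().decode("utf-8", "replace").strip()
    except urllib.error.HTTPError as err:            # 4xx/5xx answered by the server
        return f"unauthorized: HTTP {err.code}"
    except OSError as err:                           # URLError, timeout, reset, refused
        return f"connection: {getattr(err, 'reason', err)}"
    return "valid" if body == key_authorization(token, jwk) else "unauthorized: body mismatch"


def run_demo(timeout: float = 1.0) -> dict:
    """Serve the constructed scenarios on 127.0.0.1 and probe each token."""
    responses = {
        CHALLENGE_PREFIX + "tok-good": ("body", key_authorization("tok-good", DEMO_JWK)),
        CHALLENGE_PREFIX + "tok-redirect": ("redirect", "/challenges/tok-redirect"),
        "/challenges/tok-redirect": ("body", key_authorization("tok-redirect", DEMO_JWK)),
        CHALLENGE_PREFIX + "tok-wrong": ("body", "tok-wrong.not-the-thumbprint"),
        CHALLENGE_PREFIX + "tok-hung": ("slow", timeout * 3),
    }
    srv = ThreadingHTTPServer(("127.0.0.1", 0), make_handler(responses))
    srv.block_on_close = False  # do not wait for the deliberately hung handler
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{srv.server_address[1]}"
    try:
        return {t: probe(base, t, DEMO_JWK, timeout)
                for t in ("tok-good", "tok-redirect", "tok-wrong", "tok-missing", "tok-hung")}
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for token, result in run_demo().items():
        print(f"{token:13s} -> {result}")
```

Running it prints one classification per token. Note that the redirect case is accepted: the validator follows the 301 and checks the body at the final URL, which is why the port-80 redirect in this thread is not by itself the problem, while the "hung" case never yields a body at all.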

Hi, no, no changes were made. The last extension had also worked without problems.
Do you mean this under /etc/apache2/sites-available?

000-default-le-ssl.conf

<IfModule mod_ssl.c>
<VirtualHost *:443>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#ServerName www.example.com

ServerAdmin webmaster@localhost
DocumentRoot /var/www/html

# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf

ServerName inet.bbs-ahaus.de
SSLCertificateFile /etc/letsencrypt/live/inet.bbs-ahaus.de/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/inet.bbs-ahaus.de/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

and 000-default.conf

<VirtualHost *:80>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#ServerName www.example.com

ServerAdmin webmaster@localhost
DocumentRoot /var/www/html

# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf

RewriteEngine on
RewriteCond %{SERVER_NAME} =inet.bbs-ahaus.de
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
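As an added example (not from the thread and not certbot's generated config), here is the port-80 vhost above with one extra RewriteCond so that requests for the ACME challenge path are answered directly on plain HTTP instead of being redirected. Validators follow redirects, so the redirect is not by itself what fails in this thread, but exempting the path means an HTTP-01 check no longer depends on the 443 vhost, its certificate, or anything served only over HTTPS. Host name and DocumentRoot are taken from the posted file; the comment blocks are dropped for brevity.

```apache
<VirtualHost *:80>
    ServerName inet.bbs-ahaus.de
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # Let HTTP-01 requests through on plain HTTP: the redirect below only
    # fires when the request is NOT for the ACME challenge path.
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =inet.bbs-ahaus.de
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
```

After `apachectl configtest` and a reload, `curl -i http://inet.bbs-ahaus.de/.well-known/acme-challenge/test` run on the box should return a plain Apache 404 instead of the 301 shown later in this thread; during a real renewal the apache authenticator answers the actual token URLs itself. This does not address a middlebox that swallows the path before it reaches Apache, which is what the external probes further down point at.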

Hey, thanks. Actually no firewall should hinder the connection. The last extension had also worked under the same settings. But I have another server that outputs the same error, so it could be that the error is to be found there. The only question is where :slight_smile:


Something is misbehaving. Check the output of

grep -ir acme /etc/apache2


:thinking: The command does nothing.

Empty output. That's informative.

Try sudo ss -tlpn | grep 80


LISTEN 0 80 127.0.0.1:3306 0.0.0.0:* users:(("mysqld",pid=1333,fd=35))
LISTEN 0 511 *:80 *:* users:(("apache2",pid=2818,fd=4),("apache2",pid=2817,fd=4),("apache2",pid=2816,fd=4),("apache2",pid=2815,fd=4),("apache2",pid=2814,fd=4),("apache2",pid=1308,fd=4))

So it's actually Apache.

Tell me what happens with

curl --resolve inet.bbs-ahaus.de:80:127.0.0.1 -i http://inet.bbs-ahaus.de/.well-known/acme-challenge/test

and

curl -i http://inet.bbs-ahaus.de/.well-known/acme-challenge/test


Yes it is.

HTTP/1.1 301 Moved Permanently
Date: Thu, 14 Apr 2022 12:23:01 GMT
Server: Apache/2.4.29 (Ubuntu)
Location: https://inet.bbs-ahaus.de/.well-known/acme-challenge/test
Content-Length: 348
Content-Type: text/html; charset=iso-8859-1

301 Moved Permanently

Moved Permanently

The document has moved here.


Apache/2.4.29 (Ubuntu) Server at inet.bbs-ahaus.de Port 80

and

Date: Thu, 14 Apr 2022 12:24:00 GMT
Server: Apache/2.4.29 (Ubuntu)
Location: https://inet.bbs-ahaus.de/.well-known/acme-challenge/test
Content-Length: 348
Content-Type: text/html; charset=iso-8859-1

301 Moved Permanently

Moved Permanently

The document has moved here.


Apache/2.4.29 (Ubuntu) Server at inet.bbs-ahaus.de Port 80

Then the error speaks the truth. Your server is indeed taking too much time to respond.

Is it overloaded?


This is really weird the server is not busy at all. Is it possible to somehow get banned on Lets encrypt or something? I have no idea why it doesn't work anymore either.

If you were banned, you'd see another error (429 or just a timeout). This is something interfering with requests from LE to you. So, maybe your ISP is playing dirty.


I agree. @EDV you should ask your ISP if they are blocking port 80. Some ISPs do that.

I can reach your site fine with HTTPS (port 443) but not with HTTP (port 80)

curl -I -m10 http://inet.bbs-ahaus.de/.well-known/acme-challenge/ChallengeFile
curl: (28) Operation timed out after 10001 milliseconds with 0 bytes received

curl -I -m10 https://inet.bbs-ahaus.de/.well-known/acme-challenge/ChallengeFile
HTTP/1.1 404 Not Found
Date: Thu, 14 Apr 2022 12:50:19 GMT
Server: Apache/2.4.29 (Ubuntu)
Content-Type: text/html; charset=iso-8859-1

That could be theoretical. The ISP currently has a few problems here. The internet is sometimes there and sometimes gone. But the internet is currently stable and the error keeps coming, and that was the case yesterday. In addition, the website can also be reached; only Let's Encrypt has problems.

It looks like the story of the firewall from Michigan, but this time we actually get a 502 error (who the hell is issuing that error? @EDV check /var/log/apache2/error.log maybe?)

% curl -I -m10 http://inet.bbs-ahaus.de/.well-known/acme-challenge
HTTP/1.1 301 Moved Permanently
Date: Thu, 14 Apr 2022 12:56:26 GMT
Server: Apache/2.4.29 (Ubuntu)
Location: https://inet.bbs-ahaus.de/.well-known/acme-challenge
Content-Type: text/html; charset=iso-8859-1
Connection: keep-alive

% curl -I -m10 http://inet.bbs-ahaus.de/.well-known/acme-challenge
HTTP/1.1 301 Moved Permanently
Date: Thu, 14 Apr 2022 12:56:29 GMT
Server: Apache/2.4.29 (Ubuntu)
Location: https://inet.bbs-ahaus.de/.well-known/acme-challenge
Content-Type: text/html; charset=iso-8859-1
Connection: keep-alive

% curl -I -m10 http://inet.bbs-ahaus.de/.well-known/acme-challenge/
HTTP/1.1 502 Connection timed out
Date: Thu, 14 Apr 2022 12:56:41 GMT
Connection: close
Cache-Control: no-store
Content-Type: text/html
Content-Language: en
Content-Length: 219

% curl -I -m10 http://inet.bbs-ahaus.de/.well-known/acme-challenge/
HTTP/1.1 502 Connection timed out
Date: Thu, 14 Apr 2022 12:56:50 GMT
Connection: close
Cache-Control: no-store
Content-Type: text/html
Content-Language: en
Content-Length: 219

%

Yeah, I was just going to add to my post that "index page" requests reached fine so not ISP.

I don't get a 502 but that can happen when a proxy fails. But, I don't get a 502 just a normal curl timeout even with 120s timeout.

Maybe the hosting site is blocking inbound requests to that path?

@EDV We are making curl requests to your site. Let's Encrypt is not involved. We are using a URL path like LE would but any path to your site should give some response. It is just this certain path that does not respond right.


It almost looks like this. The website works without any problems; only when calling the command certbot renew is there a timeout.
Actually, it can almost only be the firewall or the ISP, because another server shows the same error.

Maybe it is the firewall. The logs /var/log/apache2/error.log look like that:

[Wed Apr 13 06:25:01.430562 2022] [mpm_prefork:notice] [pid 106026] AH00163: Apache/2.4.29 (Ubuntu) OpenSSL/1.1.1 configured -- resuming normal operations
[Wed Apr 13 06:25:01.430575 2022] [core:notice] [pid 106026] AH00094: Command line: '/usr/sbin/apache2'
[Wed Apr 13 06:58:15.017856 2022] [mpm_prefork:notice] [pid 106026] AH00171: Graceful restart requested, doing restart
[Wed Apr 13 06:58:15.053405 2022] [mpm_prefork:notice] [pid 106026] AH00163: Apache/2.4.29 (Ubuntu) OpenSSL/1.1.1 configured -- resuming normal operations
[Wed Apr 13 06:58:15.053416 2022] [core:notice] [pid 106026] AH00094: Command line: '/usr/sbin/apache2'
[Wed Apr 13 06:59:50.079824 2022] [mpm_prefork:notice] [pid 106026] AH00171: Graceful restart requested, doing restart
[Wed Apr 13 06:59:50.109109 2022] [mpm_prefork:notice] [pid 106026] AH00163: Apache/2.4.29 (Ubuntu) OpenSSL/1.1.1 configured -- resuming normal operations
[Wed Apr 13 06:59:50.109121 2022] [core:notice] [pid 106026] AH00094: Command line: '/usr/sbin/apache2'
[Wed Apr 13 07:07:54.550139 2022] [mpm_prefork:notice] [pid 106026] AH00169: caught SIGTERM, shutting down
[Wed Apr 13 07:08:11.230219 2022] [mpm_prefork:notice] [pid 1292] AH00163: Apache/2.4.29 (Ubuntu) OpenSSL/1.1.1 configured -- resuming normal operations
[Wed Apr 13 07:08:11.232310 2022] [core:notice] [pid 1292] AH00094: Command line: '/usr/sbin/apache2'
[Wed Apr 13 07:08:39.156816 2022] [mpm_prefork:notice] [pid 1292] AH00171: Graceful restart requested, doing restart
[Wed Apr 13 07:08:39.270117 2022] [mpm_prefork:notice] [pid 1292] AH00163: Apache/2.4.29 (Ubuntu) OpenSSL/1.1.1 configured -- resuming normal operations
[Wed Apr 13 07:08:39.270129 2022] [core:notice] [pid 1292] AH00094: Command line: '/usr/sbin/apache2'
[Wed Apr 13 07:10:14.106822 2022] [mpm_prefork:notice] [pid 1292] AH00171: Graceful restart requested, doing restart
[Wed Apr 13 07:10:14.133349 2022] [mpm_prefork:notice] [pid 1292] AH00163: Apache/2.4.29 (Ubuntu) OpenSSL/1.1.1 configured -- resuming normal operations
[Wed Apr 13 07:10:14.133360 2022] [core:notice] [pid 1292] AH00094: Command line: '/usr/sbin/apache2'
[Thu Apr 14 11:28:57.120620 2022] [mpm_prefork:notice] [pid 1308] AH00163: Apache/2.4.29 (Ubuntu) OpenSSL/1.1.1 configured -- resuming normal operations
[Thu Apr 14 11:28:57.123634 2022] [core:notice] [pid 1308] AH00094: Command line: '/usr/sbin/apache2'
[Thu Apr 14 11:30:00.137235 2022] [mpm_prefork:notice] [pid 1308] AH00171: Graceful restart requested, doing restart
[Thu Apr 14 11:30:00.173431 2022] [mpm_prefork:notice] [pid 1308] AH00163: Apache/2.4.29 (Ubuntu) OpenSSL/1.1.1 configured -- resuming normal operations
[Thu Apr 14 11:30:00.173444 2022] [core:notice] [pid 1308] AH00094: Command line: '/usr/sbin/apache2'
[Thu Apr 14 11:31:35.468925 2022] [mpm_prefork:notice] [pid 1308] AH00171: Graceful restart requested, doing restart
[Thu Apr 14 11:31:35.506033 2022] [mpm_prefork:notice] [pid 1308] AH00163: Apache/2.4.29 (Ubuntu) OpenSSL/1.1.1 configured -- resuming normal operations
[Thu Apr 14 11:31:35.506046 2022] [core:notice] [pid 1308] AH00094: Command line: '/usr/sbin/apache2'
[Thu Apr 14 12:47:33.596834 2022] [mpm_prefork:notice] [pid 1308] AH00171: Graceful restart requested, doing restart
[Thu Apr 14 12:47:33.637631 2022] [mpm_prefork:notice] [pid 1308] AH00163: Apache/2.4.29 (Ubuntu) OpenSSL/1.1.1 configured -- resuming normal operations
[Thu Apr 14 12:47:33.637643 2022] [core:notice] [pid 1308] AH00094: Command line: '/usr/sbin/apache2'
[Thu Apr 14 12:49:08.528482 2022] [mpm_prefork:notice] [pid 1308] AH00171: Graceful restart requested, doing restart
[Thu Apr 14 12:49:08.563343 2022] [mpm_prefork:notice] [pid 1308] AH00163: Apache/2.4.29 (Ubuntu) OpenSSL/1.1.1 configured -- resuming normal operations
[Thu Apr 14 12:49:08.563354 2022] [core:notice] [pid 1308] AH00094: Command line: '/usr/sbin/apache2'