We are getting many, many renewal failures on one of our hosts. Domains that are on the host are getting errors like this:
There is no recorded error on the system for “mail.[domain-removed].com”. This might mean that this domain failed DCV (Domain Control Validation) when the system requested the new certificate, but the domain has since passed DCV.
It's like Let's Encrypt cannot validate anymore. Maybe a firewall IP block.
What IPs does LE use for validation? I'd like to whitelist them in the firewall to see if that helps.
No, they don't. They also recommend keeping port 80 open. See here. And, as an alternative to the HTTP challenge, there is the DNS challenge and TLS-ALPN (more here).
If you want specific help, please answer the questions below as best you can. You would have been shown this form had you posted in the Help section. I moved this thread there now.
========================
Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is:
I ran this command:
It produced this output:
My web server is (include version):
The operating system my web server runs on is (include version):
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know):
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
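Since there is no validation IP range to whitelist, the practical check is whether the HTTP-01 path on port 80 is actually reachable and serves the expected token. The script below is an added example, not part of this thread or of any Let's Encrypt client: it fetches `http://<host>/.well-known/acme-challenge/<token>` and classifies the outcome (served correctly, wrong body, HTTP error, connection refused, timeout), and it ships with a throwaway local server so the classifier can be exercised offline. The hostnames, ports and token values in it are constructed for the demonstration. A clean result from your own network does not reproduce Let's Encrypt's validation, which comes from its own (unpublished) addresses, so a firewall that only admits your vantage point can still fail DCV.

```python
import http.client
import socket
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

CHALLENGE_PATH = "/.well-known/acme-challenge/"


def probe_http01(host, port, token, expected_body, timeout=5.0):
    """GET the HTTP-01 challenge URL and classify the result.

    Returns one of: "ok", "wrong-body", "http-<status>", "connect-refused",
    "timeout" or "error:<message>". Only plain HTTP is used, because that is
    what the CA fetches first; redirects are not followed here on purpose so a
    redirect to a broken HTTPS vhost shows up as an "http-3xx" result.
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", CHALLENGE_PATH + token)
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", "replace").strip()
        if resp.status != 200:
            return f"http-{resp.status}"
        return "ok" if body == expected_body else "wrong-body"
    except ConnectionRefusedError:
        return "connect-refused"
    except socket.timeout:
        return "timeout"
    except (OSError, http.client.HTTPException) as exc:
        return f"error:{exc}"
    finally:
        conn.close()


def serve_challenge(token, body):
    """Start a throwaway local HTTP server that answers only the challenge URL.

    Constructed for the self-test below; it stands in for the real web server.
    Returns (server, port); the OS picks a free port.
    """

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            if self.path == CHALLENGE_PATH + token:
                data = body.encode()
                self.send_response(200)
                self.send_header("Content-Type", "text/plain")
                self.send_header("Content-Length", str(len(data)))
                self.end_headers()
                self.wfile.write(data)
            else:
                self.send_error(404)

        def log_message(self, *args):
            pass  # keep the demo quiet

    server = ThreadingHTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def self_test():
    """Exercise every outcome against the local server; returns a dict of results."""
    server, port = serve_challenge("tok", "tok.keyauth")
    try:
        results = {
            "good": probe_http01("127.0.0.1", port, "tok", "tok.keyauth"),
            "wrong_body": probe_http01("127.0.0.1", port, "tok", "something-else"),
            "missing": probe_http01("127.0.0.1", port, "other", "x"),
        }
    finally:
        server.shutdown()
        server.server_close()
    # Port is closed now, which is what a firewall reject or a stopped vhost looks like.
    results["closed"] = probe_http01("127.0.0.1", port, "tok", "tok.keyauth")
    return results


if __name__ == "__main__":
    import sys

    if len(sys.argv) == 4:
        # Real use: place <token> with <expected body> in the webroot first, then
        # python acme_http01_probe.py mail.example.com <token> <expected-body>
        print(probe_http01(sys.argv[1], 80, sys.argv[2], sys.argv[3]))
    else:
        for name, result in self_test().items():
            print(f"{name}: {result}")
```

Run it from a host outside your own network as well as from the server itself: a result of `connect-refused` or `timeout` from outside but `ok` from the server is the signature of a firewall or port-80 block rather than a web server misconfiguration, and switching that host to the DNS challenge avoids port 80 entirely.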