Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: prsnl-server.com & files.prsnl-server.com (+ www)
I ran this command: certbot renew --dry-run
It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/prsnl-server.com-0001.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for files.prsnl-server.com
http-01 challenge for prsnl-server.com
Using default addresses 80 and [::]:80 ipv6only=on for authentication.
Using default addresses 80 and [::]:80 ipv6only=on for authentication.
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (prsnl-server.com-0001) from /etc/letsencrypt/renewal/prsnl-server.com-0001.conf produced an unexpected error: Failed authorization procedure. prsnl-server.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://prsnl-server.com/.well-known/acme-challenge/aQgEESSbz75sHxSU92van7uiEB5tJCE0JEb7uZXNjOk: Timeout after connect (your server may be slow or overloaded), files.prsnl-server.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://files.prsnl-server.com/.well-known/acme-challenge/k5FCBjEsGBOCwQXP3OSjMpdZI94PvGntjq-0QYZa2Wo: Timeout after connect (your server may be slow or overloaded). Skipping.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/prsnl-server.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for files.prsnl-server.com
http-01 challenge for prsnl-server.com
http-01 challenge for www.files.prsnl-server.com
http-01 challenge for www.prsnl-server.com
Using default addresses 80 and [::]:80 ipv6only=on for authentication.
Using default addresses 80 and [::]:80 ipv6only=on for authentication.
Using default addresses 80 and [::]:80 ipv6only=on for authentication.
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (prsnl-server.com) from /etc/letsencrypt/renewal/prsnl-server.com.conf produced an unexpected error: Failed authorization procedure. files.prsnl-server.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://files.prsnl-server.com/.well-known/acme-challenge/yL5r6WkVRxsDYD-FpaX-AzDU-Xttl6BiJ_P5UvgqQb8: Timeout after connect (your server may be slow or overloaded), www.prsnl-server.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://www.prsnl-server.com/.well-known/acme-challenge/VeSzCY6pbNYXeBl-x4nrtcsZrXJhwDns4rAbWt9cYhs: Timeout after connect (your server may be slow or overloaded), prsnl-server.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://prsnl-server.com/.well-known/acme-challenge/_uvcHTfzq25WnHJDKABcBoaya8fZ1a746DjGQXew6eg: Timeout after connect (your server may be slow or overloaded), www.files.prsnl-server.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://www.files.prsnl-server.com/.well-known/acme-challenge/P3znZYgulNo8D3mlxmgR_STtFMyv3e_3SlvhryORkUU: Timeout after connect (your server may be slow or overloaded). Skipping.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/www.files.prsnl-server.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.files.prsnl-server.com
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (www.files.prsnl-server.com) from /etc/letsencrypt/renewal/www.files.prsnl-server.com.conf produced an unexpected error: Failed authorization procedure. www.files.prsnl-server.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://www.files.prsnl-server.com/.well-known/acme-challenge/wUoMb7anALS_GO1pePv8ASGEi0_N1JsY4ywxv2C_HQc: Timeout after connect (your server may be slow or overloaded). Skipping.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/www.prsnl-server.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.prsnl-server.com
Using default addresses 80 and [::]:80 ipv6only=on for authentication.
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (www.prsnl-server.com) from /etc/letsencrypt/renewal/www.prsnl-server.com.conf produced an unexpected error: Failed authorization procedure. www.prsnl-server.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://www.prsnl-server.com/.well-known/acme-challenge/_jV54H2HuS5MRFo3_7C5_xc85T7PPyJZXK6zHrPLuYU: Timeout after connect (your server may be slow or overloaded). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/prsnl-server.com-0001/fullchain.pem (failure)
/etc/letsencrypt/live/prsnl-server.com/fullchain.pem (failure)
/etc/letsencrypt/live/www.files.prsnl-server.com/fullchain.pem (failure)
/etc/letsencrypt/live/www.prsnl-server.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/prsnl-server.com-0001/fullchain.pem (failure)
/etc/letsencrypt/live/prsnl-server.com/fullchain.pem (failure)
/etc/letsencrypt/live/www.files.prsnl-server.com/fullchain.pem (failure)
/etc/letsencrypt/live/www.prsnl-server.com/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: files.prsnl-server.com
Type: connection
Detail: Fetching
http://files.prsnl-server.com/.well-known/acme-challenge/yL5r6WkVRxsDYD-FpaX-AzDU-Xttl6BiJ_P5UvgqQb8:
Timeout after connect (your server may be slow or overloaded)
Domain: www.prsnl-server.com
Type: connection
Detail: Fetching
http://www.prsnl-server.com/.well-known/acme-challenge/VeSzCY6pbNYXeBl-x4nrtcsZrXJhwDns4rAbWt9cYhs:
Timeout after connect (your server may be slow or overloaded)
Domain: prsnl-server.com
Type: connection
Detail: Fetching
http://prsnl-server.com/.well-known/acme-challenge/_uvcHTfzq25WnHJDKABcBoaya8fZ1a746DjGQXew6eg:
Timeout after connect (your server may be slow or overloaded)
Domain: www.files.prsnl-server.com
Type: connection
Detail: Fetching
http://www.files.prsnl-server.com/.well-known/acme-challenge/P3znZYgulNo8D3mlxmgR_STtFMyv3e_3SlvhryORkUU:
Timeout after connect (your server may be slow or overloaded)
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
- The following errors were reported by the server:
Domain: prsnl-server.com
Type: connection
Detail: Fetching
http://prsnl-server.com/.well-known/acme-challenge/aQgEESSbz75sHxSU92van7uiEB5tJCE0JEb7uZXNjOk:
Timeout after connect (your server may be slow or overloaded)
Domain: files.prsnl-server.com
Type: connection
Detail: Fetching
http://files.prsnl-server.com/.well-known/acme-challenge/k5FCBjEsGBOCwQXP3OSjMpdZI94PvGntjq-0QYZa2Wo:
Timeout after connect (your server may be slow or overloaded)
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
- The following errors were reported by the server:
Domain: www.files.prsnl-server.com
Type: connection
Detail: Fetching
http://www.files.prsnl-server.com/.well-known/acme-challenge/wUoMb7anALS_GO1pePv8ASGEi0_N1JsY4ywxv2C_HQc:
Timeout after connect (your server may be slow or overloaded)
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
- The following errors were reported by the server:
Domain: www.prsnl-server.com
Type: connection
Detail: Fetching
http://www.prsnl-server.com/.well-known/acme-challenge/_jV54H2HuS5MRFo3_7C5_xc85T7PPyJZXK6zHrPLuYU:
Timeout after connect (your server may be slow or overloaded)
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
I have done some research and it seems like port 80 isn’t open, so here is my ufw status:
Status: active
To Action From
-- ------ ----
Nginx HTTP ALLOW Anywhere
OpenSSH ALLOW Anywhere
443/tcp ALLOW Anywhere
5000 ALLOW Anywhere
8200 ALLOW Anywhere
22/tcp ALLOW Anywhere
22 ALLOW Anywhere
Nginx Full ALLOW Anywhere
5001 ALLOW Anywhere
Apache Full ALLOW Anywhere
80 ALLOW Anywhere
80/tcp ALLOW Anywhere
Nginx HTTP (v6) ALLOW Anywhere (v6)
OpenSSH (v6) ALLOW Anywhere (v6)
443/tcp (v6) ALLOW Anywhere (v6)
5000 (v6) ALLOW Anywhere (v6)
8200 (v6) ALLOW Anywhere (v6)
22/tcp (v6) ALLOW Anywhere (v6)
22 (v6) ALLOW Anywhere (v6)
Nginx Full (v6) ALLOW Anywhere (v6)
5001 (v6) ALLOW Anywhere (v6)
Apache Full (v6) ALLOW Anywhere (v6)
80 (v6) ALLOW Anywhere (v6)
80/tcp (v6) ALLOW Anywhere (v6)
Nginx config, I have been trying out a bunch of things here, so problem could be in here:
# HTTP — redirect all traffic to HTTPS
#server {
listen 80;
listen [::]:80;
server_name prsnl-server.com;
return 301 https://$host$request_uri;
#}
# HTTPS — proxy all requests to the Node app
server {
# Enable HTTP/2
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name prsnl-server.com;
# Use the Let’s Encrypt certificates
ssl_certificate /etc/letsencrypt/live/prsnl-server.com-0001/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/prsnl-server.com-0001/privkey.pem; # managed by Certbot
# Include the SSL configuration from cipherli.st
include snippets/ssl-params.conf;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-NginX-Proxy true;
proxy_ssl_session_reuse off;
proxy_set_header Host $http_host;
proxy_cache_bypass $http_upgrade;
proxy_redirect off;
# proxy_pass http://my_http_servers;
proxy_pass http://localhost:5000;
# proxy_set_header Upgrade $http_upgrade;
# proxy_set_header Connection "upgrade";
# proxy_http_version 1.1;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header Host $host;
}
}
# HTTPS — proxy all requests to the Node app
server {
# Enable HTTP/2
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name www.prsnl-server.com;
# Use the Let’s Encrypt certificates
ssl_certificate /etc/letsencrypt/live/www.prsnl-server.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/www.prsnl-server.com/privkey.pem; # managed by Certbot
# Include the SSL configuration from cipherli.st
include snippets/ssl-params.conf;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-NginX-Proxy true;
proxy_ssl_session_reuse off;
proxy_set_header Host $http_host;
proxy_cache_bypass $http_upgrade;
proxy_redirect off;
# proxy_pass http://my_http_servers;
proxy_pass http://localhost:5000;
# proxy_set_header Upgrade $http_upgrade;
# proxy_set_header Connection "upgrade";
# proxy_http_version 1.1;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header Host $host;
}
}
server {
server_name files.prsnl-server.com;
location / {
proxy_pass https://prsnl.ams3.cdn.digitaloceanspaces.com/;
proxy_hide_header Strict-Transport-Security;
proxy_cache example-cache;
proxy_cache_valid 200 1440m;
proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
proxy_cache_revalidate on;
proxy_cache_lock on;
proxy_ignore_headers Set-Cookie;
add_header X-Cache-Status $upstream_cache_status;
}
listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/prsnl-server.com-0001/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/prsnl-server.com-0001/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
server_name www.files.prsnl-server.com;
location / {
proxy_pass https://prsnl.ams3.cdn.digitaloceanspaces.com/;
proxy_hide_header Strict-Transport-Security;
proxy_cache example-cache;
proxy_cache_valid 200 1440m;
proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
proxy_cache_revalidate on;
proxy_cache_lock on;
proxy_ignore_headers Set-Cookie;
add_header X-Cache-Status $upstream_cache_status;
}
listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/www.files.prsnl-server.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/www.files.prsnl-server.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
My web server is (include version): nginx/1.14.0 (Ubuntu)
The operating system my web server runs on is (include version): Ubuntu 18.04.3 (LTS) x64
My hosting provider, if applicable, is: DigitalOcean
I can login to a root shell on my machine (yes or no, or I don’t know): yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no, DigitalOcean control panel, but that’s it.
The version of my client is (e.g. output of certbot --version
or certbot-auto --version
if you’re using Certbot): certbot 0.31.0