Timeout after connect (your server may be slow or overloaded)

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: prsnl-server.com & files.prsnl-server.com

I ran this command: certbot renew

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/prsnl-server.com-0001.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for files.prsnl-server.com
http-01 challenge for prsnl-server.com
Using default addresses 80 and [::]:80 ipv6only=on for authentication.
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (prsnl-server.com-0001) from /etc/letsencrypt/renewal/prsnl-server.com-0001.conf produced an unexpected error: Failed authorization procedure. files.prsnl-server.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://files.prsnl-server.com/.well-known/acme-challenge/m5empZraz3YGUoVS_3_Q72UquP4P4GdbsTd51DH0vsM: Timeout after connect (your server may be slow or overloaded), prsnl-server.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://prsnl-server.com/.well-known/acme-challenge/yUF_tG-WDn0Lecz9CnBnIxkAPoNRRvDlv6SziU6BGKI: Timeout after connect (your server may be slow or overloaded). Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/prsnl-server.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for files.prsnl-server.com
http-01 challenge for prsnl-server.com
http-01 challenge for www.files.prsnl-server.com
http-01 challenge for www.prsnl-server.com
Using default addresses 80 and [::]:80 ipv6only=on for authentication.
Using default addresses 80 and [::]:80 ipv6only=on for authentication.
Using default addresses 80 and [::]:80 ipv6only=on for authentication.
Waiting for verification...
^CCleaning up challenges
Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
load_entry_point('certbot==0.31.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1365, in main
return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1272, in renew
renewal.handle_renewal_request(config)
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 452, in handle_renewal_request
main.renew_cert(lineage_config, plugins, renewal_candidate)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1193, in renew_cert
renewed_lineage = _get_and_save_cert(le_client, config, lineage=lineage)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 116, in _get_and_save_cert
renewal.renew_cert(config, domains, le_client, lineage)
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 310, in renew_cert
new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 353, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 389, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 82, in handle_authorizations
self._respond(aauthzrs, resp, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 168, in _respond
self._poll_challenges(aauthzrs, chall_update, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 215, in _poll_challenges
time.sleep(min_sleep)
KeyboardInterrupt
Please see the logfiles in /var/log/letsencrypt for more details.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: files.prsnl-server.com
   Type:   connection
   Detail: Fetching
   http://files.prsnl-server.com/.well-known/acme-challenge/m5empZraz3YGUoVS_3_Q72UquP4P4GdbsTd51DH0vsM:
   Timeout after connect (your server may be slow or overloaded)

   Domain: prsnl-server.com
   Type:   connection
   Detail: Fetching
   http://prsnl-server.com/.well-known/acme-challenge/yUF_tG-WDn0Lecz9CnBnIxkAPoNRRvDlv6SziU6BGKI:
   Timeout after connect (your server may be slow or overloaded)

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

My web server is (include version): nginx/1.14.0 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 18.04.3 (LTS) x64

My hosting provider, if applicable, is: DigitalOcean

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.31.0

HTTP is redirecting to HTTPS.
But HTTPS seems to require authentication - which would break the auth request.
You should exclude the /.well-known/acme-challenge/ requests from the redirection.
For nginx you can use something simple like:

  #skip challenge requests and
  # "~" makes this a regex match; without it nginx treats the pattern as a literal prefix
  location ~ ^/(?!\.well-known) {
    #send all other requests to HTTPS
    return 301 https://$host$request_uri;
  }#location

Your certbot is also rather outdated (0.31.0 vs 1.8.0). If you choose to update, please be sure to use the snap installation instructions if possible. You may find that the "classic" instructions for updating indicate that your current version is the newest available.

https://certbot.eff.org/lets-encrypt/ubuntubionic-nginx

Anyone who followed the then-current instructions on the Certbot web site (involving using apt-get or apt) to install Certbot on Ubuntu 18.04 would probably have Certbot 0.31.0, because Ubuntu developers didn't rush to update Certbot with new releases in the long term support versions of Ubuntu.

The new instructions on the Certbot web site today call for uninstalling the older Certbot and replacing it with a different installation method, using snap, which will result in a more up-to-date version.

It's worth pointing this out because someone who followed all of the official directions at one time could still have an outdated version today due to the change in the official documentation.

@schoen

You make an excellent point. I will be sure to enhance my upgrade spiel going forward. :slightly_smiling_face:

I do have the following in my nginx conf file:

# HTTP — redirect all traffic to HTTPS
server {rewrite ^(/.well-known/acme-challenge/.*) $1 break; # managed by Certbot


    listen 80;
    listen [::]:80;
    server_name prsnl-server.com;
    return 301 https://$host$request_uri;
location = /.well-known/acme-challenge/IByAhjG8TV1gtqBAxukWpTNOwk011Ye7FCV4ETauZao{default_type text/plain;return 200 IByAhjG8TV1gtqBAxukWpTNOwk$

}

Shouldn't that work?

Ha. I removed the index.html file, as it was only intended for testing. Renamed the file, that should be OK now?

That served only one specific file, which will never be used again.
And probably never got used...
Your site still has no renewed cert.

I really can't see, from where I am sitting, if your config is OK or not.
What says?:
sudo nginx -t

You can use that code in the HTTP config file.

nginx -t:

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Furthermore, I have changed my config file (default for prsnl-server.com, in the folder "sites-available"). This is the entire file, because a fragment only says so much:

# HTTP — redirect all traffic to HTTPS
server {rewrite ^(/.well-known/acme-challenge/.*) $1 break; # managed by Certbot


    listen 80;
    listen [::]:80;
    server_name prsnl-server.com;
    #skip challenge requests and
    location ~ ^/(?!\.well-known) {
      #send all other requests to HTTPS
      return 301 https://$host$request_uri;
     }
#location
#    return 301 https://$host$request_uri;
location = /.well-known/acme-challenge/IpWvtupr1WY3cjXIuCS-NI_lEmlM3pC9coMsow8Gb9M{default_type text/plain;return 200 IpWvtupr1WY3cjXIuCS-NI_lEmlM3pC9coMsow8Gb9M.vqsmwnas2RpfbcZeLJJB_G8aCMvlMef-Nw3DCDX6zC0;} # managed by Certbot

}

#upstream my_http_servers {
    #ip_hash;
#    server 127.0.0.1:5000;      # httpServer1 listens to port 444
#    server 127.0.0.1:5001;      # httpServer2 listens to port 445
#}

# HTTPS — proxy all requests to the Node app
server {
    # Enable HTTP/2
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name prsnl-server.com;

    # Use the Let’s Encrypt certificates
    ssl_certificate /etc/letsencrypt/live/prsnl-server.com-0001/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/prsnl-server.com-0001/privkey.pem; # managed by Certbot

    # Include the SSL configuration from cipherli.st
    include snippets/ssl-params.conf;

    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-NginX-Proxy true;
        proxy_ssl_session_reuse off;
        proxy_set_header Host $http_host;
        proxy_cache_bypass $http_upgrade;
        proxy_redirect off;
       # proxy_pass http://my_http_servers;
        proxy_pass http://localhost:5000;
       # proxy_set_header Upgrade $http_upgrade;
       # proxy_set_header Connection "upgrade";
       # proxy_http_version 1.1;
       # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
       # proxy_set_header Host $host;
    }


}

# HTTPS — proxy all requests to the Node app
server {
    # Enable HTTP/2
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name www.prsnl-server.com;

    # Use the Let’s Encrypt certificates
    ssl_certificate /etc/letsencrypt/live/www.prsnl-server.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/www.prsnl-server.com/privkey.pem; # managed by Certbot

    # Include the SSL configuration from cipherli.st
    include snippets/ssl-params.conf;

    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-NginX-Proxy true;
        proxy_ssl_session_reuse off;
        proxy_set_header Host $http_host;
        proxy_cache_bypass $http_upgrade;
        proxy_redirect off;
        # proxy_pass http://my_http_servers;
        proxy_pass http://localhost:5000;
        # proxy_set_header Upgrade $http_upgrade;
        # proxy_set_header Connection "upgrade";
        # proxy_http_version 1.1;
        # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # proxy_set_header Host $host;
    }

}



server {
    server_name files.prsnl-server.com;

    location / {
        proxy_pass https://prsnl.ams3.cdn.digitaloceanspaces.com/;
        proxy_hide_header      Strict-Transport-Security;
        proxy_cache            example-cache;
        proxy_cache_valid      200 1440m;
        proxy_cache_use_stale  error timeout updating http_500 http_502 http_503 http_504;
        proxy_cache_revalidate on;
        proxy_cache_lock       on;
        proxy_ignore_headers   Set-Cookie;
        add_header             X-Cache-Status $upstream_cache_status;
    }

    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/prsnl-server.com-0001/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/prsnl-server.com-0001/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

#server {
#    server_name www.files.prsnl-server.com;
#
#    location / {
#        proxy_pass https://prsnl.ams3.cdn.digitaloceanspaces.com/;
#        proxy_hide_header      Strict-Transport-Security;
#        proxy_cache            example-cache;
#        proxy_cache_valid      200 1440m;
#        proxy_cache_use_stale  error timeout updating http_500 http_502 http_503 http_504;
#        proxy_cache_revalidate on;
#        proxy_cache_lock       on;
#        proxy_ignore_headers   Set-Cookie;
#        add_header             X-Cache-Status $upstream_cache_status;
#    }
#
#    listen [::]:443 ssl ipv6only=on; # managed by Certbot
#    listen 443 ssl; # managed by Certbot
#    ssl_certificate /etc/letsencrypt/live/www.files.prsnl-server.com/fullchain.pem; # managed by Certbot
#    ssl_certificate_key /etc/letsencrypt/live/www.files.prsnl-server.com/privkey.pem; # managed by Certbot
#    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
#    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
#
#}

Then, my config file for files.prsnl-server.com, also in "sites-available":

server {
    server_name files.prsnl-server.com;

    location / {
        proxy_pass https://prsnl.ams3.cdn.digitaloceanspaces.com/;
        proxy_hide_header      Strict-Transport-Security;
        proxy_cache            example-cache;
        proxy_cache_valid      200 1440m;
        proxy_cache_use_stale  error timeout updating http_500 http_502 http_503 http_504;
        proxy_cache_revalidate on;
        proxy_cache_lock       on;
        proxy_ignore_headers   Set-Cookie;
        add_header             X-Cache-Status $upstream_cache_status;
    }
}

server {
    if ($host = files.prsnl-server.com) {
      #skip challenge requests and
      location ^/(?!\.well-known) {
      #send all other requests to HTTPS
        return 301 https://$host$request_uri;
      }
#location
       # return 301 https://$host$request_uri;
     # } # managed by Certbot
}

And then I also have this file "default" in the folder "sites-enabled":

# HTTP — redirect all traffic to HTTPS
server {
    listen 80;
    listen [::]:80;
    server_name prsnl-server.com;
    #skip challenge requests and
    location ~ ^/(?!\.well-known) {
      #send all other requests to HTTPS
      return 301 https://$host$request_uri;
     }
#location
#    return 301 https://$host$request_uri;
}

#upstream my_http_servers {
    #ip_hash;
#    server 127.0.0.1:5000;      # httpServer1 listens to port 444
#    server 127.0.0.1:5001;      # httpServer2 listens to port 445
#}

# HTTPS — proxy all requests to the Node app
server {
    # Enable HTTP/2
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name prsnl-server.com;

    # Use the Let’s Encrypt certificates
    ssl_certificate /etc/letsencrypt/live/prsnl-server.com-0001/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/prsnl-server.com-0001/privkey.pem; # managed by Certbot

    # Include the SSL configuration from cipherli.st
    include snippets/ssl-params.conf;

    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-NginX-Proxy true;
        proxy_ssl_session_reuse off;
        proxy_set_header Host $http_host;
        proxy_cache_bypass $http_upgrade;
        proxy_redirect off;
       # proxy_pass http://my_http_servers;
        proxy_pass http://localhost:5000;
       # proxy_set_header Upgrade $http_upgrade;
       # proxy_set_header Connection "upgrade";
       # proxy_http_version 1.1;
       # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
       # proxy_set_header Host $host;
    }


}

# HTTPS — proxy all requests to the Node app
server {
    # Enable HTTP/2
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name www.prsnl-server.com;

    # Use the Let’s Encrypt certificates
    ssl_certificate /etc/letsencrypt/live/www.prsnl-server.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/www.prsnl-server.com/privkey.pem; # managed by Certbot

    # Include the SSL configuration from cipherli.st
    include snippets/ssl-params.conf;

    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-NginX-Proxy true;
        proxy_ssl_session_reuse off;
        proxy_set_header Host $http_host;
        proxy_cache_bypass $http_upgrade;
        proxy_redirect off;
        # proxy_pass http://my_http_servers;
        proxy_pass http://localhost:5000;
        # proxy_set_header Upgrade $http_upgrade;
        # proxy_set_header Connection "upgrade";
        # proxy_http_version 1.1;
        # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # proxy_set_header Host $host;
    }

}



server {
    server_name files.prsnl-server.com;

    location / {
        proxy_pass https://prsnl.ams3.cdn.digitaloceanspaces.com/;
        proxy_hide_header      Strict-Transport-Security;
        proxy_cache            example-cache;
        proxy_cache_valid      200 1440m;
        proxy_cache_use_stale  error timeout updating http_500 http_502 http_503 http_504;
        proxy_cache_revalidate on;
        proxy_cache_lock       on;
        proxy_ignore_headers   Set-Cookie;
        add_header             X-Cache-Status $upstream_cache_status;
    }

    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/prsnl-server.com-0001/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/prsnl-server.com-0001/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

#server {
#    server_name www.files.prsnl-server.com;
#
#    location / {
#        proxy_pass https://prsnl.ams3.cdn.digitaloceanspaces.com/;
#        proxy_hide_header      Strict-Transport-Security;
#        proxy_cache            example-cache;
#        proxy_cache_valid      200 1440m;
#        proxy_cache_use_stale  error timeout updating http_500 http_502 http_503 http_504;
#        proxy_cache_revalidate on;
#        proxy_cache_lock       on;
#        proxy_ignore_headers   Set-Cookie;
#        add_header             X-Cache-Status $upstream_cache_status;
#    }
#
#    listen [::]:443 ssl ipv6only=on; # managed by Certbot
#    listen 443 ssl; # managed by Certbot
#    ssl_certificate /etc/letsencrypt/live/www.files.prsnl-server.com/fullchain.pem; # managed by Certbot
#    ssl_certificate_key /etc/letsencrypt/live/www.files.prsnl-server.com/privkey.pem; # managed by Certbot
#    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
#    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
#
#}

So it's pretty messy, and I actually don't really know which file I should use/edit/rely on :confused:

Still, all renewals failed with the above files:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/prsnl-server.com-0001.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for files.prsnl-server.com
http-01 challenge for prsnl-server.com
Using default addresses 80 and [::]:80 ipv6only=on for authentication.
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (prsnl-server.com-0001) from /etc/letsencrypt/renewal/prsnl-server.com-0001.conf produced an unexpected error: Failed authorization procedure. files.prsnl-server.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://files.prsnl-server.com/.well-known/acme-challenge/pmd-xWJYAxZD3Iff42rSKNmd2j3A4b8qADqu35Oug04: Timeout after connect (your server may be slow or overloaded), prsnl-server.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://prsnl-server.com/.well-known/acme-challenge/EQgGK4Yjyfs67TBRzvqMZ4RJpO0btndOGLB9r4R93eY: Timeout after connect (your server may be slow or overloaded). Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/prsnl-server.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for files.prsnl-server.com
http-01 challenge for prsnl-server.com
http-01 challenge for www.files.prsnl-server.com
http-01 challenge for www.prsnl-server.com
Using default addresses 80 and [::]:80 ipv6only=on for authentication.
Using default addresses 80 and [::]:80 ipv6only=on for authentication.
Using default addresses 80 and [::]:80 ipv6only=on for authentication.
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (prsnl-server.com) from /etc/letsencrypt/renewal/prsnl-server.com.conf produced an unexpected error: Failed authorization procedure. files.prsnl-server.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://files.prsnl-server.com/.well-known/acme-challenge/MmblOwMkEDBS5eHj28OBbKGYjZNtbyJxoFqRHQyKtSM: Timeout after connect (your server may be slow or overloaded), www.prsnl-server.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://www.prsnl-server.com/.well-known/acme-challenge/XG3LeN-6nviIYNVJPfkaROiUTwaQyCaYC8eyb1YbxV0: Timeout after connect (your server may be slow or overloaded), prsnl-server.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://prsnl-server.com/.well-known/acme-challenge/PVQM9Zg5Kgk9aYIEJremSngYKmyokt1mk8yOaMoWD8s: Timeout after connect (your server may be slow or overloaded), www.files.prsnl-server.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://www.files.prsnl-server.com/.well-known/acme-challenge/2BuqptaRNhPKEawOYnv6xqifAXetCJnv9a2P4u3lI9A: Timeout after connect (your server may be slow or overloaded). Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/www.files.prsnl-server.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.files.prsnl-server.com
Using default addresses 80 and [::]:80 ipv6only=on for authentication.
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (www.files.prsnl-server.com) from /etc/letsencrypt/renewal/www.files.prsnl-server.com.conf produced an unexpected error: Failed authorization procedure. www.files.prsnl-server.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://www.files.prsnl-server.com/.well-known/acme-challenge/WBmiCNHB6TxXpU_BTHqkkyBIxsq677SAVYYm-GjQA74: Timeout after connect (your server may be slow or overloaded). Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/www.prsnl-server.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.prsnl-server.com
Using default addresses 80 and [::]:80 ipv6only=on for authentication.
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (www.prsnl-server.com) from /etc/letsencrypt/renewal/www.prsnl-server.com.conf produced an unexpected error: Failed authorization procedure. www.prsnl-server.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://www.prsnl-server.com/.well-known/acme-challenge/9vhvsxCCPqrajrr3Lj4pLT_D_RrP01EPU-2i2PwalIY: Timeout after connect (your server may be slow or overloaded). Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/prsnl-server.com-0001/fullchain.pem (failure)
  /etc/letsencrypt/live/prsnl-server.com/fullchain.pem (failure)
  /etc/letsencrypt/live/www.files.prsnl-server.com/fullchain.pem (failure)
  /etc/letsencrypt/live/www.prsnl-server.com/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/prsnl-server.com-0001/fullchain.pem (failure)
  /etc/letsencrypt/live/prsnl-server.com/fullchain.pem (failure)
  /etc/letsencrypt/live/www.files.prsnl-server.com/fullchain.pem (failure)
  /etc/letsencrypt/live/www.prsnl-server.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: files.prsnl-server.com
   Type:   connection
   Detail: Fetching
   http://files.prsnl-server.com/.well-known/acme-challenge/MmblOwMkEDBS5eHj28OBbKGYjZNtbyJxoFqRHQyKtSM:
   Timeout after connect (your server may be slow or overloaded)

   Domain: www.prsnl-server.com
   Type:   connection
   Detail: Fetching
   http://www.prsnl-server.com/.well-known/acme-challenge/XG3LeN-6nviIYNVJPfkaROiUTwaQyCaYC8eyb1YbxV0:
   Timeout after connect (your server may be slow or overloaded)

   Domain: prsnl-server.com
   Type:   connection
   Detail: Fetching
   http://prsnl-server.com/.well-known/acme-challenge/PVQM9Zg5Kgk9aYIEJremSngYKmyokt1mk8yOaMoWD8s:
   Timeout after connect (your server may be slow or overloaded)

   Domain: www.files.prsnl-server.com
   Type:   connection
   Detail: Fetching
   http://www.files.prsnl-server.com/.well-known/acme-challenge/2BuqptaRNhPKEawOYnv6xqifAXetCJnv9a2P4u3lI9A:
   Timeout after connect (your server may be slow or overloaded)

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.
 - The following errors were reported by the server:

   Domain: files.prsnl-server.com
   Type:   connection
   Detail: Fetching
   http://files.prsnl-server.com/.well-known/acme-challenge/pmd-xWJYAxZD3Iff42rSKNmd2j3A4b8qADqu35Oug04:
   Timeout after connect (your server may be slow or overloaded)

   Domain: prsnl-server.com
   Type:   connection
   Detail: Fetching
   http://prsnl-server.com/.well-known/acme-challenge/EQgGK4Yjyfs67TBRzvqMZ4RJpO0btndOGLB9r4R93eY:
   Timeout after connect (your server may be slow or overloaded)

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.
 - The following errors were reported by the server:

   Domain: www.files.prsnl-server.com
   Type:   connection
   Detail: Fetching
   http://www.files.prsnl-server.com/.well-known/acme-challenge/WBmiCNHB6TxXpU_BTHqkkyBIxsq677SAVYYm-GjQA74:
   Timeout after connect (your server may be slow or overloaded)

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.
 - The following errors were reported by the server:

   Domain: www.prsnl-server.com
   Type:   connection
   Detail: Fetching
   http://www.prsnl-server.com/.well-known/acme-challenge/9vhvsxCCPqrajrr3Lj4pLT_D_RrP01EPU-2i2PwalIY:
   Timeout after connect (your server may be slow or overloaded)

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

Hi @PennyWise94

I can load that address

http://files.prsnl-server.com/.well-known/acme-challenge/MmblOwMkEDBS5eHj28OBbKGYjZNtbyJxoFqRHQyKtSM

http status 404 - Not Found, but that's a correct answer, not a timeout.

So if Letsencrypt sees a Timeout, it looks like you have a regional firewall or something else that blocks Letsencrypt.
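The check described in that post (and the redirect/auth concern raised in the first reply), written up as an added example that is not code from any participant in this thread: a POSIX shell script that fetches a made-up token under `/.well-known/acme-challenge/` on each hostname you pass it, without following redirects, and labels what it saw. The hostnames and the probe token are whatever you supply; nothing in it is specific to this thread's setup. It assumes `curl` is installed.

```shell
#!/bin/sh
# Added example (not from any post in this thread): probe the http-01
# challenge path of a host the way a CA validator reaches it, and turn
# curl's outcome into a one-line diagnosis. Assumes curl is installed.
# The token in the path is made up, so a 404 is the healthy answer.

# classify_probe CURL_EXIT HTTP_STATUS REDIRECT_URL
# Maps curl's exit code and the HTTP status/redirect it saw to a verdict.
classify_probe() {
  rc=$1; status=$2; redirect=${3:-}
  case "$rc" in
    0)  ;;
    6)  echo "dns: hostname did not resolve (check the A/AAAA record)"; return 0 ;;
    7)  echo "refused: TCP connect failed (nothing listening on :80, or the port is blocked)"; return 0 ;;
    28) echo "timeout: connect or response timed out (host firewall/ufw, provider firewall, or a backend that never answers)"; return 0 ;;
    *)  echo "curl error $rc"; return 0 ;;
  esac
  case "$status" in
    200) echo "served: 200 at the challenge path (token content is what the CA compares next)" ;;
    404) echo "reachable: 404 for a made-up token is the healthy answer outside an active validation" ;;
    301|302|307|308)
      echo "redirect: $status -> $redirect (Let's Encrypt follows it, so the target must answer without auth and, on https, with a valid chain)" ;;
    401|403)
      echo "auth: $status means something in front of the challenge path demands credentials; exclude /.well-known/acme-challenge/ from it" ;;
    *)   echo "unexpected HTTP $status" ;;
  esac
}

# probe_challenge_path HOST [TOKEN]
# One GET, no redirect following, short timeouts so a silent drop shows up
# as curl exit 28 instead of hanging the script.
probe_challenge_path() {
  host=$1
  token=${2:-probe-$(date +%s)}            # constructed token; never a real one
  url="http://$host/.well-known/acme-challenge/$token"
  rc=0
  out=$(curl -s -o /dev/null --connect-timeout 5 --max-time 10 \
            -w '%{http_code} %{redirect_url}' "$url") || rc=$?
  status=${out%% *}
  redirect=${out#* }
  printf '%s\n  %s\n' "$url" "$(classify_probe "$rc" "$status" "$redirect")"
}

# Usage: sh probe-acme.sh prsnl-server.com files.prsnl-server.com
for h in "$@"; do
  probe_challenge_path "$h"
done
```

A 404 for a made-up token is the healthy result, as the post says; 401/403 points at an auth layer covering the challenge path, and a curl exit of 28 is the same symptom as the CA's "Timeout after connect". The CA validates from more than one network location, so a clean result from your own machine rules out a broken config but not a filter that keys on the source address.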

When I go to that specific URL, I get

AccessDenied prsnltx0000000000000164ad917-005f6dddd6-27b38d1-ams3a27b38d1-ams3a-ams3

Which seems like a DigitalOcean Spaces error to me. But it does redirect to https when I try to visit the URL.

So it should be something in my ufw settings?

It's your system. Find and change that. There are different places possible - firewall, htaccess, router, application.

That's irrelevant, that's your browser cache. See https://check-your-website.server-daten.de/?q=files.prsnl-server.com%2F.well-known%2Facme-challenge%2F1234 - there is no redirect to https.

Read your own error message.

I would remove these entries:

And replace them with the ones I provided (twice already - so not going to add them here again).

This file lacks a listening port:

And things in /sites-available/ are not necessarily being used.
Check in /sites-enabled/.

The default file, if in use, would conflict/overlap with another file.
Check which files, and names, are actually in use with:
sudo apachectl -S

Ah, nice! Thx!

127.0.1.1 (/etc/apache2/sites-enabled/000-default.conf:1)

I’m not at home right now, so will dig deeper tomorrow. Keep you posted.

Still can't figure it out. I introduced your code block to allow the acme challenge, this is my entire default config file in sites-enabled:

# HTTP — redirect all traffic to HTTPS
server {
    listen 80;
    listen [::]:80;
    server_name prsnl-server.com;
    #skip challenge requests and redirect all other traffic to HTTPS
    location ~ ^/(?!\.well-known) {
        return 301 https://$host$request_uri;
    }
}

#upstream my_http_servers {
#    ip_hash;
#    server 127.0.0.1:5000;      # httpServer1 listens to port 444
#    server 127.0.0.1:5001;      # httpServer2 listens to port 445
#}

# HTTPS — proxy all requests to the Node app
server {
    # Enable HTTP/2
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name prsnl-server.com;

    # Use the Let’s Encrypt certificates
    ssl_certificate /etc/letsencrypt/live/prsnl-server.com-0001/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/prsnl-server.com-0001/privkey.pem; # managed by Certbot

    # Include the SSL configuration from cipherli.st
    include snippets/ssl-params.conf;

    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-NginX-Proxy true;
        proxy_ssl_session_reuse off;
        proxy_set_header Host $http_host;
        proxy_cache_bypass $http_upgrade;
        proxy_redirect off;
        # proxy_pass http://my_http_servers;
        proxy_pass http://localhost:5000;
        # proxy_set_header Upgrade $http_upgrade;
        # proxy_set_header Connection "upgrade";
        # proxy_http_version 1.1;
        # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # proxy_set_header Host $host;
    }

}

# HTTPS — proxy all requests to the Node app
server {
    # Enable HTTP/2
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name www.prsnl-server.com;

    # Use the Let’s Encrypt certificates
    ssl_certificate /etc/letsencrypt/live/www.prsnl-server.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/www.prsnl-server.com/privkey.pem; # managed by Certbot

    # Include the SSL configuration from cipherli.st
    include snippets/ssl-params.conf;

    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-NginX-Proxy true;
        proxy_ssl_session_reuse off;
        proxy_set_header Host $http_host;
        proxy_cache_bypass $http_upgrade;
        proxy_redirect off;
        # proxy_pass http://my_http_servers;
        proxy_pass http://localhost:5000;
        # proxy_set_header Upgrade $http_upgrade;
        # proxy_set_header Connection "upgrade";
        # proxy_http_version 1.1;
        # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # proxy_set_header Host $host;
    }

}



server {
    listen 80;
    listen [::]:80;
    server_name files.prsnl-server.com;
    #skip challenge requests and redirect all other traffic to HTTPS
    location ~ ^/(?!\.well-known) {
        return 301 https://$host$request_uri;
    }

    location / {
        proxy_pass https://prsnl.ams3.cdn.digitaloceanspaces.com/;
        proxy_hide_header      Strict-Transport-Security;
        proxy_cache            example-cache;
        proxy_cache_valid      200 1440m;
        proxy_cache_use_stale  error timeout updating http_500 http_502 http_503 http_504;
        proxy_cache_revalidate on;
        proxy_cache_lock       on;
        proxy_ignore_headers   Set-Cookie;
        add_header             X-Cache-Status $upstream_cache_status;
    }

    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/prsnl-server.com-0001/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/prsnl-server.com-0001/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

#server {
#    server_name www.files.prsnl-server.com;
#

It renews for www.prsnl-server.com, not for the others. I don't understand.

root@PRSNL-nodeJS-AMS3:/etc/nginx/sites-enabled# certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/prsnl-server.com-0001.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for files.prsnl-server.com
http-01 challenge for prsnl-server.com
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (prsnl-server.com-0001) from /etc/letsencrypt/renewal/prsnl-server.com-0001.conf produced an unexpected error: Failed authorization procedure. prsnl-server.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://prsnl-server.com/.well-known/acme-challenge/ZrJmTyJfo8g1AMRlXQI0-ZB7wNc_OOEvR2khFaDmt4w: Timeout after connect (your server may be slow or overloaded), files.prsnl-server.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://files.prsnl-server.com/.well-known/acme-challenge/pqcQ6frHvSgIIpua7PBLii-M8QjyuqJAr89dDXCGCss: Timeout after connect (your server may be slow or overloaded). Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/prsnl-server.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for files.prsnl-server.com
http-01 challenge for prsnl-server.com
http-01 challenge for www.files.prsnl-server.com
http-01 challenge for www.prsnl-server.com
Using default addresses 80 and [::]:80 ipv6only=on for authentication.
Using default addresses 80 and [::]:80 ipv6only=on for authentication.
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (prsnl-server.com) from /etc/letsencrypt/renewal/prsnl-server.com.conf produced an unexpected error: Failed authorization procedure. prsnl-server.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://prsnl-server.com/.well-known/acme-challenge/FXKnf7PcxHq2vf4WH25SZ1yTkuMrrrA-Uwwhl_Ycf7E: Timeout after connect (your server may be slow or overloaded), www.files.prsnl-server.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://www.files.prsnl-server.com/.well-known/acme-challenge/RyMy8aBqmCQfO6xskPvHp0Ihy0fA1O7zAXVwTxhPkQ0: Timeout after connect (your server may be slow or overloaded), files.prsnl-server.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://files.prsnl-server.com/.well-known/acme-challenge/UvJ8cpm6IjYlEiM81AZvZAxND5d94fhY08gFX_CZUdE: Timeout after connect (your server may be slow or overloaded), www.prsnl-server.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://www.prsnl-server.com/.well-known/acme-challenge/UwerVDLXdYcjI7rK4VeCSqKtwsFfsFmEF2tNEqBWXS0: Timeout after connect (your server may be slow or overloaded). Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/www.files.prsnl-server.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.files.prsnl-server.com
Using default addresses 80 and [::]:80 ipv6only=on for authentication.
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (www.files.prsnl-server.com) from /etc/letsencrypt/renewal/www.files.prsnl-server.com.conf produced an unexpected error: Failed authorization procedure. www.files.prsnl-server.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://www.files.prsnl-server.com/.well-known/acme-challenge/476Cvbq4Ioygn67_5YYs8Gf51cNzVuJZEXouCIMblYM: Timeout after connect (your server may be slow or overloaded). Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/www.prsnl-server.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.prsnl-server.com
Using default addresses 80 and [::]:80 ipv6only=on for authentication.
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/www.prsnl-server.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certs could not be renewed:
  /etc/letsencrypt/live/prsnl-server.com-0001/fullchain.pem (failure)
  /etc/letsencrypt/live/prsnl-server.com/fullchain.pem (failure)
  /etc/letsencrypt/live/www.files.prsnl-server.com/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The following certs were successfully renewed:
  /etc/letsencrypt/live/www.prsnl-server.com/fullchain.pem (success)

The following certs could not be renewed:
  /etc/letsencrypt/live/prsnl-server.com-0001/fullchain.pem (failure)
  /etc/letsencrypt/live/prsnl-server.com/fullchain.pem (failure)
  /etc/letsencrypt/live/www.files.prsnl-server.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
3 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: prsnl-server.com
   Type:   connection
   Detail: Fetching
   http://prsnl-server.com/.well-known/acme-challenge/FXKnf7PcxHq2vf4WH25SZ1yTkuMrrrA-Uwwhl_Ycf7E:
   Timeout after connect (your server may be slow or overloaded)

   Domain: www.files.prsnl-server.com
   Type:   connection
   Detail: Fetching
   http://www.files.prsnl-server.com/.well-known/acme-challenge/RyMy8aBqmCQfO6xskPvHp0Ihy0fA1O7zAXVwTxhPkQ0:
   Timeout after connect (your server may be slow or overloaded)

   Domain: files.prsnl-server.com
   Type:   connection
   Detail: Fetching
   http://files.prsnl-server.com/.well-known/acme-challenge/UvJ8cpm6IjYlEiM81AZvZAxND5d94fhY08gFX_CZUdE:
   Timeout after connect (your server may be slow or overloaded)

   Domain: www.prsnl-server.com
   Type:   connection
   Detail: Fetching
   http://www.prsnl-server.com/.well-known/acme-challenge/UwerVDLXdYcjI7rK4VeCSqKtwsFfsFmEF2tNEqBWXS0:
   Timeout after connect (your server may be slow or overloaded)

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.
 - The following errors were reported by the server:

   Domain: prsnl-server.com
   Type:   connection
   Detail: Fetching
   http://prsnl-server.com/.well-known/acme-challenge/ZrJmTyJfo8g1AMRlXQI0-ZB7wNc_OOEvR2khFaDmt4w:
   Timeout after connect (your server may be slow or overloaded)

   Domain: files.prsnl-server.com
   Type:   connection
   Detail: Fetching
   http://files.prsnl-server.com/.well-known/acme-challenge/pqcQ6frHvSgIIpua7PBLii-M8QjyuqJAr89dDXCGCss:
   Timeout after connect (your server may be slow or overloaded)

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.
 - The following errors were reported by the server:

   Domain: www.files.prsnl-server.com
   Type:   connection
   Detail: Fetching
   http://www.files.prsnl-server.com/.well-known/acme-challenge/476Cvbq4Ioygn67_5YYs8Gf51cNzVuJZEXouCIMblYM:
   Timeout after connect (your server may be slow or overloaded)

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

I just rebooted the server and tried again. All renewals succeeded just now:

root@PRSNL-nodeJS-AMS3:~# certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/prsnl-server.com-0001.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for files.prsnl-server.com
http-01 challenge for prsnl-server.com
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/prsnl-server.com-0001/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/prsnl-server.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.files.prsnl-server.com
Using default addresses 80 and [::]:80 ipv6only=on for authentication.
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/prsnl-server.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/www.files.prsnl-server.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/www.files.prsnl-server.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/www.prsnl-server.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certs are not due for renewal yet:
  /etc/letsencrypt/live/www.prsnl-server.com/fullchain.pem expires on 2020-12-26 (skipped)
Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/prsnl-server.com-0001/fullchain.pem (success)
  /etc/letsencrypt/live/prsnl-server.com/fullchain.pem (success)
  /etc/letsencrypt/live/www.files.prsnl-server.com/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Do I need to reboot before trying to apply the changes? I always restart nginx (service nginx restart or systemctl restart nginx). Do I need a full reboot? Any explanation for this?

Thx for all the help!

1 Like

To keep things super simple and manageable, there should be four server sections:

But this is what you have now:

There is no listen 80 for www.prsnl-server.com
The last server block creates an encryption issue for that name.
[doing 80 and 443 in the same block is difficult (at best) and should always be avoided]

2 Likes
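As an added example (not the thread's own configuration, nor the one the last reply refers to), this is the separation that reply asks for: one plain-HTTP block that covers all four names, answers http-01 challenges and redirects everything else, and HTTPS blocks that never also listen on port 80. The webroot path, the app port and the certificate lineage names (LINEAGE_APP, LINEAGE_FILES) are assumptions.

```nginx
# Added example, not the thread's own config. All four names share one plain-HTTP
# block; the TLS blocks never also listen on 80. Webroot, app port and
# certificate lineage names (LINEAGE_*) are assumptions.
server {
    listen 80;
    listen [::]:80;
    server_name prsnl-server.com www.prsnl-server.com
                files.prsnl-server.com www.files.prsnl-server.com;

    # A location without a modifier is a literal prefix, so a regex such as
    # ^/(?!\.well-known) only works as "location ~ ...". A plain prefix is
    # simpler: the longer prefix beats "location /", so challenge files are
    # served, never redirected. With "certbot --nginx" the plugin injects its
    # own temporary location into this block and no webroot is needed.
    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;   # assumed webroot (certbot --webroot -w /var/www/letsencrypt)
        default_type text/plain;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

# HTTPS for the Node app. The lineage must cover every name the block serves.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name prsnl-server.com www.prsnl-server.com;

    ssl_certificate     /etc/letsencrypt/live/LINEAGE_APP/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/LINEAGE_APP/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    location / {
        proxy_set_header Host            $http_host;
        proxy_set_header X-Real-IP       $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://127.0.0.1:5000;   # assumed app port, as in the thread
    }
}

# HTTPS for the Spaces-backed file host; same lineage rule applies.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name files.prsnl-server.com www.files.prsnl-server.com;

    ssl_certificate     /etc/letsencrypt/live/LINEAGE_FILES/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/LINEAGE_FILES/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    location / {
        proxy_pass https://prsnl.ams3.cdn.digitaloceanspaces.com/;
        proxy_hide_header Strict-Transport-Security;
    }
}
```

Run nginx -t before reloading, and confirm with ss -ltnp that only nginx holds ports 80 and 443 (the apachectl -S output earlier in the thread shows an Apache vhost on the same machine).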