My domain is: mirror.anarc.at
I ran this command: certbot renew
It produced this output:
- The following errors were reported by the server:
Domain: mirror.anarc.at
Type: connection
Detail: Fetching
http://mirror.anarc.at/.well-known/acme-challenge/5_CpOCx38guwL_I9Gd1x5VaNopxi_rCUwobYJehbsFg:
Timeout during connect (likely firewall problem)
I have also tried:
root@marcos:/etc# certbot certonly -d mirror.anarc.at --webroot -w /var/www/mirror/
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Cert is due for renewal, auto-renewing...
Renewing an existing certificate for mirror.anarc.at
Performing the following challenges:
http-01 challenge for mirror.anarc.at
Using the webroot path /var/www/mirror for all unmatched domains.
Waiting for verification...
Challenge failed for domain mirror.anarc.at
http-01 challenge for mirror.anarc.at
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: mirror.anarc.at
Type: connection
Detail: Fetching
http://mirror.anarc.at/.well-known/acme-challenge/B1k-K3ozfrJ5hQx7d5lLhLzUD3C8w1jNxrnRGZIxSLY:
Timeout during connect (likely firewall problem)
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
And I can reproduce the issue on Let's Debug (although debugging shows the webserver is reachable, see Let's Debug), but nowhere else: I have tried from people.debian.org and other machines and they can all reach my server correctly. I am not firewalling port 80 or 443, although I am redirecting the former to the latter, which never caused problems in the past.
My web server is (include version): 2.4.52-1~deb11u2
The operating system my web server runs on is (include version): Debian 11 "bullseye"
My hosting provider, if applicable, is: N/A
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.12.0
I should also point out that I've been tracking my /etc directory in git for a while, with daily autocommit. Since around November, I started noticing an accumulation of CSRs in /etc/letsencrypt/csr, where I now have a whopping 1638 entries. Typically, I'd get new CSRs added there when new certificates are renewed, but because renewals have started breaking at some point in the past, I'm now adding dozens of CSRs a day in there. It seems that, around March 3rd, the Let's Encrypt servers have started having trouble reaching my server and I cannot clearly explain why this is happening anymore.
I've been using Let's Encrypt since at least 2017, and this is the first time I need to ask for help around a problem like this. Typically, the configuration issues are on my end: some expired DNS entry or misconfigured virtual host. But this is different: nothing changed on my end, and things seem to be working from other points of view on the network. I also tried to check the challenge by using --debug-challenges and curling the URL to see if the challenge is really available, and it is (with curl -L).
Is there something obvious I'm missing here? I looked at other issues like HTTP challenge fails: Timeout during connect, DNS problem - #5 by JuergenAuer and I don't seem to find anything that matches my experience there.
Thanks for any input.
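One way to narrow down a "Timeout during connect" on the HTTP-01 challenge is to probe port 80 on every address the name resolves to separately (A and AAAA), since curl quietly falls back to the first address that works while the validator may pick any of them, and then fetch the challenge URL following the http-to-https redirect. The script below is an added diagnostic, not code from the original post or from certbot; the hostname and token path in the usage line are placeholders to replace with the values printed by certbot --debug-challenges.

```python
# Added diagnostic (not from the original post): probe an HTTP-01 challenge URL
# one resolved address at a time, then fetch it following redirects.
import json
import socket
import sys
import urllib.request
from urllib.parse import urlsplit


def resolve_all(host):
    """Every IPv4 and IPv6 address published for the name (A and AAAA records)."""
    infos = socket.getaddrinfo(host, 80, proto=socket.IPPROTO_TCP)
    return sorted({addr[0] for _, _, _, _, addr in infos})


def tcp_connect(ip, port=80, timeout=5.0):
    """True if a TCP handshake to ip:port completes within timeout.
    A timeout here is what certbot reports as 'Timeout during connect'."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:  # timeout, refused, unreachable network, no IPv6 route, ...
        return False


def fetch_following_redirects(url, timeout=10.0):
    """Fetch url following redirects (an http->https redirect is fine for HTTP-01)."""
    req = urllib.request.Request(url, headers={"User-Agent": "acme-reachability-check"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status, resp.read().decode("utf-8", "replace").strip(), resp.geturl()


def check_challenge(url, timeout=5.0):
    """Per-address port-80 reachability for the host in url, plus one full fetch."""
    host = urlsplit(url).hostname
    result = {"addresses": {ip: tcp_connect(ip, 80, timeout) for ip in resolve_all(host)}}
    try:
        status, body, final = fetch_following_redirects(url, timeout)
        result["fetch"] = {"status": status, "final_url": final, "body": body}
    except OSError as exc:  # URLError/HTTPError and socket errors all derive from OSError
        result["fetch"] = {"error": str(exc)}
    return result


def self_test():
    """Offline check of tcp_connect: a local listener, then the same port once closed."""
    lst = socket.socket()
    lst.bind(("127.0.0.1", 0))
    lst.listen(1)
    port = lst.getsockname()[1]
    open_ok = tcp_connect("127.0.0.1", port, timeout=2.0)
    lst.close()
    return open_ok, tcp_connect("127.0.0.1", port, timeout=2.0)


if __name__ == "__main__":
    # Placeholder URL: substitute the token path certbot prints with --debug-challenges.
    target = sys.argv[1] if len(sys.argv) > 1 else "http://example.invalid/.well-known/acme-challenge/TOKEN"
    print(json.dumps(check_challenge(target), indent=2))
```

An address that shows False here while curl from the same machine succeeds is the one the validator may be hitting; compare the list against what the DNS actually publishes for the name.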