Timeout during connect with certbot renewal

Since this month my Let's Encrypt certificate for my domain is not renewing anymore. As far as I know I did not change anything. What I DID do this month is restore my entire webserver from a snapshot after I got a corrupted disk; the snapshot was about a week old.

I ran a check on https://check-your-website.server-daten.de/?q=home.mecallie.com and that seems fine to me, except for one error at the bottom…

I have checked my firewall: port 80 seems to be forwarded ok.

My domain is:
home.mecallie.com
I ran this command:
certbot renew --dry-run
It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/home.mecallie.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for home.mecallie.com
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (home.mecallie.com) from /etc/letsencrypt/renewal/home.mecallie.com.conf produced an unexpected error: Failed authorization procedure. home.mecallie.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://home.mecallie.com/.well-known/acme-challenge/h7EsR5ii1R-iGpjfky2_TdIPRWPCR0aRI6uJP0Dl4cU: Timeout during connect (likely firewall problem). Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/home.mecallie.com/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/home.mecallie.com/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: home.mecallie.com
   Type:   connection
   Detail: Fetching
   http://home.mecallie.com/.well-known/acme-challenge/h7EsR5ii1R-iGpjfky2_TdIPRWPCR0aRI6uJP0Dl4cU:
   Timeout during connect (likely firewall problem)

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

My web server is (include version):
nginx 1.14.0
The operating system my web server runs on is (include version):
Ubuntu 18.04.4 LTS
My hosting provider, if applicable, is:
N/A
I can login to a root shell on my machine (yes or no, or I don’t know):
yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
0.27.0 EDIT: just upgraded to certbot 0.31.0 via ppa. Same issue.

Hi @Mecallie

There is nothing ok. Grade T - Timeout. And an explicit warning.

http://home.mecallie.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 217.122.13.60 -14

Fatal: Check of /.well-known/acme-challenge/random-filename has a timeout. Creating a Letsencrypt certificate via http-01 challenge can't work. You need a running webserver (http) and an open port 80. If it's a home server + ipv4, perhaps a correct port forwarding port 80 extern ⇒ working port intern is required. Port 80 / http can redirect to another domain port 80 or port 443, but not other ports. If it's a home server, perhaps your ISP blocks port 80. Then you may use the dns-01 challenge.
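As an added example (it is not code from this thread or from the check-your-website tool), a small Python probe that does what the check above describes: request a random name under /.well-known/acme-challenge/ over plain port 80 from outside and classify a timeout, a 404, a 403 and the port of any redirect. The token name and the verdict wording are constructed here.

```python
import socket
import urllib.error
import urllib.request
from urllib.parse import urlsplit

CHALLENGE_PATH = "/.well-known/acme-challenge/"

def classify(status, location=None):
    """Map the probe result to a verdict; status is None on a connect timeout."""
    if status is None:
        return "timeout: port 80 not reachable from outside (firewall/NAT/ISP)"
    if status == 404:
        return "ok: 404 for a random token, certbot can serve its own file here"
    if status in (301, 302, 307, 308):
        if not location:
            return "bad: redirect without a Location header"
        u = urlsplit(location)
        port = u.port or (443 if u.scheme == "https" else 80)
        if port in (80, 443):
            return f"ok: redirect to port {port} is followed by the CA"
        return f"bad: redirect to port {port}; only 80 and 443 are followed"
    if status == 403:
        return "bad: 403 on the challenge path, the webserver or app blocks it"
    if 200 <= status < 300:
        return "suspicious: 2xx for a random token, a catch-all is answering"
    return f"bad: unexpected status {status}"

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Keep urllib from following redirects so the Location can be inspected."""
    def redirect_request(self, *args, **kwargs):
        return None

def probe(domain, token="constructed-random-token", timeout=10.0):
    """Fetch http://<domain>/.well-known/acme-challenge/<token> and classify."""
    url = f"http://{domain}{CHALLENGE_PATH}{token}"
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return classify(resp.status, resp.headers.get("Location"))
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx land here
        return classify(err.code, err.headers.get("Location"))
    except urllib.error.URLError as err:  # connect-phase errors are wrapped
        if isinstance(err.reason, socket.timeout):
            return classify(None)
        return f"bad: connect failed ({err.reason})"
    except socket.timeout:  # read timeout after connecting
        return classify(None)
```

Run `probe("home.mecallie.com")` from a machine outside your own network, since a NAT rule that works from inside can still time out from the internet.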

Ah, I actually missed the part below the screenshots. Or it was not ready yet?

Something strange was (is?) going on with my firewall. Port 80 was forwarded just fine (and if I go to port 80 on the domain name in a browser I am redirected to 443 by Nextcloud). However, after deleting the NAT rule and creating it again I now get the following output with certbot renew --dry-run:

Processing /etc/letsencrypt/renewal/home.mecallie.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/home.mecallie.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/home.mecallie.com/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The weird thing is that the actual renew still does not work:

Processing /etc/letsencrypt/renewal/home.mecallie.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for home.mecallie.com
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (home.mecallie.com) from /etc/letsencrypt/renewal/home.mecallie.com.conf produced an unexpected error: Failed authorization procedure. home.mecallie.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://home.mecallie.com/.well-known/acme-challenge/TLd0XbqcfelRRnMt1jkw38qvR4IqKxrcY22w8yyYAbI: Error getting validation data. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/home.mecallie.com/fullchain.pem (failure)

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/home.mecallie.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: home.mecallie.com
   Type:   connection
   Detail: Fetching
   http://home.mecallie.com/.well-known/acme-challenge/TLd0XbqcfelRRnMt1jkw38qvR4IqKxrcY22w8yyYAbI:
   Error getting validation data

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

So the test goes fine now, but the actual renew still does not :?

Use the online tool to recheck your domain and to see the answer.

I did. Am I correct in assuming that the answer is the fact that I get a 403 error instead of a 404?

You have to fix that.

Read

I gathered as much after reading that error. No idea why that starts happening all of a sudden. But it does not seem to have anything to do with Let's Encrypt but with the nginx/Nextcloud config. I will check the Nextcloud forum. Thank you for your assistance.
