Tried to create new cert but certbot kept trying to renew

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: mail.21jerry.com

I ran this command: certbot certonly --webroot -w /var/www/html -d mail.21jerry.com

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mail.21jerry.com
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Challenge failed for domain mail.21jerry.com
http-01 challenge for mail.21jerry.com
Cleaning up challenges
Some challenges have failed.

My web server is (include version): nginx

The operating system my web server runs on is (include version): ubuntu 20.04

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 0.40.0

Hi, I thought my mail server was renewing but I guess it wasn't. Odds against me, we had a storm today exactly 90 days from the original request (NORCAL) and the power went out. When it came up, the cert was expired.

I tried to renew it, but I suspect the challenge isn't working for some reason. There is a webmail interface so it should be coming up. I don't understand it, I guess. So I tried to create a new cert but every time I tried, and I guess I exceeded the tries today, it kept trying to renew the old cert and challenge again. So I need the server up and I'm stuck. This is an iredmail mail server only. Help!

There's no practical difference between a "new cert" and a "renewed cert." Both are new certs, both cover the same domain names, and both require the same sorts of challenges to be completed in order to issue a cert. And right now, your server isn't responding on port 80, which will prevent cert issuance:


Yes, I figured port 80 might be the issue. This server hasn't been rebooted since then either, and I have a feeling it has something to do with iptables or its follow-on. Digging into that now.

I just went and looked at nftables and port 80 is open, but I think, and I'm far from an expert in this area, the only thing listening is my webmail server, which requires SSL. Does that make sense?

I checked open ports and I did see an issue: 443 was correct, but 80 wasn't pointing to the correct IP address for inbound. So I fixed that. I have two default sites available, one for 80 and one for 443 SSL. 80 had pointed to the SSL one, so I took that out and restarted everything. It is still flipping over to 443 for some reason I don't understand. I also don't understand how I got the cert in the first place. I guess I have to keep digging until it replies on 80?
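For readers hitting the same symptom (the port-80 site handing everything to the HTTPS site, so the http-01 token is never served over plain HTTP), here is an added example of an nginx port-80 server block, not taken from this thread or from iRedMail, that keeps the ACME challenge path reachable over HTTP and only redirects everything else to HTTPS. It uses the hostname and webroot from the `certbot certonly --webroot -w /var/www/html` command above; the file location under `/etc/nginx/sites-available/` is an assumption about the layout.

```nginx
# Added example, not from the original post or from iRedMail.
# Assumed location: /etc/nginx/sites-available/mail.21jerry.com-http
# Enable it and reload nginx (nginx -t && systemctl reload nginx) before
# re-running certbot certonly --webroot -w /var/www/html -d mail.21jerry.com
server {
    listen 80;
    listen [::]:80;
    server_name mail.21jerry.com;

    # Serve the http-01 token files certbot drops into the webroot.
    # This location must be matched before the catch-all redirect below,
    # otherwise the validator is bounced to the TLS site instead.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/html;
        default_type "text/plain";
        try_files $uri =404;
    }

    # Everything else still goes to the HTTPS webmail site.
    location / {
        return 301 https://$host$request_uri;
    }
}
```

To confirm the path works before spending another rate-limited attempt, drop a test file under `/var/www/html/.well-known/acme-challenge/` and fetch it with `curl -i http://mail.21jerry.com/.well-known/acme-challenge/<filename>` from outside the box: you want a `200` with the file's contents, not a `301` to `https://`. Remove the test file afterwards.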

Since you have nginx listening on port 80 (and hopefully python-certbot-nginx installed), I wonder if this could be resolved with:

certbot renew --cert-name mail.21jerry.com --authenticator nginx --dry-run

The port 80 "connection refused" issue from before seems to be resolved now, so hopefully this just works?


After a lot of screwing around, and probably having opened my server up to all kinds of hell, I am now able to go to 21jerry.com, or the address, 50.211.214.194, or the address:80.

mail.21jerry.com still gives me the SSL error, as I would expect it to. Do I have to fix that too? I would think I would only ever want SSL and port 443 open to that site, no?

Also, I think I exceeded the number of tries for today.

Thanks for the help, by the way.


I have no idea what I did, just hope I can undo it. But after a ton of screwing around, downloading and installing certbot again, it finally worked, at least it said it did. I have no idea why. I think the great computer in the sky just felt sorry for me.

Now I have to put the certs in the right place and test.

Thanks for the pointers!


Just to close this out, I still have no idea how I got around this issue. I did reinstall certbot and download the apache2 plugin, but if I had a cert, this must have been there before, I think. But even after running it a few times, I still had a problem. Then all of a sudden, and the only thing I can think happened is that I overflowed my cache and there was something in there that was causing it to keep going to the https site. But that doesn't mean anything either, so who the F knows!
